Use Prisma Cloud to Investigate Network Incidents

Learn how to use Prisma Cloud to investigate network incidents.
Prisma Cloud ingests and monitors network traffic from cloud services and allows customers to query network events in their cloud environments. You can detect when services, applications or databases are exposed to the internet and whether there are potential data exfiltration attempts. Network queries are currently supported for AWS, Azure and GCP.
To view network traffic data, use Network queries. Enter your queries in the Search field. If the search expression is valid and complete, a green check mark appears along with the results of your query. You can save the searches you create for investigating incidents in My Saved Searches, so that you can reuse them instead of typing the queries all over again. You can also use a Saved Search to create a policy. Saved Searches lists the search queries saved by any user in the system.
Network queries enable you to search for network resources or network flows. By using packets, bytes, source or destination resource, source or destination IP address, and source or destination port information, these queries enable you to monitor traffic and the interconnectivity of the resources that belong to your cloud accounts and regions.
To download network traffic details in CSV format for your entire network, for a node or an instance, or for a specific connection between a source and a destination node, click Download in the top right-hand corner. This report groups all connection details by port and includes details such as source and destination IP addresses and names, inbound and outbound bytes, inbound and outbound packets, and whether the node accepted the traffic connection.
To see the details of a network resource, click the resource and view Instance Summary, Network Summary, or Alert Summary.
To see the accepted and rejected traffic, use the Traffic Summary link. Note that the attempted bytes count displays traffic that was either denied by the security group or firewall rules, or reset by a host or virtual machine that received the packet and responded with a RST packet.
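The downloaded connection report and the accepted/attempted distinction above lend themselves to offline triage. The following is an added example, not Prisma Cloud code: it parses a constructed CSV in the shape of the per-port connection export (the column names and the byte/packet direction convention are assumptions for this example, and the internal address ranges are RFC 1918 space), aggregates accepted bytes and rejected attempts per destination port, flags ports with an internet peer, and lists accepted connections that push a large volume from an internal node to an external address, the pattern the page describes as a potential exfiltration attempt.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the per-connection CSV export. The column
# names are an assumption for this example; the real report groups connections
# by port and carries these fields, but its exact headers may differ.
# Direction convention assumed here: in_* counters are bytes/packets arriving
# at the source node, out_* counters are bytes/packets sent from the source
# node toward the destination.
SAMPLE_CSV = """\
port,source_name,source_ip,dest_name,dest_ip,in_bytes,out_bytes,in_packets,out_packets,accepted
443,web-01,10.0.1.10,api-lb,10.0.2.5,120000,80000,900,700,true
22,unknown,203.0.113.7,web-01,10.0.1.10,0,0,0,12,false
22,unknown,203.0.113.7,web-01,10.0.1.10,0,0,0,9,false
5432,app-02,10.0.1.22,db-01,10.0.3.9,50000,30000,400,300,true
8080,db-01,10.0.3.9,unknown,198.51.100.44,2000,900000000,30,600000,true
"""

# Assumed "internal" address space for this example: RFC 1918 ranges. Checked
# explicitly rather than via ipaddress.is_private/is_global, because those
# treat documentation ranges such as 203.0.113.0/24 as special-purpose.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    return not any(ip in net for net in INTERNAL_NETS)


def parse_report(text):
    """Parse the CSV text into typed rows (ints for counters, bool for accepted)."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "port": int(raw["port"]),
            "source_name": raw["source_name"],
            "source_ip": ipaddress.ip_address(raw["source_ip"]),
            "dest_name": raw["dest_name"],
            "dest_ip": ipaddress.ip_address(raw["dest_ip"]),
            "in_bytes": int(raw["in_bytes"]),
            "out_bytes": int(raw["out_bytes"]),
            "in_packets": int(raw["in_packets"]),
            "out_packets": int(raw["out_packets"]),
            "accepted": raw["accepted"].strip().lower() == "true",
        })
    return rows


def summarize_by_port(rows):
    """Aggregate per destination port: bytes on accepted connections, number of
    rejected flows and the packets they attempted, and whether any peer on
    that port is an external (internet) address."""
    summary = defaultdict(lambda: {"accepted_bytes": 0, "rejected_flows": 0,
                                   "attempted_packets": 0, "external_peer": False})
    for r in rows:
        s = summary[r["port"]]
        if r["accepted"]:
            s["accepted_bytes"] += r["in_bytes"] + r["out_bytes"]
        else:
            # Denied by a security group/firewall rule or reset by the host:
            # no payload was exchanged, so only the attempted packets are useful.
            s["rejected_flows"] += 1
            s["attempted_packets"] += r["in_packets"] + r["out_packets"]
        if is_external(r["source_ip"]) or is_external(r["dest_ip"]):
            s["external_peer"] = True
    return dict(summary)


def find_exfil_candidates(rows, out_bytes_threshold):
    """Accepted connections that sent more than out_bytes_threshold bytes from
    an internal source node to an external destination."""
    hits = []
    for r in rows:
        if (r["accepted"] and not is_external(r["source_ip"])
                and is_external(r["dest_ip"]) and r["out_bytes"] > out_bytes_threshold):
            hits.append((r["source_name"], str(r["dest_ip"]), r["port"], r["out_bytes"]))
    return hits


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    for port, stats in sorted(summarize_by_port(rows).items()):
        print(port, stats)
    print(find_exfil_candidates(rows, 100_000_000))
```

Running the script prints one summary line per port and the single exfiltration candidate in the sample (the database node sending roughly 900 MB to an external address on port 8080); the repeated rejected SSH attempts from an external source show up as attempted packets with zero accepted bytes on port 22. Point it at a real export by reading the downloaded file instead of SAMPLE_CSV and adjusting the column names to match the report headers.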
To view details of a connection, click the connection and click View Details. If the traffic is from a suspicious IP address as characterized by a threat feed, you get more details on the threat feed source, when it was classified, and the reason for classification.
If you have an AutoFocus license, you can click the IP address link to launch the AutoFocus portal and search for a suspicious IP address directly from the Investigate page.
