Learn how to use Prisma Cloud to investigate network
Prisma Cloud ingests and monitors network
traffic from cloud services and allows customers to query network
events in their cloud environments. You can detect when services,
applications or databases are exposed to the internet and whether there
are potential data exfiltration attempts. Network queries are currently
supported for AWS, Azure and GCP.
To view network traffic data, use Network queries. Enter
your queries in the Search. If the search expression is valid and
complete, you see a green check mark and the results of your query.
You can save the searches that you have created for investigating
under My Saved Searches. Reuse these saved queries later instead of
typing them all over again. You can also use a Saved Search to create
a policy.
has a list of search queries saved by any user
in the system.
Network queries enable you to search for network resources or
network flows. By using packets, bytes, source or destination resource,
source or destination IP address, and source or destination port
information, these queries enable you to monitor traffic and the
interconnectivity of the resources that belong to your cloud accounts.
To download network traffic details for your entire network,
a node or an instance, or for a specific connection between a source
and a destination node, in CSV format, click the download option in
the top right hand corner. This report groups all connection details
by port and includes details such as source and destination IP addresses
and names, inbound and outbound bytes, inbound and outbound packets,
and whether the node accepted the traffic connection.
To see the details of a network resource, click the resource.
To see the accepted and rejected traffic, use the
link. Note that the attempted bytes count displays
traffic that was either denied by security group or firewall
rules, or reset by a host or virtual machine that
received the packet and responded with a RST packet. In other words,
attempted bytes are volume that was tried, not data that got through.
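The three checks this page describes (internet-exposed resources, potential exfiltration, and rejected attempts) can be run offline over the per-port CSV report once it is downloaded. The following is an added example, not Prisma Cloud's own code: it parses a constructed sample in the shape the report is described as having (source and destination IP addresses and names, inbound and outbound bytes and packets, whether the node accepted the connection). The exact column headers, the convention that inbound means "received by the destination node", and the RFC 1918 ranges used to decide what is internal are all assumptions; check them against a real export before reuse.

```python
"""Triage a network-traffic CSV report for exposure, exfiltration and rejected flows.

Added example. SAMPLE_CSV is constructed for illustration; the column names
and the meaning of bytes_in/bytes_out are assumptions, not the product's
documented export format.
"""
import csv
import io
import ipaddress

# Assumed layout: one row per (source, destination, port) connection.
# bytes_in/packets_in = what the destination node received,
# bytes_out/packets_out = what it sent back,
# accepted = whether the destination accepted the flow (false = denied/reset).
SAMPLE_CSV = """\
port,source_ip,source_name,dest_ip,dest_name,bytes_in,bytes_out,packets_in,packets_out,accepted
22,203.0.113.7,unknown,10.0.1.5,bastion-1,4200,3100,40,35,true
3306,10.0.2.9,app-server-1,10.0.3.4,orders-db,180000,95000,900,600,true
443,10.0.1.5,bastion-1,198.51.100.20,unknown,740000000,12000,520000,300,true
3389,198.51.100.77,unknown,10.0.1.8,win-jump,720,0,12,0,false
5432,10.0.2.9,app-server-1,10.0.3.6,billing-db,5000,0,50,0,false
"""

# Assumption: the monitored VPCs use RFC 1918 space. Replace with your own
# VPC CIDRs; anything outside these is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_report(text: str) -> list[dict]:
    """Read the CSV export and coerce numeric and boolean columns."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        for key in ("port", "bytes_in", "bytes_out", "packets_in", "packets_out"):
            rec[key] = int(row[key])
        rec["accepted"] = row["accepted"].strip().lower() == "true"
        records.append(rec)
    return records


def internet_exposed(records: list[dict]) -> list[tuple]:
    """(dest_name, port) pairs where an internal node accepted a flow from outside."""
    hits = {(r["dest_name"], r["port"]) for r in records
            if r["accepted"]
            and is_internal(r["dest_ip"])
            and not is_internal(r["source_ip"])}
    return sorted(hits)


def exfiltration_candidates(records: list[dict], threshold_bytes: int) -> list[tuple]:
    """Internal sources that pushed at least threshold_bytes to a non-internal destination.

    Because bytes_in is what the destination received, a large value on an
    external destination is data leaving the account.
    """
    return sorted(
        (r["source_name"], r["dest_ip"], r["bytes_in"])
        for r in records
        if is_internal(r["source_ip"])
        and not is_internal(r["dest_ip"])
        and r["bytes_in"] >= threshold_bytes)


def rejected_attempts(records: list[dict]) -> list[tuple]:
    """Flows the destination did not accept (security group / firewall deny or RST).

    The byte count here is the attempted volume, not data that got through.
    """
    return [(r["source_ip"], r["dest_name"], r["port"], r["bytes_in"])
            for r in records if not r["accepted"]]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_CSV)
    print("internet-exposed:", internet_exposed(recs))
    print("exfiltration candidates (>=100 MB):", exfiltration_candidates(recs, 100_000_000))
    print("rejected attempts:", rejected_attempts(recs))
```

On the constructed sample this reports bastion-1 as reachable from the internet on port 22, bastion-1 sending roughly 740 MB to an external address over 443 as an exfiltration candidate, and two rejected flows (an external RDP attempt against win-jump and an internal connection to billing-db on 5432). The rejected internal flow is worth a second look even though nothing got through: a denied east-west connection from an application server to a database it should not talk to often means a misconfiguration or lateral-movement attempt.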
To view details of a connection, click the connection and click
. If the traffic is from a suspicious IP address
as characterized by a threat feed, you get more details on the threat
feed source, when it was classified, and the reason for classification.
If you have an AutoFocus license, you can click the IP address
link to launch the AutoFocus portal and search for the suspicious
IP address directly from the