Define Prisma Cloud Enterprise and Anomaly Settings

Use the enterprise level settings to build standard training models for anomaly detection, set the alert disposition, and configure other global settings such as the inactivity timeout after which a user is logged out, and user attribution for alerts.

Set Up Inactivity Timeout

Specify a timeout period after which an inactive administrative user will be automatically logged out of Prisma Cloud. An inactive user is one who does not interact with the UI using their keyboard and mouse within the specified time period.
  1. Select Settings > Enterprise Settings.
  2. Set the User Idle Timeout.
    If you modify the timeout period, the new value takes effect for all administrative users who log in after you make the change; the previous timeout applies to all currently logged in users.

Set Up Global Settings for Policy and Alerts

These settings apply to all Prisma Cloud policies. Anomaly policies have additional customizable settings; see Set Up Anomaly Policy Thresholds.
  • Auto enable new default policies of the type you select.
    1. Select Settings > Enterprise Settings.
    2. Granularly enable new Default policies of severity High, Medium or Low.
      While some high severity policies are enabled to provide the best security outcomes, policies of medium or low severity are disabled by default. When you select the checkbox to auto enable policies of a specific severity, you can either retroactively enable all policies that match the severity or only enable policies that are added to Prisma Cloud going forward.
      If you enable policies of a specific severity and later clear the checkbox, the policies that were enabled previously are not disabled; going forward, policies that match the severity you cleared are no longer enabled to scan your cloud resources and generate alerts.
      If you want to disable the policies that are currently active, you must disable the status of each policy on the Policies page.
  • Enable Make Alert Dismissal Note Mandatory to require users to specify a reason before they dismiss an alert.
  • Enable Populate User Attribution in Alerts Notifications.
    User attribution data provides context on who created or modified the resource that triggered the alert. Select this option to include user attribution data in the alert payload, so that it is sent as part of the JSON data to notification channels such as SQS or Splunk. Enabling this option can delay alert generation by up to two hours because the relevant user information may not be instantly available from the cloud provider.

Set Up Anomaly Policy Thresholds

Prisma Cloud allows you to define different thresholds for anomaly detection: for Unusual Entity Behavior Analysis (UEBA), which corresponds to policies that analyze audit events, and for unusual network activity, which corresponds to policies that analyze network flow logs. You can also define when you want to receive alert notifications based on the severity assigned to the anomaly policy.
If you want to exclude one or more IP addresses or a CIDR block from generating alerts against Anomaly policies, see Trusted IP Addresses on Prisma Cloud.
  • For UEBA policies:
    1. Select Settings > Anomaly Settings > Alerts and Thresholds.
    2. Select a policy.
    3. Define the Training Model Threshold.
      The Training Model Threshold tells Prisma Cloud which values to use when setting the baseline for the machine learning (ML) models.
      For production environments, set the Training Model Threshold to High so that you allow more time and have more data to analyze when determining the baseline.
      For unusual user activity:
      1. Low: The behavioral models are based on observing at least 25 events over 7 days.
      2. Medium: The behavioral models are based on observing at least 100 events over 30 days.
      3. High: The behavioral models are based on observing at least 300 events over 90 days.
      For account hijacking:
      1. Low: The behavioral models are based on observing at least 10 events over 7 days.
      2. Medium: The behavioral models are based on observing at least 25 events over 15 days.
      3. High: The behavioral models are based on observing at least 50 events over 30 days.
    4. Define your Alert Disposition.
      Alert Disposition is your preference for when you want to be notified of an alert, based on the severity of the issue (low, medium, or high). The alert severity is based on the severity associated with the policy that triggers an alert.
      Every activity can be profiled by location or by user activity. Activity-based anomalies identify activities that have not been consistently performed in the past. Location-based anomalies identify locations from which activities have not been performed in the past.
      Choose the disposition (in some cases only two are available):
      1. Conservative:
        For unusual user activity: reports on unknown location and service to classify an anomaly.
        For account hijacking: reports on location and activity for logins under travel conditions that are not possible, such as logging in from India and the US within 8 hours.
      2. Moderate:
        For unusual user activity: reports on unknown location, or both unknown location and service, to classify an anomaly.
      3. Aggressive:
        For unusual user activity: reports on either unknown location or service to classify an anomaly.
        For account hijacking: reports on unknown browser and operating system, or impossible time travel.
      Set the Alert Disposition to Conservative to reduce false positives.
      When you change the Training Model Threshold or Alert Disposition, the existing alerts are resolved and new ones are regenerated based on the new setting. It might take a while for the new anomaly alerts to show on the Alerts page.
  • For unusual network activity:
    For anomaly policies that help you detect network incidents, such as an unusual protocol or port used to access a server on your network, you can customize the following for each policy.
    1. Select Settings > Anomaly Settings > Alerts and Thresholds.
    2. Select a policy.
    3. Define the Training Model Threshold.
      The Training Model Threshold tells Prisma Cloud which values to use for parameters such as the number of days and packets for creating the ML models. These thresholds are available only for policies that require model building, such as Unusual server port activity and Spambot activity.
      1. Low: The behavioral models are based on observing at least 10K packets over 7 days.
      2. Medium: The behavioral models are based on observing at least 100K packets over 14 days.
      3. High: The behavioral models are based on observing at least 1M packets over 28 days.
    4. Define your Alert Disposition.
      Alert Disposition is your preference for when you want to be notified of an alert, based on the severity of the issue (low, medium, or high). The alert severity is based on the severity associated with the policy that triggers an alert. You can choose from three dispositions based on the number of ports or hosts, or the volume of traffic generated to a port or host on a resource:
      1. Aggressive: Reports High, Medium, and Low severity alerts.
        For example, a Spambot policy that sees 250MB of traffic to a resource, or a port sweep policy that scans 10 hosts.
      2. Moderate: Reports High and Medium severity alerts.
        For example, a Spambot policy that sees 500MB of traffic to a resource, or a port sweep policy that scans 25 hosts.
      3. Conservative: Reports High severity alerts only.
        For example, a Spambot policy that sees 1GB of traffic to a resource, or a port sweep policy that scans 40 hosts.
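The account hijacking dispositions above combine two signals, impossible travel between consecutive logins and an unknown browser or operating system. The following Python block is an added illustration of that logic, not Prisma Cloud's own code; it assumes a 900 km/h speed cutoff, a haversine distance, and a caller-supplied baseline of known browser/OS pairs, and the login records are constructed.

```python
"""Added example (not Prisma Cloud code): the two account hijacking signals the
Alert Disposition describes, impossible travel and an unknown browser/OS.
Assumed, not from the page: the MAX_SPEED_KMH cutoff and a caller-supplied baseline."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed cutoff, roughly airliner speed

@dataclass
class Login:
    user: str
    at: datetime
    lat: float
    lon: float
    browser: str
    os: str

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev, cur):
    """True when the implied speed between two logins exceeds the cutoff."""
    hours = (cur.at - prev.at).total_seconds() / 3600
    if hours <= 0:  # same instant: any distance at all is impossible
        return distance_km(prev, cur) > 0
    return distance_km(prev, cur) / hours > MAX_SPEED_KMH

def classify(prev, cur, known, disposition):
    """Reasons the chosen disposition would report for the login `cur`."""
    reasons = []
    if impossible_travel(prev, cur):
        reasons.append("impossible travel")
    # Conservative reports only impossible travel; Aggressive also reports a
    # browser/OS pair that is not in the user's baseline of known clients.
    if disposition == "Aggressive" and (cur.browser, cur.os) not in known:
        reasons.append("unknown browser/OS")
    return reasons

# Constructed sample: Mumbai 09:00, Delhi 3 h later, New York 6 h after Mumbai.
KNOWN = {("Chrome", "Windows")}
MUMBAI = Login("alice", datetime(2024, 1, 1, 9, 0), 19.08, 72.88, "Chrome", "Windows")
DELHI = Login("alice", datetime(2024, 1, 1, 12, 0), 28.61, 77.21, "Chrome", "Windows")
NEW_YORK = Login("alice", datetime(2024, 1, 1, 15, 0), 40.71, -74.01, "Firefox", "Linux")
if __name__ == "__main__":
    for disp in ("Conservative", "Aggressive"):
        print(disp, classify(MUMBAI, NEW_YORK, KNOWN, disp))
```

The Mumbai to New York pair reproduces the page's India/US within 8 hours case, while Mumbai to Delhi in 3 hours stays under the cutoff and, with a known client, produces no alert under either disposition.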
