Learn how to use anomaly policies to help identify unusual
user activity.
Anomaly policies use audit logs and network flow logs to help you identify
unusual network and user activity for all users. They are especially critical
for privileged users and assumed roles, where unusual activity may indicate
the first steps of misuse or account compromise. These policies rely on
threat feeds to resolve IP addresses to geo-locations and to perform user and
entity behavior analysis (UEBA). When Prisma Cloud identifies a suspicious IP
address, the threat feed enables you to classify and view more information on
the malicious IP addresses with which the suspicious IP address is
communicating, so you can quickly decide which alerts to pay attention to and
act on.
Before the service can detect unusual activity for your enterprise, you must
Define Prisma Cloud Enterprise and Anomaly Settings to specify a training
threshold and set the baseline for what normal trends in your network look
like. To set this baseline, Prisma Cloud gathers information about the users
or identities used to access the monitored cloud accounts, the devices used
for access, the IP addresses and locations they come from, the ports and
protocols typically used, the cloud services they use and how frequently, the
hours during which they access these applications, and the activities they
perform within the cloud services.
The anomaly policies that are enabled by default alert you to these issues:

Account hijacking attempts—Detect potential account hijacking attempts by
identifying unusual login activity. Examples are concurrent login attempts
made within a short duration from two different geographic locations, known
as impossible time travel (ITT), or a login from a previously unknown browser,
operating system, or location. It includes one policy, named Account
hijacking attempts.

Excessive login failures—Detect potential account hijacking attempts by
identifying brute-force login attempts. Excessive login failure attempts are
evaluated dynamically, based on models refined through continuous learning.
It includes one policy, named Excessive login failures.

Unusual user activity—Discover insider threats and account compromise using
advanced data science. The Prisma Cloud machine learning algorithm profiles a
user's activities on the console, as well as the usage of access keys, based
on the location and the type of cloud resources. It includes one policy,
named Unusual user activity.

Network evasion and resource misuse—Detect unusual server port activity or
unusual protocol activity from a client within or outside your cloud
environment to a server host within or outside your network, using a server
port or an IP protocol that is not typical of your network traffic flows. To
identify potential resource misuse, the anomaly policy monitors for a host
inside your cloud environment that has no prior mail-related network activity
and starts generating outbound SMTP traffic. It includes five policies:
spambot activity, unusual server port (internal and external), and unusual
protocol (internal and external).

Network reconnaissance—Detect port scan or port sweep activities that probe
a server or host for open ports. The port scan policies identify when an
attacker performs a vertical scan to find any open ports on a single target,
and the port sweep policies detect a horizontal scan where an attacker probes
a specific port on many target hosts. The policies identify whether the source
of the activity is internal, that is, the port scan or sweep originates from
an instance within your cloud environment, or external, where the source
originates from the internet and targets the cloud environment that Prisma
Cloud monitors. The policies that detect internal port scan and port sweep
activity are enabled by default. It includes four policies: port scan
activity (internal and external) and port sweep activity (internal and
external).
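The network reconnaissance policies above distinguish a vertical scan (one source, one host, many ports) from a horizontal sweep (one source, one port, many hosts) and label the source internal or external. The following is an added illustration of that classification over constructed flow-log records; it is not Prisma Cloud's code. The cloud address range in CLOUD_CIDRS, the fixed thresholds, and the record layout are assumptions for the example, whereas the product learns its thresholds from observed traffic.

```python
"""Classify port scans and port sweeps from flow-log records.

Added illustration, not Prisma Cloud code. A port scan (vertical scan) is one
source probing many ports on one host; a port sweep (horizontal scan) is one
source probing one port on many hosts. The source is labelled internal when
it falls inside the monitored cloud ranges (CLOUD_CIDRS, assumed here) and
external otherwise.
"""
import ipaddress
from collections import defaultdict

# Assumed address space of the monitored cloud environment (hypothetical).
CLOUD_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]

# Fixed thresholds for the illustration; the product derives its baseline
# from observed traffic instead.
SCAN_PORT_THRESHOLD = 20    # distinct destination ports on one host, one source
SWEEP_HOST_THRESHOLD = 20   # distinct destination hosts on one port, one source

# Constructed flow records in the shape (src_ip, dst_ip, dst_port, protocol, action).
SAMPLE_FLOWS = (
    # external source walks 30 ports on one internal host
    [("203.0.113.7", "10.0.1.5", port, "tcp", "REJECT") for port in range(1, 31)]
    # internal source probes port 22 on 25 internal hosts
    + [("10.0.2.9", f"10.0.3.{host}", 22, "tcp", "REJECT") for host in range(1, 26)]
    # ordinary traffic: repeated HTTPS connections to one host
    + [("10.0.4.4", "10.0.1.5", 443, "tcp", "ACCEPT")] * 50
)


def is_internal(ip):
    """True when the address lies inside the monitored cloud ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_CIDRS)


def classify_flows(flows, scan_threshold=SCAN_PORT_THRESHOLD,
                   sweep_threshold=SWEEP_HOST_THRESHOLD):
    """Return one finding per (source, target) scan and per (source, port) sweep."""
    ports_per_target = defaultdict(set)   # (src, dst) -> distinct dst ports
    hosts_per_port = defaultdict(set)     # (src, port) -> distinct dst hosts
    for src, dst, port, proto, _action in flows:
        if proto != "tcp":
            continue                      # the illustration covers TCP only
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= scan_threshold:
            findings.append({
                "policy": "port scan activity",
                "scope": "internal" if is_internal(src) else "external",
                "source": src, "target": dst, "count": len(ports),
            })
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= sweep_threshold:
            findings.append({
                "policy": "port sweep activity",
                "scope": "internal" if is_internal(src) else "external",
                "source": src, "port": port, "count": len(hosts),
            })
    return findings


if __name__ == "__main__":
    for finding in classify_flows(SAMPLE_FLOWS):
        print(finding)
```

Running the block reports one external port scan against 10.0.1.5 and one internal port sweep of port 22; the repeated HTTPS connections produce nothing, because neither the distinct-port count nor the distinct-host count grows.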
To find all anomaly policies on Prisma Cloud, on the Policies page, filter on
the PolicyType Anomaly. As an example, the Anomalous compute provisioning
activity policy is not enabled by default. When you enable this policy, it
detects the potential creation of an unauthorized network of compute
instances, whether accidental or for cryptojacking. This can be detected by a
high number of cloud instances being created, provisioning activity
originating from TOR nodes, or provisioning activities originating from
multiple distant locations within a short duration. So periodically review
the list of anomaly policies and assess which ones you would like to enable
for your enterprise.
Alerts generated for anomaly policies are grouped by policy and then by user.
Because the same IP address can resolve to different locations at different
points in time, Prisma Cloud does not generate an anomaly alert for unusual
user activity from a previously unseen location when the IP address itself
has been seen before; this reduces false positives.
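The impossible time travel (ITT) check behind the account hijacking policy, the "multiple distant locations in a short duration" signal of the anomalous compute provisioning policy, and the suppression rule for previously seen IP addresses described just above all come down to the same computation. The following added example, written for this page and not taken from Prisma Cloud, runs that check over constructed audit events: it sorts each user's events by time, computes the great-circle distance between consecutive resolved locations, and flags a pair when the implied speed exceeds a ceiling. The event layout, the speed ceiling MAX_SPEED_KMH, the sample baseline, and the coordinates are assumptions; a threat feed would supply the geo-locations in practice.

```python
"""Impossible-time-travel check over constructed audit events.

Added illustration, not Prisma Cloud code. Each event carries a timestamp,
the user, the source IP, and the latitude/longitude that the IP resolved to
at that time (a threat feed would supply the geo-location in practice). Two
consecutive events for one user are flagged when covering the great-circle
distance between their locations in the elapsed time would need a speed
above MAX_SPEED_KMH. An event from an IP already in the user's baseline is
never flagged, even if its resolved location is new.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0      # illustrative ceiling, roughly airliner speed
EARTH_RADIUS_KM = 6371.0

# Constructed baseline: source IPs previously observed per user.
BASELINE_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.10", "192.0.2.5"},
    "carol": {"198.51.100.30"},
}

# Constructed login events (ISO 8601 UTC timestamps, documentation IP ranges).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "user": "alice", "ip": "198.51.100.10",
     "lat": 50.1109, "lon": 8.6821},      # Frankfurt
    {"time": "2024-05-01T08:45:00Z", "user": "alice", "ip": "203.0.113.20",
     "lat": -33.8688, "lon": 151.2093},   # Sydney, 45 minutes later
    {"time": "2024-05-01T10:00:00Z", "user": "bob", "ip": "198.51.100.10",
     "lat": 50.1109, "lon": 8.6821},      # Frankfurt
    {"time": "2024-05-01T10:30:00Z", "user": "bob", "ip": "192.0.2.5",
     "lat": 35.6762, "lon": 139.6503},    # Tokyo, but from a baseline IP
    {"time": "2024-05-01T12:00:00Z", "user": "carol", "ip": "198.51.100.30",
     "lat": 51.5074, "lon": -0.1278},     # London
    {"time": "2024-05-01T14:00:00Z", "user": "carol", "ip": "198.51.100.31",
     "lat": 48.8566, "lon": 2.3522},      # Paris, two hours later: plausible
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, baseline_ips, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive event pair that implies impossible travel."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["time"]))
        for prev, cur in zip(user_events, user_events[1:]):
            if cur["ip"] in baseline_ips.get(user, set()):
                continue   # known IP: a new resolved location alone is not an anomaly
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            # concurrent events from different places would need infinite speed
            speed = distance / hours if hours > 0 else (math.inf if distance > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(distance), "hours": round(hours, 2),
                    "required_speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS, BASELINE_IPS):
        print(alert)
```

Only alice is flagged: Frankfurt to Sydney in 45 minutes implies a speed far above the ceiling. bob's Tokyo event comes from an IP already in his baseline and is skipped before any distance is computed, which is the false-positive reduction the text describes, and carol's London-to-Paris pair needs well under 200 km/h. The same function applies unchanged to provisioning events, since it only consumes time, identity, IP and location.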
To view alerts generated for an anomaly policy, see Alerts Overview, and
filter for alerts generated against anomaly policies to get the details on
what was identified as unusual or suspicious activity. Note that multiple
alerts of the same type (when a user accesses a resource that is flagged as
an anomaly) are logged as a single alert, while a distinct alert is generated
if the same user accesses another type of resource.
Alerts generated against the anomaly policies also include additional
context based on threat feed information from AutoFocus and Facebook Threat
Exchange. If you have an AutoFocus license, you can click the IP address link
to launch the AutoFocus portal and search for a suspicious IP address
directly from the page. For UEBA anomaly policies, you can also see a
Trending View of all anomalous activities performed by the entity or user.
Cloud Service Providers Supported for Anomaly Policies
Anomaly policies are of two subtypes: Network and UEBA. The network anomaly
policies process network flow logs to identify attacks from the network
activity observed; the UEBA anomaly policies detect attacks from the user
activity recorded in the audit event logs.
The table below shows the services used by Prisma Cloud to read the audit
event and network flow logs from each of the cloud providers supported:
Data from           AWS Services     Azure Services         GCP Services
Audit Event Logs    AWS CloudTrail   Azure Monitor          Google Stackdriver Logging
Network Flow Logs   AWS CloudWatch   Azure Network Watcher  Google Stackdriver Logging
All the network anomaly policies are available for detecting
potential issues on AWS, Azure, and GCP.
Most of the UEBA anomaly policies support all of the cloud providers for
which Prisma Cloud ingests audit event logs. There are five policies with
partial support: Prisma Cloud only ingests AWS login activity, which restricts
the coverage provided by the account hijacking attempts, excessive login
activity, and suspicious login activity policies, and support in Azure and
GCP for the suspicious activity in IoT services and suspicious activity in
media services policies is not available at present.