Anomaly Policies

Learn how to use anomaly policies to help identify unusual user activity.
Anomaly policies use audit logs and network flow logs to help you identify unusual network and user activity for all users. They are especially valuable for privileged users and assumed roles, where unusual activity may be the first sign of misuse or account compromise. These policies rely on threat feeds to resolve IP addresses to geo-locations and to perform user and entity behavior analytics (UEBA). When Prisma Cloud identifies a suspicious IP address, the threat feed lets you classify and view more information on the malicious IP addresses with which the suspicious IP address is communicating, so you can quickly decide which alerts to investigate and act on.
Before the service can detect unusual activity for your enterprise, you must Define Prisma Cloud Enterprise and Anomaly Settings to specify a training threshold and set the baseline for what the normal trends in your network are. To build this baseline, Prisma Cloud gathers information about the users or identities used to access the monitored cloud accounts, the devices used for access, the IP addresses and locations they come from, the ports and protocols typically used, the cloud services they use and how often, the hours during which they access these services, and the activities they perform within them.
The anomaly policies that are enabled by default alert you to these issues:
Account hijacking attempts: Detect potential account hijacking attempts by identifying unusual login activity. Examples are concurrent login attempts made within a short period from two different geographic locations, known as impossible time travel (ITT), or a login from a previously unknown browser, operating system, or location. This category includes one policy, named Account hijacking attempts.
Excessive login failures: Detect potential account hijacking attempts by identifying brute-force login attempts. What counts as excessive is evaluated dynamically against the models learned through continuous observation. This category includes one policy, named Excessive login failures.
Unusual user activity: Discover insider threats and account compromise using advanced data science. The Prisma Cloud machine learning algorithm profiles a user's activities on the console, as well as the use of access keys, based on location and the type of cloud resources accessed. This category includes one policy, named Unusual user activity.
Network evasion and resource misuse: Detect unusual server port or protocol activity, that is, traffic from a client inside or outside your cloud environment to a server host inside or outside your network over a server port or IP protocol that is not typical of your network traffic flows. To identify potential resource misuse, the anomaly policy also flags a host inside your cloud environment that has no prior mail-related network activity and starts generating outbound SMTP traffic. This category includes five policies: spambot activity, unusual server port (internal and external), and unusual protocol (internal and external).
Network reconnaissance: Detect port scan or port sweep activity that probes a server or host for open ports. The port scan policies identify a vertical scan, where an attacker looks for any open port on a single target; the port sweep policies identify a horizontal scan, where an attacker looks for one specific port across many target hosts. The policies also identify whether the source is internal (the scan or sweep originates from an instance within your cloud environment) or external (it originates from the internet and targets the cloud environment monitored by Prisma Cloud). The policies that detect internal port scan and port sweep activity are enabled by default. This category includes four policies: port scan activity (internal and external) and port sweep activity (internal and external).
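To make the network policies above concrete, the following is an added example, not Prisma Cloud code, that runs vertical port scan, horizontal port sweep, and first-outbound-SMTP (spambot-style) detection over constructed AWS VPC flow log lines in the default format. The 10.0.0.0/8 internal range, the thresholds of five ports or five hosts, and the mail port set are assumptions, not values the product uses:

```python
"""Added example (not Prisma Cloud code): port scan, port sweep and first-time
outbound SMTP detection over constructed AWS VPC flow log records.
The internal CIDR, thresholds and mail ports are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed address range of the monitored VPCs
SCAN_PORTS = 5     # assumed: this many distinct ports on one target is a vertical scan
SWEEP_HOSTS = 5    # assumed: one port on this many targets is a horizontal sweep
SMTP_PORTS = {25, 465, 587}

def parse_flow_log(text):
    """Parse default-format VPC flow log lines: version account-id interface-id
    srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status."""
    records = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 14 or f[0] == "version":   # skip headers and truncated lines
            continue
        records.append({"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
                        "proto": int(f[7]), "action": f[12]})
    return records

def side(addr):
    """Classify the source as internal (within the VPC range) or external."""
    return "internal" if ip_address(addr) in INTERNAL else "external"

def detect_port_scans(records):
    """Vertical scan: one source probing many distinct ports on one target."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted((src, dst, side(src), len(p))
                  for (src, dst), p in ports.items() if len(p) >= SCAN_PORTS)

def detect_port_sweeps(records):
    """Horizontal sweep: one source probing one port on many distinct targets."""
    hosts = defaultdict(set)
    for r in records:
        hosts[(r["src"], r["dport"])].add(r["dst"])
    return sorted((src, port, side(src), len(h))
                  for (src, port), h in hosts.items() if len(h) >= SWEEP_HOSTS)

def detect_new_smtp(baseline, current):
    """Spambot-style detection: internal hosts with no mail-related flows during the
    baseline window that start sending outbound SMTP in the current window."""
    had_mail = {r["src"] for r in baseline
                if r["dport"] in SMTP_PORTS and side(r["src"]) == "internal"}
    return sorted({r["src"] for r in current
                   if r["dport"] in SMTP_PORTS and r["action"] == "ACCEPT"
                   and side(r["src"]) == "internal" and r["src"] not in had_mail})

# Constructed sample flows (not real data). Baseline: a web client and an existing
# mail relay. Current: the web client starts sending SMTP, an external host probes
# five ports on one instance, and an internal instance probes SSH on five hosts.
BASELINE_LOG = """
2 123456789012 eni-1a 10.0.1.5 10.0.2.9 40001 443 6 10 8000 1714500000 1714500060 ACCEPT OK
2 123456789012 eni-1b 10.0.1.7 203.0.113.25 40002 25 6 20 4000 1714500000 1714500060 ACCEPT OK
"""
CURRENT_LOG = """
2 123456789012 eni-1a 10.0.1.5 198.51.100.20 40003 25 6 50 9000 1714586400 1714586460 ACCEPT OK
2 123456789012 eni-1b 10.0.1.7 198.51.100.21 40004 25 6 20 4000 1714586400 1714586460 ACCEPT OK
""" + "\n".join(
    f"2 123456789012 eni-2c 192.0.2.10 10.0.3.4 51000 {p} 6 1 60 1714586400 1714586401 REJECT OK"
    for p in (22, 80, 443, 3389, 8080)) + "\n" + "\n".join(
    f"2 123456789012 eni-2d 10.0.4.4 10.0.5.{h} 52000 22 6 1 60 1714586400 1714586401 REJECT OK"
    for h in range(1, 6))

if __name__ == "__main__":
    cur = parse_flow_log(CURRENT_LOG)
    print("port scans :", detect_port_scans(cur))
    print("port sweeps:", detect_port_sweeps(cur))
    print("new SMTP   :", detect_new_smtp(parse_flow_log(BASELINE_LOG), cur))
```

The detectors count flows regardless of action because a scan against a closed security group leaves mostly REJECT records behind. Prisma Cloud learns its own limits from the training period configured in the anomaly settings rather than from fixed constants; the constants here only stand in for that learned baseline.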
To find all anomaly policies on Prisma Cloud, on the page, filter on the PolicyType.
As an example, the Anomalous compute provisioning activity policy is not enabled by default. When you enable it, it detects the potential creation of an unauthorized network of compute instances, whether accidental or for cryptojacking. The indicators are a high number of cloud instances being created, provisioning activity originating from TOR nodes, or provisioning activity originating from multiple distant locations within a short period. Periodically review the list of anomaly policies and assess which ones you want to enable for your enterprise.
Alerts generated for anomaly policies are grouped by policy and then by user. Because the same IP address can resolve to different locations at different points in time, Prisma Cloud does not generate an anomaly alert for unusual user activity from a previously unseen location when the IP address itself has been seen before; this reduces false positives.
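The account hijacking, excessive login failure, and previously-seen-IP behaviours described above, as an added example that is not Prisma Cloud's own code: it runs impossible time travel, a dynamically learned failure threshold, and the seen-IP suppression rule over constructed console login events. The geo lookup table (a stand-in for the threat feed), the 1000 km/h speed limit, the 600 second window, the failure-threshold formula, and the training profiles are all assumptions:

```python
"""Added example (not Prisma Cloud code): impossible time travel, dynamically
thresholded login failures, and the previously-seen-IP rule, run over constructed
console login events. The geo table, speed limit, window and profiles are assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed stand-in for the geo/threat feed: IP -> (location, latitude, longitude).
GEO = {
    "203.0.113.7": ("Frankfurt", 50.11, 8.68),
    "198.51.100.9": ("San Jose", 37.34, -121.89),
    "192.0.2.44": ("Berlin", 52.52, 13.40),
}
MAX_SPEED_KMH = 1000.0   # assumed: faster than any commercial flight is impossible travel
FAIL_WINDOW_S = 600      # assumed sliding window for counting failed logins
MIN_FAIL_THRESHOLD = 3   # assumed floor so a quiet baseline does not alert on one failure

def parse_events(text):
    """Each constructed line carries the fields a CloudTrail ConsoleLogin event exposes
    as eventTime, userIdentity, sourceIPAddress and responseElements.ConsoleLogin."""
    events = []
    for line in text.strip().splitlines():
        t, user, ip, result = line.split()
        events.append({"t": datetime.fromisoformat(t), "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["t"])

def haversine_km(a, b):
    """Great-circle distance between two (name, lat, lon) tuples."""
    lat1, lon1, lat2, lon2 = map(radians, (a[1], a[2], b[1], b[2]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """ITT: consecutive successful logins of one user whose implied speed is impossible."""
    alerts, last = [], {}
    for e in events:
        if e["result"] != "Success":
            continue
        prev = last.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            km = haversine_km(GEO[prev["ip"]], GEO[e["ip"]])
            hours = (e["t"] - prev["t"]).total_seconds() / 3600
            speed = km / hours if hours else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append((e["user"], GEO[prev["ip"]][0], GEO[e["ip"]][0], round(speed)))
        last[e["user"]] = e
    return alerts

def failure_threshold(history):
    """Dynamic limit learned from failures per window observed during training."""
    return max(mean(history) + 3 * pstdev(history), MIN_FAIL_THRESHOLD)

def excessive_failures(events, history):
    """Users whose failures in any FAIL_WINDOW_S window exceed their learned limit."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failure":
            fails[e["user"]].append(e["t"])
    alerts = {}
    for user, times in fails.items():
        limit, start = failure_threshold(history.get(user, [0])), 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > FAIL_WINDOW_S:
                start += 1
            if end - start + 1 > limit:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts

def new_location_logins(profile, events):
    """Logins from a location absent from the user's training profile. An IP that was
    already seen for the user is not alerted on even if the feed now resolves it elsewhere."""
    return sorted({(e["user"], GEO[e["ip"]][0]) for e in events
                   if e["result"] == "Success"
                   and e["ip"] not in profile.get(e["user"], {}).get("ips", set())
                   and GEO[e["ip"]][0] not in profile.get(e["user"], {}).get("locs", set())})

# Constructed training data: where each user was seen, and failures per 10-minute window.
# bob's 192.0.2.44 resolved to Munich during training (assumed), so Berlin is a new location
# from a known IP and must not alert.
PROFILE = {"alice": {"ips": {"203.0.113.7"}, "locs": {"Frankfurt"}},
           "bob": {"ips": {"203.0.113.7", "192.0.2.44"}, "locs": {"Frankfurt", "Munich"}}}
HISTORY = {"alice": [0, 1, 0, 2, 1]}

# Constructed events: alice logs in from Frankfurt then San Jose 30 minutes later,
# bob moves Frankfurt -> Berlin in two hours, and twelve failed logins hit alice's
# account within two minutes.
EVENTS = """
2024-05-01T08:00:00 alice 203.0.113.7 Success
2024-05-01T08:30:00 alice 198.51.100.9 Success
2024-05-01T09:00:00 bob 203.0.113.7 Success
2024-05-01T11:00:00 bob 192.0.2.44 Success
""" + "\n".join(f"2024-05-01T11:0{i // 6}:{(i % 6) * 10:02d} alice 192.0.2.44 Failure"
                for i in range(12))

if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("impossible travel :", impossible_travel(ev))
    print("excessive failures:", excessive_failures(ev, HISTORY))
    print("new locations     :", new_location_logins(PROFILE, ev))
```

Frankfurt to San Jose is roughly 9,150 km, so alice's two logins 30 minutes apart imply over 18,000 km/h and trip ITT, while bob's Frankfurt to Berlin hop (about 420 km in two hours) does not. The failure limit for alice is learned from her history rather than fixed, which is the point of the "evaluated dynamically" wording above.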
If you want to add one or more IP addresses as trusted sources, see Trusted IP Addresses on Prisma Cloud. For adding other resource types, such as tags or cloud services in a trusted list to suppress alerts, see Suppress Alerts for Prisma Cloud Anomaly Policies.
To view the alerts generated for an anomaly policy, see , and filter for alerts generated against anomaly policies to get the details of what was identified as unusual or suspicious. Note that multiple alerts of the same type (for example, when a user repeatedly accesses a resource that is flagged as an anomaly) are logged as a single alert, while a distinct alert is generated if the same user accesses another type of resource.
Alerts generated against the anomaly policies also include additional context from threat feed information provided by AutoFocus and Facebook Threat Exchange. If you have an AutoFocus license, you can click the IP address link to launch the AutoFocus portal and search for a suspicious IP address directly from the page; see Use Prisma Cloud to Investigate Network Incidents.
Navigate to the page. For UEBA anomaly policies, you can also see a Trending View of all anomalous activities performed by the entity or user.

Cloud Service Providers Supported for Anomaly Policies

Anomaly policies are of two subtypes— Network and UEBA. The network anomaly policies process network flow logs to identify attacks from the network activity observed; the UEBA anomaly policies detect attacks from the user activity recorded in the audit event logs.
The table below shows the services Prisma Cloud reads the audit event and network flow logs from on each supported cloud provider:

Data from           AWS Services      Azure Services          GCP Services
Audit Event Logs    AWS CloudTrail    Azure Monitor           Google Stackdriver Logging
Network Flow Logs   AWS CloudWatch    Azure Network Watcher   Google Stackdriver Logging
All the network anomaly policies are available for detecting potential issues on AWS, Azure, and GCP.
Most of the UEBA anomaly policies support every cloud provider for which Prisma Cloud ingests audit event logs. Five policies have partial support. Prisma Cloud ingests login activity only from AWS, which restricts the coverage provided by the account hijacking attempts, excessive login failures, and suspicious login activity policies. The suspicious activity in IoT services and suspicious activity in media services policies are not available on Azure and GCP at present.
