Anomaly Policies

Learn how to use anomaly policies to help identify unusual user activity.
Anomaly policies use audit logs and network flow logs to help you identify unusual network and user activity for all users, and is especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise. These policies rely on threat feeds to resolve IP addresses to geo-locations and perform user entity behavior analysis (UEBA). When Prisma Cloud identifies a suspicious IP address, the threat feed enables you to classify and view more information on the malicious IP addresses with which the suspicious IP address is communicating, so you can quickly figure out which alerts to pay attention to and act on.
Before the service can detect unusual activity for your enterprise, you must Define Prisma Cloud Enterprise and Anomaly Settings to specify a training threshold and set the baseline for what are normal trends in your network. To set this baseline, Prisma Cloud gathers information about the user or identities used to access the monitored cloud accounts, the devices used for access, the IP addresses and locations they come from, the ports and protocols typically used, the cloud services they use and the frequency, the hours within which they access these applications, and the activities they perform within the cloud services.
The anomaly policies that are predefined and marked as Prisma Cloud Default policies alert you to these issues:
Account hijacking attempts
—Detect potential account hijacking attempts discovered by identifying unusual login activities. These can happen if there are concurrent login attempts made in short duration from two different geographic locations, which is
impossible time travel
, or login from a previously unknown browser, operating system, or location.
Excessive login failures
—Detect potential account hijacking attempts discovered by identifying brute force login attempts. Excessive login failure attempts are evaluated dynamically based on the models observed with continuous learning.
Unusual user activity
—Discover insider threat and an account compromise using advanced data science. The Prisma Cloud machine learning algorithm profiles a user's activities on the console, as well as the usage of access keys based on the location and the type of cloud resources.
Network evasion and resource misuse
—Detects unusual server port activity or unusual protocol activity from a client within or outside your cloud environment to an server host within or outside your network using a server port or an IP protocol that is not typical to your network traffic flows.
To identify potential resource misuse, the anomaly policy monitors when a host inside your cloud environment that has no prior mail-related network activity, starts generating outbound SMTP traffic.
Network reconnaissance
—Detect port scan or port sweep activities that probe a server or host for open ports. The port scanning policies identify when an attacker is performing a vertical scan to find any ports on a target, and the port sweep detects a horizontal scan where an attacker is scanning for a specific port on many targets hosts.The policies identify whether the source of the attack internal that is the port scan or sweep originates from an instance within your cloud environment, or external where the source of the port scan or sweep originates from the internet and targets the cloud environment that is monitored by Prisma Cloud. The policies that detect internal port scan and port sweep activity are enabled by default.
anomaly-policies.png
Alerts generated by anomaly policies are grouped by policy and then by user. Because the same IP address can resolve to different locations at different points in time, if there is an unusual user activity from a previously unseen location for an IP address that has been seen before, Prisma Cloud does not generate an anomaly alert (and reduces false positives).
If you want to add one or more IP addresses as trusted sources. see Trusted IP Addresses on Prisma Cloud. IP addresses included in the trusted list do not generate alerts for network based anomaly policies such as network reconnaisance, evasion and resource misuse policies.
To view alerts generated for an anomaly policy, see
Alerts
Overview
, and filter for alerts generated against anomaly policies and get the details on what was identified as unusual or suspicious activity. Note that multiple alerts of the same type (when a user accesses a resource that is flagged as an anomaly), are logged as a single alert, while a distinct alert is generated if the same user accesses another type of resource.
anomaly-policies-alert-details.png
Alerts generated against the anomaly policies also include additional context based on threat feed information from Autofocus and Facebook Threat Exchange. Use the tooltip to review the threat details. If you have an AutoFocus license, you can click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the
Investigate
page, see Use Prisma Cloud to Investigate Network Incidents.
network-anomaly-alerts-tooltip.png
From the alert details use the
investigate-icon.png
, to pivot to the
Investigate
page for a
Trending View
of all anomalous activities performed by the entity or user.
anomaly-policies-investigate.png

Recommended For You