Anomaly Policies

Learn how to use anomaly policies to help identify unusual user activity.
Anomaly policies use audit logs and network flow logs to help you identify unusual network and user activity for all users. They are especially critical for privileged users and assumed roles, where unusual activity may indicate the first steps of potential misuse or account compromise. These policies rely on a third-party feed to resolve IP addresses to geo-locations and to perform user and entity behavior analytics (UEBA). Before the service can detect unusual activity for your enterprise, you must Define Prisma Cloud Enterprise Settings to specify a training threshold and set the baseline for what counts as normal trends in your network. To build this baseline, Prisma Cloud gathers information about the users or identities used to access the monitored cloud accounts, the devices used for access, the IP addresses and locations they come from, the cloud services they use and how frequently, the hours within which they access these services, and the activities they perform within them.
Prisma Cloud includes four types of anomaly policies that are predefined and marked as Default policies:
Account hijacking attempts—Detect potential account hijacking attempts by identifying unusual login activity. Examples are concurrent login attempts made within a short duration from two different geographic locations, which is impossible time travel, or a login from a previously unknown browser, operating system, or location.
Excessive login failures—Detect potential account hijacking attempts by identifying brute-force login attempts. Excessive login failures are evaluated dynamically, against the models built through continuous learning, rather than against a fixed count.
Unusual user activity—Discover insider threats and account compromise using advanced data science. The Prisma Cloud machine learning algorithm profiles each user's activities on the console, as well as their use of access keys, based on location and the type of cloud resources accessed.
Network reconnaissance—Detect port scan or port sweep activity that probes a server or host for open ports. The port scan policies identify a vertical scan, where an attacker probes a single target for any open ports; the port sweep policies identify a horizontal scan, where an attacker probes many target hosts for one specific port. The policies also identify whether the source of the attack is internal (the scan or sweep originates from an instance within your cloud environment) or external (the source is on the internet and targets the cloud environment that Prisma Cloud monitors). The policies that detect internal port scan and port sweep activity are enabled by default.
Alerts generated by anomaly policies are grouped by policy and then by user. Because the same IP address can resolve to different geo-locations at different points in time, Prisma Cloud does not generate an anomaly alert for activity from a previously unseen location when the source IP address itself has been seen before; this reduces false positives caused by changes in the geo-location feed.
To view alerts generated for an anomaly policy, see Alerts Overview, and filter for alerts generated against anomaly policies to get the details of what was identified as unusual or suspicious activity. Note that repeated anomalies of the same type (for example, a user repeatedly accessing the same resource that is flagged as an anomaly) are logged as a single alert, while a distinct alert is generated if the same user accesses another type of resource.
From the alert details, use the Investigate icon to pivot to the Investigate page for a Trending View of all anomalous activities performed by the entity or user.