Prisma Cloud Threat Detection
An overview of the threat detection capabilities in Prisma Cloud’s CSPM and CWPP modules.
Prisma Cloud enables threat detection across the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) modules so that you can prevent and detect security risks across your multi-cloud and hybrid-cloud environments, hosts, containers, and serverless functions.
CSPM supports two categories of policies, Incident and Risk. Incident is the group of policies that supplies the threat detection functionality; it includes two types of anomaly policies, User Entity Behavior Analytics (UEBA) and Network anomaly, which utilize either machine learning or AutoFocus. The Risk category corresponds to the config policies, which use the Resource Query Language (RQL). With anomaly policies, data is collected from various sources such as audit logs and network flow logs and is processed using data analysis techniques such as machine learning, statistical modeling, and graph analysis to detect both known and unknown threats. With RQL-based policies, events related to user or network activity are analyzed to match specific criteria, such as a JSON field having a specific value.
Threat detection in the CWPP module consists of a collection of threat data that is aggregated from a myriad of commercial and open source sources and is then delivered via the Prisma Cloud Intelligence Stream. This threat data is then consumed across various Compute feature sets such as Vulnerabilities and Runtime.
Threat Detection in CSPM
An overview of the threat detection functionality in Prisma Cloud’s CSPM module.
Prisma Cloud provides policies for a myriad of use cases such as detecting account hijacking attempts, backdoor activity, network data exfiltration, unusual protocol activity, and DDoS activity. After a threat is detected, an alert is generated notifying administrators of the issue at hand so that they can quickly remediate it. In addition, several of these policies map to the MITRE ATT&CK® Enterprise IaaS Matrix, which serves as a roadmap for securing your cloud assets.
- Anomaly policies:
- User Entity and Behavior Analytics (UEBA)—A set of anomaly policies for identifying deviant user activity such as a user logging on from an unknown location, successive login attempts from distant geographical locations, or an abnormally large number of compute resources being created. You can view all the UEBA policies by applying a Policy Type filter for Anomaly in Policies and typing ueba in the search field; the results display the Policy Subtype UEBA.
- Network anomaly policies—A set of anomaly policies that continuously monitor network logs for malicious network traffic using machine learning as well as matching IPs against AutoFocus. There are network anomaly policies for detecting various threats such as Botnet, Ransomware, and Worm attacks. Prisma Cloud currently supports over forty network policies; you can view all of them by applying a Policy Type filter for Anomaly in Policies and typing network in the search field. The results display the Policy Subtype Network.
- Anomaly settings customization—You can use the anomaly settings to control the criterion in which alerts are generated for anomaly policies. You can modify the anomaly settings to change the model training threshold, customize alert disposition, and add anomaly trusted lists to suppress alerts from trusted resources.
- Alert disposition—A method of specifying your preference for when you want to be notified of an alert: Conservative, Moderate, or Aggressive. These preferences are based on the severity of the issues (Low, Medium, High). Conservative generates high severity alerts, Moderate generates high and medium severity alerts, and Aggressive generates high, medium, and low severity alerts. The criteria for determining the severity are different for each of the policies.
- Anomaly training model thresholds—A method for defining different thresholds for training the models for anomaly detection for UEBA and network anomalies. You can set the Training Model Threshold to Low, Medium, or High. These thresholds determine the volume of data (for example, a minimum of 100 user events) and the duration of data (for example, 30 days) used for training the models. Refer to Set Up Anomaly Policy Thresholds for more details on customizing your anomaly policy thresholds. The thresholds are different for each of the policies.
- Anomaly trusted list—A method of suppressing specific resources that you do not want to generate alerts for. For example, if there are IP addresses that you are using to perform penetration testing, then you can add those IPs to a trusted list to suppress their alerts. Refer to Suppress Alerts for Prisma Cloud Anomaly Policies for details on creating an Anomaly Trusted List.
- Resource Query Language (RQL) policies:
- Audit Event—A set of RQL-based policies that monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may put your cloud environment at risk. To view all of the audit event policies available, apply a filter for Policy Type and select Audit Event. Refer to Create a Network or Audit Event Policy to learn how to create custom audit event policies.
- Network Event—A set of RQL-based policies that monitor network activities in your environment. To view all of the Network policies available, apply a filter for Policy Type and select Network. Refer to Create a Network or Audit Event Policy to learn how to create custom network event policies.
- Custom policies that work with 3rd party integrations—A custom RQL based policy can be created that integrates with 3rd party services like Amazon GuardDuty or AWS Inspector for enhanced threat detection functionality. In addition, you also have the ability to clone existing RQL based policies and make modifications to them to fit your specific cloud security needs. Refer to Create a Custom Policy on Prisma Cloud for details on creating custom policies.
- Prisma Cloud mapping to the MITRE ATT&CK® Enterprise IaaS Matrix—The MITRE ATT&CK Matrix is a knowledge base of tactics, techniques, and procedures (TTPs) that bad actors could utilize in their attacks. A subset of this, the IaaS Matrix, covers cloud-based tactics and techniques. Prisma Cloud has config and anomaly policies that map to the IaaS Matrix so that you can continuously monitor the security of your cloud from discovery and initial access through to impact and exfiltration objectives; this enables security teams to automatically detect attack activity across their cloud environments. View the anomaly policies that map to these objectives of the IaaS Matrix by applying a Policy Type filter of Anomaly and a Compliance Standard filter with the version of the IaaS Matrix you want to view results for, such as MITRE ATT&CK v8.2; then, in the Prisma Cloud search box, enter the objectives that you want to view anomaly policies for, such as discovery or impact.
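The following is an added example, not code from Prisma Cloud, that models how the policy mechanisms above fit together over audit-log events: an RQL-style audit-event rule that matches a JSON field value (a DeleteTrail call, root activity), a UEBA-style "login from unknown location" model that only fires once the training threshold is met, an anomaly trusted list that suppresses anomaly alerts (but not audit-event matches) from listed IPs, and an alert disposition that filters by severity. The event records, policy names, severities and the numeric training thresholds are all constructed for this example and are not Prisma Cloud's actual values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Alert disposition: the severities that are reported for each setting
# (Conservative, Moderate, Aggressive as described above).
DISPOSITION = {
    "conservative": {"high"},
    "moderate": {"high", "medium"},
    "aggressive": {"high", "medium", "low"},
}

# Training model threshold: minimum baseline events per user before the
# location model counts as trained. These numbers are assumed for the example.
TRAINING_MIN_EVENTS = {"low": 2, "medium": 5, "high": 10}


@dataclass
class Alert:
    policy: str
    severity: str
    user: str
    detail: str


def _event(name, user, identity, country, ip):
    """Constructed audit-log record in a CloudTrail-like shape."""
    return {"eventName": name, "user": user, "userIdentity": {"type": identity},
            "sourceCountry": country, "sourceIP": ip}


# Constructed history used to train the per-user "known location" model.
BASELINE_EVENTS = (
    [_event("ConsoleLogin", "alice", "IAMUser", "US", "198.51.100.5") for _ in range(5)]
    + [_event("ConsoleLogin", "bob", "IAMUser", "DE", "198.51.100.9") for _ in range(2)]
)

# Constructed live events to run the policies over.
LIVE_EVENTS = [
    _event("ConsoleLogin", "alice", "IAMUser", "BR", "203.0.113.10"),  # new country for alice
    _event("ConsoleLogin", "bob", "IAMUser", "FR", "203.0.113.11"),    # bob's model may be untrained
    _event("DeleteTrail", "alice", "IAMUser", "US", "198.51.100.5"),   # sensitive config change
    _event("ConsoleLogin", "root", "Root", "US", "198.51.100.5"),      # root account activity
    _event("ConsoleLogin", "alice", "IAMUser", "BR", "192.0.2.77"),    # from a trusted pentest IP
]


def audit_event_rules(event):
    """RQL-style audit-event policies: match a JSON field against a value."""
    found = []
    if event["eventName"] == "DeleteTrail":
        found.append(Alert("Audit trail deleted", "high", event["user"], event["eventName"]))
    if event["userIdentity"]["type"] == "Root":
        found.append(Alert("Root account activity", "high", event["user"], event["eventName"]))
    return found


def train_location_model(baseline, threshold):
    """Per-user set of known login countries; users with fewer baseline
    events than the threshold are left out, so no decision is made for them."""
    seen = defaultdict(list)
    for e in baseline:
        if e["eventName"] == "ConsoleLogin":
            seen[e["user"]].append(e["sourceCountry"])
    minimum = TRAINING_MIN_EVENTS[threshold]
    return {user: set(countries) for user, countries in seen.items() if len(countries) >= minimum}


def ueba_unknown_location(event, model):
    """UEBA-style anomaly: console login from a country absent from the user's baseline."""
    known = model.get(event["user"])
    if known is None or event["eventName"] != "ConsoleLogin":
        return None
    if event["sourceCountry"] not in known:
        return Alert("Login from unknown location", "medium", event["user"],
                     f"{event['sourceCountry']} not in {sorted(known)}")
    return None


def run_detection(events, baseline, disposition="moderate", threshold="medium", trusted_ips=frozenset()):
    """Run the audit rules and the anomaly model over events, honouring the
    trusted list (anomaly policies only) and the disposition (all policies)."""
    model = train_location_model(baseline, threshold)
    alerts = []
    for e in events:
        alerts.extend(audit_event_rules(e))
        if e["sourceIP"] not in trusted_ips:          # anomaly trusted list
            anomaly = ueba_unknown_location(e, model)
            if anomaly:
                alerts.append(anomaly)
    return [a for a in alerts if a.severity in DISPOSITION[disposition]]


if __name__ == "__main__":
    for a in run_detection(LIVE_EVENTS, BASELINE_EVENTS, "moderate", "medium", {"192.0.2.77"}):
        print(f"[{a.severity}] {a.policy}: {a.user} ({a.detail})")
```

With the Moderate disposition and Medium threshold, bob's login from a new country produces nothing because his two baseline events are below the training threshold; lowering the threshold to Low makes that login an alert, and clearing the trusted list makes alice's login from the pentest IP one as well. Conservative drops the medium-severity location alert and keeps only the two audit-event matches.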
Threat Detection in CWPP
An overview of the threat detection functionality in Prisma Cloud’s CWPP module.
The Prisma Cloud CWPP module, also known as Prisma Cloud Compute, supports threat detection through Prisma Cloud Advanced Threat Detection (ATD), delivered via the Prisma Cloud Intelligence Stream. ATD is the main source of threat data in Compute; it collects data from commercial threat feeds, open source threat feeds, IP reputation lists, Prisma Cloud Labs, Common Vulnerabilities and Exposures (CVEs), and user supplied data. The Prisma Cloud Intelligence Stream uses the data in ATD to deliver the threat feed in real time, which is then utilized across several features in Compute such as vulnerability, runtime, and Web Application and API Security (WAAS), providing a breadth of threat detection capabilities across your compute workloads.
- Vulnerability—The CVE information from the different providers, packages, and images is taken from the Prisma Cloud Intelligence Stream, and additional information is added on top of that to produce the risk score used in vulnerability scanning. The information in the threat feed reveals whether an exploit exists, what attack complexity the vulnerability has, and any environmental risks. The risk score is calculated from the CVE data that Compute has and the environment factors, which you can view in Monitor > Vulnerabilities > Vulnerability Explorer. Refer to Vulnerability Explorer for more information on how to use it.
- Runtime—Ingests threat data on connections to malicious IP addresses, domains, or files known to carry malware from the Prisma Cloud Intelligence Stream, and uses it to detect anomalous behavior. The Incident explorer raises a single alert per incident type every 24 hours; subsequent alerts for the same incident type are suppressed. In addition, you can analyze the runtime information for a resource by viewing the live forensics in Runtime > Incident explorer. Runtime also integrates with WildFire (Settings > WildFire), the Palo Alto Networks malware detection engine, which identifies both known and unknown malware, enhancing your malware detection capabilities. Refer to Runtime defense for containers to learn more about runtime defense in Compute.
- WAAS—If HTTP requests are made to a web application, Compute analyzes those requests when WAAS is enabled on that resource. Computational behavioral analysis is conducted on the resource, and each request is analyzed to determine its intent. The request is evaluated against the different threats that Compute detects, such as Cross Site Scripting (XSS) or SQL injection, and an alert is then generated in Monitor > Events for Containers, Hosts, or Serverless. Refer to Web-Application and API Security (WAAS) for an overview of how WAAS works in Compute.
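The Runtime bullet notes that the Incident explorer raises one alert per incident type every 24 hours and suppresses the rest. The added example below (not Prisma Cloud code) implements that suppression window so the consequence is visible: a suppressed incident is not a sign that the activity stopped, which is why the live forensics view still matters during the window. The incident types, timestamps and the arrival order are constructed for the example.

```python
from datetime import datetime, timedelta

SUPPRESSION_WINDOW = timedelta(hours=24)   # one alert per incident type every 24 hours


class IncidentAlerter:
    """Raises one alert per incident type per window; further incidents of
    the same type inside the window are kept for review but not alerted."""

    def __init__(self, window=SUPPRESSION_WINDOW):
        self.window = window
        self.last_alert = {}    # incident type -> time the last alert was raised
        self.suppressed = []    # (incident type, seen_at) of suppressed incidents

    def observe(self, incident_type, seen_at):
        """Return True if an alert is raised for this incident, False if suppressed."""
        last = self.last_alert.get(incident_type)
        if last is not None and seen_at - last < self.window:
            self.suppressed.append((incident_type, seen_at))
            return False
        self.last_alert[incident_type] = seen_at
        return True


T0 = datetime(2024, 1, 1, 8, 0)

# Constructed runtime incidents (type, time observed), in arrival order.
SAMPLE_INCIDENTS = [
    ("malicious-ip-connection", T0),
    ("malicious-ip-connection", T0 + timedelta(hours=1)),   # same type, inside the window
    ("malware", T0 + timedelta(hours=2)),                   # different type: its own window
    ("malicious-ip-connection", T0 + timedelta(hours=23)),  # still inside the window
    ("malicious-ip-connection", T0 + timedelta(hours=24)),  # window elapsed: alert again
    ("malware", T0 + timedelta(hours=30)),                  # 28h after the last malware alert
]


def replay(incidents):
    """Feed incidents through the alerter; return (raised, suppressed) lists."""
    alerter = IncidentAlerter()
    raised = [(kind, ts) for kind, ts in incidents if alerter.observe(kind, ts)]
    return raised, alerter.suppressed


def hours_since_start(entries):
    """Offsets in hours from T0, handy for reading the replay result."""
    return [(ts - T0).total_seconds() / 3600 for _, ts in entries]


if __name__ == "__main__":
    raised, suppressed = replay(SAMPLE_INCIDENTS)
    for kind, ts in raised:
        print(f"ALERT      {ts:%Y-%m-%d %H:%M} {kind}")
    for kind, ts in suppressed:
        print(f"suppressed {ts:%Y-%m-%d %H:%M} {kind}")
```

The window is keyed on incident type alone, as the bullet describes; the two suppressed entries are the repeated malicious-IP connections at 1h and 23h, while the connection at exactly 24h and the second malware incident are alerted again because their windows have elapsed.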