Workload Protection Policies

Prisma Cloud includes system default policies for protecting hosts and containers from runtime incidents and for detecting vulnerabilities on these workloads.

Enable Workload Policies

By default, the workload protection policies are disabled. You can enable these policies and use them in an alert rule for viewing alerts on runtime incidents and vulnerabilities.
  1. On the Policies page, filter on the Policy Type Workload Incident and Workload Vulnerability.
     These policies are assigned the Cloud Type Any, and cannot be cloned.
  2. Toggle the Status to enable the policies.
     Click a policy to view the details. Each policy provides a read-only view of the vulnerability management rules that power the protections. Use Manage Rules to view the details of each rule on the Compute tab. You can use the system default rules or custom vulnerability rules.
     For example, the Hosts detected with known Vulnerabilities policy has the corresponding rules on Compute > Defend > Vulnerabilities > Host.
  3. Use the workload policy in an alert rule.

Create an Alert Rule for Workload Policies

  1. Create a Resource List for Compute Access Group.
     Select Settings > Resource Lists > Add Resource List. See Compute Access Group.
  2. Create an alert rule.
     1. Select Alerts > Alert Rules > Add Alert Rule.
     2. Add a Name.
        Auto-remediation is not supported for Workload Incident and Workload Vulnerability policies. For details on the other optional settings, see Automations.
     3. Select Compute Access Group and choose one or more groups to assign to this rule.
     4. Assign policies.
        Only Workload Vulnerability and Workload Incident policies are available for Compute Access Groups. To include other policy types, see run-time checks for other resources.
     5. Review the summary and save your changes.
  3. Verify that the alert rule is working.
     You must have the Defender installed on the host or container image.
     1. Check for issues on a host or container image.
        To check for vulnerabilities on a host, select Compute > Monitor > Vulnerabilities > Hosts. Find the host name and review the details in the Vulnerabilities column.
     2. Check for alerts.
        Select Alerts > Overview, and set the Policy Type filter to Workload Vulnerability and Workload Incident.
        View the vulnerability count details for the violating resources.

Filter for Alerts Related to Workload Policies

After you create an alert rule, when a policy violation occurs, you can view the alert for the workload incidents and vulnerabilities along with all the other policies that detect run-time issues on the Prisma Cloud console.
  1. Select Alerts > Overview.
  2. Set the Filters for the alerts related to workload policies.
     Most of the filters are easy to interpret and use. The following filters take specific values for viewing alerts related to workloads, such as container images or hosts, that do not belong to cloud accounts onboarded to Prisma Cloud.
     • Cloud Account—Name of the cloud account if the account is onboarded in Prisma Cloud; choose None to filter on-premises workload resources.
     • Cloud Account ID—ID of the cloud account if the account is onboarded in Prisma Cloud; choose None to filter on-premises workload resources.
     • Cloud Service, Cloud Region, Cloud Type—Choose Other to filter container workloads.
