By Rusty Otto, Customer Success Engineer
Prisma Cloud not only offers insight into the configuration of your resources, it also provides visibility into the actions taking place within the cloud, whether those are tied to users (the audit logs) or to the traffic recorded in the flow logs. This is useful because you will want to review the actions your users are performing in the cloud, and to get a general idea of the traffic patterns seen in the flow logs. You can also investigate and alert on both user actions and network traffic. To get the most value out of Prisma Cloud, let's go over how to use these two sources for threat detection.
As far as setup goes, the audit logs require nothing extra: the permissions Prisma Cloud already has are sufficient to ingest them. Flow logs do require some specific steps before Prisma Cloud can ingest them; until those steps are completed in an account, Prisma Cloud has no network traffic visibility for that account. The steps vary per cloud provider and are listed in the onboarding documentation for each.
Prisma Cloud ingests the audit logs from the cloud providers, which gives you insight into the typical and, thanks to our anomaly policies, the not so typical actions of your users. To get an idea of the information you can search on, start a query with the cloud type and then the operation, as shown here -
event from cloud.audit_logs where cloud.type = 'aws' AND operation =
From there the auto-suggest will populate a list of operations. As always, you can type part of a name, like 'bucket', to see all related API actions that are ingested. With this in mind, you could create a policy that watches for specific destructive actions such as bucket deletion or instance termination -
event from cloud.audit_logs where cloud.type = 'aws' AND operation = 'DeleteBucket'
event from cloud.audit_logs where cloud.type = 'aws' AND operation = 'TerminateInstances'
There is a lot of flexibility in RQL, so you should be able to build a query for whatever you are trying to find, as long as you know what you are looking for.
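To show what the two audit-log queries above actually do with the underlying records, here is an added example, not Prisma Cloud's code, that runs the same check over a handful of constructed CloudTrail-style events. It assumes the field names AWS CloudTrail uses (eventName, userIdentity, errorCode); the ARNs, timestamps and IP addresses are made up. It also keeps one detail a practitioner wants: CloudTrail logs failed calls too, so a denied TerminateInstances still surfaces, flagged as unsuccessful.

```python
"""Audit-log detection in the spirit of the RQL above (added example).

Constructed CloudTrail-style records, not real data. Assumes the field
layout used by AWS CloudTrail (eventName, eventSource, userIdentity, errorCode).
"""
from collections import defaultdict

# Constructed sample records following CloudTrail's JSON field names.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "prod-backups"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"}},
    # A failed call: CloudTrail records it with an errorCode.
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

# The operations the page's example queries watch for, with a severity.
WATCHLIST = {"DeleteBucket": "high", "TerminateInstances": "high"}


def match_operations(events, watchlist=WATCHLIST):
    """Equivalent of: event from cloud.audit_logs where operation IN (...)."""
    findings = []
    for ev in events:
        op = ev.get("eventName")
        if op not in watchlist:
            continue
        findings.append({
            "time": ev["eventTime"],
            "operation": op,
            "actor": ev["userIdentity"]["arn"],
            "source_ip": ev.get("sourceIPAddress"),
            "severity": watchlist[op],
            # A denied destructive call is still worth seeing: it can mean
            # someone is probing what their credentials are allowed to do.
            "succeeded": "errorCode" not in ev,
        })
    return findings


def actors_summary(findings):
    """Group matches by actor so repeated or denied destructive actions stand out."""
    summary = defaultdict(lambda: {"succeeded": 0, "denied": 0})
    for f in findings:
        summary[f["actor"]]["succeeded" if f["succeeded"] else "denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for f in match_operations(SAMPLE_EVENTS):
        print(f)
    print(actors_summary(match_operations(SAMPLE_EVENTS)))
```

The RQL does the matching for you inside Prisma Cloud; the point of the script is the shape of the result you should expect back, and that a policy on these operations should not silently drop the failed attempts.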
Knowing that Prisma Cloud tracks the activity of users as well as network traffic within the clouds, it should be no surprise that this information is used to build policies mapped to the MITRE ATT&CK framework. This lets you investigate, and alert on, activity mapped to ATT&CK tactics such as Reconnaissance and Initial Access.
Network RQL provides an equally robust feature set that allows you to dive into the mountains of flow logs your accounts are sure to generate.
In addition to VPC flow logs, Prisma Cloud can also proactively look at resource configurations in the cloud to let you know which are potentially exposed to network traffic, based on network path analysis. Using both the flow logs (traffic that was actually observed) and the network path analyzer (traffic the configuration would allow) gives you more comprehensive coverage of your cloud environment. Some example network RQL -
View traffic originating from the Internet or suspicious IPs to resources, filtered by the resource's role -
network from vpc.flow_record where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'HTTP', 'AWS ELB', 'VM Instance' ) )
Find instances that are reachable from the Internet on cleartext protocol ports (FTP, Telnet, HTTP) -
network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' ) AND protocol = 'TCP' AND dest.port IN ( 21, 23, 80 )
As with any RQL, knowing what you want to find is key.
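As an added example (not Prisma Cloud's code), the following script applies the same logic as the two network queries above to a few constructed AWS VPC flow log records in the default version 2 format. It classifies each source as Internal, Internet IPs or Suspicious IPs and reports accepted TCP flows to the cleartext ports. The "suspicious" list, the account ID, interface ID and addresses are all made up; the internal ranges are assumed to be RFC 1918 plus loopback and link-local, whereas a real classifier would also know your VPC and peered CIDRs.

```python
"""Flow-log detection mirroring the network RQL above (added example).

Parses AWS VPC flow log version 2 records (the default 14-field format) and
flags accepted TCP traffic from Internet or suspicious sources to cleartext
service ports. The sample lines are constructed, not real traffic.
"""
import ipaddress

# Constructed VPC flow log v2 lines. Field order: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 80 6 10 1500 1714557600 1714557660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44321 23 6 3 180 1714557600 1714557660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44322 21 6 3 180 1714557600 1714557660 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.2.40 10.0.1.25 39000 80 6 20 4000 1714557600 1714557660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51235 443 6 10 1500 1714557600 1714557660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.11 10.0.1.25 51236 80 17 10 1500 1714557600 1714557660 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1714557600 1714557660 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]

# Ports the page's query treats as insecure: FTP, Telnet, HTTP (all cleartext).
CLEARTEXT_PORTS = {21, 23, 80}
TCP = 6  # flow logs carry the IANA protocol number, not the name

# Constructed stand-in for Prisma Cloud's 'Suspicious IPs' feed.
SUSPICIOUS_IPS = {"198.51.100.7"}

# Assumed internal address space: RFC 1918 plus loopback and link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_flow_log(text):
    """Yield one dict per usable record, skipping NODATA/SKIPDATA records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no addresses or ports to evaluate
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def classify_source(addr):
    """Rough equivalent of source.publicnetwork: 'Suspicious IPs', 'Internet IPs' or 'Internal'."""
    if addr in SUSPICIOUS_IPS:
        return "Suspicious IPs"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "Internal"
    return "Internet IPs"


def find_exposed_cleartext_services(text, ports=CLEARTEXT_PORTS):
    """Accepted TCP flows from outside to cleartext ports (the page's second query).

    Only ACCEPT records count: a REJECT means a security group or NACL dropped
    the traffic, so the port was probed but is not actually reachable.
    """
    hits = []
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT" or rec["protocol"] != TCP:
            continue
        if rec["dstport"] not in ports:
            continue
        origin = classify_source(rec["srcaddr"])
        if origin == "Internal":
            continue
        hits.append((rec["srcaddr"], origin, rec["dstaddr"], rec["dstport"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_cleartext_services(SAMPLE_FLOW_LOG):
        print("src=%s (%s) -> %s:%d" % hit)
```

Of the seven constructed records only two are reported: the HTTP flow from the Internet and the Telnet flow from the suspicious address. The FTP probe was rejected, the other port-80 flow is internal, the 443 flow is not on the list, the last ACCEPT is UDP, and the NODATA record carries nothing to evaluate. That ACCEPT-only filter is the difference between "someone tried" and "someone got through", and it is worth keeping in mind when you read the results of the RQL.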
Combining the flow logs and audit logs of your onboarded cloud accounts lets you monitor the activity in your cloud, rather than only its configuration. So make use of the flow log and audit information you have to get a full picture of your cloud presence; these insights will help you make informed decisions in securing your cloud environments.