Practical Guide: Mastering Alerts in Prisma Cloud

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L2 Linker

By Rusty Otto, Senior Customer Success Engineer

 

Prisma Cloud stands out as a comprehensive security solution by providing informative insights into cloud environments in the ever-evolving landscape of cloud security. You can have deeper visibility and control over your resources using Prisma Clouds’ many features, such as the Command Center, alerts based on resource configurations, events and actions in the cloud, and IAM capabilities. 

 

In this blog post, we'll explore these features and guide you on leveraging them to improve your cloud security posture.

 

The Command Center: Your Security Hub

 

The Command Center is a cornerstone of Prisma Cloud. It provides a unified view of the top cloud security incidents and risks discovered across your assets. It offers an overview of critical action items, combining visibility with the information presented in alerts or compliance areas to help prioritize your response. 

 

For new users, the Command Center is the perfect starting point. To get there, simply navigate to the Command Center tab from your Prisma Cloud dashboard. 

 

unnamed.png

Figure 1 : Command_Center_Palo-Alto-Networks

 

Decoding Alerts

 

Alerts in Prisma Cloud are more than simple notifications. They are integral to understanding your cloud environment. Prisma Cloud gathers information for the alerts from three main sources: resource configurations, events in the cloud audit logs, and traffic recorded in the flow logs. When investigating an alert, the alert’s source will inform you if a fix is available and how to handle any issues.

 

Config Alerts

 

Insecure configurations trigger config alerts. An open security group is a common cause for alerts. Security groups with allow-all rules pose a security risk, even when unattached, because they can be attached to an existing instance, allowing access to your assets. Once Prisma Cloud detects such a security group, it sends an alert.

 

Addressing this is straightforward. If auto-remediation is enabled, Prisma Cloud will automatically manage the violation by running an API command to remove the violating rule in the security group. This generates the alert in a 'Resolved' state for the Prisma Cloud administrator. 

 

Alternatively, you can manually address the security group via the CSP UI or other means. The alert will be resolved the next time Prisma scans the account because the new configuration will be noted.

 

Event/Network Alerts

 

Prisma Cloud also creates alerts based on user actions or network traffic, leveraging machine learning to create models for your organization’s typical behavior for each asset. It specifies models for your organization rather than from a list because each organization uses its assets differently, and what is typical for your organization may be atypical for another. 

 

For user action or network traffic alert types, no additional information is given via the cloud provider’s API to let Prisma Cloud know the alert should be marked as resolved. In either case, Prisma Cloud only knows whether the user took the action or the network traffic occurred. With this in mind, you must investigate the alerts to determine their nature and potential impact. Once the investigation is complete, you can dismiss the alerts within Prisma Cloud. 

 

rotto_1-1689102375736.png

Figure 2 : Event/Network_Alerts_Palo-Alto-Networks

 

IAM Alerts

 

With IAM, you can address a significant factor in many breach scenarios – roles & permissions with too much access. Overly permissive role permissions are often taken advantage of to perform actions that the role wasn't designed to allow but does. If not taken care of in a timely manner, this can lead to breaches, ransomware attacks, and data leaks.

 

In line with IAM best practices, Prisma Cloud can alert you to overly permissive roles so you can remediate them quickly and apply the correct permissions. 

 

These alerts are similar to network or activity-based alerts, as there is no signal from the CSP that they were resolved. Therefore, they require you or your team to address and dismiss them.

 

rotto_2-1689102379023.png

Figure 3 : IAM_Alerts_Palo-Alto-Networks

 

Leverage IAM Graph for Effective Permissions

 

The IAM Security module runs a proprietary algorithm to calculate the effective permissions of users across your cloud service providers. To showcase this, consider the following RQL query:

 

    config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'

 

rotto_3-1689102379622.png

Figure 4 : IAM_RQL_Query_Palo-Alto-Networks

 

This query checks for S3 buckets in your account accessible from the Internet. The results and IAM Graph help visualize the information, enabling more informed decision-making.

 

Putting It All Together

 

Given the different workflows and alert types, crafting a plan based on Prisma Cloud's insights is crucial. Depending on the type of alert, following the proper workflow to investigate and remediate will allow you to decrease the risk in your cloud environments and improve your overall security posture.  Additionally, every alert type offers the possibility of using the snooze function, giving you time to address other issues before returning to the alert. In summary, Prisma Cloud continually ingests and updates available information from the cloud providers about resources and their configurations while updating alerts accordingly. Utilizing these features and understanding how to navigate the alerts will put you in a strong position to improve your cloud security posture and get the fullest out of Prisma Cloud. 

 

About the Author

 

CSE's intro card (Rusty) (1).png

  • 4468 Views
  • 0 comments
  • 5 Likes
Register or Sign-in
Labels
Top Liked Authors