01-02-2024 07:48 AM
The "defended" status, attached to each Cloud Discovery discovered asset, is not reflecting the asset's actual defended status.
Across registry, serverless, hosts, etc., Prisma Cloud Discovery uses a loose definition to conclude the defended status of assets. For instance:
- Registry scans -> Looks at the registry settings: does it have a setting matching the name of the registry? Then it is considered "defended"
- Serverless scans -> Does the cloud account have serverless scan enabled? Then it is considered "defended"
- Containers/hosts -> Does the host have a defender? Then it is considered "defended"
What we have seen quite regularly is that this is not enough. More metrics must be employed before concluding an asset is indeed defended.
Practical examples we have faced:
- Registry Setting exists, but due to improper access credentials, the registry cannot be scanned. Cloud Discovery still shows it as defended.
- Accounts with Serverless Scan turned on appear as defended, when there are obvious issues collecting any data (see screenshots).
- Etc.
Suggestion: Use of reliable metrics before concluding an asset's "defended" status.
Have you come across this issue? Did you manage to solve it? If yes, how? If not, please consider upvoting the idea linked below.
Linked Idea: Use of reliable metrics | Prisma Cloud New Features Request Portal (aha.io)
Somewhat related LiveCommunity thread: Why are EKS Clusters defended with daemonsets NOT rendering in PCC/Manage/Defenders/Manage DaemonSet...