1. Overview

All Prisma Cloud administrative activities are logged.

Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. For every event, both the user name and source IP are captured.

For login activity, the following events are captured:

  • Every login attempt from the login page, including failures.

  • Every failed attempt to authenticate to the API. Successfully authenticated calls to the API are not recorded.

The full set of log data is available to anyone with a user role of auditor or higher.

To view the administrative history, open Console, then go to Manage > View Logs > History.

Settings and rule events show how a configuration has changed. Both the API endpoint, and a diff of the previous and current JSON objects are shown. The following screenshot shows the changes to a vulnerability rule:

admin activity audit trail diffs

Use the API reference to determine what has changed and how to interpret the meaning of the change. The /api/v1/policies/cve endpoint creates and modifies vulnerability rules. An id of 46 specifies how to handle vulnerabilities in OS packages. And minSeverity specifies the threshold for taking the action specified in block. In this case, user ian has changed the threshold for blocking containers with vulnerable OS packages from 9 (Critical) to 7 (High).