1. Overview

Without secure hosts, you cannot have secure containers. Host machines are a critical component in the container environment, and they must be secured with the same care as containers. Prisma Cloud Defender collects data about your hosts for monitoring and analysis.

Runtime host protection is designed to continuously report an up-to-date context for your hosts. You can set alerts for filesystem, process, network, log file events, and more. Some events, such as process executions, can be blocked.

2. Enabling host runtime protection

Runtime protection for hosts is enabled by default. When Defender is installed, it automatically starts collecting data about the underlying host. Prisma Cloud ships with a default rule named Default - alert on suspicious runtime behavior, which enables some basic monitoring. To see the rule, open Console, then go to Defend > Runtime > Host Policy.

As part of the default rule, Prisma Cloud Advanced Threat Protection (TATP) is enabled. TATP supplements runtime protection by alerting you when:

  • Malware is found anywhere on the host file system.

  • Connections are made to banned IP addresses.

  • Attempts to hijack execution flow is detected on the host.

Process monitoring is also enabled in the default rule, with both crypto miner detection and SSH session history enabled. To view the data collected, go to Monitor > Runtime > Host Observations, and select a host from the table.

3. Host runtime policy

Create new rules to enhance host protection. Go to Defend > Runtime > Host Policy, and click Add Rule.

host runtime rule

Rules can be scoped by:

  • Hostname.

  • Labels.

  • Cloud account.

For labels, Prisma Cloud supports AWS tags, as well as distro attributes. Distro attributes are designed for central security teams that manage the policies in Console, but have little influence over the operational practices of the groups that run apps in the environments being secured. If the central security team can’t rely on naming conventions or labels to apply policies that are OS-specific (e.g. different compliance checks for different OSs), they can leverage the distro attributes. Supported distro attributes are:

  • Distro name — "osDistro:<value>" (e.g. "osDistro:Ubuntu")

  • Distro version — "osVersion:<value>" (e.g. "osVersion:20.04")

3.1. Process monitoring

Process monitoring lets you alert or block specific processes by explicit policy. The Processes tab in the host runtime rule dialog has suggestions for processes known to aid exploits.

SSH history tracking can be disabled in this tab, where the hosts in scope are set in the General tab.

3.2. Log inspection

Prisma Cloud lets you collect and analyze operating systems and application logs for security events. For each inspection rule, specify the log file to parse and any number of inspection expressions. Inspection expressions support the RE2 regular expression syntax.

A number of predefined rules are provided for apps such as sshd, mongod, and nginx.

3.3. Networking

Prisma Cloud lets you secure host networking. You can filter DNS traffic and alert on inbound and outbound connections.

3.3.1. DNS

When DNS monitoring is enabled, Prisma Cloud filters DNS lookups. By default, DNS monitoring is disabled. Dangerous domains are detected as follows:

  • Prisma Cloud Intelligence Stream -- Prisma Cloud’s threat feed contains a list of known bad domains.

  • Explicit allow and deny lists — Host runtime rules let you augment the Prisma Cloud’s Intelligence Stream data with your own lists of known good and bad domains.

When DNS monitoring is enabled, configure how Defender handles DNS lookups:

  • Alert — Anomalous activity generates audits.

  • Prevent — Anomalous activity generates audits. Anomalous DNS lookups are dropped.

3.3.2. IP connectivity

You can raise alerts when inbound or outbound connections are established. Specify inbound ports, and outbound IPs and ports.

Outbound connections are event-driven, which means that as soon as a process attempts to establish a connection, you’ll be notified. Prisma Cloud polls inbound connections, which means you’ll be notified periodically, and not necessarily the moment an inbound connection is established.

3.4. Activities

Set up rules to audit host events.

4. File integrity management (FIM)

Changes to critical files can reduce your overall security posture, and they can be the first indicator of an attack in progress. Prisma Cloud FIM continually watches the files and directories in your monitoring profile for changes. You can configure to FIM to detect:

  • Reads or writes to sensitive files, such as certificates, secrets, and configuration files.

  • Binaries written to the file system.

  • Abnormally installed software. For example, files written to a file system by programs other than apt-get.

A monitoring profile consists of rules, where each rule specifies the path to monitor, the file operation, and exceptions.

runtime defense hosts fim rule

The file operations supported are:

  • Writes to files or directories. When you specify a directory, recursive monitoring is supported.

  • Reads. When you specify a directory, recursive monitoring isn’t supported.

  • Attribute changes. The attributes watched are permissions, ownership, timestamps, and links. When you specify a directory, recursive monitoring isn’t supported.

5. Monitoring

To view the data collected about each host, go to Monitor > Runtime > Host Observations, and select a host from the table.

5.1. Apps

The Apps tab lists the running programs on the host. New apps are added to the list only on a network event.

Prisma Cloud automatically adds some important apps to the monitoring table even if they don’t have any network activity, including cron and systemd.
host runtime apps

For each app, Prisma Cloud records the following details:

  • Running processes (limited to 10).

  • Outgoing ports (limited to 5).

  • Listening ports (limited to 5).

Prisma Cloud keeps a sample of spawned processes and network activity for each monitored app, specifically:

  • Spawned process — Processes spawned by the app, including observation timestamps, user name, process (and parent process) paths, and the executed command line (limited to 10 processes).

  • Outgoing ports — Ports used by the app for outgoing network activity, including observation timestamps, the process that triggered the network activery, IP address, port, and country resolution for public IPs (limited to 5 ports).

  • Listening ports — Ports used by the app for incoming network activity, including the listening process and observation timestamps (limited to 5 ports).

Proc events will add the proc only to existing apps in the profile. Defender will cache the runtime data, saving timestamps for each of the 10 processes last spawn time.

Limitations:

  • Maximum of 100 apps.

  • Last 10 spawned processes for each app.

5.2. SSH session history

The SSH events tab shows ssh commands run in interactive sessions, limited to 100 events per hour.

host runtime ssh history

5.3. Security updates

Prisma Cloud periodically checks for security updates. It’s implemented as a compliance check. This feature is supported only for Ubuntu/Debian distributions with the "apt-get" package installer.

Prisma Cloud probes for security updates every time the scanner runs (every 24 hours, by default). The check is enabled by default in Defend > Compliance > Hosts in the Default - alert on critical and high rule.

host runtime update compliance check

The security updates tab shows pending security updates (based on a new compliance check that was added for this purpose). Supported for Ubuntu and Debian

On each host scan, Prisma Cloud checks for available package updates marked as security updates. If such updates are found, they’re listed under the security updates tab.

6. Audits

Audits can be viewed under Monitor > Events.