1. Overview

Prisma Cloud provides runtime protection to ensure that processes that run in your environment meet the parameters of the learned models and the rules defined in Console. This article provides more information on the options available for tailoring the monitoring and response within the runtime rules.

Prisma Cloud ships with a rule named Default - alert on suspicious runtime behavior that enables runtime protection for processes by default. You can further refine your policy by creating additional custom rules that target specific resources, enable or disable protection features, and define exceptions to the automatically generated allow-list models.

2. Process rules

New runtime rules can be created in Console in Defend > Runtime > Container Policy. Click Add rule, specify a rule name and scope in the General tab, then select the Processes tab to define how Prisma Cloud handles new processes in running containers.

For more information on how rules are applied, and how models and rules are combined to create a resultant policy, see the article on runtime defense.

2.1. Effect

When behavior is detected that deviates from your runtime policy (resultant from the combination of your container model and your rules), Prisma Cloud Defender takes action. For processes, the Defender can be set into one of four modes.

  • Disable — Defender doesn’t provide any protection for processes.

  • Alert — Defender raises alerts when it detects process activity that deviates from your defined runtime policy. These alerts are visible in Monitor > Events > Container Audits.

  • Prevent — Defender stops the process (and just the process) that violates your policy from executing. This is known as discrete blocking.

  • Block — Defender stops the entire container if a process that violates your policy attempts to run.

Note that besides taking action on processes outside of the allow-list model, Defender also takes action when existing binaries that have been modified are executed. For example, an attacker might replace httpd (Apache) with an older version that can be exploited. Prisma Cloud raises alerts for each of the following cases:

  • A modified binary is executed,

  • A modified binary listens on a port,

  • A modified binary makes an outbound connection.

3. Detection

Prisma Cloud can detect anomalous process activity. These features can be independently enabled or disabled.

3.1. Detect crypto miners

Prisma Cloud can detect crypto miners. If detected, a crypto miner incident type is created in Incident Explorer. When this option is enabled, Defender takes action on this type of incident according to the configured effect.

3.2. Detect processes used for lateral movement

Prisma Cloud can detect processes, such as netcat, known to facilitate lateral movement between resources on a network. If detected, a lateral movement incident type is created in Incident Explorer. When this option is enabled, Defender takes action on this type of incident according to the configured effect.

3.3. Detect parent child process relationships

As part of the model, Prisma Cloud learns what processes are invoked, and the parent processes that triggered the invocation. If this option is enabled, Defender can act on processes that are invoked by a parent other than that which is specified by the model. This action may show up as an audit in a number of different incident types in Incident Explorer.

4. Explicitly allowed and denied processes

The fields for Explicitly allowed processes and Explicitly denied processes let you tailor your runtime models. Processes can be listed by name or MD5 hash.