1. Overview

Without secure hosts, you cannot have secure containers. Host machines are a critical component in the container environment, and they must be secured with the same care as containers. Prisma Cloud Defender collects data about your hosts for monitoring and analysis.

Runtime host protection is designed to continuously report an up-to-date context for your hosts. You can set detection for malware, network, log inspection, file integrity, activities and custom events. Some of the detected events can only be alerted on, while others can be prevented.

2. Host runtime policy

Runtime protection for hosts is enabled by default. When Defender is installed, it automatically starts collecting data about the underlying host. Prisma Cloud ships with a default rule named Default - alert on suspicious runtime behavior, which enables some basic monitoring. To see the rule, open Console, then go to Defend > Runtime > Host Policy.

Create new rules to enhance host protection. Go to Defend > Runtime > Host Policy, and click Add Rule.

  • Each rule is given a name that indicates the rule's target.

  • The scope of each rule is determined by the collection assigned to that rule.

  • Prisma Cloud uses rule order and pattern matching to determine which rule to apply for each workload.

Anti-malware provides a set of capabilities that let you alert on or prevent malware activity and exploit attempts.

The Prevent action for detection of file system events requires a Linux kernel version 4.20 or later.

2.1. Anti-malware

2.1.1. Global settings

  • Alert/prevent processes by path — Provides the ability to alert on or prevent execution of specific processes based on the process name or the full path of the binary from which the process is executed. Some common tools can be added easily by selecting their category.

  • Allow processes by path — Provides the ability to mark processes as safe to use based on the process name or full path. Processes added to this list will not be alerted on or prevented by any of the Malware runtime capabilities.

2.1.2. Anti-malware and exploit prevention settings

  • Crypto miners — Apply specific techniques for detection of crypto miners, alert on file creation, and alert or prevent their execution.

  • Non-packaged binaries created or run by service — Detect binaries created by a service without a package manager. Alert on file creation, and alert or prevent their execution.

  • Non-packaged binaries created or run by user — Detect binaries created by a user without a package manager. Alert on file creation, and alert or prevent their execution.

  • Processes running from temporary storage — Detect processes running from temporary storage (unexpected behavior for legitimate processes). Alert/prevent on file creation or execution.

  • Webshell attacks — Detect abuse of web server vulnerabilities to create a webshell. Alert on webshell creation, and alert or prevent execution of Linux command line tools from web servers.

  • Reverse shell attacks — Detect usage of reverse shells and generate an alert.

  • Execution flow hijack — Detect execution flow hijack attempts and generate an alert.

  • Encrypted/packed binaries — Detect usage of encrypted/packed binaries and generate an alert. These files trigger alerts because encrypted and packed binaries may be used as a method to deploy malware undetected.

  • Binaries with suspicious ELF headers — Detect binaries with suspicious ELF headers and generate an alert.

  • Malware based on custom feeds — Generate alerts for files classified as malware by their MD5.

  • Malware based on Prisma Cloud advanced threat — Generate alerts for files classified as malware by the Prisma Cloud advanced intelligence feed.

2.1.3. Advanced malware analysis

  • Malware based on WildFire analysis — Use WildFire, Palo Alto Networks' malware analysis engine, to detect malware and generate alerts. Currently, WildFire analysis is provided at no additional cost, but this may change in future releases. To use WildFire, it must first be enabled.

2.1.4. Host observations

  • Track SSH events — As part of the host observation capability, all SSH activity is tracked. Tracking is enabled by default and can be disabled with this toggle.

2.2. Networking

Networking gives customers a high level of granularity in controlling network traffic based on IP, port, and DNS. Customers can use their own custom rules or use Prisma Cloud advanced threat protection to alert on or prevent access to malicious sites.

2.2.1. IP connectivity

  • Allowed IPs — Create an approved list of IPs; access to them will not generate an alert.

  • Denied IPs and ports — Create lists of listening ports, outbound internet ports, and outbound IPs; access to them generates an alert.

  • Suspicious IPs based on custom feed — Generate alerts based on entries added to the list of suspicious or high risk IP endpoints under Manage > System > Custom feeds > IP reputation lists.

  • Suspicious IPs based on Prisma Cloud advanced threat protection — Generate alerts based on the Prisma Cloud advanced threat protection intelligence stream.

2.2.2. DNS

When DNS monitoring is enabled, Prisma Cloud filters DNS lookups. By default, DNS monitoring is disabled.

  • Allowed domains — Create an approved list of domains; access to them will not generate an alert or be prevented.

  • Denied domains — Create a list of denied domains; access to them will be alerted on or prevented.

  • Suspicious domains based on Prisma Cloud advanced threat protection — Generate alerts or prevent access to domains based on the Prisma Cloud advanced threat protection intelligence stream.

2.3. Log inspection

Prisma Cloud lets you collect and analyze operating system and application logs for security events. For each inspection rule, specify the log file to parse and any number of inspection expressions. Inspection expressions support the RE2 regular expression syntax.

A number of predefined rules are provided for apps such as sshd, mongod, and nginx.
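
Because inspection expressions are RE2, constructs such as lookaheads and backreferences are not available. The following added example (not Prisma Cloud code) uses Go's standard regexp package, which accepts RE2 syntax, to check candidate expressions and count how many lines of a sample log each one would flag. The expressions, log lines, and function names are constructed for illustration, and using Go's regexp as a stand-in for the product's matcher is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in sshd and nginx log styles (not from a real host).
const sampleLog = `Jan 10 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2
Jan 10 03:12:05 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Jan 10 03:12:09 web1 sshd[2230]: Failed password for root from 203.0.113.7 port 52150 ssh2
203.0.113.9 - - [10/Jan/2024:03:13:00 +0000] "GET /index.php?cmd=id HTTP/1.1" 200 512`

// CheckExpressions compiles each candidate expression with Go's regexp
// package (RE2 syntax). It returns the compiled expressions and, separately,
// the compile errors for expressions RE2 rejects, both keyed by expression.
func CheckExpressions(exprs []string) (map[string]*regexp.Regexp, map[string]error) {
	ok, bad := map[string]*regexp.Regexp{}, map[string]error{}
	for _, e := range exprs {
		re, err := regexp.Compile(e)
		if err != nil {
			bad[e] = err
			continue
		}
		ok[e] = re
	}
	return ok, bad
}

// CountMatches reports how many log lines each valid expression would flag.
func CountMatches(log string, compiled map[string]*regexp.Regexp) map[string]int {
	hits := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		for e, re := range compiled {
			if re.MatchString(line) {
				hits[e]++
			}
		}
	}
	return hits
}

func main() {
	exprs := []string{ // hypothetical inspection expressions
		`sshd\[\d+\]: Failed password for (invalid user )?\S+ from \S+`,
		`"(GET|POST) \S*[?&]cmd=`,
		`Failed password for (?!deploy)`, // lookahead: rejected by RE2
	}
	ok, bad := CheckExpressions(exprs)
	fmt.Println("matches:", CountMatches(sampleLog, ok))
	for e, err := range bad {
		fmt.Printf("rejected %q: %v\n", e, err)
	}
}
```

Running candidate expressions against a representative slice of the target log before adding them to a rule shows both syntax rejections and expressions that match more or fewer lines than intended.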

2.4. File integrity management (FIM)

Changes to critical files can reduce your overall security posture, and they can be the first indicator of an attack in progress. Prisma Cloud FIM continually watches the files and directories in your monitoring profile for changes. You can configure FIM to detect:

  • Reads or writes to sensitive files, such as certificates, secrets, and configuration files.

  • Binaries written to the file system.

  • Abnormally installed software. For example, files written to a file system by programs other than apt-get.

A monitoring profile consists of rules, where each rule specifies the path to monitor, the file operation, and exceptions.

The file operations supported are:

  • Writes to files or directories. When you specify a directory, recursive monitoring is supported.

  • Reads. When you specify a directory, recursive monitoring isn’t supported.

  • Attribute changes. The attributes watched are permissions, ownership, timestamps, and links. When you specify a directory, recursive monitoring isn’t supported.

2.5. Activities

Set up rules to audit host events.

2.6. Custom rules

For details on custom rules policy refer to this section.

3. Monitoring

To view the data collected about each host, go to Monitor > Runtime > Host Observations, and select a host from the table.

3.1. Apps

The Apps tab lists the running programs on the host. New apps are added to the list only on a network event.

Prisma Cloud automatically adds some important apps to the monitoring table even if they don’t have any network activity, including cron and systemd.

For each app, Prisma Cloud records the following details:

  • Running processes (limited to 10).

  • Outgoing ports (limited to 5).

  • Listening ports (limited to 5).

Prisma Cloud keeps a sample of spawned processes and network activity for each monitored app, specifically:

  • Spawned process — Processes spawned by the app, including observation timestamps, user name, process (and parent process) paths, and the executed command line (limited to 10 processes).

  • Outgoing ports — Ports used by the app for outgoing network activity, including observation timestamps, the process that triggered the network activity, IP address, port, and country resolution for public IPs (limited to 5 ports).

  • Listening ports — Ports used by the app for incoming network activity, including the listening process and observation timestamps (limited to 5 ports).

Process events add the process only to apps that already exist in the profile. Defender caches the runtime data, saving the last spawn time for each of the 10 processes.


  • Maximum of 100 apps.

  • Last 10 spawned processes for each app.

3.2. SSH session history

The SSH events tab shows SSH commands run in interactive sessions, limited to 100 events per hour.