Threat Detection on CloudDefense
Secure containers, CaaS (e.g., AWS Fargate), hosts, Kubernetes, and cloud infrastructure. Use machine learning (ML)-based detections to detect cryptojacking with 99% precision. Apply multi-layered defense with image profiling, Drift Control, and out-of-the-box policies based on open-source Falco. Automatically trigger response actions and notify the right teams immediately.

The dynamic, distributed nature of cloud environments often creates alerts that lack context at a volume that can overwhelm security teams. Attempting to correlate logs, API metadata and signature-driven alerts can quickly flood teams with false positives instead of actionable insight.

Read about our comprehensive approach to Threat Detection.

Our approach to threat detection

ML-based network anomaly detection

Prisma Cloud employs advanced ML to learn normal network behavior of each customer’s cloud environment to detect network anomalies and zero-day attacks effectively with minimal false positives.

Port scan and sweep detection

Detect common reconnaissance techniques, as catalogued in the MITRE ATT&CK Cloud Matrix, to facilitate remediation activities such as closing ports that were opened unintentionally.

DNS threat detection

Identify threats attempting to exploit your network with DNS-based attacks such as domain generation algorithm (DGA) traffic and cryptomining, all without changing your DNS infrastructure.

Unusual port and server activity detection

Spot unusual activities that adversaries typically employ to evade detection while looking for critical assets such as PII, financial information and other sensitive data in preparation for data exfiltration.

User and entity behaviour analytics (UEBA)

Users who access cloud environments can pose a significant threat if not continuously monitored for unusual activities that could signal possible credential or account compromise.

Anomalous compute provisioning detection

Learn the normal behavior of each user to detect anomalous compute provisioning activities, indicative of either accidental resource misuse or more sinister attacks like cryptojacking.

Insider threat detection

Discover suspicious behaviors such as excessive login failures that could signal compromised accounts, brute force attacks, and other behaviors that traditional security tools miss.

Suspicious user activity detection

Identify specific actions and surface correlated account data, both in real time and with historical context.

Detect and respond to threats across dynamic systems.


Threat intelligence-based threat detection policies

Leveraging Palo Alto Networks’ AutoFocus threat intelligence and proprietary security research, Prisma Cloud provides a comprehensive set of out-of-the-box policies to detect malicious network and user activities.

AutoFocus-based network threat detection

Out-of-the-box policies detect advanced and malicious network-based attacks such as DDoS, botnets, ransomware, remote access trojans, cryptomining and many more.

Policy-based network threat detection

Detect suspicious network activities such as database ports receiving traffic from the internet and outbound internet connectivity over TCP on insecure ports.

Policy-based detection of suspicious user activities

Alert on sensitive IAM and storage configuration activity, which is often a step in a multi-stage attack in progress.

Granular control on false positives & negatives

Unlike most basic ML-based threat detection solutions in the market, Prisma Cloud provides granular control for customers to make the appropriate tradeoffs between false positives and negatives that fit their business and security needs.

Alert Disposition

Choose Aggressive to minimize false negatives, Moderate for a good balance between false positives and negatives, or Conservative to minimize false positives.

Training Model Threshold

Choose Low to minimize the training period, Medium for a good balance between speed of detection and false positives, or High to minimize false positives.

Trusted List

Use a Trusted List of cloud services, IPs, machine IDs, tags and other attributes to suppress false-positive alerts on benign activities.
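The two policy checks named above (database ports receiving internet traffic, and outbound TCP to the internet on insecure ports) combined with Trusted List suppression, as an added example that is not CloudDefense's or Prisma Cloud's own code. The flow records and the trusted source IP are constructed; documentation-range addresses stand in for internet hosts, and anything outside RFC 1918 space is treated as "internet".

```python
import ipaddress

# Database listeners that should never receive traffic from the internet.
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 27017: "mongodb", 6379: "redis"}
# Cleartext TCP services that internal workloads should not reach out to.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
# RFC 1918 ranges; everything else counts as internet-facing for this policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a VPC-flow-log-like layout: src dst dstport proto action
SAMPLE_FLOWS = """\
203.0.113.7 10.0.1.20 3306 6 ACCEPT
10.0.1.5 10.0.1.20 3306 6 ACCEPT
198.51.100.9 10.0.2.11 27017 6 REJECT
10.0.1.20 203.0.113.50 23 6 ACCEPT
10.0.1.20 203.0.113.50 443 6 ACCEPT
192.0.2.44 10.0.1.20 5432 6 ACCEPT
"""

# Constructed trusted list: an external scanner whose probes are expected.
TRUSTED_SOURCES = frozenset({"192.0.2.44"})


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_flows(text: str, trusted=frozenset()):
    """Return (policy, src, dst, dport) for each accepted TCP flow that violates a policy."""
    findings = []
    for line in text.splitlines():
        src, dst, dport, proto, action = line.split()
        dport = int(dport)
        if proto != "6" or action != "ACCEPT":      # only accepted TCP flows count
            continue
        if dport in DB_PORTS and not is_internal(src) and is_internal(dst):
            if src in trusted:                      # Trusted List suppresses the alert
                continue
            findings.append(("db_port_from_internet", src, dst, dport))
        elif dport in INSECURE_PORTS and is_internal(src) and not is_internal(dst):
            findings.append(("insecure_port_to_internet", src, dst, dport))
    return findings


if __name__ == "__main__":
    for policy, src, dst, dport in evaluate_flows(SAMPLE_FLOWS, TRUSTED_SOURCES):
        print(f"{policy}: {src} -> {dst}:{dport}")
```

Without the trusted list the scanner's probe on port 5432 is a third finding; with it, only the two real violations remain.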

CloudDefense for Your CIEM and CSPM Needs

Leverage out-of-the-box detection policies

Save time with our rules mapped to the MITRE ATT&CK framework, NIST, and PCI, along with other container/Kubernetes runtime threat detection and cloud security policies. Detect and prevent container drift. Enhance detection with threat intelligence feeds.

Understand the Attack Surface

Detect risky behavior across accounts, users, and workloads. For example, be alerted if a user without MFA logs into your cloud account and performs malicious actions.

Detect and Respond to Fargate Runtime Security Threats

Detect suspicious activity and conduct incident response for AWS Fargate. Capture detailed activity, including commands, network connections, and file activity.

Detect cryptojacking and behavior anomaly using ML

Avoid hefty bills by detecting cryptojacking early with 99% precision. Detect container anomalies (syscalls, network connections, process, and file activity) with ML-based behavior profiling.

Secure your Linux hosts and VM workloads

Since the Sysdig agent hooks into the Linux kernel, it has visibility into all syscalls. This data can also be used to detect anomalous activity inside Linux hosts or VM-based workloads running on top of the host.

Enable auto-remediation

Automatically remediate incidents by triggering response actions, such as:

- Notifying when a violation occurs
- Pausing the container to quarantine
- Killing the container to stop the attack