Prisma Cloud Compute Audit Layout v3

Prisma Cloud Compute by Palo Alto Networks Incident

Details

IDPrisma Cloud Compute Audit Layout v3
Groupincident
Version-1
From Version6.10.0

Layout Structure

Incident Info 7 sections

Case Details

Field IDPosition
type Col 0-2, Height: 22
severity Col 0-2, Height: 22
owner Col 0-2, Height: 22
dbotsource Col 0-2, Height: 22
sourcebrand Col 0-2, Height: 22
sourceinstance Col 0-2, Height: 22
playbookid Col 0-2, Height: 22
externallink Col 0-2, Height: 22
itemowneremail Col 0-2, Height: 22

Team Members

Timeline Information

Field IDPosition
occurred Col 0-1, Height: 24
dbotmodified Col 0-1, Height: 24
dbotduedate Col 0-2, Height: 24
dbotcreated Col 1-2, Height: 24
dbotclosed Col 1-2, Height: 24

Incident Details

Field IDPosition
prismacloudcomputecategory Col 0-4, Height: 53
prismacloudcomputemessage Col 0-4, Height: 53
prismacloudcomputeimage Col 0-4, Height: 53
prismacloudcomputehost Col 0-4, Height: 53
prismacloudcomputefqdn Col 0-4, Height: 53
prismacloudcomputecontainer Col 0-4, Height: 53
prismacloudcomputeuser Col 0-4, Height: 53
prismacloudcomputeinteractive Col 0-4, Height: 53
prismacloudcomputerule Col 0-4, Height: 53
prismacloudcomputefunction Col 0-4, Height: 53
prismacloudcomputeregion Col 0-4, Height: 53
prismacloudcomputeruntime Col 0-4, Height: 53
prismacloudcomputeappid Col 0-4, Height: 53
prismacloudcomputeforensic Col 0-4, Height: 53
prismacloudcomputekubernetesresource Col 0-4, Height: 53
prismacloudcomputecommand Col 0-4, Height: 53
prismacloudcomputeservice Col 0-4, Height: 53
prismacloudcomputelogfile Col 0-4, Height: 53
prismacloudcomputeactivitytype Col 0-4, Height: 53
prismacloudcomputeline Col 0-4, Height: 53
prismacloudcomputelabels Col 0-4, Height: 53

Quick Actions

Quickly block suspected attacker domains and IPs to prevent immediate recomprimise of containers. This is particularly important for attacks against K8s applications. You may also block the runtime process for containers.

Field IDPosition
Col 0-2, Height: 44
Col 0-2, Height: 44
Col 0-2, Height: 44
Col 0-2, Height: 44
Col 0-2, Height: 44
Col 0-2, Height: 44

Wiki

Review the alert type and host details to determine who should be emailed for this particular deployment. Then proceed to 1. Container Alerts - review if there are multiple issues ongoing for the particular exploitation type. Check source IP address reputation and block if needed. 2. Forensics - review the processes currently running on the host and container. MD5s can be blocked via the Quick Action buttons on this page. 3. Compliance - determine if the asset owner needs to be notified of the vulnerabilities and compliance violations present on the system. 4. Policy Review - determine if there needs to be a policy update to make the WaaS more restrictive.

Linked Incidents

Container Alerts 3 sections

Similar Container Alerts

Field IDPosition
prismaaudittable Col 0-6, Height: 44

Linked Incidents

IP and File Indicators

Forensics 4 sections

Defender Logs

Field IDPosition
prismacloudcomputedefenderlogs Col 0-6, Height: 106

Backups and Forensic Bundles

Incident Files

Forensics

Compliance 3 sections

CVEs

Image Compliance Issues

Field IDPosition
prismacloudcomputemarkdown Col 0-4, Height: 44

Actions

The following actions can quickly generate an HTML summary report of the compliance and vulnerability issues for this incident and email it off to the appropriate team

Field IDPosition
Col 0-2, Height: 44
Col 0-2, Height: 44
Policy Review 2 sections

External Alerting Policy

Actions

Use this section to update the WaaS container policy which triggered this incident.

Field IDPosition
prismacloudcomputerule Col 0-2, Height: 22
prismacloudcomputecategory Col 0-2, Height: 22
Col 0-2, Height: 44
War Room 0 sections

No sections defined.

Work Plan 0 sections

No sections defined.

Evidence Board 0 sections

No sections defined.

Related Incidents 0 sections

No sections defined.

Canvas 0 sections

No sections defined.