1. Overview

This document explains logic behind runtime event aggregation in Prisma Cloud Compute.

When a high number of events of the same event type are reported on the same image in specific host, Prisma Cloud Compute starts aggregating them to avoid Console inflating with large number of similar audits.

For event aggregation to start, the following conditions must take place:

  • Events are generated on the same resource. Example: a specific image on a host.

  • Events generated are the same "Event Type" category (not specific audit). Example: Network / Unexpected Listening Port, Filesystem / Reg File Access etc.

  • More than 5 events satisfying the above conditions are reported within a 15 minutes timeframe.

When such report aggregation starts, a message with the same is recorded in the Events table.

Example

High rate of reg file access events, reporting aggregation started; last event: /sbin/apk wrote a suspicious file to /usr/lib/node_modules/npm/.apk.f64bd79770d6df713fa07ddeabb044bb3eb76ffb554c2dab. Command: apk add npm

Aggregation happens for 10 minutes, after which a message with the most recent audit is displayed.

Example

In the past 10 minutes, container /aqsa_high_alerts had 3 events of type unexpected listening port; The most recent event was: Container process /usr/local/bin/np is listening on unexpected port 8888

After aggregation period is completed, any new events that occur, are identified uniquely and go through the same logic above for aggregation as applicable.

runtime defense aggregation