Prisma Cloud Compute : Runtime Audit Event not generated when New file uploaded from Webshell

Created On 11/01/22 03:59 AM - Last Modified 02/22/23 09:58 AM


Symptom


  • A Runtime Audit Event is not generated when a new file is uploaded from a webshell.
Example
  • The default Runtime Rule is configured to detect any new file uploaded to /var/www/html/hackable/uploads.
  • The file is uploaded successfully from the GUI.
  • When a file is modified or a new file is added from the CLI, a Runtime Event is detected.
  • However, no Runtime Event is detected when a new file is uploaded from the webshell of the same application.


Environment


  • Prisma Cloud Compute


Cause


  • At this time, Prisma Cloud does not detect move events as part of its detection.
  • Only write events to files are detected. Moving a file is not really a "write" event, because it does not modify the file content.
  • This behaviour is expected and matches the current product design, where the main focus of filesystem (FS) runtime detection is to alert on a file being created or changed in a container, which is the root of an attack.
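
A compensating check for the gap described above, as an added example that is not Palo Alto Networks code or part of the original article: comparing periodic directory snapshots reports files that arrive by rename as well as by write. The `uploads` and `staging` directories and all file names are constructed, and the sketch assumes the upload handler stages the file elsewhere and renames it into place.

```python
import os
import tempfile

def snapshot(directory):
    """Map each regular file in `directory` to (inode, size, mtime_ns)."""
    state = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                state[entry.name] = (st.st_ino, st.st_size, st.st_mtime_ns)
    return state

def diff(before, after):
    """Return (new, changed, removed) file names between two snapshots."""
    new = sorted(n for n in after if n not in before)
    changed = sorted(n for n in after if n in before and after[n] != before[n])
    removed = sorted(n for n in before if n not in after)
    return new, changed, removed

def write_file(path, text):
    with open(path, "w") as handle:
        handle.write(text)

def demo():
    """Constructed scenario: one in-place write and two renames into the directory."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")  # stands in for the monitored path
        staging = os.path.join(root, "staging")  # assumed temp dir of the handler
        os.mkdir(uploads)
        os.mkdir(staging)
        write_file(os.path.join(uploads, "existing.txt"), "baseline")
        before = snapshot(uploads)

        # Case 1: file created by a write inside the monitored directory.
        write_file(os.path.join(uploads, "written.txt"), "written in place")
        # Case 2: file written elsewhere, then moved in (no write under uploads).
        write_file(os.path.join(staging, "moved.txt"), "written elsewhere")
        os.rename(os.path.join(staging, "moved.txt"), os.path.join(uploads, "moved.txt"))
        # Case 3: existing file replaced by a rename over it.
        write_file(os.path.join(staging, "existing.txt"), "replacement content")
        os.replace(os.path.join(staging, "existing.txt"), os.path.join(uploads, "existing.txt"))
        return diff(before, snapshot(uploads))

if __name__ == "__main__":
    new, changed, removed = demo()
    print("new:", new, "changed:", changed, "removed:", removed)
```

Run on a schedule against the monitored path, the diff surfaces the moved file and the replaced file that a write-only detection does not report.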


Resolution


  • If detection of file movement is required, it will be considered as an enhancement feature request.


Additional Information



