What types of Audit Events does Prisma Cloud capture in the Investigate Page?
Created On 02/20/23 21:59 PM - Last Modified 04/17/24 20:07 PM
Question
What types of Audit Events from CloudTrail does Prisma Cloud capture in the Investigate Page?
Environment
- Prisma Cloud
- Audit Logs
Answer
Prisma Cloud doesn't ingest read-only events. Most write events are ingested, with a few exceptions.
A List call, such as ListHostedZones, is a read-only event.
A write event could be, for example, CreateUser.
When you run an RQL query for a read-only event, the Investigate page will not display any results, because we do not ingest that data.
In AWS: CloudTrail > Event History > ListHostedZones
In Prisma Cloud: Investigate Page > Search Audit event
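An added example, not from the original article or from Prisma Cloud: a Python check that reads the `readOnly` field of CloudTrail records to predict whether an operation you plan to search for on the Investigate page should return results. The sample records are constructed, and `ExampleOperation` and the function names are hypothetical.

```python
import json

# Constructed sample in CloudTrail log-file format ("Records" array); not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "route53.amazonaws.com", "eventName": "ListHostedZones", "readOnly": True},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "readOnly": False},
    # Hypothetical operation with the flag omitted, to exercise the "unknown" path.
    {"eventSource": "example.amazonaws.com", "eventName": "ExampleOperation"},
]})

def classify(record):
    """Return 'read-only', 'write' or 'unknown' from a record's readOnly field."""
    flag = record.get("readOnly")
    if isinstance(flag, str):  # tolerate exports that carry the flag as text
        flag = {"true": True, "false": False}.get(flag.strip().lower())
    if flag is True:
        return "read-only"
    if flag is False:
        return "write"
    return "unknown"

def investigate_expectation(log_json, operations):
    """For each operation name, say whether an audit-event search should find it."""
    seen = {}
    for record in json.loads(log_json).get("Records", []):
        seen.setdefault(record.get("eventName"), set()).add(classify(record))
    verdicts = {}
    for op in operations:
        kinds = seen.get(op)
        if not kinds:
            verdicts[op] = "not in this log"
        elif kinds == {"read-only"}:
            verdicts[op] = "no results expected (read-only, not ingested)"
        elif "write" in kinds:
            # The article notes that a few write events are also not ingested.
            verdicts[op] = "results expected (write, barring the few exceptions)"
        else:
            verdicts[op] = "cannot tell (readOnly flag missing)"
    return verdicts

if __name__ == "__main__":
    ops = ["ListHostedZones", "CreateUser", "ExampleOperation", "DeleteUser"]
    for op, verdict in investigate_expectation(SAMPLE_LOG, ops).items():
        print(f"{op}: {verdict}")
```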
Additional Information
View our documentation on Audit Logs here.