Prisma Cloud Compute: Resolving Flood of runtime incidents that can occur after disabling CNNS settings from Radar
Created On 05/22/25 09:25 AM - Last Modified 02/18/26 16:42 PM
Symptom
- When disabling the CNNS settings from Radar (Radar > Settings > Network monitoring > Container Network Monitoring / Host Network Monitoring), there is a high chance that runtime incidents will flood in.
Environment
- Prisma Cloud and Compute
Cause
The issue arises due to the mechanism shift in how Defender tracks network activity when Network Monitoring is disabled in Prisma Cloud Radar settings.
- To understand this, we first need to know how Defender tracks network flow.
- Defender uses two mechanisms to monitor network flow:
  - Nfqueue (active when Network Monitoring is enabled)
  - Perf (active when Network Monitoring is disabled)
- Why Did Disabling Network Monitoring Cause a Flood of Runtime Incidents?
- While Network Monitoring was enabled, Defender was using Nfqueue, and Nfqueue does not track certain events, so the Container Model never had the opportunity to learn them.
- When Network Monitoring was disabled, Defender switched to Perf. In contrast, Perf does track these events, allowing the Container Model to learn them and classify them as legitimate over time.
- Because these events had not been learned previously, Defender flagged them as incidents, leading to a spike in runtime incidents.
- In Nfqueue mode, Defender does not track infrastructure containers, containers using host networking, or other containers where packet flow monitoring is unnecessary.
- In contrast, Perf behaves differently: it tracks additional connections, such as "Container queried kubelet API", and learns these behaviors through the Container Model so that they are classified as legitimate in the future.
- This difference creates a potential issue when switching from Nfqueue to Perf:
- If Defender starts in Nfqueue mode and then, after several hours, switches to Perf mode (due to Network Monitoring being disabled), it may raise false-positive incidents.
- This occurs because Perf will start detecting network events that were previously not tracked under Nfqueue, meaning Defender did not have the opportunity to learn them during the container’s learning period.
In summary:
The "Container queried kubelet API" event was occurring even before Network Monitoring was disabled. However, since Defender was using Nfqueue, it did not track this event, meaning it had no opportunity to learn it.
Once Network Monitoring was disabled, Perf became active, started tracking this event, and flagged it as an incident because it had not been learned previously.
Resolution
- First, call the API documented at https://pan.dev/compute/api/post-profiles-container-learn/ to put the containers into learning mode.
- While the containers are in learning mode, disable Container Network Monitoring and Host Network Monitoring (Radar > Settings > Disable Container / Host Network Monitoring).
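The following is an added example, not part of this article and not Prisma Cloud's own tooling: it performs the first resolution step through the Console API and then checks that no container model is still outside learning mode before an operator disables Network Monitoring in Radar. It assumes that the Console accepts HTTP basic auth, that the learn endpoint is POST /api/v1/profiles/container/learn with the body `{"state": "manualLearning"}`, and that GET /api/v1/profiles/container returns a JSON array of profiles with "image" and "state" fields; confirm the exact request body against the pan.dev page linked above.

```python
# Added example (assumptions labelled in comments), not code from the KB article.
import base64
import json
import urllib.request

LEARN_PATH = "/api/v1/profiles/container/learn"   # endpoint from the linked pan.dev page
PROFILES_PATH = "/api/v1/profiles/container"      # assumed: lists container profiles
LEARN_BODY = {"state": "manualLearning"}          # assumed request body, verify on pan.dev
LEARNING_STATES = ("learning", "manualLearning")  # assumed state strings


def _call(console, path, user, password, body=None, opener=urllib.request.urlopen):
    """Send one basic-auth request to the Console; returns (status, parsed JSON or None)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        console.rstrip("/") + path,
        data=data,
        method="POST" if body is not None else "GET",
        headers={"Authorization": "Basic " + cred, "Content-Type": "application/json"},
    )
    with opener(req) as resp:            # opener is injectable so the flow can be tested offline
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def set_models_learning(console, user, password, opener=urllib.request.urlopen):
    """Resolution step 1: ask the Console to put all container models into learning mode."""
    status, _ = _call(console, LEARN_PATH, user, password, LEARN_BODY, opener)
    return status == 200


def models_not_learning(console, user, password, opener=urllib.request.urlopen):
    """Pre-check for step 2: (image, state) of every model that is still not learning."""
    _, profiles = _call(console, PROFILES_PATH, user, password, opener=opener)
    return [(p.get("image"), p.get("state")) for p in (profiles or [])
            if p.get("state") not in LEARNING_STATES]


def safe_to_disable_monitoring(console, user, password, opener=urllib.request.urlopen):
    """True only when the learn call succeeded and every model reports a learning state."""
    if not set_models_learning(console, user, password, opener):
        return False
    return not models_not_learning(console, user, password, opener)


if __name__ == "__main__":
    import sys   # usage: python3 this.py https://console.example:8083 <user> <password>
    if safe_to_disable_monitoring(*sys.argv[1:4]):
        print("All container models are learning; disable Network Monitoring in Radar now.")
    else:
        print("Some models are not in learning mode yet; do not disable monitoring.")
```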