Threat Detection

Prisma Cloud detects advanced threats, zero-day attacks, and anomalies across multicloud environments

The dynamic, distributed nature of cloud environments often creates alerts that lack context at a volume that can overwhelm security teams. Attempting to correlate logs, API metadata and signature-driven alerts can quickly flood teams with false positives instead of actionable insight.

Read about our comprehensive approach to Threat Detection.

Threat detection powered by ML and threat intelligence

Prisma Cloud uniquely combines advanced machine learning with threat intelligence such as Palo Alto Networks AutoFocus, Tor exit node lists and other sources to identify the tactics and techniques in MITRE ATT&CK's Cloud Matrix with high efficacy while minimizing false positives. This lets security teams focus their investigation and remediation effort on the most critical incidents without getting bogged down by alert storms.
  • Employ unsupervised machine learning
  • Integrate with best-of-breed threat intelligence
  • Detect known and unknown threats
  • Network anomaly detection
  • User and entity behavior analytics
  • Threat intelligence-based threat detection
  • Granular control on false positives and negatives


Our approach to Threat Detection

ML-based network anomaly detection

Prisma Cloud employs advanced ML to learn normal network behavior of each customer’s cloud environment to detect network anomalies and zero-day attacks effectively with minimal false positives.

  • Port scan and sweep detection

    Detect common reconnaissance techniques per MITRE ATT&CK Cloud Matrix to facilitate remediation activities such as closing ports opened unintentionally.

  • Unusual port and server activity detection

    Spot unusual activities which adversaries typically employ to evade detection while looking for critical assets such as PII, financial information and others in preparation for data exfiltration.

  • DNS threat detection

    Identify threats attempting to exploit your network with DNS-based attacks such as domain generation algorithm (DGA) and cryptomining – all without changing your DNS infrastructure.


User and entity behavior analytics (UEBA)

Users who access cloud environments can pose a significant threat if not continuously monitored for unusual activities that could signal possible credential or account compromise. Prisma Cloud continuously monitors and learns each user's activities to identify what’s normal, and then alerts on any behaviors that deviate from that baseline.

  • Anomalous compute provisioning detection

    Learn the normal behavior of each user to detect anomalous compute provisioning activities, indicative of either accidental resource misuse or more sinister attacks such as cryptojacking.

  • Insider threat detection

    Discover suspicious behaviors such as excessive login failures that could signal compromised accounts, brute-force attacks and other activity that traditional security tools miss.

  • Suspicious user activity detection

    Identify specific actions and surface correlated account data, both in real time and with historical context.


Threat intelligence-based threat detection policies

Leveraging Palo Alto Networks' AutoFocus threat intelligence and proprietary security research, Prisma Cloud provides a comprehensive set of out-of-the-box policies to detect malicious network and user activities.

  • AutoFocus-based network threat detection

    Out-of-the-box policies to detect advanced, malicious network-based attacks such as DDoS, botnets, ransomware, remote access trojans, cryptomining and many more.

  • Policy-based network threat detection

    Detect suspicious network activities such as database ports receiving internet traffic and internet connectivity via TCP over an insecure port.

  • Policy-based detection of suspicious user activities

    Alert on sensitive IAM and storage configuration changes, which are often steps of a multi-stage attack in motion.


Granular control on false positives & negatives

Unlike most basic ML-based threat detection solutions on the market, Prisma Cloud gives customers granular control to make the trade-off between false positives and false negatives that fits their business and security needs.

  • Alert Disposition

    Choose Aggressive to minimize false negatives, Moderate for a good balance between false positives and negatives, or Conservative to minimize false positives.

  • Training Model Threshold

    Choose Low to minimize the training period, Medium for a good balance between speed of detection and false positives, or High to minimize false positives.

  • Trusted List

    Use the Trusted List (cloud service, IP, machine ID, tag and others) to prevent false-positive alerts on benign activities.
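As an added illustration (not Prisma Cloud's code; the flow records and threshold values below are constructed), this toy per-source baseline shows how the Alert Disposition, Training Model Threshold and Trusted List knobs described above trade false positives against false negatives on a simulated port sweep:

```python
from collections import defaultdict

# Constructed training window: (source IP, destination port) flows that define "normal".
TRAINING = ([("10.0.1.5", p) for p in (443, 443, 80, 443, 8443)]
            + [("10.0.2.9", p) for p in (5432, 5432, 5432)]
            + [("10.0.9.1", 22)] * 2)

# Constructed observation window: 10.0.1.5 sweeps 20 new ports, 10.0.2.9 behaves
# normally, and 10.0.9.1 (an authorised vulnerability scanner) touches 199 ports.
OBSERVED = ([("10.0.1.5", p) for p in range(20, 40)]
            + [("10.0.2.9", 5432), ("10.0.2.9", 5432)]
            + [("10.0.9.1", p) for p in range(1, 200)])

TRUSTED = {"10.0.9.1"}  # Trusted List entry: suppress alerts for this source

# Knobs modelled on the page's settings; the numbers are assumptions for the example.
# Disposition = how many previously unseen destination ports it takes to raise an alert.
DISPOSITION = {"Aggressive": 3, "Moderate": 10, "Conservative": 50}
# Training threshold = how many training flows a source needs before it is scored at all.
TRAINING_THRESHOLD = {"Low": 1, "Medium": 5, "High": 20}


def learn_baseline(flows):
    """Return (known ports per source, training flow count per source)."""
    ports, counts = defaultdict(set), defaultdict(int)
    for src, dport in flows:
        ports[src].add(dport)
        counts[src] += 1
    return ports, counts


def detect(flows, baseline, disposition="Moderate", training="Low", trusted=frozenset()):
    """Return {source: number of new ports} for sources that deviate enough to alert."""
    known, counts = baseline
    limit, min_flows = DISPOSITION[disposition], TRAINING_THRESHOLD[training]
    seen = defaultdict(set)
    for src, dport in flows:
        seen[src].add(dport)
    alerts = {}
    for src, ports in seen.items():
        # Trusted List suppression, or the model is still training for this source.
        if src in trusted or counts[src] < min_flows:
            continue
        new_ports = len(ports - known[src])
        if new_ports >= limit:
            alerts[src] = new_ports
    return alerts
```

Moving the disposition from Aggressive to Conservative makes the 20-port sweep disappear (fewer false positives, more false negatives), while the Trusted List removes the scanner regardless of disposition.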

Prisma Cloud
Prisma Cloud delivers the industry’s broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across multi- and hybrid-cloud environments.

Cloud Security Posture Management modules

  • Continuously monitor all cloud resources for misconfigurations, vulnerabilities and other security threats. Simplify compliance reporting.

  • Pinpoint the highest-risk security issues using ML-powered and threat intelligence-based detection with contextual insights.

  • Continuously monitor cloud storage for security threats, govern file access and mitigate malware attacks.
