# Enhancing UEBA with Compute Provisioning Anomaly Detection

By [Rachel Deng](https://www.paloaltonetworks.com/blog/author/rachel-deng/?ts=markdown "Posts by Rachel Deng"), Jun 10, 2021, 5 minutes. [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown), [UEBA](https://www.paloaltonetworks.com/blog/tag/ueba/?ts=markdown)

While we tend to talk about them as if they were a single entity, cloud environments are typically composed of multiple accounts across different global regions, with many users that have varying levels of privileged access. It is this complexity that heightens the risk of compromised credentials and insider threats.
[User and Entity Behavior Analytics (UEBA)](https://blog.paloaltonetworks.com/2020/01/cloud-ueba/) is one of the components that help reduce those risks. However, traditional [UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba) tools fail to adapt to users' ever-changing behavioral patterns in multi-cloud environments. Prisma Cloud's UEBA functionality addresses this with machine learning (ML) techniques that recognize unusual user activity, [brute force](https://www.paloaltonetworks.com/cyberpedia/brute-force) anomalies and login anomalies. To further strengthen these efforts, we are introducing compute provisioning anomaly detection, which targets one of the top challenges facing cloud security teams: spotting compute that is being provisioned outside an organization's normal pattern.

## The Challenges of Tracking Increased Compute Usage

Gartner [predicts](https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021) that cloud spending on Infrastructure-as-a-Service (IaaS) will [reach $82 billion in 2021](https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021). Typically, [about two-thirds of the public cloud bill](https://www.parkmycloud.com/blog/cloud-computing-growth/) is spent on compute (VMs), which works out to roughly $54.7 billion. At that level of spending, abnormal usage is easy to miss. For example, if an organization spends $10M a year on VMs, an internal user who, accidentally or maliciously, spins up VMs costing another $50K adds less than 1% to total spend and is easily overlooked. By the same logic, an attacker who has gained a foothold in the environment could spin up hundreds of VMs at a time without anyone noticing.
Suspicious provisioning of compute resources is often a precursor to the creation of an unauthorized network of compute instances for [cryptojacking purposes](https://www.paloaltonetworks.com/blog/prisma-cloud/waas-cryptojacking-microservice-based-web-apps/). Cryptojacking is the illegal mining of cryptocurrencies on systems that are not owned or maintained by the mining operators. As cryptocurrencies such as Bitcoin and Ethereum reach all-time highs, criminal organizations are highly incentivized to cash in on this profitable global market by such means. Unit 42 researchers estimate that cryptojacking operations currently affect [23% of cloud environments](https://unit42.paloaltonetworks.com/highlight-cloud-threat-report-iam/), up from 8% in 2018. What's more, anomalous compute provisioning can be the first visible sign of a broader cloud account compromise.

## Detecting Anomalous Compute Provisioning with Prisma Cloud

Prisma Cloud uses cloud audit logs to perform UEBA and identify unusual user activity. Machine learning algorithms profile user activity and access key usage by location and by the type of cloud resource involved, which sets the baseline for "normal" activity patterns. By chaining activities together and correlating them with additional [resource visibility data](https://www.paloaltonetworks.com/prisma/comprehensive-cloud-native-security-demo), Prisma Cloud decides whether an activity is unusual. The key to detecting anomalous compute provisioning, then, is defining what constitutes an organization's normal boundaries. In the datacenter world, establishing a "normal compute resource usage" pattern was relatively straightforward; in the cloud it is far more difficult.
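As an added illustration (not Prisma Cloud's code, model or data), the Python sketch below shows the shape of the approach just described: build a per-principal baseline from audit events, then score a recent window against it. It also folds in the Tor exit node and multi-region signals the post discusses next, and the conservative, moderate and aggressive alert dispositions covered under customization. The audit events, the "Tor exit node" addresses, the scoring weights and the severity thresholds are all constructed for the example.

```python
"""Added example: baseline-and-deviation scoring of compute provisioning events.
All events, IP addresses, weights and thresholds below are constructed for
illustration; none of it is Prisma Cloud's model or data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for a Tor exit node feed (documentation-range addresses).
TOR_EXIT_NODES = {"203.0.113.7", "203.0.113.9", "198.51.100.42"}

# Which severities each alert disposition surfaces.
DISPOSITION = {
    "conservative": {"high"},
    "moderate": {"medium", "high"},
    "aggressive": {"low", "medium", "high"},
}


def make_event(ts, principal, region, ip, count):
    """One RunInstances-style audit record; `count` is instances launched by that call."""
    return {"ts": ts, "principal": principal, "region": region, "ip": ip, "count": count}


# Constructed baseline: ten days of a CI principal launching 2-4 instances per
# scheduled deploy in two home regions from a fixed corporate egress IP.
BASELINE = [
    make_event(f"2021-05-{d:02d}T{h:02d}:00", "ci-deployer", region, "192.0.2.10", 2 + h % 3)
    for d in range(1, 11)
    for h, region in ((9, "us-east-1"), (13, "us-west-2"), (17, "us-east-1"))
]

# Constructed suspect window: the same principal, one hour, three never-used
# regions, 90 instances per call, each call arriving from a Tor exit node.
SUSPECT = [
    make_event("2021-05-12T03:00", "ci-deployer", region, ip, 90)
    for region, ip in (
        ("ap-southeast-1", "203.0.113.7"),
        ("sa-east-1", "203.0.113.9"),
        ("eu-north-1", "198.51.100.42"),
    )
]

EMPTY_PROFILE = {"regions": frozenset(), "mean": 0.0, "std": 0.0}


def build_profiles(events):
    """Per principal: regions seen and the distribution of instances launched per hour."""
    hourly = defaultdict(lambda: defaultdict(int))  # principal -> hour -> instances
    regions = defaultdict(set)
    for e in events:
        hourly[e["principal"]][e["ts"][:13]] += e["count"]
        regions[e["principal"]].add(e["region"])
    profiles = {}
    for p, hours in hourly.items():
        counts = list(hours.values())
        profiles[p] = {"regions": regions[p], "mean": mean(counts), "std": pstdev(counts)}
    return profiles


def score_window(profile, window):
    """Score one principal's events in one hour; returns (severity or None, reasons)."""
    total = sum(e["count"] for e in window)
    new_regions = {e["region"] for e in window} - profile["regions"]
    tor_ips = {e["ip"] for e in window} & TOR_EXIT_NODES
    ceiling = profile["mean"] + 3 * profile["std"]  # volume baseline: mean + 3 sigma
    score, reasons = 0, []
    if total > ceiling:
        score += 2 if total > 10 * max(ceiling, 1.0) else 1
        reasons.append(f"{total} instances in an hour vs baseline ceiling {ceiling:.1f}")
    if new_regions:
        score += 2 if len(new_regions) >= 3 else 1
        reasons.append(f"regions never used by this principal: {sorted(new_regions)}")
    if tor_ips:
        score += 2
        reasons.append(f"calls from Tor exit nodes: {sorted(tor_ips)}")
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low" if score else None
    return severity, reasons


def detect(baseline, recent, disposition="moderate"):
    """Group recent events per principal and hour, score each group, apply the disposition."""
    profiles = build_profiles(baseline)
    windows = defaultdict(list)
    for e in recent:
        windows[(e["principal"], e["ts"][:13])].append(e)
    alerts = []
    for (principal, hour), events in sorted(windows.items()):
        # A principal with no history gets an empty profile, so every region counts as new.
        severity, reasons = score_window(profiles.get(principal, EMPTY_PROFILE), events)
        if severity in DISPOSITION[disposition]:
            alerts.append({"principal": principal, "hour": hour, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE, SUSPECT, "conservative"):
        print(alert)
```

Running the module scores the constructed burst as high severity on all three signals (volume far above the baseline ceiling, three regions the principal has never used, and Tor exit node sources), so it surfaces even under the conservative disposition; a single hour at six instances in a home region scores only low and is surfaced only under the aggressive disposition. A real system would draw the baseline from weeks of audit logs and take the Tor list from a maintained feed rather than the constants used here.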
Thanks to cloud bursting, [CI/CD](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security), blue/green and dark deployments, cloud compute resources are constantly being spun up and torn down. Basic ML-based solutions are often tripped up by these usage patterns, generating large numbers of false positives and ultimately causing alert fatigue. To properly identify accidental or malicious compute provisioning, an ML-based solution needs to weigh additional factors: Did the user hide their identity behind the Tor anonymity network? Did the user provision the compute resources from multiple geographic locations in the hope of evading detection?

Let's look at some real-world examples. The chart below plots an actual attack on a Prisma Cloud customer. Although it lasted only four hours, the new compute provisioning anomaly detection identified it. The attacker used a managed Kubernetes service to create over 2,000 cloud instances (with an estimated cost of $55K per day) across 24 global regions, connecting through 40 Tor exit nodes. Prisma Cloud detected the anomaly because it had already learned the normal behavior of the organization's users.

![Bar chart showing a sudden increase of compute instances](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/06/word-image-61.png)

Another customer example involves a failed attack. An employee accidentally posted a private key on GitHub, and within minutes there were attempts from three Tor exit nodes to use the key to create 50 compute instances. The attempts were blocked by constraints the DevOps team had set on the Google Cloud account, and Prisma Cloud detected the unusual activity and prompted the customer to delete the exposed key.

## Customizing Prisma Cloud Threat Detection

Prisma Cloud Threat Detection is powered by highly customizable ML techniques and multiple threat intelligence sources.
We understand that the threshold for suspicious activity varies across industries and organizations, so in addition to alert rules and trusted lists, customers can set the alert disposition for anomalous compute provisioning activity. The conservative setting generates alerts only for high severity incidents, moderate alerts on medium and high severity incidents, and aggressive alerts on all three severities (low, medium and high).

![Alert disposition options as they appear in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/06/word-image-62.png)

Setting alert disposition for anomalous compute provisioning activity

## Next Steps

Compute provisioning anomaly detection is available now and can be found in the Policies tab of the Prisma Cloud console. With these enhanced threat detection capabilities, Prisma Cloud provides customers with some of the most comprehensive [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) capabilities in the industry. To learn more about operationalizing CSPM strategies, check out our white paper, [Guide to CSPM Tools](https://www.paloaltonetworks.com/resources/ebooks/guide-to-cloud-security-posture).