PCSUP-10244 #809

Open
wants to merge 1 commit into
base: main
Expand Up @@ -318,19 +318,19 @@ For these types of events, activity in the attached session won't be allowed if

Prisma Cloud can detect anomalous process activity. You can independently set different effects for each feature.

- *Processes started from modified binaries* -- Detect when binaries from a container image have been modified and executed.
- *Processes started from modified binaries* -- Detect when a modified process was spawned. A modified process indicates that binaries from a container image were modified and executed after the container was started.

- *Crypto miners* -- Prisma Cloud can detect crypto miners.
If detected, a xref:../runtime-defense/incident-types/crypto-miners.adoc#[crypto miner incident type] is created in Incident Explorer.
When this option is enabled, Defender takes action on this type of incident according to the configured <<effect,effect>>.

- *Reverse shell attacks* -- Detect usage of xref:../runtime-defense/incident-types/reverse-shell.adoc[reverse shell].
- *Reverse shell attacks* -- Detect that a process was identified as running a reverse shell, which is a method used by attackers for gaining access to a victim’s system. If detected, a xref:../runtime-defense/incident-types/reverse-shell.adoc#[Reverse Shell Incident] type is created in Incident Explorer. You can *Enable* and *Disable* this detection using the *Reverse shell attacks* toggle under the Runtime rule Processes/Anti-malware tab.

- *Detect processes used for lateral movement* -- Prisma Cloud can detect processes, such as netcat, known to facilitate lateral movement between resources on a network.
If detected, a xref:../runtime-defense/incident-types/lateral-movement.adoc#[lateral movement incident type] is created in Incident Explorer.
When this option is enabled, Defender takes action on this type of incident according to the configured <<effect,effect>>.

- *Processes started with SUID* -- Detect suspicious privilege escalation by watching for binaries with the setuid bit.
- *Processes started with SUID* -- Detect suspicious privilege escalation by watching for binaries with the setuid bit that are executed. You can *Enable* and *Disable* this detection using the *Processes started with SUID* toggle under the Runtime rule Processes tab.
+
Explicitly allowed processes from your runtime policy and learned processes from your runtime models bypass this control.
For example, if `ping` is added to the container's runtime model during the learning period, `ping` is permitted to run regardless of how this control is set.
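Review bot: In the updated *Reverse shell attacks* item, "Detect that a process was identified as running a reverse shell" is redundant; suggest "Detect when a process is identified as running a reverse shell". On the same line the xref text is `[Reverse Shell Incident] type`, so the rendered sentence reads "a Reverse Shell Incident type is created" with the link cutting across the phrase, whereas the crypto miner and lateral movement items above use the whole lowercase phrase as the link text (`[crypto miner incident type]`, `[lateral movement incident type]`); changing it to `xref:../runtime-defense/incident-types/reverse-shell.adoc#[reverse shell incident type]` keeps the three items parallel. The two newly documented toggle locations also disagree: the reverse shell toggle is placed under "the Runtime rule Processes/Anti-malware tab" while the SUID toggle is under "the Runtime rule Processes tab"; please confirm which tab name is correct and use the same form in both. Minor: in the *Processes started with SUID* item, "binaries with the setuid bit that are executed" reads more clearly as "the execution of binaries that have the setuid bit set".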