Prisma Cloud No Alerts are Generated
Created On 12/31/18 15:42 PM - Last Modified 03/14/22 20:07 PM
Symptom
No alerts can be found in the Prisma Cloud platform.
Environment
Prisma Cloud
Cause
There are a number of reasons why alerts do not appear in Prisma Cloud:
- There are no Cloud Accounts defined
- Cloud Accounts do not belong to any Account Groups
- Alert Rules do not exist or are not defined properly
- Policies have been disabled
- Metadata Collector or Config Scanner did not run yet
Resolution
There are no Cloud Accounts defined
- Log in to Prisma Cloud
- Go to Settings (top-right, gear symbol) > Cloud Accounts
- Check if any Cloud Accounts are defined. If not, create a new Cloud Account and assign it to at least one Account Group (recommended: Default Account Group)
- Wait for Prisma Cloud to scan and generate alerts
Cloud Accounts do not belong to any Account Groups
- Log in to Prisma Cloud
- Go to Settings (top-right, gear symbol) > Account Groups
- Check if Cloud Accounts have been assigned to any Account Groups. If not, then edit or create an Account Group to include your Cloud Accounts
- Wait for Prisma Cloud to scan and generate alerts
Alert Rules do not exist or are not defined properly
- Log in to Prisma Cloud
- Go to Alerts > Alert Rules
- Ensure that at least one Alert Rule exists. If not, then create a new one.
- Check the Alert Rules to make sure that:
  - Desired Account Group(s) are selected
  - Advanced settings are not configured to exclude your account
  - Advanced settings are not configured to disable relevant regions
  - Desired policies are selected
- Wait for Prisma Cloud to scan and generate alerts
Policies have been disabled
- Log in to Prisma Cloud
- Go to Policies
- Ensure that the policies are enabled. If not, enable them
- Wait for Prisma Cloud to scan and generate alerts
Metadata Collector or Config Scanner did not run yet
Prisma Cloud needs to run Metadata Collector to scan resources, then Config Scanner to generate the alerts. The entire process can take up to two hours to run (depending on load). If all configuration has been verified and no alerts are generated after two hours, please contact Palo Alto Networks support.
Tip: Run RQL statements on the Investigate page or check the Dashboard > Asset Inventory page to determine whether resources have been ingested. This can help with isolating the root cause.
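The configuration checks in the Resolution section, applied in the same order to a snapshot of tenant settings. This is an added example, not Palo Alto Networks code; the snapshot layout and every field name in it are assumptions made for illustration, not the Prisma Cloud API schema.

```python
# Added example; the snapshot layout and field names are hypothetical,
# not the Prisma Cloud API schema.
def diagnose_no_alerts(snap):
    """Return the article's causes that apply, in the article's order."""
    accounts, rules = snap.get("cloud_accounts", []), snap.get("alert_rules", [])
    if not accounts:
        return ["There are no Cloud Accounts defined"]
    causes = []
    # Which account groups contain each cloud account?
    member = {a["id"]: set() for a in accounts}
    for g in snap.get("account_groups", []):
        for acct_id in g.get("account_ids", []):
            member.setdefault(acct_id, set()).add(g["id"])
    if any(not member[a["id"]] for a in accounts):
        causes.append("Cloud Accounts do not belong to any Account Groups")

    def covered(acct):
        # A rule covers an account when it targets one of its groups, does not
        # exclude the account or all of its regions, and selects policies.
        for r in rules:
            if not member[acct["id"]] & set(r.get("account_group_ids", [])):
                continue
            if acct["id"] in r.get("excluded_account_ids", []):
                continue
            if set(acct.get("regions", ["*"])) <= set(r.get("excluded_regions", [])):
                continue
            if r.get("policy_ids"):
                return True
        return False

    grouped = [a for a in accounts if member[a["id"]]]
    if not rules or not all(covered(a) for a in grouped):
        causes.append("Alert Rules do not exist or are not defined properly")
    enabled = {p["id"] for p in snap.get("policies", []) if p.get("enabled")}
    selected = {pid for r in rules for pid in r.get("policy_ids", [])}
    # With no policies selected anywhere, fall back to "is any policy enabled".
    if not (selected & enabled if selected else enabled):
        causes.append("Policies have been disabled")
    # Configuration looks complete: only scan timing is left to explain it.
    return causes or ["Metadata Collector or Config Scanner did not run yet"]

# Constructed sample: one grouped account whose only rule excludes it.
SAMPLE = {
    "cloud_accounts": [{"id": "acct-1", "regions": ["us-east-1"]}],
    "account_groups": [{"id": "default", "account_ids": ["acct-1"]}],
    "alert_rules": [{"account_group_ids": ["default"],
                     "excluded_account_ids": ["acct-1"], "policy_ids": ["p1"]}],
    "policies": [{"id": "p1", "enabled": False}],
}
```

An empty result list is never returned: when every configuration check passes, the only remaining explanation from the article is that the scan has not completed yet.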