Palo Alto Networks Knowledgebase: Prisma Cloud Alerts remain open after Policy RQL is modified

Created On 08/02/19 18:37 PM - Last Updated 08/02/19 18:38 PM
Redlock
Symptom
After a Policy's RQL is changed, alerts for resources that are not in the new RQL's result set remain in the "Open" state.

Environment
Prisma Cloud

Cause
Config Scanner 
Changes to a policy do not affect its alerts immediately. The alerts are updated the next time Prisma Cloud runs Config Scanner.

RQL api.name Changed
The new RQL references a different api.name than the original RQL. For example, if the policy originally generated alerts for EBS Snapshots but is subsequently changed to generate alerts for EBS Volumes, then the EBS Snapshot alerts will remain open.


Resolution
Config Scanner 
Wait an hour to give Config Scanner sufficient time to run.  If the alerts remain open, please contact Palo Alto Networks support.

RQL api.name Changed
To close off the open alerts generated by the original RQL, delete and recreate the policy.
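
A pre-change check for the two causes above, as an added example that is not part of the original article or Palo Alto Networks code: it compares the api.name values in the old and new RQL and reports which resolution applies. The function names and sample queries are constructed for illustration, and it assumes api.name is always written in the form api.name = '<value>'.

```python
import re

# Matches api.name = 'value' or api.name = "value"; keyword case and spacing may vary.
# Assumption: api.name is only ever compared with "=".
_API_NAME = re.compile(r"""\bapi\.name\s*=\s*(['"])(.+?)\1""", re.IGNORECASE)


def api_names(rql: str) -> set[str]:
    """Return every api.name referenced by an RQL query (join clauses included)."""
    return {m.group(2).strip() for m in _API_NAME.finditer(rql)}


def review_rql_change(old_rql: str, new_rql: str) -> dict:
    """Classify an RQL edit against the two causes described in the article."""
    old, new = api_names(old_rql), api_names(new_rql)
    # api.name values the policy no longer references: their alerts stay open.
    orphaned = sorted(old - new)
    if orphaned:
        action = "delete-and-recreate"        # "RQL api.name Changed"
    elif old_rql.strip() != new_rql.strip():
        action = "wait-for-config-scanner"    # alerts update on the next scan
    else:
        action = "no-change"
    return {"orphaned_api_names": orphaned, "action": action}


# Constructed sample queries (json.rule contents are illustrative only).
OLD_SNAPSHOTS = ("config from cloud.resource where cloud.type = 'aws' AND "
                 "api.name = 'aws-ec2-describe-snapshots' AND "
                 "json.rule = snapshot.encrypted is false")
NEW_VOLUMES = ("config from cloud.resource where cloud.type = 'aws' AND "
               "api.name = 'aws-ec2-describe-volumes' AND "
               "json.rule = encrypted is false")
NEW_SAME_API = ('config from cloud.resource where cloud.type = "aws" AND '
                'API.NAME="aws-ec2-describe-snapshots" AND '
                "json.rule = snapshot.encrypted is false and "
                "snapshot.volumeSize greater than 100")

if __name__ == "__main__":
    for label, new in (("snapshots -> volumes", NEW_VOLUMES),
                       ("same api.name, narrower rule", NEW_SAME_API)):
        print(label, review_rql_change(OLD_SNAPSHOTS, new))
```

Running the check before saving a policy edit shows whether the existing alerts can be expected to update on the next Config Scanner run or will need the delete-and-recreate step.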

