Prisma Cloud Alerts remain open after Policy RQL is modified

Created On 02/01/19 19:30 PM - Last Modified 12/03/19 18:41 PM


Symptom


After making changes to a Policy's RQL, alerts that are not in the new RQL's result set remain in "Open" state.

Environment


Prisma Cloud

Cause


Config Scanner
Changes to a policy do not affect its alerts immediately.  The alerts are updated the next time Prisma Cloud runs Config Scanner.

RQL api.name Changed
The new RQL references a different api.name than the original RQL.  For example, if the policy originally generated alerts for EBS Snapshots, but is subsequently changed to generate alerts for EBS Volumes, then the EBS Snapshot alerts will remain open.


Resolution


Config Scanner 
Wait an hour to give Config Scanner sufficient time to run.  If the alerts remain open, please contact Palo Alto Networks support.

RQL api.name Changed
To close off the open alerts generated by the original RQL, delete and recreate the policy.
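
The two cases above can be told apart before a policy is edited by comparing the api.name values in the old and new RQL. The following Python check is an added example, not Palo Alto Networks code; the function names and the sample queries are constructed for illustration, and it assumes api.name is written as a quoted equality clause.

```python
from __future__ import annotations
import re

# Matches api.name = 'value' or api.name = "value"; keyword case is ignored.
_API_NAME = re.compile(r"""\bapi\.name\s*=\s*(['"])(.+?)\1""", re.IGNORECASE)

def api_names(rql: str) -> set[str]:
    """Return every api.name value referenced by a config RQL query."""
    names = {m.group(2).strip() for m in _API_NAME.finditer(rql)}
    if not names:
        raise ValueError("no api.name clause found in RQL")
    return names

def plan_policy_edit(old_rql: str, new_rql: str) -> dict:
    """Decide how to apply an RQL change without leaving stale open alerts."""
    old, new = api_names(old_rql), api_names(new_rql)
    # Alerts raised for an api.name the new query no longer references
    # are the ones that remain open after the edit.
    orphaned = sorted(old - new)
    if orphaned:
        action = "delete-and-recreate"
    elif old_rql.strip() == new_rql.strip():
        action = "no-change"
    else:
        # Same api.name: the next Config Scanner run updates the alerts.
        action = "wait-for-config-scanner"
    return {"action": action, "orphaned_api_names": orphaned}

# Constructed sample queries (not taken from a real tenant).
OLD_RQL = ("config from cloud.resource where cloud.type = 'aws' "
           "AND api.name = 'aws-ec2-describe-snapshots' "
           "AND json.rule = snapshot.encrypted is false")
NEW_RQL = ("config from cloud.resource where cloud.type = 'aws' "
           "AND api.name = 'aws-ec2-describe-volumes' "
           "AND json.rule = encrypted is false")
TIGHTENED_RQL = OLD_RQL + " and snapshot.volumeSize greater than 100"

if __name__ == "__main__":
    print(plan_policy_edit(OLD_RQL, NEW_RQL))
    print(plan_policy_edit(OLD_RQL, TIGHTENED_RQL))
```
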

