How to Exclude Cloud account via Alert Rule Advanced Settings

Created On 10/26/21 19:04 PM - Last Modified 11/08/24 15:36 PM


Objective


Problem: A user is trying to exclude a cloud account on the Investigate page via RQL, but results from that cloud account are not excluded when cloud.account != "XXX" is added to the query.

Environment


  • Prisma Cloud
  • Alert Rule


Procedure


The config scanner ignores cloud.account, cloud.accountgroup, cloud.region, and any other conditions that limit accounts or regions, because that scoping should be configured in the Alert Rule. So for a custom policy to not generate alerts for a cloud account, that account must be excluded in the Alert Rule.

To exclude a cloud account in an alert rule, use "Include/Exclude (Optional)". This adds more granularity for which cloud resources trigger alerts for this alert rule. Exclude Cloud Accounts: if there are some cloud accounts in the selected account groups for which you do not want to trigger alerts, select the accounts from the list.

GUI Path: Alerts > View Alert Rules > Add Alert Rule 


Additional Information


Create an Alert Rule for Run-Time Checks


