What is "MDC_REOPEN_FOR_ACCIDENTAL_DELETE" in Prisma Cloud and How to Avoid it?
Created On 12/09/21 03:50 AM - Last Modified 12/22/21 02:56 AM
Question
- What is "MDC_REOPEN_FOR_ACCIDENTAL_DELETE" in Prisma Cloud and How to Avoid it?
Environment
- Prisma Cloud
Answer
- When an Open Alert is resolved, the reason behind the resolution of that Alert is included to help with audits.
- The reason is displayed in the response object in the API, and on the Prisma Cloud administrative console on Alerts Overview when you select a resolved alert and review the alert details for the violating resource.
- One such reason is "MDC_REOPEN_FOR_ACCIDENTAL_DELETE".
- This indicates that the Alert was reopened during Ingestion because the resource was rediscovered (snapshot of one such instance shared below).
Cause
- Usually this happens if Prisma Cloud runs into intermittent issues with ingesting resources.
- As the name suggests, Ingestion marks the resources as deleted by accident, and the corresponding Alerts are resolved as a result.
- However, in the next Ingestion scan, the same resources are rediscovered, which causes all the previous Alerts to reopen.
- Likewise, if you manually dismiss an alert for a Network policy rule violation, Prisma Cloud automatically reopens the Alert when it detects the same violation again.
- This is a rare occurrence, and the Alerts received are by design.
- If a large number of such Alerts are being resolved and reopened, identify the most impacted resource types (e.g. AWS S3) that are seeing multiple Alerts with the reason "MDC_REOPEN_FOR_ACCIDENTAL_DELETE" and open a New Support Case with Palo Alto Networks TAC Support for further investigation.
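
One way to find the most impacted resource types before opening the case, shown as an added example that is not Palo Alto Networks code. It tallies alerts whose reason is "MDC_REOPEN_FOR_ACCIDENTAL_DELETE" per cloud and resource type; the JSON field names (`reason`, `history`, `resource.cloudType`, `resource.resourceType`, `resource.id`) and all sample values are assumptions to check against your own alert export.

```python
from collections import defaultdict

REASON = "MDC_REOPEN_FOR_ACCIDENTAL_DELETE"

def _alert(aid, cloud, rtype, rid, reason, history=()):
    """Build one constructed alert record (field names are assumed, see lead-in)."""
    return {"id": aid, "reason": reason,
            "resource": {"cloudType": cloud, "resourceType": rtype, "id": rid},
            "history": [{"reason": r} for r in history]}

# Constructed sample data; "OTHER_REASON" and the resource type strings are placeholders.
SAMPLE_ALERTS = [
    _alert("P-101", "aws", "S3_BUCKET", "bucket-a", REASON,
           ["OTHER_REASON", REASON, "OTHER_REASON", REASON]),
    _alert("P-102", "aws", "S3_BUCKET", "bucket-b", REASON),
    _alert("P-103", "aws", "S3_BUCKET", "bucket-a", REASON),
    _alert("P-104", "aws", "INSTANCE", "i-1", REASON),
    _alert("P-105", "azure", "VM", "vm-1", "OTHER_REASON"),
]

def reopen_events(alert):
    """Count reopen events: matching history entries, else the current reason."""
    hits = sum(1 for h in alert.get("history") or [] if h.get("reason") == REASON)
    if hits == 0 and alert.get("reason") == REASON:
        hits = 1
    return hits

def summarize(alerts):
    """Return (cloud, type, alerts, reopen_events, distinct_resources), worst first."""
    stats = defaultdict(lambda: {"alerts": 0, "events": 0, "resources": set()})
    for alert in alerts:
        events = reopen_events(alert)
        if events == 0:
            continue  # alert never carried the accidental-delete reason
        res = alert.get("resource") or {}
        key = (res.get("cloudType", "unknown"), res.get("resourceType", "unknown"))
        stats[key]["alerts"] += 1
        stats[key]["events"] += events
        stats[key]["resources"].add(res.get("id"))
    rows = [(c, t, v["alerts"], v["events"], len(v["resources"]))
            for (c, t), v in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0], r[1]))

def impacted(alerts, min_alerts=2):
    """Resource types with multiple affected alerts, the set worth citing in a case."""
    return [r for r in summarize(alerts) if r[2] >= min_alerts]

if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS):
        print("%-6s %-12s alerts=%d reopen_events=%d resources=%d" % row)
```

The `distinct_resources` column separates one flapping resource from a type-wide ingestion problem, which is useful detail to include in the support case.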
Additional Information
For more information, refer to: Prisma Cloud Alert Resolution Reasons