Inconsistent results seen for 'Azure Resource Group' in Prisma Cloud

9997

Created On 08/15/24 03:51 AM - Last Modified 08/15/24 06:35 AM

Microsoft Azure

Prisma Cloud Enterprise Edition

Symptom

Inventory (Assets) and Investigate (RQL)

As shown below, Inventory (Assets) and Investigate (RQL) shows 'Azure Resource Group' count = 1637 in a particular environment

Alerts and Compliance = 1493

As shown below, Alerts and Compliance shows 'Azure Resource Group' count = 1493 in a particular environment

Resource List = 1368

As shown below, Resource List shows 'Azure Resource Group' count = 1368 in a particular environment

Inventory (Assets) and Investigate (RQL)

Alerts and Compliance

Resource list

Example

In the above example, Multiple Resource entries for PCCAgentlessScanResourceGroup are seen in Inventory and Investigate tab (Count = 7)
Though they have the same name, they are altogether different assets located in different cloud account regions

Inventory

Investigate

However, under Alerts, Compliance and Resource List tab, you will find only 1 Unique entry for the same

Alerts

Compliance

Resource List

Additionally, you can run a specific RQL Query to find the deleted 'Azure Resource Group' Assets (count is 144)

Alerts associated with active Cloud accounts are currently kept for the duration of the service
When Cloud accounts are deleted from Prisma Cloud, the associated Alerts are held for an additional 24 hours after which they are permanently deleted
Configuration of assets active in the cloud environment is retained for the duration of the service as well
Upon termination of the service, data in live systems is stored for up to 60 days, after which it will be deleted from live systems
Purge of backup data may take up to an additional 60 days

Reference : View and Respond to Prisma Cloud Alerts