Prisma Cloud Audit Event Alerts remain in Open State despite change in the Policy RQL

Prisma Cloud Audit Event Alerts remain in Open State despite change in the Policy RQL

273

Created On 06/05/23 04:54 AM - Last Modified 01/15/26 20:49 PM

Security Policy

Policy management

Prisma Cloud Audit Event Policy

Policy

Prisma Cloud Policy

Prisma Cloud Enterprise Edition

Prisma Cloud - Cloud Security

Symptom

An Audit Event Policy RQL is modified.
The modified RQL of this Policy in Investigate tab does not give the same resources as observed in Alerts Overview.
As per Prisma Cloud Alert Resolution Reasons, an update in the Policy RQL will be one of the reasons behind an Open Alert to Close.
However, Prisma Cloud Audit Event Alerts remain in Open State despite change in the Policy RQL.

Environment

Prisma Cloud

Cause

Audit Event Alerts are generated for the Events that have already occurred.
Hence, these Open Alerts will never be resolved.
This is expected behaviour as per product design.

Resolution

Dismiss the Open Alerts manually.

Additional Information

Any Policy changes (eg. RQL modified) will be applicable only for New Events.
No New Alerts should be generated for the Events that no more violate the Policy.

Additional References

Prisma Cloud Alert Resolution Reasons