Seeing a sudden change in the Number of Alerts and Policy Severities in Prisma Cloud
Symptom
- Seeing a sudden change in the Number of Alerts and Policy Severities in Prisma Cloud
Environment
- Prisma Cloud Enterprise Edition
- SaaS Version 23.4.1 onwards
- Policy
Cause
- Prisma Cloud updated the system Default Policies to help identify Critical Alerts and address them effectively
- The Policy Severity levels for some system default policies are re-aligned to use the newly introduced Critical and Informational severities
- Due to this change, policies now have five severity levels: Critical, High, Medium, Low, and Informational. Because some policies moved between levels, the number of Alerts may decrease or increase
Resolution
- This is expected behaviour, as these changes were introduced in version 23.4.1
- Reference: Features Introduced in April 2023
Additional Information
Note: Future Default Policies with your selected Severities (Low / Medium / High / Critical) will be auto-enabled
FAQs
- How many policies are affected by this change for each severity category?
The severity levels of 633 system default policies are being modified to help you identify the most critical alerts and ensure that you can address them efficiently.
- How does this impact my Compliance Reports?
When a policy's severity is changed, the new severity appears in the next compliance report you generate. If you have an Alert Rule whose scope uses a Policy Severity filter, some policies are likely to be removed from or added to that alert rule, which reduces or increases the number of alerts when you generate a new compliance report.
- Does it cause new Alerts to be generated?
Yes. This applies ONLY if you have an Alert Rule scope configured with a policy severity filter and the policy is not explicitly assigned to some other alert rule. In that case, any severity update that changes the scope of the alert rule may trigger new alerts.
- How does this impact my existing open tickets (integrations/notifications)?
If you have Alert Rules integrated with systems such as ServiceNow or JIRA, this potential change in the number of alerts may result in notifications being sent for the modified alert status.
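As an added illustration, not Prisma Cloud code or its actual scoping engine, the following Python models the behaviour described in the FAQs above: an alert rule scoped by a severity filter picks up or drops policies when their severity is re-aligned, while a policy explicitly assigned to another rule is unaffected. The policy ids, severities and rule names are constructed, and the scoping logic is a simplification.

```python
# Constructed model, not Prisma Cloud code: how the severity re-alignment moves
# policies in and out of an alert rule scoped by a policy-severity filter.
# Policy ids, severities and the simplified scoping rule are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: str
    old_severity: str  # severity before the 23.4.1 re-alignment
    new_severity: str  # severity after it

@dataclass(frozen=True)
class AlertRule:
    name: str
    severity_filter: frozenset = frozenset()    # empty: no severity-based scope
    explicit_policies: frozenset = frozenset()  # policies assigned by id

def scoped_policies(rule, policies, rules, use_new):
    """Policy ids in rule's scope: its explicitly assigned policies, plus any
    policy matching its severity filter that is not explicitly assigned to
    some other rule (the caveat in the FAQ above)."""
    owned_elsewhere = {pid for r in rules if r is not rule for pid in r.explicit_policies}
    in_scope = set(rule.explicit_policies)
    for p in policies:
        severity = p.new_severity if use_new else p.old_severity
        if severity in rule.severity_filter and p.policy_id not in owned_elsewhere:
            in_scope.add(p.policy_id)
    return in_scope

def scope_delta(rule, policies, rules):
    """Policies that enter or leave rule's scope purely because severities changed."""
    before = scoped_policies(rule, policies, rules, use_new=False)
    after = scoped_policies(rule, policies, rules, use_new=True)
    return {"added": sorted(after - before), "removed": sorted(before - after)}

# Constructed sample data: four policies re-aligned, one (p-sg-open-ssh) unchanged.
POLICIES = [
    Policy("p-s3-public", "high", "critical"),
    Policy("p-iam-mfa", "medium", "high"),
    Policy("p-tag-missing", "low", "informational"),
    Policy("p-sg-open-ssh", "high", "high"),
    Policy("p-logging-off", "medium", "high"),
]
RULES = [
    AlertRule("high-and-above", severity_filter=frozenset({"critical", "high"})),
    AlertRule("low-only", severity_filter=frozenset({"low"})),
    AlertRule("pinned", explicit_policies=frozenset({"p-logging-off"})),
]
```

Running `scope_delta` over each rule shows the "high-and-above" rule gaining p-iam-mfa, the "low-only" rule losing p-tag-missing, and the "pinned" rule unchanged even though p-logging-off moved to High.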