Prisma Cloud: Why is a Custom policy that is scoped down to a specific account group generating alerts for accounts outside of the account group?
Question
Why is a Custom policy that is scoped down to a specific account group generating alerts for accounts outside of the account group?
Replication:
- Policy Name: Manny EC2 Test Policy July
- Account Group: manny api test
- Custom Policy RQL:
  config from cloud.resource where api.name = 'aws-ec2-describe-instances' and cloud.accountgroup = 'manny api test' AND json.rule = securityGroups[*].groupName does not start with "sectag"
Generated Alerts
- Prisma Cloud > Alerts > Manny EC2 Test Policy July
- Prisma Cloud > Investigate
Please note that none of the accounts are associated with my Account Group
- Prisma Cloud > Settings > Account Group > Manny API Test > Edit
Please note, when configuring the Alert Rule “Manny EC2 Alert Rule” I purposely associated all account groups with the rule:
- Prisma Cloud > Alerts > Alert Rules > Add Alert Rule
Environment
- Prisma Cloud
Answer
When creating a custom policy, as a best practice do not include cloud.account, cloud.accountgroup, cloud.region or tag attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy.
The above would explain why you are receiving alerts for all cloud accounts/groups rather than just the specified account group. To remedy this, I would recommend updating your alert rule configuration to target only the desired account group.
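As an added example (not part of the original question or answer, and not Prisma Cloud's own tooling), the following Python pre-flight check finds and removes the scope clauses (cloud.account, cloud.accountgroup, cloud.region and tag) from a saved-search RQL before it is turned into a custom policy, so that the policy never relies on a clause the policy engine ignores. The clause grammar it recognises (a quoted value or parenthesised list after =, != or IN, and tag ('key') = 'value' for tags) is an assumption about common RQL forms, not a full RQL parser. The sample query is the one from the question above, with the attribute spacing fixed.

```python
from __future__ import annotations

import re

# Attributes that, per the answer above, are ignored inside a custom policy's
# RQL (they only filter Investigate results). Scope belongs in the alert rule.
SCOPE_ATTRIBUTES = ("cloud.accountgroup", "cloud.account", "cloud.region")

# One scope clause: <attribute> <op> <quoted value | parenthesised list>, e.g.
#   cloud.accountgroup = 'manny api test'
#   cloud.region IN ( 'us-east-1', 'us-west-2' )
#   tag ('env') = 'prod'     <- assumed tag syntax; adjust for your tenant
_ATTR = (
    r"(?:"
    + "|".join(re.escape(a) + r"\b" for a in SCOPE_ATTRIBUTES)
    + r"|\btag\s*\([^)]*\))"
)
_VALUE = r"(?:'[^']*'|\([^)]*\))"
_CLAUSE = rf"{_ATTR}\s*(?:!=|=|IN)\s*{_VALUE}"

# Clause joined onto an earlier condition:   ... AND cloud.region = 'x'
_TRAILING = re.compile(rf"\s+(AND|OR)\s+({_CLAUSE})", re.IGNORECASE)
# Clause placed first after WHERE:           where cloud.region = 'x' AND ...
_LEADING = re.compile(rf"(\bwhere\s+)({_CLAUSE})\s+(AND|OR)\s+", re.IGNORECASE)


def find_scope_clauses(rql: str) -> list[str]:
    """Return every scope clause in the query that a custom policy would ignore."""
    clauses = [m.group(2) for m in _LEADING.finditer(rql)]
    clauses += [m.group(2) for m in _TRAILING.finditer(rql)]
    return clauses


def strip_scope_clauses(rql: str) -> tuple[str, list[str]]:
    """Remove scope clauses so the query is safe to save as a custom policy.

    Returns (cleaned_rql, removed_clauses). A scope clause joined with OR is
    refused (ValueError): dropping it would widen the match, not just remove
    dead scope, so that query must be rewritten by hand. A query whose only
    condition is a scope clause has no policy logic and is returned unchanged.
    """
    removed: list[str] = []

    def _take(conj: str, clause: str) -> None:
        if conj.upper() == "OR":
            raise ValueError(f"scope clause joined with OR, rewrite by hand: {clause}")
        removed.append(clause)

    def _drop_trailing(m: re.Match[str]) -> str:
        _take(m.group(1), m.group(2))
        return ""

    def _drop_leading(m: re.Match[str]) -> str:
        _take(m.group(3), m.group(2))
        return m.group(1)  # keep "where "

    cleaned = _TRAILING.sub(_drop_trailing, rql)
    cleaned = _LEADING.sub(_drop_leading, cleaned)
    return cleaned.strip(), removed


# Constructed sample: the RQL from the question above (attribute spacing fixed).
SAVED_SEARCH_RQL = (
    "config from cloud.resource where api.name = 'aws-ec2-describe-instances' "
    "and cloud.accountgroup = 'manny api test' "
    "AND json.rule = securityGroups[*].groupName does not start with \"sectag\""
)

if __name__ == "__main__":
    policy_rql, dropped = strip_scope_clauses(SAVED_SEARCH_RQL)
    print("dropped :", dropped)
    print("policy  :", policy_rql)
```

Run this over each saved search before promoting it to a custom policy; if it reports a dropped clause, apply that scope through the alert rule (Alerts > Alert Rules, account group target) instead, which is the mechanism the answer points to.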