Prisma Cloud : How to distinguish between False Positive and Genuine Alerts?

Created On 11/01/22 00:56 AM - Last Modified 12/08/22 03:30 AM


Objective


  • Prisma Cloud : How to distinguish between False Positive and Genuine Alerts?


Environment


  • Prisma Cloud


Procedure


Step 1: Copy the RQL query from the Policy for which the Alert was generated (you can narrow the results by adding a cloud.account filter).
Step 2: Paste this RQL query in the Investigate tab to confirm whether the same Resource for which the Alert was generated shows up.
Step 3: If it shows up, and the resource configuration in your CSP confirms that it really violates the policy, it is a Genuine Alert.
Step 4: Otherwise, this could be a False Positive Alert, indicating an Ingestion error.


Additional Information


Example
  • An Alert is generated for the Resource 'ta02-vpc' from Policy 'AWS VPC Flow Logs not enabled'.
[Screenshot: the Alert for 'ta02-vpc' under Policy 'AWS VPC Flow Logs not enabled']
  • The RQL query of this Policy is copied and pasted into the 'Investigate' tab, which returns the same resource 'ta02-vpc' (as shown below).

[Screenshot: the Policy's RQL query in the Investigate tab]

[Screenshot: Investigate results listing 'ta02-vpc']
  • Further, the resource's configuration in the CSP confirms the finding, so this is a Genuine Alert.
  • However, if the resource does not show up in the Investigate tab results, or its configuration does not confirm the finding, this may indicate an Ingestion error, which can be reviewed under Settings > Cloud Accounts > Status.

[Screenshot: Settings > Cloud Accounts > Status]
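The two checks in the procedure above (does the alert's resource appear in the Investigate results for the policy's RQL, and does its configuration in the CSP really violate the policy) can be scripted once the Investigate results and the CSP data have been exported. The following is an added example written for this article, not Palo Alto Networks code or a Prisma Cloud API; the function names, the sample Investigate rows and the VPC ids are all constructed, and the CSP-side data is shaped like the FlowLogs entries returned by the AWS EC2 DescribeFlowLogs API.

```python
"""Triage a Prisma Cloud alert by the two checks from the article:
   1. the alert's resource must appear in the Investigate results for the policy's RQL
      (filtered to the alert's cloud.account), and
   2. the resource's configuration in the CSP must actually violate the policy.
Both true  -> GENUINE
Otherwise  -> SUSPECT_INGESTION (review Settings > Cloud Accounts > Status)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    policy: str
    resource_name: str  # name shown in the Prisma Cloud alert, e.g. 'ta02-vpc'
    resource_id: str    # cloud provider id of the resource (constructed below)
    account_id: str     # cloud.account the alert belongs to


# Constructed sample: rows the Investigate tab returned for the policy's RQL.
INVESTIGATE_RESULTS = {
    "AWS VPC Flow Logs not enabled": [
        {"account": "111111111111", "resource_id": "vpc-0a1b2c3d4e5f60001", "name": "ta02-vpc"},
        {"account": "111111111111", "resource_id": "vpc-0a1b2c3d4e5f60002", "name": "ta03-vpc"},
        {"account": "222222222222", "resource_id": "vpc-0a1b2c3d4e5f60004", "name": "other-vpc"},
    ],
}

# Constructed sample shaped like ec2.describe_flow_logs()["FlowLogs"] for account 111111111111.
CSP_FLOW_LOGS = [
    {"FlowLogId": "fl-0000000000000001", "ResourceId": "vpc-0a1b2c3d4e5f60002", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-0000000000000002", "ResourceId": "vpc-0a1b2c3d4e5f60003", "FlowLogStatus": "ACTIVE"},
]


def resource_in_investigate(alert, investigate_results):
    """Check 1: the alerted resource shows up in the Investigate results for the same policy
    and the same cloud.account (the filter the article suggests adding to the RQL)."""
    rows = investigate_results.get(alert.policy, [])
    return any(r["account"] == alert.account_id and r["resource_id"] == alert.resource_id
               for r in rows)


def vpc_violates_flow_log_policy(vpc_id, flow_logs):
    """Check 2 for the 'AWS VPC Flow Logs not enabled' policy: the VPC violates it
    when no ACTIVE flow log has that VPC as its ResourceId."""
    return not any(fl["ResourceId"] == vpc_id and fl["FlowLogStatus"] == "ACTIVE"
                   for fl in flow_logs)


def triage(alert, investigate_results, flow_logs):
    """Return (verdict, reason) following the article's decision procedure."""
    if not resource_in_investigate(alert, investigate_results):
        return "SUSPECT_INGESTION", "resource missing from Investigate results for this policy"
    if not vpc_violates_flow_log_policy(alert.resource_id, flow_logs):
        return "SUSPECT_INGESTION", "CSP shows an ACTIVE flow log; configuration does not violate the policy"
    return "GENUINE", "resource found in Investigate and CSP configuration confirms the violation"


if __name__ == "__main__":
    alert = Alert("AWS VPC Flow Logs not enabled", "ta02-vpc", "vpc-0a1b2c3d4e5f60001", "111111111111")
    print(triage(alert, INVESTIGATE_RESULTS, CSP_FLOW_LOGS))
```

The CSP check is policy-specific: for a different policy, replace vpc_violates_flow_log_policy with a function that evaluates that policy's condition against the corresponding cloud API output, while the Investigate check and the verdict logic stay the same.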


Note:
  • There are no Best Practices for tuning Alert Rule configurations to avoid False Positives in the future, because Alert Rules do not cause false positives.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEz6CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail