How to Prevent Alerts for Specific Accounts or Regions in Prisma Cloud?
Created On 04/21/23 08:31 AM - Last Modified 07/10/23 08:58 AM
Objective
- How to Prevent Alerts for Specific Accounts or Regions in Prisma Cloud?
Environment
- Prisma Cloud Enterprise Edition
Procedure
- Occasionally, your business requirements may call for alerts only for resources in specific accounts or regions.
- To achieve this, you could create a Custom Policy with RQL that uses fields such as cloud.account, cloud.accountgroup, cloud.region and tags to exclude the resources.
- However, this is not recommended for Custom Policy RQL (see Additional Information).
- Instead, create an Alert Rule that excludes cloud accounts and regions, or includes only a specific resource tag, for the generation of alerts.
- Let's assume that you want to generate audit alerts when any new resource is created in any region EXCEPT Singapore.
Step 2: Create an Alert Rule
Step 3: Under 'Assign Targets', select the Account Group for which you want to generate alerts
Step 4: Select the cloud account under 'Exclude Cloud Accounts', and select the regions from the Include Region dropdown, to exclude the account and region from alert generation
Note: In the region dropdown, select all the regions except Singapore
Step 5: In the 'Assign Policies' section, disable the "Select all policies" toggle so that you can deselect all the policies and check only the newly created policy. This ensures the Alert Rule is enabled for the newly created policy. For any other policies that you need to exclude, tick those policies in the same Alert Rule.
Step 6: The Summary shows the details you have selected
NOTE
- If you still see alerts for the excluded region(s) or account(s), check which Alert Rule is shown for the Alert ID
- If it shows a different Alert Rule, the alert was generated by that Alert Rule
- In that case, edit that Alert Rule and check all the policies except the policies concerned
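The troubleshooting NOTE above, as an added example (not Prisma Cloud code or its API): a simplified Python model of alert rule matching that shows how a second Alert Rule covering the same policy still raises alerts for an excluded region. The AlertRule fields, the matching semantics (an empty region list means all regions) and all account, region and policy names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AlertRule:
    """Simplified model of an alert rule (assumed fields, not the product schema)."""
    name: str
    account_group: set   # cloud accounts in the targeted account group
    policies: set        # policies checked under 'Assign Policies'
    excluded_accounts: set = field(default_factory=set)
    included_regions: set = field(default_factory=set)  # assumption: empty = all

    def matches(self, account, region, policy):
        if policy not in self.policies:
            return False
        if account not in self.account_group or account in self.excluded_accounts:
            return False
        return not self.included_regions or region in self.included_regions


def rules_generating_alert(rules, account, region, policy):
    """Names of every rule that would raise an alert for this finding."""
    return [r.name for r in rules if r.matches(account, region, policy)]


def uncheck_policy(rules, rule_name, policy):
    """The fix from the NOTE: uncheck the policy in the overlapping rule."""
    for r in rules:
        if r.name == rule_name:
            r.policies.discard(policy)


# Constructed sample data (hypothetical accounts, regions and policies).
ALL_REGIONS = {"Singapore", "Ohio", "Ireland"}
NEW_POLICY = "audit-new-resource"
GROUP = {"prod-1", "prod-2", "sandbox"}
RULES = [
    AlertRule("audit-except-singapore", GROUP, {NEW_POLICY},
              excluded_accounts={"sandbox"},
              included_regions=ALL_REGIONS - {"Singapore"}),
    # Older catch-all rule that still has the new policy checked.
    AlertRule("default-all-policies", GROUP, {NEW_POLICY, "other-policy"}),
]

if __name__ == "__main__":
    print(rules_generating_alert(RULES, "prod-1", "Singapore", NEW_POLICY))
    uncheck_policy(RULES, "default-all-policies", NEW_POLICY)
    print(rules_generating_alert(RULES, "prod-1", "Singapore", NEW_POLICY))
```

Before the fix, the Singapore finding is attributed to the catch-all rule rather than the new one, which is the situation the NOTE describes.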
Additional Information
- When creating a custom policy, as a best practice do not include cloud.account, cloud.accountgroup, cloud.region or tag attributes in the RQL query
- If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy