Prisma Cloud: Alert Rules - API does not return policy IDs when Alert Rule is configured by selecting all policies using filters

Created On 06/06/23 21:48 PM - Last Modified 03/02/26 18:43 PM


Symptom


  • User has set up an alert rule and selected all policies based on filters.
  • When viewing the list of alert rules, the user notices that individual policies are not provided in the response.
    • This is by design. When using filters during alert rule creation and selecting all policies, the API returns the filters used to select the policies.
    • If the user were to select individual policies (but not all), the individual policy IDs are listed in the API response.


Environment


  • Prisma Cloud
    • Alert Rules
      • New Alert Rule
        • Dashboard > Alerts > Alert Rules > Add Alert Rule > Name the rule > Click Next
        • Select at least one Account Group via the dropdown > Click Next
        • Select at least one criteria via the provided filters > Click the 'Select All' checkbox next to Name in the policies grid > Click Next
        • Click Save to save the new alert rule
  • Run an API call to v2/alert/rules. See below for example output. Note that "policies" is empty and that "alertRulePolicyFilter" is populated with the filters "policy.severity" and "cloud.type".
    {
        "policyScanConfigId": "a28d69d5-fb2d-4310-b546-85deca422773",
        "name": "testrule",
        "description": "",
        "enabled": true,
        "scanAll": false,
        "policies": [],
        "policyLabels": [],
        "excludedPolicies": [],
        "target": {
            "accountGroups": [
                "48876052-4b20-4526-9bfd-264aafb2ed85"
            ],
            "excludedAccounts": [],
            "regions": [],
            "tags": [],
            "includedResourceLists": {
                "computeAccessGroupIds": []
            },
            "targetResourceList": {
                "action": "AUTO_DISMISS",
                "reason": "",
                "requestor": "",
                "approver": "",
                "additionalNotes": "",
                "enabled": false,
                "ids": []
            },
            "alertRulePolicyFilter": {
                "policy.severity": [
                    "HIGH",
                    "CRITICAL"
                ],
                "policy.label": [],
                "cloud.type": [
                    "azure"
                ],
                "policy.complianceStandard": []
            }
        }
    }

Cause


  • This is by design. When all policies are selected via filters, the Alert Rules API returns the filters of the Alert Rule ("alertRulePolicyFilter") and does not return individual policy IDs.


Resolution


  1. As the API response from v2/alert/rules will not return a list of policies, these can be pulled separately using the List Policies V2 API (see https://pan.dev/prisma-cloud/api/cspm/get-policies-v-2/).
  2. The filter parameters need to be set individually in the request.
  3. Set the parameters as shown in the screenshot (not reproduced here): Set the filters as individual parameters in the API request.
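The following is an added example (not code from the KB article or from Palo Alto Networks) that shows how to take the "alertRulePolicyFilter" object from a v2/alert/rules response and turn it into the individual query parameters the resolution describes. It assumes the List Policies V2 endpoint is GET /v2/policy on https://api.prismacloud.io, that each filter is passed as its own query parameter repeated once per value, and that the session token is sent in an x-redlock-auth header; the alert rule below is a constructed sample trimmed to the fields the article discusses.

```python
"""Expand a filter-defined Prisma Cloud alert rule into List Policies V2 query parameters."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample, trimmed to the fields the article discusses.
ALERT_RULE = {
    "name": "testrule",
    "scanAll": False,
    "policies": [],
    "target": {
        "alertRulePolicyFilter": {
            "policy.severity": ["HIGH", "CRITICAL"],
            "policy.label": [],
            "cloud.type": ["azure"],
            "policy.complianceStandard": [],
        }
    },
}


def is_filter_defined(rule: dict) -> bool:
    """True when the rule selected policies via filters, so 'policies' is empty by design."""
    policy_filter = rule.get("target", {}).get("alertRulePolicyFilter", {})
    return not rule.get("policies") and not rule.get("scanAll") and any(policy_filter.values())


def filter_to_query_params(rule: dict) -> list[tuple[str, str]]:
    """Turn alertRulePolicyFilter into (key, value) pairs, one per value, dropping empty filters."""
    policy_filter = rule.get("target", {}).get("alertRulePolicyFilter", {})
    return [(key, value) for key, values in policy_filter.items() for value in values]


def list_policies_url(rule: dict, base_url: str = "https://api.prismacloud.io") -> str:
    """Build the List Policies V2 request URL (endpoint path and base URL are assumptions)."""
    return f"{base_url}/v2/policy?{urlencode(filter_to_query_params(rule))}"


def fetch_policy_ids(rule: dict, token: str) -> list[str]:
    """Call List Policies V2 and return the policy IDs the filters resolve to (requires network)."""
    req = Request(list_policies_url(rule), headers={"x-redlock-auth": token, "Accept": "application/json"})
    with urlopen(req) as resp:  # assumption: response body is a JSON array of policy objects
        return [policy["policyId"] for policy in json.load(resp)]


if __name__ == "__main__":
    if is_filter_defined(ALERT_RULE):
        print(list_policies_url(ALERT_RULE))
```

Rules with scanAll set to true or with explicit entries in "policies" are skipped by is_filter_defined, since their policy set does not need to be resolved this way.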


Additional Information


List Alert Rules V2 API call
List Policies V2 API call



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kI3QCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail