Prisma Cloud: A false positive may occur for "Instances exposed to network traffic from the internet" for VPC flow logs
Created On 09/22/21 02:35 AM - Last Modified 07/02/25 15:22 PM
Symptom
A false positive alert might be raised on newly added resources.
Environment
- Prisma Cloud Enterprise Edition
- Network RQL
Cause
When you create new resources in your public cloud, Prisma Cloud recognizes them at the next scan.
If Prisma Cloud ingests a flow log that triggers alerts before that scan has completed, a false positive might be raised.
Example: the following policy excludes some resources, such as 'AWS NAT Gateway'. If the alert is evaluated before the scan completes, a false positive occurs because Prisma Cloud cannot yet determine whether the resource is an 'AWS NAT Gateway'.
Policy name: Instances exposed to network traffic from the internet
RQL:
network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB', 'AZURE ELB', 'GCP ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) AND accepted.bytes > 0
Resolution
This behavior is by design and cannot be changed in any setting. Check the affected resources to determine whether the alert is a false positive. The same issue will not recur for those resources once Prisma Cloud has classified them at the next scan.
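The cause and resolution above, modelled as an added Python example (not Prisma Cloud code): a stand-in evaluator for the policy's RQL runs a flow record against the resource inventory known at ingestion time and again against the inventory after the next scan, showing why an unscanned NAT gateway cannot be excluded by role. The `stale_inventory_alert` triage helper and the sample resource ids and role labels are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Sets taken from the policy RQL on this page.
PUBLIC_NETWORKS = {"Suspicious IPs", "Internet IPs"}
EXCLUDED_ROLES = {"AWS NAT Gateway", "AWS ELB", "AZURE ELB", "GCP ELB"}
EXCLUDED_PROTOCOLS = {"ICMP", "ICMP6"}

@dataclass(frozen=True)
class FlowRecord:
    src_publicnetwork: str  # src.publicnetwork
    dest_resource_id: str   # dest.resource
    protocol: str
    accepted_bytes: int     # accepted.bytes

def matches_policy(rec: FlowRecord, inventory: Dict[str, str]) -> bool:
    """True if the record satisfies the RQL given the roles the last scan knows.
    A destination the scan has not seen yet has no role, so the
    `role not in (...)` exclusion cannot apply and the record still matches."""
    if rec.src_publicnetwork not in PUBLIC_NETWORKS:
        return False
    if rec.protocol in EXCLUDED_PROTOCOLS or rec.accepted_bytes <= 0:
        return False
    role: Optional[str] = inventory.get(rec.dest_resource_id)
    return role not in EXCLUDED_ROLES

def stale_inventory_alert(rec: FlowRecord, inventory_at_ingest: Dict[str, str],
                          inventory_now: Dict[str, str]) -> bool:
    """Triage check (an assumption of this example, not a Prisma Cloud feature):
    an alert that matched against the inventory known at ingestion but no longer
    matches once the resource has been scanned is a candidate false positive."""
    return (matches_policy(rec, inventory_at_ingest)
            and not matches_policy(rec, inventory_now))

# Constructed sample data: "nat-new" was created after the last scan, so the
# inventory at ingestion time has no role for it. "Instance" is a made-up label.
BEFORE_SCAN = {"nat-old": "AWS NAT Gateway", "i-web": "Instance"}
AFTER_SCAN = {**BEFORE_SCAN, "nat-new": "AWS NAT Gateway"}
RECORDS = [
    FlowRecord("Internet IPs", "nat-new", "TCP", 1200),  # fires, then clears
    FlowRecord("Internet IPs", "i-web", "TCP", 800),     # genuinely exposed
    FlowRecord("Internet IPs", "nat-old", "ICMP", 64),   # ICMP is excluded
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.dest_resource_id, matches_policy(rec, BEFORE_SCAN),
              stale_inventory_alert(rec, BEFORE_SCAN, AFTER_SCAN))
```

Re-running an open alert against the current inventory in this way separates alerts that only fired because the resource had not been scanned yet from alerts on resources that are genuinely exposed.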
Additional Information
Other resources may have the same issue in the future because alerts are handled per resource.