Prisma Cloud: Why False positive alerts occur with Network Analyzer based policy

Created On 09/17/22 23:17 PM - Last Modified 01/08/24 16:04 PM


Symptom


A false positive alert is raised on the Network Analyzer based policy "AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port". The 2 instances were terminated a couple of days back.
 
GUI Path: Investigate Page


Environment


  • AWS
  • Network Analyzer Policy


Cause


Possible causes for this issue from the user side:

  1. They have some alert rules for AWS with Config Network Analysis (CNA) policies and have added some GCP accounts to them
  2. They have some alert rules for GCP and have added some AWS Config Network Analysis (CNA) policies to them

 



Resolution


Our CNA policies are not generic across cloud providers. Each policy has a cloud type built in, so you can only assign it to cloud accounts from the same provider.

The fix we will make on the Prisma Cloud side is only to detect these misconfigurations. As a result, alerts will not be raised at all if these misconfigurations are not fixed on the user side.

To have CNA work as expected, you need to assign CNA policies correctly to cloud accounts with the same cloud type.
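
One way to audit for the two misconfigurations listed under Cause, as an added example that is not Palo Alto Networks code: it walks an exported inventory of alert rules and reports every CNA policy paired with an account of a different cloud type. The dictionary layout, field names and all IDs are assumptions and constructed sample data, not the Prisma Cloud API schema.

```python
# Added example: layout and IDs are constructed assumptions, not the Prisma Cloud API schema.
POLICIES = {
    "pol-aws-cna": {"cloud_type": "aws", "is_cna": True},
    "pol-gcp-cna": {"cloud_type": "gcp", "is_cna": True},
    "pol-aws-cfg": {"cloud_type": "aws", "is_cna": False},  # non-CNA policy
}
ACCOUNTS = {"acct-aws-1": "aws", "acct-aws-2": "aws", "acct-gcp-1": "gcp"}
ALERT_RULES = [
    # Cause 1: AWS rule with CNA policies, GCP account added to it.
    {"name": "aws-network", "policies": ["pol-aws-cna", "pol-aws-cfg"],
     "accounts": ["acct-aws-1", "acct-gcp-1"]},
    # Cause 2: GCP rule with an AWS CNA policy added to it.
    {"name": "gcp-network", "policies": ["pol-gcp-cna", "pol-aws-cna"],
     "accounts": ["acct-gcp-1"]},
    # Correct: CNA policy and accounts share one cloud type.
    {"name": "aws-clean", "policies": ["pol-aws-cna"],
     "accounts": ["acct-aws-1", "acct-aws-2"]},
]

def find_cna_mismatches(rules, policies, accounts):
    """List (rule, policy, account, policy_cloud, account_cloud) for every
    CNA policy paired with an account of a different or unknown cloud type."""
    findings = []
    for rule in rules:
        for pid in rule["policies"]:
            policy = policies.get(pid)
            if policy is None or not policy["is_cna"]:
                continue  # the article states the constraint for CNA policies
            for aid in rule["accounts"]:
                account_cloud = accounts.get(aid, "unknown")
                if account_cloud != policy["cloud_type"]:
                    findings.append((rule["name"], pid, aid,
                                     policy["cloud_type"], account_cloud))
    return findings

def cna_policies_with_no_valid_account(rules, policies, accounts):
    """List (rule, policy) pairs where no account in the rule matches the
    CNA policy's cloud type, so the rule gives that policy no valid target."""
    orphaned = []
    for rule in rules:
        clouds = {accounts.get(aid) for aid in rule["accounts"]}
        for pid in rule["policies"]:
            policy = policies.get(pid)
            if policy and policy["is_cna"] and policy["cloud_type"] not in clouds:
                orphaned.append((rule["name"], pid))
    return orphaned

if __name__ == "__main__":
    for f in find_cna_mismatches(ALERT_RULES, POLICIES, ACCOUNTS):
        print("MISMATCH rule=%s policy=%s account=%s (%s policy, %s account)" % f)
```
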



Additional Information


View our documentation here to configure alert rules to correct policies as per cloud type. 
