How to Collect Information that will help Identify why the Alert was triggered in Prisma Cloud Console?
Created On 11/25/22 06:57 AM - Last Modified 04/02/23 02:24 AM
Objective
- How to Collect Information that will help Identify why the Alert was triggered in Prisma Cloud Console?
Environment
- Prisma Cloud
Procedure
- Alert Details not only help identify why an Alert was triggered, but also help distinguish a False Positive from a Genuine Alert
- The following procedure provides a step-by-step approach to collecting this information
Note: The sample policy 'AWS S3 Buckets Block public access setting disabled' is used as the example throughout this illustration
I. The Alert Overview
- Go to Alerts > Overview page and then click 'Alert Count' of the target policy
- Click the Alert ID to see the Overview tab
- The Details section (as shown below) provides more information on the current status of the Alert and when it was triggered. The Alert resolution reason, if any, also shows up here
II. Alert Rules
- On the same page of the Alert Overview, click on Alert Rules tab to see which Alert Rule triggered this Alert
- Clicking on the Alert Rule will redirect you to the Alert Rule details
III. The Resource Config
- On the same page of the Alert Overview, click on the Resource Config tab to see the Resource Config ingested by Prisma Cloud
- Copy the content into a JSON or TXT file as shown below, so the exact configuration that was evaluated against the policy is preserved
IV. The Audit Trail of Target Resource
- On the same page of the Alert Overview, click on the Resource Name of the target Alert, or on the View Resource Explorer button on the Alert Detail, to check the Audit Trail of the target Resource
- This redirects you to the Resource Explorer, where you can check the change history of the Resource via the Event Timeline
- Further, if you hover over the exclamation mark, the related Alerts will also show up
- Clicking on the arrow mark (as shown below) will show you the updated content
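Once the Resource Config from step III has been saved to a file, the quickest way to confirm whether the policy condition really holds is to evaluate the same setting locally. The script below is an added example, not part of this article or of Prisma Cloud: it parses a constructed Resource Config for an S3 bucket and reports which Block Public Access settings are disabled, which is exactly what the sample policy 'AWS S3 Buckets Block public access setting disabled' checks. The four flag names are the AWS PublicAccessBlockConfiguration attributes; the surrounding JSON layout (key names, nesting) is an assumption and should be adjusted to match the export you copied.

```python
import json

# Constructed sample resembling an exported Resource Config for an S3 bucket.
# The four flags under "publicAccessBlockConfiguration" are the AWS
# PublicAccessBlockConfiguration attributes; the wrapping layout is assumed,
# not taken from a real Prisma Cloud export.
SAMPLE_RESOURCE_CONFIG = json.dumps({
    "name": "example-bucket",
    "region": "us-east-1",
    "publicAccessBlockConfiguration": {
        "blockPublicAcls": True,
        "ignorePublicAcls": False,
        "blockPublicPolicy": True,
        "restrictPublicBuckets": False,
    },
})

PUBLIC_ACCESS_FLAGS = (
    "blockPublicAcls",
    "ignorePublicAcls",
    "blockPublicPolicy",
    "restrictPublicBuckets",
)


def disabled_public_access_flags(resource_config_json: str) -> list:
    """Return the Block Public Access settings that are disabled.

    A flag counts as disabled when it is False or missing entirely (a bucket
    with no PublicAccessBlockConfiguration has all four settings disabled).
    """
    config = json.loads(resource_config_json)
    block = config.get("publicAccessBlockConfiguration") or {}
    return [flag for flag in PUBLIC_ACCESS_FLAGS if not block.get(flag, False)]


def explain_alert(resource_config_json: str) -> str:
    """Summarise why the sample policy fired, or flag a likely false positive."""
    disabled = disabled_public_access_flags(resource_config_json)
    if not disabled:
        return ("All four Block Public Access settings are enabled in this config: "
                "likely a false positive, or the resource changed after the alert; "
                "check the Event Timeline for a later update.")
    return "Genuine alert: disabled settings -> " + ", ".join(disabled)


if __name__ == "__main__":
    print(explain_alert(SAMPLE_RESOURCE_CONFIG))
```

If the exported config shows all four settings enabled while the alert is still open, compare the alert's trigger time from step I with the change history in step IV: the alert may reflect an earlier state of the bucket rather than a current misconfiguration.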
Additional Information