Why are alerts generated from a Prisma Cloud policy different from running the corresponding query (Saved Search) on the Investigate page?
Created On 01/23/23 19:29 PM - Last Modified 03/21/25 18:40 PM
Question
- Why are alerts generated from a Prisma Cloud policy different from running the corresponding query (Saved Search) on the Investigate page?
Environment
- Prisma Cloud
Answer
- The alerts differ from what is seen when running the RQL on the Investigate page because the policy engine evaluates queries slightly differently than the Investigate page does.
- To better understand why the differences occur, see the criteria below:
Criteria for creating a policy using a saved search
A saved search must be valid before it can be used to create a policy. For Config queries (config from cloud.resource where ...), you may see the error "RQL invalid for policy creation". This error indicates that the saved search RQL is not valid for creating a policy.
Currently, to create a policy the saved search must meet these guidelines:
- Does not have the azure.resource.group attribute
- When a tag attribute is within the json.rule, it does not have a resource list (a reference with { })
- Has either the api.name attribute or the finding.type attribute
- When it has the api.name attribute, it also includes a json.rule, or the group by or count function
- When it has the finding.type attribute, the specified values for the attribute do not contain Prisma Cloud Alert. You can, however, use the operator Not Equal Prisma Cloud Alert or Not IN (Prisma Cloud Alert, boo, etc.)
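The checklist above can be turned into a pre-flight check that runs before you try to save a policy, so that a saved search is rejected locally with a specific reason instead of with the generic "RQL invalid for policy creation" error. The following is an added example, not code from Prisma Cloud or its documentation: the sample RQL strings are constructed for illustration, and the matching is a simplified text scan of the attribute names named in this article rather than a real RQL parser.

```python
import re
from typing import Dict, List

# Constructed sample saved searches (illustrations only, not real policies),
# built from the attribute names the article lists.
SAMPLE_QUERIES: Dict[str, str] = {
    "api_name_with_json_rule": (
        "config from cloud.resource where api.name = 'aws-ec2-describe-instances' "
        "AND json.rule = state.name equals \"running\""
    ),
    "finding_not_equal_alert": (
        "config from cloud.resource where finding.type != 'Prisma Cloud Alert'"
    ),
    "finding_not_in_alert": (
        "config from cloud.resource where finding.type NOT IN ('Prisma Cloud Alert', 'boo')"
    ),
    "finding_equals_alert": (
        "config from cloud.resource where finding.type = 'Prisma Cloud Alert'"
    ),
    "azure_resource_group": (
        "config from cloud.resource where azure.resource.group = 'rg-demo' "
        "AND api.name = 'azure-vm-list' AND json.rule = powerState equals \"running\""
    ),
    "api_name_without_rule": (
        "config from cloud.resource where api.name = 'aws-ec2-describe-instances'"
    ),
    "tag_with_resource_list": (
        "config from cloud.resource where api.name = 'aws-ec2-describe-instances' "
        "AND json.rule = tags[*].key equals {Environment}"
    ),
    "neither_attribute": "config from cloud.resource where cloud.type = 'aws'",
}

# Captures the operator and value list of a finding.type clause (assumed shape).
FINDING_CLAUSE = re.compile(r"finding\.type\s*(not\s+in|in|!=|=)\s*(\([^)]*\)|'[^']*')")


def policy_creation_problems(rql: str) -> List[str]:
    """Return the guideline violations found in a saved search.

    An empty list means the query passes every check in the article's list.
    This is a simplified text scan, not an RQL parser (assumption for this example).
    """
    q = " ".join(rql.split()).lower()  # normalise whitespace and case
    problems: List[str] = []

    # Guideline: no azure.resource.group attribute
    if "azure.resource.group" in q:
        problems.append("uses the azure.resource.group attribute")

    # Guideline: must have api.name or finding.type
    has_api = "api.name" in q
    has_finding = "finding.type" in q
    if not (has_api or has_finding):
        problems.append("has neither api.name nor finding.type")

    # Guideline: api.name queries need json.rule, group by, or count
    if has_api and not re.search(r"json\.rule|group by|\bcount\b", q):
        problems.append("api.name query lacks json.rule, group by, or count")

    # Guideline: a tag attribute inside json.rule must not reference a resource list { }
    if "json.rule" in q:
        rule_part = q.split("json.rule", 1)[1]
        if re.search(r"tags?\b[^{]*\{[^}]*\}", rule_part):
            problems.append("tag attribute in json.rule references a resource list { }")

    # Guideline: finding.type may only mention Prisma Cloud Alert with != or NOT IN
    for op, values in FINDING_CLAUSE.findall(q):
        if op in ("=", "in") and "prisma cloud alert" in values:
            problems.append("finding.type includes Prisma Cloud Alert with = or IN")

    return problems


def usable_for_policy(rql: str) -> bool:
    """True when the saved search meets all the policy-creation guidelines."""
    return not policy_creation_problems(rql)


if __name__ == "__main__":
    for name, rql in SAMPLE_QUERIES.items():
        verdict = "OK" if usable_for_policy(rql) else "REJECT"
        print(f"{verdict:6} {name}: {policy_creation_problems(rql)}")
```

Running the script prints a verdict per sample; the point of returning the list of reasons rather than a bare boolean is that a query can violate more than one guideline at once (the azure_resource_group sample would also fail if its json.rule were dropped), and the user fixing the saved search wants all of them.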
Criteria for updating a saved search used in a policy
If you use a saved search to create a policy, you cannot update the following:
- cloud.type
- api.name (for non-join queries, api.name cannot be changed; for join queries, the api.name in the clause used for Show cannot be changed)
Example query structure: X; Y; Z; filter…; Show Y
- api.name in Y cannot be updated (because Y is used for Show)
- api.name in X, Z can be updated
Criteria for what is ignored or replaced when displaying results
The values for the following attributes in a saved search are replaced by the scope you define in an alert rule:
- cloud.account or cloud.accountgroup
- cloud.region
- tag (a tag filter used within the json.rule will be ignored)
- cloud.type, cloud.service
When resource.status is not specified in the query, both the Investigate page and the policy engine return active and deleted resources. However, the deleted resources for the policy engine include only the resources deleted since the last scan within the search scope, while the Investigate page scans all deleted resources available in the database. Specifically:
JOIN queries
For Investigate queries, a cross-account join is applied by default. For the policy engine, all queries are run on a specific account, which means a JOIN is done only within one account at a time.
- One way to validate this: run the original policy RQL on the Investigate page but restrict it to a specific cloud account; the results should then more closely resemble the alerts produced for that account.
Additional Information
Please see here for referenced documentation