Prisma Cloud : Why is the Custom Audit Event Policy generating Alerts for all Cloud Accounts while only a Specific Cloud Account is mentioned in the RQL query of this Policy?

Created On 02/04/23 01:47 AM - Last Modified 04/02/23 07:37 AM


Question


Example: The following RQL query from a Custom Audit Event Policy generates Alerts for all Cloud Accounts, not only for the specific Cloud Account 'Developer Sandbox' named in the query:
cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')


Environment


  • Prisma Cloud
  • Cloud Account


Answer


  • Since the November 2022 release, the cloud.account and cloud.region attributes in the RQL query are ignored for Custom and Existing Audit Event policies and the Alerts they generate
  • Only the Target Cloud Accounts and Cloud Regions selected in the Alert Rule configuration scope where Alerts for the Custom Audit Event Policy are generated; a Policy attached to an Alert Rule that targets all accounts therefore alerts on all of them, regardless of the account filter in the RQL
Reference: Features Introduced in November 2022


Additional Information


  • To check whether the Alerts are genuine or false positives, confirm that the Cloud Accounts named in the RQL query are also the Target Cloud Accounts selected in the Alert Rule configuration; Alerts from any additional accounts the Alert Rule targets are expected behavior, not a Policy defect
  • Create an Alert Rule for Run-Time Checks
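The following Python script is an added example, not part of this article and not Prisma Cloud's own tooling. It performs the check described above offline: it pulls the cloud.account and cloud.region literals out of an RQL query (which the platform now ignores), compares them with the accounts an Alert Rule actually targets, lists the accounts that will alert unexpectedly, and rewrites the query without the ignored clauses so that scoping lives in the Alert Rule instead. The ALERT_RULE dict and its field names (target_accounts, target_regions) are constructed for illustration and are not the Prisma Cloud API's alert-rule schema; the query is the one from the article.

```python
import re

# Constructed sample: the RQL query from the article, which tries to scope
# by account and region inside the query itself.
RQL = ("cloud.audit_logs where cloud.account = 'Developer Sandbox' "
       "AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')")

# Constructed sample of an Alert Rule's target scope. The field names are an
# assumption for this example, not the Prisma Cloud API's alert-rule object.
ALERT_RULE = {
    "name": "Audit events - all accounts",
    "target_accounts": ["Developer Sandbox", "Production", "Shared Services"],
    "target_regions": [],  # empty list treated as "all regions" in this example
}

# Matches the account/region clauses the platform ignores:
#   cloud.account = 'X'   or   cloud.region IN ('A', 'B')
_SCOPE_CLAUSE = re.compile(
    r"cloud\.(account|region)\s*(=|IN)\s*(\([^)]*\)|'[^']*')", re.IGNORECASE
)


def scope_filters(rql):
    """Return the literal account/region values the RQL names, by attribute."""
    found = {"account": set(), "region": set()}
    for attr, _op, rhs in _SCOPE_CLAUSE.findall(rql):
        found[attr.lower()].update(re.findall(r"'([^']*)'", rhs))
    return found


def strip_scope_filters(rql):
    """Drop cloud.account / cloud.region clauses; keep every other predicate."""
    head, sep, where = rql.partition(" where ")
    if not sep:
        return rql
    clauses = [c.strip() for c in re.split(r"\s+AND\s+", where, flags=re.IGNORECASE)]
    kept = [c for c in clauses if not _SCOPE_CLAUSE.match(c)]
    return head if not kept else f"{head} where {' AND '.join(kept)}"


def audit_scope(rql, rule):
    """Compare the RQL's (ignored) scope with the Alert Rule's effective scope."""
    filters = scope_filters(rql)
    ignored = [attr for attr, values in filters.items() if values]
    alerting = list(rule["target_accounts"])          # these accounts will alert
    wanted = filters["account"]
    unintended = [a for a in alerting if wanted and a not in wanted]
    return {
        "ignored_filters": ignored,                    # clauses with no effect
        "alerting_accounts": alerting,                 # what the rule really scopes to
        "unintended_accounts": unintended,             # "false positives" from the user's view
        "missing_from_rule": sorted(wanted - set(alerting)),
        "suggested_rql": strip_scope_filters(rql),
        "suggested_target_accounts": sorted(wanted) or alerting,
    }


if __name__ == "__main__":
    report = audit_scope(RQL, ALERT_RULE)
    print(f"Alert Rule '{ALERT_RULE['name']}'")
    print("  RQL clauses ignored by the platform :", report["ignored_filters"])
    print("  Accounts that will generate alerts  :", report["alerting_accounts"])
    print("  Accounts not named in the RQL       :", report["unintended_accounts"])
    print("  Suggested RQL                       :", report["suggested_rql"])
    print("  Suggested Alert Rule target accounts:", report["suggested_target_accounts"])
```

For the sample input the script reports that 'Production' and 'Shared Services' will alert even though the RQL names only 'Developer Sandbox', and suggests keeping `cloud.audit_logs where operation IN ('DeleteAccessKey')` as the Policy query with 'Developer Sandbox' selected as the Alert Rule's target account. Pointing the same check at exported Alert Rule configurations lets you find every Policy that still relies on an account or region clause for scoping.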


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sanlCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail