How To Identify and Validate False Positives in Prisma Cloud CSPM for Configuration Policies
Created On 10/10/25 15:00 PM - Last Modified 01/14/26 21:47 PM
Objective
- To provide a step-by-step process for troubleshooting and validating a potential false positive alert for a configuration-based policy in Prisma Cloud CSPM. This guide helps determine if an alert is incorrect by verifying the resource's configuration state against the data ingested by Prisma Cloud.
Environment
- Prisma Cloud
- Cloud Security Posture Management (CSPM)
- RQL (Resource Query Language)
- Cloud Service Provider (AWS, Azure, GCP, etc.) Console/CLI
Procedure
- A false positive occurs when Prisma Cloud generates an alert for a misconfiguration that does not actually exist on the cloud resource. This procedure focuses on verifying the data used by the policy's RQL query.
- Understand the Alert and Policy Query:
- Navigate to the alert in Prisma Cloud and identify the policy that triggered it.
- Examine the policy's RQL (Resource Query Language) query. This query defines the "bad" state that the policy is designed to detect.
- Take note of the specific resource and the configuration attributes the RQL is checking.
- Verify Prisma Cloud's Inventory Data:
- Go to the Investigate tab in Prisma Cloud.
- Use an RQL query to look up the current configuration data that Prisma Cloud has for the resource in question. For example, to check the data for a specific AWS S3 bucket, you might use a query like:
config from cloud.resource where api.name = 'aws-s3-bucket-details' AND json.rule = 'name equals my-bucket-name'
- Analyze the JSON output of this query. This shows you the exact configuration data that was evaluated by the policy at the time of the alert.
- Compare with Live Cloud Provider Data:
- Log in to your cloud service provider's console (e.g., AWS Management Console, Azure Portal).
- Navigate to the specific resource that triggered the alert.
- Manually inspect the configuration attributes that the policy is checking. For example, if the alert is for public S3 access, check the "Block public access" settings for that S3 bucket.
- Compare the live configuration in the cloud provider's console with the inventory data you retrieved from Prisma Cloud in the previous step.
- Draw a Conclusion:
- If the data matches (i.e., the configuration is incorrect in both Prisma Cloud and the cloud provider), the alert is a True Positive. The resource is genuinely misconfigured.
- If the data does not match (i.e., the configuration is correct in the cloud provider's console, but Prisma Cloud's data shows it as misconfigured), the alert is likely a False Positive. This often points to an issue with data ingestion or processing.
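Scripting the comparison from Steps 2 through 4, as an added example that is not part of the original article: the asset JSON and the AWS CLI output are constructed samples with assumed field names, and PUBLIC_ACCESS_CHECKS is a hypothetical mapping of the attributes a public-access policy checks; adapt the paths to the real asset JSON and the policy's RQL.

```python
# Added example, not Prisma Cloud's own code: compare the attributes a
# configuration policy checks in the Prisma Cloud asset JSON against the
# live cloud-provider data and classify the alert. The JSON shapes and field
# names below are constructed assumptions; adapt the paths to the real asset JSON.

# Constructed: asset JSON from the Investigate query (aws-s3-bucket-details).
PRISMA_ASSET = {
    "name": "my-bucket-name",
    "publicAccessBlockConfiguration": {
        "blockPublicAcls": False, "blockPublicPolicy": False},
}
# Constructed: live `aws s3api get-public-access-block` output for the bucket.
LIVE_AWS = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True},
}
# (path in Prisma asset JSON, path in live data, value the RQL treats as "bad")
PUBLIC_ACCESS_CHECKS = [
    ("publicAccessBlockConfiguration.blockPublicAcls",
     "PublicAccessBlockConfiguration.BlockPublicAcls", False),
    ("publicAccessBlockConfiguration.blockPublicPolicy",
     "PublicAccessBlockConfiguration.BlockPublicPolicy", False),
]

def get_path(doc, path):
    """Walk a dotted path through nested dicts; None if any key is absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def classify_alert(prisma, live, checks):
    """Per-attribute comparison plus the Step 4 verdict for the alert."""
    rows, prisma_bad, live_bad = [], False, False
    for p_path, l_path, bad in checks:
        p_val, l_val = get_path(prisma, p_path), get_path(live, l_path)
        rows.append({"attribute": p_path, "prisma": p_val, "live": l_val})
        prisma_bad = prisma_bad or p_val == bad   # ingested data shows bad state
        live_bad = live_bad or l_val == bad       # provider shows bad state
    if prisma_bad and live_bad:
        verdict = "True Positive"          # resource genuinely misconfigured
    elif prisma_bad:
        verdict = "Likely False Positive"  # ingested data stale or wrong
    else:
        verdict = "Indeterminate"          # ingested data not bad; review the RQL
    return {"verdict": verdict, "rows": rows}
```

The returned rows give the side-by-side values to paste into a support case alongside the Investigate screenshot and the provider console output.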
Additional Information
- Data to collect for a Support Case (If False Positive is Confirmed):
- The Alert ID(s).
- The name of the policy that is alerting.
- The full RQL query from the policy.
- The Resource ID and Resource Name.
- The asset JSON from Prisma Cloud.
- A screenshot from the Investigate query (from Step 2).
- A screenshot or command output from the cloud provider's console showing the correct configuration (from Step 3).