Prisma Cloud Compute Edition Administrator’s Guide
    : Alert Mechanism
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Alerts
    6. Alert Mechanism
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Alert Mechanism

    Table of Contents

    Alert Mechanism

    Prisma Cloud generates alerts to help you focus on the significant events that need your attention. Because alerts surface policy violations, you need to put them in front of the right audience and on time.
    To meet this need, you can create alert profiles that send events/notifications to the alert notification providers your internal teams use to triage and address these violations.
    Alert profiles are built on the following constructs:
    • Alert provider
       --
      Specifies the notification provider or channel to which you want to send alerts. Prisma Cloud supports multiple options such as email, JIRA, Cortex, and PagerDuty.
    You can create any number of alert profiles, where each profile gives you granular control over who should receive the notifications and for what types of alerts.
    • Alert settings
       --
      Specifies the configuration settings required to send the alert to the alert provider or messaging medium.
    • Alert triggers
       --
      Specifies what alerts you want to send to the provider included in the profile. Alerts are generated when the rules included in your policy are violated, and you can choose whether you want to send a notification for the detected issues. For example, on runtime violations, compliance violations, cloud discovery, or WAAS.
    Not all triggers are available for all alert providers.

    Frequency

    Most alerts trigger on a policy violation, and are aggregated by the audit aggregation period or frequency that you define as a global setting. Vulnerability, compliance, and cloud discovery alerts work differently, as described below.

    Vulnerability Alerts

    Image vulnerabilities are checked for images in the registry and deployed images. The number of known vulnerabilities in a resource is not static over time.
    As the Prisma Cloud Intelligence Stream is updated with new data, new vulnerabilities might be uncovered in resources that were previously considered clean. The first time a resource (image, container, host, etc.) enters the environment, Prisma Cloud assesses it for vulnerabilities. Thereafter, every resource is periodically rescanned.
    Daily vulnerability alerts report is sent once in 24 hours and uses a limit of 1000 alerts of similar alert types (such as code repos, registries, images, hosts, and functions) that can be sent to a single profile in batches of 50. The limit is designed to optimize Console resource consumption in large environments.
    • Immediate alerts
       — You can configure sending alerts immediately when the number of vulnerabilities for the resource increases, which can happen in one of the following scenarios:
      • Deploy a new image/host with vulnerabilities.
      • Detect new vulnerabilities when re-scanning existing image/host/registry images, in that case, an immediate alert is dispatched again for this resource with all its vulnerabilities.
        Immediate alerts are not supported for registry scan vulnerabilities.
        The ability to send immediate vulnerability alerts is configurable for each alert profile and is disabled by default.
        Immediate alerts do not affect the vulnerabilities report that is generated every 24 hours. The report will include all vulnerabilities that were detected in the last 24 hours, including those sent as an immediate alert.

    Compliance Alerts

    Compliance alerts are sent in one of two ways. Each alert channel that has compliance alert triggers ("Container and image compliance", "Host compliance"), only uses one of these ways.

    Compliance Reports

    This form of compliance alert works under the idea that resources in your system can only be in one of two states: compliant or non-compliant. When your system is non-compliant, Prisma Cloud sends an alert only when the number of compliance issues in the current scan is larger than the number of issues in the previous scan. The default scan interval is 24 hours.
    Compliance reports list each failed check, and the number of resources that failed the check in the latest scan and the previous scan. For detailed information about exactly which resources are non-compliant, use Compliance Explorer.
    For example:
    • Scan period 1: You have a non-compliant container named crusty_pigeon.
    You’ll be alerted about the container compliance issues.
    • Scan period 2: Container crusty_pigeon is still running. It’s still non-compliant. You’ll be alerted about the same container compliance issues.
    The following screenshot shows an example compliance email alert:
    This method applies to the following alert channels: email and Cortex XSOAR.

    Compliance Scans

    This form of compliance alert is emitted whenever there is an increment in the number of compliance issues detected on a resource.
    The first time a resource (image, container, host, etc) enters the environment, Prisma Cloud assesses it for compliance issues. If a compliance issue violates a rule in the policy, and the rule has been configured to trigger an alert, an alert is dispatched. Thereafter, every time a resource is rescanned (periodically or manually), and there is an increase in the resource’s compliance issues, an alert is dispatched again for this resource with all its compliance issues.
    This method applies to the following alert channels: Webhook, Splunk, and ServiceNow.

    Cloud Discovery Alerts

    Cloud discovery alerts warn you when new cloud-native resources are discovered in your environment so that you can inspect and secure them with Prisma Cloud. Cloud discovery alerts are available on the email and XSOAR channels only.
    For each new resource discovered in a scan, Prisma Cloud lists the cloud provider, region, project, service type (for example, AWS Lambda and Azure AKS), and resource name (such as my-aks-cluster).

    WAAS Alerts

    WAAS alerts are generated for the following—WAAS Firewall (App-Embedded Defender), WAAS Firewall (container), WAAS Firewall (host), WAAS Firewall (serverless), WAAS Firewall (Out-of-band), and WAAS health.

    Management

    When you set up alerts for Defender health events. These events tell you when Defender unexpectedly disconnects from Console. Alerts are sent when a Defender has been disconnected for more than 6 hours.

    CNNS

    Cloud Native Network Segmentation (CNNS)

    Runtime

    Runtime alerts are generated for the following categories: Container runtime, App-Embedded Defender runtime, Host runtime, Serverless runtime, and Incidents.
    For runtime audits, there’s a limit of 50 runtime audits per aggregation period (seconds, minutes, hours, days) for all alert providers.

    Access

    Access alerts are for the audits of users who accessed the management console (Admission audits) and Kubernetes audits.

    Code Repository

    Code repository vulnerabilities

    Set up alert notifications to an external integration using an alert profile

    1. Navigate to
      Compute > Manage > Alerts
      .
    2. Set the default frequency for alert notifications.
      The value you set for
      General Settings
       applies to all alert notifications except for vulnerability, compliance, and cloud discovery.
      For vulnerability, compliance, and cloud discovery, the default frequency varies by integration and is displayed when you select the alert triggers for which you want to send notifications in step 4. The default for all other alert notifications is 1 second, and you can change it to 1 minute, 10 minutes, 1 hour, or 1 day.
    3. Enter a name for the profile.
      Select the provider from the list.
      The supported providers are: Cortex, Email, Google Pub/Sub, Google CSCC, IBM Cloud Security Advisor, Jira, PagerDuty, ServiceNow, AWS Security Hub, Slack, Splunk, and Webhook.
    4. Select the triggers.
      The triggers are grouped by category.
      For each category, you can select the event for which you want to send a notification and select the rules for the respective trigger. The frequency for vulnerability, compliance, and cloud discovery varies by provider and is enabled when you select one or more triggers within the alert category (see above for a description of each category).
    5. Set up the configuration for integrating with the provider.
      Use the instructions for the provider of your choice.
    6. Review the summary.
    7. Send a test alert.
    8. Verify the status of the alert profile.
      Check that the alert profile you created displays in the table and the connection status is green. If not, edit the profile to set it up properly and verify that the test alert is successful.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.