Alert mechanism

Prisma Cloud generates alerts to help you focus on the significant events that need your attention. Because alerts surface policy violations, you need to put it in front of the right audience and in a timely manner. To meet this need, you can create alert profiles that send events/notifications to the alert notification providers your internal teams use to triage and address these violations.
Alert profiles are built on the following constructs:
  • Alert provider
    --
    Specifies the notification provider or channel to which you want to send alerts. Prisma Cloud supports multiple options such as email, JIRA, Cortex, PagerDuty.
There are two ways of integrating with alert providers.
  1. Set up once on the platform under
    Settings > Integrations
    for all the supported integrations and use the same integration for sending both CSPM and Compute alerts.
  2. Set it up on
    Compute > Manage > Alerts > Manage
    for integrations that are only available on Compute. For example, if you want to use the IBM Cloud Security Advisor, or Cortex as your alert provider.
You can create any number of alert profiles, where each profile gives you granular control over who should receive the notifications and for what types of alerts.
  • Alert settings
    --
    Specifies the configuration settings required to send the alert to the alert provider or messaging medium.
  • Alert triggers
    --
    Specifies what alerts you want to send to the provider included in the profile. Alerts are generated when the rules included in your policy are violated, and you can choose whether you want to send a notification for the detected issues. For example, on runtime violations, compliance violations, cloud discovery or WAAS.
Not all triggers are available for all alert providers.

Frequency

Most alerts trigger on a policy violation, and are aggregated by the audit aggregation period and the frequency is inherited as a global setting. For Vulnerability, compliance, and cloud discovery alerts, the default frequency varies by integration and is displayed when you select the alert triggers for which you want to send notifications.

Vulnerability alerts

Image vulnerabilities are checked for image in the registry and deployed. The number of known vulnerabilities in a resource is not static over time. As the Prisma Cloud Intelligence Stream is updated with new data, new vulnerabilities might be uncovered in resources that were previously considered clean. The first time a resource (image, container, host, etc.) enters the environment, Prisma Cloud assesses it for vulnerabilities. Thereafter, every resource is periodically rescanned. Prisma Cloud sends an alert that reports on all newly detected vulnerabilities within the last 24 hours.
Vulnerability alerts from registry scans only trigger for the 50 most recent images, as sorted by last modified date. The limit is designed to optimize Console resource consumption in large environments.
  • Immediate alerts
    — You can configure sending alerts immediately when the number of vulnerabilities for the resource increased, which can happen in one of the following scenarios:
    • Deploy a new image/host with vulnerabilities.
    • Detect new vulnerabilities when re-scanning existing image/host, in that case an alert is dispatched again for this resource with all its vulnerabilities.
      Immediate alerts are not supported for registry scan vulnerabilities.
      The ability to send immediate vulnerability alerts is configurable for each alert profile and is disabled by default.
      Immediate alerts do not affect the vulnerabilities report that is generated every 24 hours. The report will include all vulnerabilities that were detected in the last 24 hours, including those sent as an immediate alert.

Compliance alerts

Compliance alerts are sent in one of two ways. Each alert channel that has compliance alert triggers ("Container and image compliance", "Host compliance"), only uses one of these ways.

Compliance reports

This form of compliance alert works under the idea that resources in your system can only be in one of two states: compliant or non-compliant. When your system is non-compliant, Prisma Cloud sends an alert. As long as there are non-compliant resources, Prisma Cloud sends an alert every 24 hours. Compliance reports list each failed check, and the number of resources that failed the check in the latest scan and the previous scan. For detailed information about exactly which resources are non-compliant, use Compliance Explorer.
For example:
  • Scan period 1: You have non-complaint container named crusty_pigeon. You’ll be alerted about the container compliance issues.
  • Scan period 2: Container crusty_pigeon is still running. It’s still non-compliant. You’ll be alerted about the same container compliance issues.
The following screenshot shows an example compliance email alert:
This method applies to the following alert channels: email, Cortex XSOAR.

Compliance scans

This form of compliance alert is emitted whenever there is an increasment in the number of compliance issues detected on a resource. The first time a resource (image, container, host, etc) enters the environment, Prisma Cloud assesses it for compliance issues. If a compliance issue violates a rule in the policy, and the rule has been configured to trigger an alert, an alert is dispatched. Thereafter, every time a resource is rescanned (periodically or manually), and there is an increasment in the resource’s compliance issues, an alert is dispatched again for this resource with all its compliance issues.
This method applies to the following alert channels: Webhook, Splunk, and ServiceNow.

Cloud discovery alerts

Cloud discovery alerts warn you when new cloud native resources are discovered in your environment so that you can inspect and secure them with Prisma Cloud. Cloud discovery alerts are available on the email channel only. For each new resource discovered in a scan, Prisma Cloud lists the cloud provider, region, project, service type (i.e. AWS Lambda, Azure AKS) and resoure name (my-aks-cluster).

WAAS alerts

WAAS alerts are generated for the following—WAAS Firewall (App-Embedded Defender), WAAS Firewall (container), WAAS Firewall (host), WAAS Firewall (serverless), WAAS Firewall (Out-of-band), WAAS health

Management

When you set up alerts for Defender health events. These events tell you when Defender unexpectedly disconnects from Console. Alerts are sent when a Defender has been disconnected for more than 6 hours.

CNNF

Cloud Native Network Firewall (CNNF)

Runtime

Runtime alerts are generated for the following categories—Container runtime, App-Embedded Defender runtime,Host runtime, Serverless runtime, and Incidents.
For runtime audits, there’s a limit of 50 runtime audits per aggregation period (seconds, minutes, hours, days) for all alert providers.

Access

Access alerts are for the audits of users who accessed the management console (Admission audits) and Kubernetes audits.

Code repository

Code repository vulnerabilities

Set up Prisma Cloud Notification Providers

You can set up the external integration with a provider on the Prisma Cloud console under
Settings > Integrations
.. This option enables you set it up once on and use it for both CSPM alerts and for Compute alert notifications.
  1. Set up the integration.
    See detailed instructions here.
  2. Import the integration to send Compute alert notifications
    1. Navigate to
      Compute > Manage > Alerts
    2. Select the
      Audit aggregation period
      .
      You can set the default frequency for sending violation notifications at 10 Minutes, hourly or daily for all alerts with the exception of vulnerability, compliance and cloud discovery. The frequency for vulnerability, compliance and cloud discovery is more granular and is configured within the profile.
  3. Add the provider to whom you want to send notifications.
    1. Select
      Add Profile
      .
    2. From the
      Provider
      drop down, select
      Prisma Cloud
      .
    3. Select the
      Integrations
      that you want to send notifications.
      The list displays the integrations that you have already set up on Prisma cloud.
    4. Select the triggers to be send to this channel.
      The triggers are grouped by category. You must enable at least one trigger within a category to then select the rules to alert on and verify the frequency for alert notifications. For example, with Email, Vulnerability and Compliance alerts are sent every 24 hours and Cloud discovery is real-time.
    5. Save
      your changes.
Test alert notifications are sent immediately to the provider channels regardless of the alert aggregation period chosen.

Supported Prisma Cloud Integrations

  • Email
  • JIRA
  • Slack
  • Splunk
  • PagerDuty
  • Webhooks
  • Google Cloud Security Command Center - Only available for onboarded PC accounts.
  • AWS Security Hub - Only available for onboarded PC accounts.
  • ServiceNow - Only Incident Response
NOTE: * The alert profiles from platform are fetched when you refresh or reload the page. However, when you are logged in, if an integration is deleted from the platform, to see the change you must log out and log in again to the console. The change is not reflected on a browser refresh.
  • Prisma Cloud plaform currently supports a size limit of 1M for alert notifications payload. Hence the notifications set up using Prisma Cloud integration, will be limited to this size. A log message will be added when an alert message of this size is generated on Compute side.

Recommended For You