1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Alerts
    6. Email alerts

    Email alerts

    Prisma Cloud can send email alerts when your policies are violated. Audits in
    Monitor > Events
     are the result of a policy violation. Prisma Cloud can be configured to notify the appropriate party by email when an entire policy, or even specific rules, are violated.
    Because Prisma Cloud Enterprise Edition Compute Console is hosted on Google Cloud Platform, outbound connections to port 25 from Console are blocked. All other ports are available, including ports 587 and 465. For more information, see here.

    Configuring alert frequency

    You can configure the rate at which alerts are emitted. This is a global setting that controls the spamminess of the alert service. Alerts received during the specified period are aggregated into a single alert. For each alert profile, an alert is sent as soon as the first matching event is received. All subsequent alerts are sent once per period.
    1. Open Console, and go to
      Manage > Alerts
      .
    2. In
      General settings
      , select the default frequency for all alerts.
      You can specify
      Second
      ,
      Minute
      ,
      Hour
      ,
      Day
      .

    Sending email alerts

    Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent. You can send alerts to any combination of channels by creating multiple alert profiles.
    Alert profiles consist of two parts:
    (1) Alert settings — Who should get the alerts, and on what channel?
     Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent. For example, configure the email channel and specify a list of all the email addresses where alerts should be sent. Or for JIRA, configure the project where the issue should be created, along with the type of issue, priority, assignee, and so on.
    (2) Alert triggers — Which events should trigger an alert to be sent?
     Specify which of the rules that make up your overall policy should trigger alerts.
    If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.

    Create a new alert profile

    1. In
      Manage > Alerts
      , select
      Add profile
      .
    2. Enter a
      Profile name
      .
    3. In
      Provider
      , select
      Email
      .
    4. Select
      Next
      .

    Configure the triggers

    1. In
      Select triggers
      , select the events that should trigger an alert to be sent.
    2. To specify specific rules that should trigger an alert, deselect
      All rules
      , and then select any individual rules.
    3. Click
      Next
      .

    Configure the channel

    1. In
      SMTP address
      , specify the hostname for your outgoing email server.
    2. In
      Port
      , specify the port for email submissions.
    3. In
      Credential
      , create the credentials required to access the email account that sends alerts. This isn’t a required field.
      1. Select
        Add new
        .
      2. Select
        Basic authentication
        .
      3. Enter a username and password.
    4. If you are using SMTPS, where the SMTP connection is encrypted when established, set
      SSL
       to
      On
      .
      To support email alerts for SMTP connections encrypted using the STARTTLS command, disable
      SSL
      .
    5. Set up your recipients.
      1. Select
        Add recipient
        , and enter an email address. Every email alert profile must have at least one recipient, even if you’re using alert labels.
      2. (Optional) Specify recipients using alert labels.
    6. Select
      Next
      .
    7. Review the
      Summary
       and test the configuration by selecting
      Send test alert
      .
    8. Select
      Save
      .

    Troubleshooting

    Unable to test Email Alerts for 'smtp.office365.com' on port 587.

    Prisma Cloud fails to send test alerts to 'smtp.office365.com' on port 587 after enabling
    SSL
    .
    Cause
    :
    In the SMTP protocol that Prisma Cloud Console uses to send Email Alerts, there is a following standard flow in which the client (Prisma Cloud Console) requests the server to convert an existing plain-text connection to an encrypted connection:
    • The client (in this case the PCC console) sends the message “EHLO” to the server (e.g. smtp.office365.com).
    • The server responds with available extensions, one of which is “STARTTLS“.
    • The client responds with “STARTTLS“.
    • The server acknowledges receiving the “STARTTLS”.
    • The client issues a TLS handshake with the server.
    • Once the handshake is successful, all communication with the server from here on is encrypted.
    We support using 'STARTTLS' to encrypt Email Alerts sent over SMTP if the mail server supports it. With 'smtp.office365.com' and 'smtp-legacy.office365.com' using port 587, 'STARTTLS' is used, which encrypts subsequent communication even without 'SSL' toggle being enabled.
    1. Configure the alert profile settings with the SMTP address on same port '587' with
      SSL
       disabled.
    <