Prisma Cloud can send email alerts when your policies are violated. Audits in
Monitor > Eventsare the result of a policy violation. Prisma Cloud can be configured to notify the appropriate party by email when an entire policy, or even specific rules, are violated.
Because Prisma Cloud Enterprise Edition Compute Console is hosted on Google Cloud Platform, outbound connections to port 25 from Console are blocked. All other ports are available, including ports 587 and 465. For more information, see here.
Configuring alert frequency
You can configure the rate at which alerts are emitted. This is a global setting that controls the spamminess of the alert service. Alerts received during the specified period are aggregated into a single alert. For each alert profile, an alert is sent as soon as the first matching event is received. All subsequent alerts are sent once per period.
- Open Console, and go toManage > Alerts.
- InGeneral settings, select the default frequency for all alerts.You can specifySecond,Minute,Hour,Day.
Sending email alerts
Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent. You can send alerts to any combination of channels by creating multiple alert profiles.
Alert profiles consist of two parts:
(1) Alert settings — Who should get the alerts, and on what channel?Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent. For example, configure the email channel and specify a list of all the email addresses where alerts should be sent. Or for JIRA, configure the project where the issue should be created, along with the type of issue, priority, assignee, and so on.
(2) Alert triggers — Which events should trigger an alert to be sent?Specify which of the rules that make up your overall policy should trigger alerts.
If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.
Create a new alert profile
- InManage > Alerts, selectAdd profile.
- Enter aProfile name.
- InProvider, select
Configure the triggers
- InSelect triggers, select the events that should trigger an alert to be sent.
- To specify specific rules that should trigger an alert, deselectAll rules, and then select any individual rules.
Configure the channel
- InSMTP address, specify the hostname for your outgoing email server.
- InPort, specify the port for email submissions.
- InCredential, create the credentials required to access the email account that sends alerts. This isn’t a required field.
- SelectAdd new.
- SelectBasic authentication.
- Enter a username and password.
- If you are using SMTPS, where the SMTP connection is encrypted when established, setSSLtoOn.
- Set up your recipients.
- SelectAdd recipient, and enter an email address. Every email alert profile must have at least one recipient, even if you’re using alert labels.
- (Optional) Specify recipients using alert labels.
- Review theSummaryand test the configuration by selectingSend test alert.
Unable to test Email Alerts for 'smtp.office365.com' on port 587.
Prisma Cloud fails to send test alerts to 'smtp.office365.com' on port 587 after enabling
In the SMTP protocol that Prisma Cloud Console uses to send Email Alerts, there is a following standard flow in which the client (Prisma Cloud Console) requests the server to convert an existing plain-text connection to an encrypted connection:
- The client (in this case the PCC console) sends the message “EHLO” to the server (e.g. smtp.office365.com).
- The server responds with available extensions, one of which is “STARTTLS“.
- The client responds with “STARTTLS“.
- The server acknowledges receiving the “STARTTLS”.
- The client issues a TLS handshake with the server.
- Once the handshake is successful, all communication with the server from here on is encrypted.
We support using 'STARTTLS' to encrypt Email Alerts sent over SMTP if the mail server supports it. With 'smtp.office365.com' and 'smtp-legacy.office365.com' using port 587, 'STARTTLS' is used, which encrypts subsequent communication even without 'SSL' toggle being enabled.
- Configure the alert profile settings with the SMTP address on same port '587' withSSLdisabled.