Email alerts

Prisma Cloud can send email alerts when your policies are violated. Audits in
Monitor > Events
are the result of a policy violation. Prisma Cloud can be configured to notify the appropriate party by email when an entire policy, or even specific rules, are violated.
Because Prisma Cloud Enterprise Edition Compute Console is hosted on Google Cloud Platform, outbound connections to port 25 from Console are blocked. All other ports are available, including ports 587 and 465. For more information, see here.

Configuring alert frequency

You can configure the rate at which alerts are emitted. This is a global setting that controls the spamminess of the alert service. Alerts received during the specified period are aggregated into a single alert. For each alert profile, an alert is sent as soon as the first matching event is received. All subsequent alerts are sent once per period.
  1. Open Console, and go to
    Manage > Alerts
    .
  2. In
    General settings
    , select the default frequency for all alerts.
    You can specify
    Second
    ,
    Minute
    ,
    Hour
    ,
    Day
    .

Sending email alerts

Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent. You can send alerts to any combination of channels by creating multiple alert profiles.
Alert profiles consist of two parts:
(1) Alert settings — Who should get the alerts, and on what channel?
Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent. For example, configure the email channel and specify a list of all the email addresses where alerts should be sent. Or for JIRA, configure the project where the issue should be created, along with the type of issue, priority, assignee, and so on.
(2) Alert triggers — Which events should trigger an alert to be sent?
Specify which of the rules that make up your overall policy should trigger alerts.
If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.

Create a new alert profile

  1. In
    Manage > Alerts
    , select
    Add profile
    .
  2. Enter a
    Profile name
    .
  3. In
    Provider
    , select
    Email
    .
  4. Select
    Next
    .

Configure the triggers

  1. In
    Select triggers
    , select the events that should trigger an alert to be sent.
  2. To specify specific rules that should trigger an alert, deselect
    All rules
    , and then select any individual rules.
  3. Click
    Next
    .

Configure the channel

  1. In
    SMTP address
    , specify the hostname for your outgoing email server.
  2. In
    Port
    , specify the port for email submissions.
  3. In
    Credential
    , create the credentials required to access the email account that sends alerts. This isn’t a required field.
    1. Select
      Add new
      .
    2. Select
      Basic authentication
      .
    3. Enter a username and password.
  4. If you are using SMTPS, where the SMTP connection is encrypted when established, set
    SSL
    to
    On
    .
    To support email alerts for SMTP connections encrypted using the STARTTLS command, disable
    SSL
    .
  5. Set up your recipients.
    1. Select
      Add recipient
      , and enter an email address. Every email alert profile must have at least one recipient, even if you’re using alert labels.
    2. (Optional) Specify recipients using alert labels.
  6. Select
    Next
    .
  7. Review the
    Summary
    and test the configuration by selecting
    Send test alert
    .
  8. Select
    Save
    .

Troubleshooting

Unable to test Email Alerts for 'smtp.office365.com' on port 587.

Prisma Cloud fails to send test alerts to 'smtp.office365.com' on port 587 after enabling
SSL
.
Cause
:
In the SMTP protocol that Prisma Cloud Console uses to send Email Alerts, there is a following standard flow in which the client (Prisma Cloud Console) requests the server to convert an existing plain-text connection to an encrypted connection:
  • The client (in this case the PCC console) sends the message “EHLO” to the server (e.g. smtp.office365.com).
  • The server responds with available extensions, one of which is “STARTTLS“.
  • The client responds with “STARTTLS“.
  • The server acknowledges receiving the “STARTTLS”.
  • The client issues a TLS handshake with the server.
  • Once the handshake is successful, all communication with the server from here on is encrypted.
We support using 'STARTTLS' to encrypt Email Alerts sent over SMTP if the mail server supports it. With 'smtp.office365.com' and 'smtp-legacy.office365.com' using port 587, 'STARTTLS' is used, which encrypts subsequent communication even without 'SSL' toggle being enabled.
  1. Configure the alert profile settings with the SMTP address on same port '587' with
    SSL
    disabled.
<