1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Manage Prisma Cloud Alerts
    6. Configure Prisma Cloud to Automatically Remediate Alerts

    Configure Prisma Cloud to Automatically Remediate Alerts

    To facilitate rapid incident response, configure Prisma™ Cloud to automatically remediate cloud Security policy violations in your cloud environments using multi-step CLI commands in one-click.
    If you want Prisma™ Cloud to automatically resolve policy violations, such as misconfigured security groups, you can configure Prisma Cloud for automated remediation. To automatically resolve a policy violation, Prisma Cloud runs the CLI command associated with the policy in the cloud environments where it discovered the violation. On Prisma Cloud, you can enable automated remediation for default policies (Config policies only) that are designated as remediable (indicated by in the Remediable column) and for any cloned or custom policies that you add.
    To enable automated remediation, identify the set of policies that you want to remediate automatically and verify that Prisma Cloud has the required permissions in the associated cloud environments. Then Create an Alert Rule for Run-Time Checks that enables automated remediation for the set of policies you identified.
    When you enable automated remediation:
    • Prisma Cloud makes changes to the resource configuration in your cloud environment to address security misconfigurations. These changes are executed using CLI commands and can potentially disrupt access to your applications.
    • All applicable open alerts regardless of when they were generated are fixed, and the alert status is updated as
      Resolved
      .
    If you want to use automated remediation using serverless functions for your cloud resources on AWS, use the runbooks on GitHub. The Prisma Cloud platform sends alert messages to an AWS SQS Queue, which in turn invokes a lambda function index_prisma.py. The function then calls the appropriate runbook script to remediate the alert(s). To use AWS Lambda for automatic remediation, you do not need to give Prisma Cloud read-write access to your AWS accounts, and is an alternative way for you to try remediation for violating resources.
    1. Verify that Prisma Cloud has the required privileges to remediate the policies you plan to configure for automated remediation.
      1. To view remediable policies, select
        Policies
         and set the filter to
        Remediable
        True
        .
        If the Remediable column is not displayed on the Policies page, use the
        Column Picker
         ( ) to display it.
      2. Select a policy for which you want to enable remediation.
      3. On the Alerts Overview page, click
        Alerts
        .
      4. You can edit the policy that triggered the alert, view the details on the resources and the policy recommendations in separate tabs. Select the
        Alert ID
         and the slide-out panel provides a better view of the alert details.
      5. You will see the list of resources that triggered the alert under
        Violating Resources
        .
        Review the required privileges in the CLI Command Description to identify which permissions Prisma Cloud requires in the associated cloud environments to be able to remediate violations of the policy.
        You can define up to 5 CLI commands in a sequence for a multi-step automatic remediation workflow. Add the commands in the sequence you want them to execute and separate the commands with a semi colon. If any CLI command included in the sequence fails, the execution stops at that point. See 7.
      6. Click
        Edit Policy
         to access the policy directly from the alert.
      7. Click the
        Recommendations
         tab to view the policy that triggered the alert.
    2. Create an Alert Rule for Run-Time Checks or modify an existing alert rule.
    3. On the
      Select Policies
       page, enable
      Automated Remediation
       and then
      Continue
       to acknowledge the impact of automated remediation on your application.
      The list of available policies updates to show only those policies that are remediable (as indicated by in the Remediable column).
      If you are modifying an existing alert rule that includes non-remediable policies, those policies will no longer be included in the rule. When you modify the rule, Prisma Cloud notifies all account administrators who have access to that rule.
    4. Finish configuring and
      Save
       the new alert rule or
      Confirm
       your changes to an existing alert rule.
      When you save the alert rule, Prisma Cloud automatically runs the remediation CLI to resolve policy violations for all open alerts regardless of when they were generated, and updates the alert status as
      Resolved
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo