Create an Alert Rule for Run-Time Checks
Prisma Cloud Enterprise Edition
Use alert rules to define the policy rule violations within specific cloud accounts that trigger alert notifications to a particular destination.
If you want to create an alert rule for workload protection, see Workload Protection.
After you have deployed your resources on the cloud platform of your choice, alert rules (for run-time checks) enable you to define the policy violations in a selected set of cloud accounts for which you want to trigger alerts.
When you create an alert rule for run-time checks, you select the account groups to which the rule applies and the corresponding set of policies for which you want to trigger alerts. You can add more granularity to the rule by excluding some cloud accounts from the selected account groups, by specifying specific regions for which to send alerts, and even by narrowing down the rule to specific cloud resources identified by resource tags. This provides you with flexibility in how you manage alerts and ensures that you can adhere to the administrative boundaries you defined. You can create a single alert rule that alerts on all policy rules or you can define granular alert rules that send very specific sets of alerts for specific cloud accounts, regions, and even resources to specific destinations.
Prisma™ Cloud monitors your cloud resources as soon as you onboard a cloud account. However, to receive alerts you first have to enable alerting for each cloud account. If you group cloud accounts into account groups to assign appropriate access levels, an account group must be assigned to an alert rule and that rule associated with a policy before any alert is triggered.
When you create an alert rule, you can Configure Prisma Cloud to Automatically Remediate Alerts, which enables Prisma Cloud to automatically run the CLI command required to remediate the policy violation directly in your cloud environments. Automated remediation is only available for default policies (Config policies only) that are designated as Remediable on the Policies page. In addition, if you Configure External Integrations on Prisma Cloud with third-party tools, defining granular alert rules enables you to send only the alerts you need to enhance your existing operational, ticketing, notification, and escalation workflows with the addition of Prisma Cloud alerts on policy violations in all your cloud environments. To see any existing integrations, go to Settings > Integrations.
- Select Alerts > Alert Rules and click Add Alert Rule.
- In Add Details, enter a Name for the alert rule and, optionally, a Description to communicate the purpose of the rule.
- You can enable the optional Auto-Actions, Alert Notifications, and Auto-Remediation settings up front. If you enable any of these options, they are displayed as additional steps in the alert rule creation process; for example, if you enable Alert Notifications, the Configure Notifications step is displayed. If you enable Auto-Remediation, the list of policies shows only Remediable policies.
- Click Next.
- Assign Targets to add more granularity for which cloud resources trigger alerts for this alert rule, and then provide more criteria as needed:
  - Select the Account Groups to which you want this alert rule to apply.
  - Exclude Cloud Accounts and Regions from your selected Account Groups. If there are cloud accounts or regions in the selected account groups for which you do not want to trigger alerts, select those accounts and regions from the list.
  - Select Include Tag Resource Lists to easily manage or identify the type of your resources. To trigger alerts only for specific resources in the selected cloud accounts, enter the Key and Value of the resource tag you created for the resource in your cloud environment. Tags apply only to Config and Network policies. When you add multiple resource tags, they are combined with the boolean OR operator.
  - After defining the target cloud resources, click Next.
- Select the policies for which you want this alert rule to trigger alerts and, optionally, Configure Prisma Cloud to Automatically Remediate Alerts.
  - Either Select All Policies or select the specific policies that match the filter criteria for which you want to trigger alerts on this alert rule. Selecting All Policies creates a large volume of alerts; a granular, filtered selection gives more relevant and targeted alerts specific to your requirement.
  - Click Add Filter to narrow the list while selecting policies. You can filter by Policy Severity, Cloud Type, Compliance Standard, and Policy Label. As you select filters, the results listed in the table refresh automatically. Click Reset Filters to remove the filter selection.
    To reduce alert fatigue, for Prisma Cloud tenants created after the 22.10.1 release the default alert rule includes only the Prisma Cloud Recommended OOTB policies. You can filter these policies using the Prisma_Cloud label. Include new policies matching filter criteria is enabled when you select at least one filter and then select all rows in the table by selecting the top checkbox in the first column. Once enabled, new policies that are added later and match the same filter criteria are automatically included.
  - To help you find the specific group of policies for which you want this rule to alert:
    - Filter Results—Enter a Search term to filter the list of policies to those with specific keywords.
    - Column Picker—Click Edit to modify which columns to display.
    - Sort—Click the corresponding Sort icon to sort on a specific column.
    - Fullscreen—Click View in Fullscreen mode to see an expanded view of the table.
  - Click Next.
- (Optional) You can automatically dismiss alerts that have specific tags as defined on the resource and added to the Resource Lists on Prisma Cloud. The reason for the dismissal is included in the alert rule L2 view. If you enabled Auto-Actions (Limited GA) in the Add Details screen, all existing alerts with matching tags are auto-dismissed when you update an alert rule. When an alert has been dismissed and you update the alert rule, the alert stays dismissed. If you are interested, reach out to Prisma Cloud Customer Support and submit a request to enable this feature on your tenant. The team will promptly review your request and inform you about your tenant's eligibility for LGA access. Add a Reason, Requestor, and Approver for the automatic dismissal and click Next.
- By default, all alerts triggered by the alert rule display on the Alerts page. If you Configure External Integrations on Prisma Cloud, you can also send Prisma Cloud alerts triggered by this alert rule to third-party tools. For example, you can Send Alert Notifications to Amazon SQS or Send Alert Notifications to Jira. For Prisma Cloud Data Security, see Generate Alerts for Data Policies. In addition, you can configure the alert rule to Send Alert Notifications Through Email. If you want to delay the alert notifications for Config alerts, you can configure Prisma Cloud to Trigger notification for config alert only after the alert is open for a specific number of minutes. The notification delay that you configure for Config alerts does not affect the timing of any remediation that might occur for this alert.
- (Optional) Configure Notifications to enable alert notifications for all states. If you want to receive external notifications when the status of an existing alert changes, you can configure Prisma Cloud to generate notifications when an existing alert is Dismissed, Snoozed, or Ignored. The options for configuring the notification settings:
  - Notify when alert is—Select this dialog box to configure the alert states; the Open state is enabled by default. After selecting the alert states, select the integration services for which you want to generate alerts.
  - Trigger notification for config alert only after the alert is open for—Specify the length of time (in minutes) to wait before sending notifications after an alert is generated. This value does not apply to recurring (or scheduled) notifications.
  The ability to send notifications for all states is limited GA. If you are interested, reach out to Prisma Cloud Customer Support and submit a request to enable this feature on your tenant. The team will review your request and inform you about your tenant's eligibility for LGA access. No alerts will be generated for the Jira and Cortex XSOAR integrations.
- View the Summary of the alert rule. Click Edit if you want to change any setting, and Save the alert rule.
- To verify that the alert rule triggers the expected alerts, select Alerts > Overview and ensure that you see the alerts you expect to see there. If you configured the rule to Send Prisma Cloud Alert Notifications to Third-Party Tools, make sure you also see the alert notifications in those tools.
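The targeting, policy-selection, and notification-delay semantics described in the steps above, as an added illustrative model in Python (not Prisma Cloud's own code or API): the account-to-group inventory, the rule fields, the policy attribute names, and the policy type strings are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample inventory (an assumption, not Prisma Cloud data): cloud account -> account group
ACCOUNT_GROUPS = {"prod-aws-1": "Production", "prod-aws-2": "Production", "dev-aws-1": "Development"}


@dataclass
class AlertRule:
    account_groups: set
    excluded_accounts: set = field(default_factory=set)
    excluded_regions: set = field(default_factory=set)
    tags: list = field(default_factory=list)           # [(key, value)] pairs, OR-ed together
    policy_ids: set = field(default_factory=set)       # policies ticked explicitly in the table
    policy_filter: dict = field(default_factory=dict)  # e.g. {"severity": {"high"}, "label": {"Prisma_Cloud"}}
    include_new_matching: bool = False                 # "Include new policies matching filter criteria"
    config_notify_delay_min: int = 0                   # "Trigger notification for config alert only after..."


def targets_resource(rule, account, region, resource_tags, policy_type):
    """Assign Targets step: account-group membership minus excluded accounts/regions, then tags."""
    if ACCOUNT_GROUPS.get(account) not in rule.account_groups:
        return False
    if account in rule.excluded_accounts or region in rule.excluded_regions:
        return False
    # Resource tags narrow the rule only for Config and Network policies; several tags are OR-ed.
    if rule.tags and policy_type in ("config", "network"):
        return any(resource_tags.get(key) == value for key, value in rule.tags)
    return True


def _values(attr):
    # A policy attribute may be a single string (severity) or a list (labels); compare as a set.
    return {attr} if isinstance(attr, str) else set(attr)


def policy_selected(rule, policy):
    """Explicitly selected policies always match. With include_new_matching on, any policy
    (including one published later) that matches every filter dimension matches as well."""
    if policy["id"] in rule.policy_ids:
        return True
    if not (rule.include_new_matching and rule.policy_filter):
        return False
    return all(_values(policy.get(dim, ())) & allowed for dim, allowed in rule.policy_filter.items())


def notify_due(rule, policy_type, minutes_open):
    """Config alerts are notified only once open for the configured delay; other alert types
    notify at once. The delay changes notification timing only, not when remediation runs."""
    return policy_type != "config" or minutes_open >= rule.config_notify_delay_min
```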