Create an Alert Rule for Run-Time Checks

After you have deployed your resources on the cloud platform of your choice, alert rules (for run-time checks) enable you to define the policy violations in a selected set of cloud accounts for which you want to trigger alerts. If you want to organically embed security and integrate these checks earlier in the process, see Create an Alert Rule for Build-Time Checks, and Prisma Cloud DevOps Security.

When you create an alert rule for run-time checks, you select the account groups to which the rule applies and the corresponding set of policies for which you want to trigger alerts. You can add more granularity to the rule by excluding some cloud accounts from the selected account groups, by specifying specific regions for which to send alerts, and even by narrowing down the rule to specific cloud resources identified by resource tags. This provides you with flexibility in how you manage alerts and ensures that you can adhere to the administrative boundaries you defined. You can create a single alert rule that alerts on all policy rules or you can define granular alert rules that send very specific sets of alerts for specific cloud accounts, regions, and even resources to specific destinations.

When you create an alert rule, you can Configure Prisma Cloud to Automatically Remediate Alerts, which enables Prisma Cloud to automatically run the CLI command required to remediate the policy violation directly in your cloud environments. Automated remediation is only available for default policies (Config policies only) that are designated as Remediable ( ) on the

Policies

page.

In addition, if you Configure External Integrations on Prisma Cloud with third-party tools, defining granular alert rules enables you to send only the alerts you need to enhance your existing operational, ticketing, notification, and escalation workflows with the addition of Prisma Cloud alerts on policy violations in all your cloud environments. To see any existing integrations, click

Settings

( ) and then select

Integrations

.

Select
Alerts
Alert Rules
and
+Add New
Run
alert.

Enter an
Alert Rule Name
and, optionally, a
Description
to communicate the purpose of the rule and then click
Next
.
Select the
Account Groups
to which you want this alert rule to apply and then click
Next
.
Toggle
View Advanced Settings
to see advanced settings for setting a target.
Exclude Cloud Accounts
from your selected Account Group.
Choose your
Region
.
Add
Tags
to easily manage or identify the type of your resources.
Tags apply only to
Config
and
Network
policies.
Click
Next
.
(
Optional
) If you want to add more granularity for which cloud resources trigger alerts for this alert rule,
View Advanced Settings
and then provide more criteria as needed:
Exclude Cloud Accounts
—If there are some cloud accounts in the selected account groups for which you do not want to trigger alerts, select the accounts from the list.
Regions
—To trigger alerts only for specific regions for the cloud accounts in the selected account group, select one or more regions from the list.
Resource Tags
—To trigger alerts only for specific resources in the selected cloud accounts, enter the
Key
and
Value
of the resource tag you created for the resource in your cloud environment.
Tags apply only to
Config
and
Network
policies. When you add multiple resource tags, it uses the boolean logical OR operator.
When you finish defining the target cloud resources, click
Next
.

Select the policies for which you want this alert rule to trigger alerts and, optionally, Configure Prisma Cloud to Automatically Remediate Alerts.

Either
Select All Policies
or select the specific policies for which you want to trigger alerts on this alert rule.
If you enable
Automated Remediation
, the list of policies shows only Remediable ( ) policies
.
To help you find the specific group of policies for which you want this rule to alert
Filter Results

—Enter a search term to filter the list of policies to those with specific keywords.

Column Picker

—Click

Edit

( ) to modify which columns to display.

Sort

—Click the corresponding

Sort

icon ( ) to sort on a specific column.

Column Filter

—Click the corresponding column

Filter

icon ( ) to filter on a specific value in a column. For example, to filter on compliance standards related to NIST, click the filter for the Compliance Standard column, select NIST standards, and then

Set

that filter.


Click
Next
.
(
Optional
) Send Prisma Cloud Alert Notifications to Third-Party Tools.
By default, all alerts triggered by the alert rule display on the
Alerts
page. If you Configure External Integrations on Prisma Cloud, you can also send Prisma Cloud alerts triggered by this alert rule to third-party tools. For example, you can Send Alert Notifications to Amazon SQS or Send Alert Notifications to Jira. For Prisma Cloud Data Security, see Generate Alerts for Data Policies.
In addition, you can configure the alert rule to Send Alert Notifications Through Email.
(
Optional
) If you want to delay the alert notifications for Config alerts, you can configure the Prisma Cloud to
Trigger notification for Config Alert only after the Alert is Open for
a specific number of minutes.
(
Optional
) Enable alert notifications for all states.
If you want to receive external notifications for when an existing alert status has changed, you can configure Prisma Cloud to generate alerts when an existing alert is
Dismissed
,
Snoozed
, or
Resolved
on the
Set Alert Notification
page. The options for configuring the notification settings:
Notify when alert is
—Select this dialog box to configure the alert states; the
Open
state is enabled by default. After the alert states are selected, select the integration services on the left hand side of the UI that you want to generate alerts for.

Trigger notification for config alert only after the alert is open for
—Specify the length of time (in minutes) for which you want to wait before sending notifications after an alert is generated. This value does not apply for recurring (or scheduled) notifications.
No alerts will be generated for the Jira and Cortex XSOAR integrations.
Save
the alert rule.
To verify that the alert rule triggers the expected alerts, select
Alerts
Overview
and ensure that you see the alerts that you expect to see there.
If you configured the rule to Send Prisma Cloud Alert Notifications to Third-Party Tools, make sure you also see the alert notifications in those tools.