Suppress Alerts for Prisma Cloud Anomaly Policies
Exclude resources from generating anomaly alerts on Prisma Cloud.
Use the
Anomaly Trusted List
to include the list of resources for which you do not want Prisma Cloud to generate Anomaly Policies alerts.Within a list, you can choose the resource type or identifier such as cloud service name, domain, IP address, machine image ID, port, protocol, resource ID, subject name, or tag for which you want to suppress alerts and apply the list to a set of anomaly policies.
Only users granted Policies Read permissions are able to view the Anomaly Trusted List on the Prisma Cloud administrative console. Navigate to
Settings > Access Control
to add the required permissions to view the Anomaly Trusted List.- Select .You must have the correct role, such as the System Administrator role, on Prisma Cloud to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
- ClickAdd Trusted List.
- Select the resource type and clickNext.Choose the resource type or identifier such as cloud service name, domain, IP address, machine image ID, port, protocol, resource ID, subject name, or tag. For adding an IP address to the list, see Trusted IP Addresses on Prisma Cloud.
- Enter aTrusted List Nameand, optionally aDescription.
- Select the Anomaly Policies for which you do not want to generate alerts.
- Enter the value for the resource type you selected.For each resource type, refer to the Resource Syntax for Trusted List for details on the supported values. By default, the entries you add to the trusted list are excluded from generating alerts against any (all) cloud accounts that are onboarded to Prisma Cloud. If you want to select a specific cloud account, select anAccount IDand *VPC ID*or set it to Any to exclude any account that is added to Prisma Cloud.
- Savethe list.
When you save the list, for the selected anomaly policies Prisma Cloud will not generate alerts for the resources included in this list.Only the administrator who created the list can modify the name, description, Account ID and VPC ID; other administrators with the correct role can add or delete entries on the trusted list.
Resource Syntax for Trusted List
Use RQL to view the resource configuration meta data on the
Investigate
page. The following table gives you a few examples.
Resource Type | Resource URL | Value in the Trusted List | Description |
Resource ID | |||
AWS Resource ID | /investigate/details?resourceId=rrn::instance:us-east-1:349006084872::i-05c2e0a4cbc970575 | i-05c2e0a4cbc970575 | Last value in resource URL |
GCP Resource ID | /investigate/details?resourceId=rrn::instance:us-central1:lilit-3:ee45f1eebc4f436939f89374e8d9c33fe4485718:7923637926488106011 | 7923637926488106011 | Last value in resource URL |
Azure Resource ID | /investigate/details?resourceId=rrn::instance:eastus:06f9b271-fa8f-44c3-b597-f3af54ca770d::282b247f-9a03-412a-91e2-afc0c4bbadfb-%2Fsubscriptions%2F06f9b271-fa8f-44c3-b597-f3af54ca770d%2FresourceGroups%2Flilit-ds-resources%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2Fds-dnd-lilit-NSG | 282b247f-9a03-412a-91e2-afc0c4bbadfb-/subscriptions/06f9b271-fa8f-44c3-b597-f3af54ca770d/resourceGroups/lilit-ds-resources/providers/Microsoft.Compute/virtualMachines/ds-dnd-lilit-NSG | URL Decoded version of last value in resource URL |
Machine Image ID | |||
AWS Machine Image ID | "imageId": "ami-0a0ddd875a1ea2c7f" | "ami-0a0ddd875a1ea2c7f" | value for the key imageId in resource json |
GCP Machine Image ID | NOT SUPPORTED | NOT SUPPORTED | NOT SUPPORTED |
Azure Machine Image ID | "properties.storageProfile": { "imageReference": { ""sku"": "2019-Datacenter", "offer": "WindowsServer", "version": "latest", "publisher": "MicrosoftWindowsServer" } }" | MicrosoftWindowsServer-WindowsServer-2019-Datacenter-latest | Join the following using a ""-""vm.storageProfile().imageReference().publisher(),vm.storageProfile().imageReference().offer(),vm.storageProfile().imageReference().sku(),vm.storageProfile().imageReference().version());" |
Tags | |||
AWS | """tags"": [ { ""key"": ""Name"", ""value"": ""Flowlogs-Automation-2"" }]" | Key = Name Value = Flowlogs-Automation-2 | Provide the key and value as-is |
Azure | """tags"": { ""items"": [ ""http-server"" ]}" | Key = http-server | Provide the value from items list as the key. Value is not needed |
GCP | """tags"": { ""purpose"": ""ds-flowlogs-bucket"" }" | Key = purpose Value = ds-flowlogs-bucket | Provide the key from the json element as key and the value from json element as the value |
Cloud Service | |||
AWS Service | s3.amazonaws.com | s3.amazonaws.com | as is |
GCP Service | compute.googleapis.com | compute.googleapis.com | as is |
Azure Service | microsoft.compute | microsoft.compute | as is |
