Suppress Alerts for Prisma Cloud Anomaly Policies

Exclude resources from generating anomaly alerts on Prisma Cloud.
Use the
Anomaly Trusted List
to include the list of resources for which you do not want Prisma Cloud to generate Anomaly Policies alerts.
Within a list, you can choose the resource type or identifier such as cloud service name, domain, IP address, machine image ID, port, protocol, resource ID, subject name, or tag for which you want to suppress alerts and apply the list to a set of anomaly policies.
Only users granted Policies Read permissions are able to view the Anomaly Trusted List on the Prisma Cloud administrative console. Navigate to
Settings > Access Control
to add the required permissions to view the Anomaly Trusted List.
  1. Select
    Anomaly Trusted List
    You must have the correct role, such as the System Administrator role, on Prisma Cloud to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
  2. Click
    Add Trusted List
  3. Select the resource type and click
    Choose the resource type or identifier such as cloud service name, domain, IP address, machine image ID, port, protocol, resource ID, subject name, or tag. For adding an IP address to the list, see Trusted IP Addresses on Prisma Cloud.
  4. Enter a
    Trusted List Name
    and, optionally a
  5. Select the Anomaly Policies for which you do not want to generate alerts.
  6. Enter the value for the resource type you selected.
    For each resource type, refer to the Resource Syntax for Trusted List for details on the supported values. By default, the entries you add to the trusted list are excluded from generating alerts against any (all) cloud accounts that are onboarded to Prisma Cloud. If you want to select a specific cloud account, select an
    Account ID
    and *VPC ID*or set it to Any to exclude any account that is added to Prisma Cloud.
  7. Save
    the list.
    When you save the list, for the selected anomaly policies Prisma Cloud will not generate alerts for the resources included in this list.
    Only the administrator who created the list can modify the name, description, Account ID and VPC ID; other administrators with the correct role can add or delete entries on the trusted list.

Resource Syntax for Trusted List

Use RQL to view the resource configuration meta data on the
page. The following table gives you a few examples.
Resource Type
Resource URL
Value in the Trusted List
Resource ID
AWS Resource ID
Last value in resource URL
GCP Resource ID
Last value in resource URL
Azure Resource ID
URL Decoded version of last value in resource URL
Machine Image ID
AWS Machine Image ID
"imageId": "ami-0a0ddd875a1ea2c7f"
value for the key imageId in resource json
GCP Machine Image ID
Azure Machine Image ID
"properties.storageProfile": { "imageReference": { ""sku"": "2019-Datacenter", "offer": "WindowsServer", "version": "latest", "publisher": "MicrosoftWindowsServer" } }"
Join the following using a ""-""vm.storageProfile().imageReference().publisher(),vm.storageProfile().imageReference().offer(),vm.storageProfile().imageReference().sku(),vm.storageProfile().imageReference().version());"
"""tags"": [ { ""key"": ""Name"", ""value"": ""Flowlogs-Automation-2"" }]"
Key = Name
Value = Flowlogs-Automation-2
Provide the key and value as-is
"""tags"": { ""items"": [ ""http-server"" ]}"
Key = http-server
Provide the value from items list as the key. Value is not needed
"""tags"": { ""purpose"": ""ds-flowlogs-bucket"" }"
Key = purpose
Value = ds-flowlogs-bucket
Provide the key from the json element as key and the value from json element as the value
Cloud Service
AWS Service
as is
GCP Service
as is
Azure Service
as is

Recommended For You