Suppress Alerts for Prisma Cloud Anomaly Policies

Exclude resources from generating anomaly alerts on Prisma Cloud.
Use the Anomaly Trusted List to include the list of resources for which you do not want to generate alerts against the Prisma Cloud Anomaly Policies that detect unusual network activity or unusual user activity on your network.
Within a list, you can choose the resource type or identifier such as cloud service name, IP address, machine image ID, port, resource ID, subject name, or tag for which you want to suppress alerts and apply the list to a set of anomaly policies.
  1. Select
    Anomaly Settings
    Anomaly Trusted List
    You must have the correct role, such as the System Administrator role, on Prisma Cloud to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
  2. +Add New
  3. Select the resource type and click
    Choose the resource type or identifier such as cloud service name, IP address, machine image ID, port, resource ID, subject name, or tag. For adding an IP address to the list, see Trusted IP Addresses on Prisma Cloud.
  4. Enter a
    Trusted List Name
    and, optionally a
  5. Select the Anomaly Policies for which you do not want to generate alerts.
  6. Enter the value for the resource type you selected.
    For each resource type, refer to the Resource Syntax for Trusted List for details on the supported values. By default, the entries you add to the trusted list are excluded from generating alerts against any (all) cloud accounts that are onboarded to Prisma Cloud. If you want to select a specific cloud account, toggle
    Hide Advanced Settings
    to select an
    Account ID
    VPC ID
    or set it to Any to exclude any account that is added to Prisma Cloud.
  7. Save
    the list.
    When you save the list, for the selected anomaly policies Prisma Cloud will not generate alerts for the resources included in this list.
    Only the administrator who created the list can modify the name, description, Account ID and VPC ID; Other administrators with the correct role can add or delete entries on the trusted list.

Resource Syntax for Trusted List

Use RQL to view the resource configuration meta data on the
page. The following table gives you a few examples.
Resource Type
Resource URL
Value in the Trusted List
Resource ID
AWS Resource ID
Last value in resource URL
GCP Resource ID
Last value in resource URL
Azure Resource ID
URL Decoded version of last value in resource URL
Machine Image ID
AWS Machine Image ID
"imageId": "ami-0a0ddd875a1ea2c7f"
value for the key imageId in resource json
GCP Machine Image ID
Azure Machine Image ID
"properties.storageProfile": { "imageReference": { ""sku"": "2019-Datacenter", "offer": "WindowsServer", "version": "latest", "publisher": "MicrosoftWindowsServer" } }"
Join the following using a ""-""vm.storageProfile().imageReference().publisher(),vm.storageProfile().imageReference().offer(),vm.storageProfile().imageReference().sku(),vm.storageProfile().imageReference().version());"
"""tags"": [ { ""key"": ""Name"", ""value"": ""Flowlogs-Automation-2"" }]"
Key = Name
Value = Flowlogs-Automation-2
Provide the key and value as-is
"""tags"": { ""items"": [ ""http-server"" ]}"
Key = http-server
Provide the value from items list as the key. Value is not needed
"""tags"": { ""purpose"": ""ds-flowlogs-bucket"" }"
Key = purpose
Value = ds-flowlogs-bucket
Provide the key from the json element as key and the value from json element as the value
Cloud Service
AWS Service
as is
GCP Service
as is
Azure Service
as is

Recommended For You