Suppress Alerts for Prisma Cloud Anomaly Policies

Exclude resources from generating anomaly alerts on Prisma Cloud.
Use the Anomaly Trusted List to include the list of resources for which you do not want to generate alerts against the Prisma Cloud Anomaly Policies that detect unusual network activity or unusual user activity on your network.
Within a list, you can choose the resource type or identifier such as cloud service name, IP address, machine image ID, port, resource ID, subject name, or tag for which you want to suppress alerts and apply the list to a set of anomaly policies.
  1. Select
    Settings
    Anomaly Settings
    Anomaly Trusted List
    .
    You must have the correct role, such as the System Administrator role, on Prisma Cloud to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
  2. +Add New
  3. Select the resource type and click
    Next
    .
    Choose the resource type or identifier such as cloud service name, IP address, machine image ID, port, resource ID, subject name, or tag. For adding an IP address to the list, see Trusted IP Addresses on Prisma Cloud.
  4. Enter a
    Trusted List Name
    and, optionally a
    Description
    .
  5. Select the Anomaly Policies for which you do not want to generate alerts.
  6. Enter the value for the resource type you selected.
    For each resource type, refer to the Resource Syntax for Trusted List for details on the supported values. By default, the entries you add to the trusted list are excluded from generating alerts against any (all) cloud accounts that are onboarded to Prisma Cloud. If you want to select a specific cloud account, toggle
    Hide Advanced Settings
    to select an
    Account ID
    and
    VPC ID
    or set it to Any to exclude any account that is added to Prisma Cloud.
  7. Save
    the list.
    When you save the list, for the selected anomaly policies Prisma Cloud will not generate alerts for the resources included in this list.
    Only the administrator who created the list can modify the name, description, Account ID and VPC ID; Other administrators with the correct role can add or delete entries on the trusted list.

Resource Syntax for Trusted List

Use RQL to view the resource configuration meta data on the
Investigate
page. The following table gives you a few examples.
Resource Type
Resource URL
Value in the Trusted List
Description
Resource ID
AWS Resource ID
/investigate/details?resourceId=rrn::instance:us-east-1:349006084872::i-05c2e0a4cbc970575
i-05c2e0a4cbc970575
Last value in resource URL
GCP Resource ID
/investigate/details?resourceId=rrn::instance:us-central1:lilit-3:ee45f1eebc4f436939f89374e8d9c33fe4485718:7923637926488106011
7923637926488106011
Last value in resource URL
Azure Resource ID
/investigate/details?resourceId=rrn::instance:eastus:06f9b271-fa8f-44c3-b597-f3af54ca770d::282b247f-9a03-412a-91e2-afc0c4bbadfb-%2Fsubscriptions%2F06f9b271-fa8f-44c3-b597-f3af54ca770d%2FresourceGroups%2Flilit-ds-resources%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2Fds-dnd-lilit-NSG
282b247f-9a03-412a-91e2-afc0c4bbadfb-/subscriptions/06f9b271-fa8f-44c3-b597-f3af54ca770d/resourceGroups/lilit-ds-resources/providers/Microsoft.Compute/virtualMachines/ds-dnd-lilit-NSG
URL Decoded version of last value in resource URL
Machine Image ID
AWS Machine Image ID
"imageId": "ami-0a0ddd875a1ea2c7f"
"ami-0a0ddd875a1ea2c7f"
value for the key imageId in resource json
GCP Machine Image ID
NOT SUPPORTED
NOT SUPPORTED
NOT SUPPORTED
Azure Machine Image ID
"properties.storageProfile": { "imageReference": { ""sku"": "2019-Datacenter", "offer": "WindowsServer", "version": "latest", "publisher": "MicrosoftWindowsServer" } }"
MicrosoftWindowsServer-WindowsServer-2019-Datacenter-latest
Join the following using a ""-""vm.storageProfile().imageReference().publisher(),vm.storageProfile().imageReference().offer(),vm.storageProfile().imageReference().sku(),vm.storageProfile().imageReference().version());"
Tags
AWS
"""tags"": [ { ""key"": ""Name"", ""value"": ""Flowlogs-Automation-2"" }]"
Key = Name
Value = Flowlogs-Automation-2
Provide the key and value as-is
Azure
"""tags"": { ""items"": [ ""http-server"" ]}"
Key = http-server
Provide the value from items list as the key. Value is not needed
GCP
"""tags"": { ""purpose"": ""ds-flowlogs-bucket"" }"
Key = purpose
Value = ds-flowlogs-bucket
Provide the key from the json element as key and the value from json element as the value
Cloud Service
AWS Service
s3.amazonaws.com
s3.amazonaws.com
as is
GCP Service
compute.googleapis.com
compute.googleapis.com
as is
Azure Service
microsoft.compute
microsoft.compute
as is

Recommended For You