View and Respond to Prisma Cloud Alerts

As soon as you Enable Prisma™ Cloud Alerts, Prisma Cloud generates an alert when it detects a violation in a policy that is included in an active alert rule. To secure your cloud environments, you must monitor alerts. You can either monitor alerts from Prisma Cloud or you can Send Prisma Cloud Alert Notifications to Third-Party Tools to ensure that policy violations in your cloud environments are resolved. The status of an alert can be one of the following:
  • Open
    —Prisma Cloud identified a policy violation that triggered the alert and the violation is not yet resolved.
  • Resolved
    —When the issue that caused the policy violation is resolved, alerts automatically transition to the Resolved state. Some other reasons for when an alert can transition to the Resolved state include a change in the policy or alert rule that triggered the alert, or when a cloud account with an automatically created account group is modified and re-attached to an account group that you created manually. A resolved alert can also transition back to the open state if the issue resurfaces or there is a policy or alert rule change that causes the alert to trigger again.
  • Snoozed
    —A Prisma Cloud administrator temporarily dismissed an alert for a specified time period. When the timer expires, the alert automatically changes to an Open or Resolved state depending on whether the issue is fixed.
  • Dismissed
    —A Prisma Cloud administrator manually dismissed the alert even though the underlying issue was not resolved. You can manually reopen a dismissed alert if needed. Alerts that are manually dismissed remain in the
    state even when the same policy violation happens again.
    Depending on volume of alerts, the time to update the status of an alert can vary when you update an alert rule. For example, if you remove a policy from an alert rule, all open alerts will transition to a resolved state and the time to reflect this change on the interface can depend on the number of corresponding alerts. In addition, when you modify an alert rule, and the conditions that triggered the alert are no longer valid, the alert is updated as
    Bulk editing actions to resolve, dismiss, or snooze alerts take a while to reflect the updated status.
  1. View alerts from within Prisma Cloud.
    Prisma Cloud displays all alerts for which your role gives you permission to see. Click
    to sort and filter the alerts as follows:
    • To modify which columns display, click ( ) and add or remove columns.
    • To sort on a specific column, click the corresponding
      icon ( ).
    • To filter on specific alert criteria, click the corresponding column
      icon ( ) to filter on a specific value in a column. You can also clear filters ( ) or save a filter ( ) for future use.
    • To modify which filters are available or to perform a keyword search, click ( ) and then either enter search term to
      Filter Results
      or add additional filters. You can use the following filters— Account Group, Alert ID, Alert Rule Name, Alert Status, Cloud Account, Cloud Region, Cloud Service, Cloud Type, Compliance Requirement, Compliance Section, Compliance Standard, Policy Label, Policy Name, Policy Severity, Policy Type, Remediable, Resource ID, Resource Name, Resource Tag, Resource Type, Time Range, Time Range Type.
      The Resource Tag syntax uses a colon to separate the key and value to match. It performs an exact match, and does not support white spaces or wildcard characters. This filter also supports multiple tag key:value pairs; to find all values that match a key, you can enter without key without the
      and an associated value.
      The filters act as a union operator to combine the results from multiple selections.
    • As needed,
      ( ) the filtered list of alert details to a CSV file.
      When you add a cloud account on Prisma Cloud and then delete it, you can no longer view alerts associated with that account on
      , and the alert count does not include alerts for a deleted cloud account. If you add the account back on Prisma Cloud within a 24-hour period, the existing alerts will display again. After 24 hours, the alerts are resolved with the resolution reason
      Account Deleted
      and then permanently deleted.
  2. Address alerts.
    Prisma Cloud generates an alert each time that it finds policy violations in one or more of the account groups that are associated with an alert rule. You can monitor alerts in the cloud accounts for which you are responsible to see any security risks you have and to ensure that any critical issues get resolved or remediated. An alert is resolved when the underlying conditions that generated the alert are fixed or changed such as when the resource is no longer being scanned or the policy is no longer in effect. When you fix the issue on the Cloud Service Provider such as AWS or GCP, the issue is resolved automatically and the resolution reason is displayed on Prisma Cloud. For a list of different reasons, see Prisma Cloud Alert Resolution Reasons.
    You can Send Prisma Cloud Alert Notifications to Third-Party Toolsand Configure Prisma Cloud to Automatically Remediate Alerts, or manually resolve the issues. By reviewing these alerts, you can also decide whether you need to make a change to a policy or alert rule. Depending on the policy type that triggered the alert, you can go directly from the alert to the cloud resource where the violation occurred or you can resolve the issue from the Prisma Cloud
    1. Filter the alerts to show only
      alerts that are
    2. Select the policy for which you want to remediate alerts.
      In the table, select the link in the
      column to review the recommendations for addressing the policy rule violation. You can also click the policy name to go directly to the policy.
    3. Select the alert you want Prisma Cloud to resolve and then click
      To remediate issues, Prisma Cloud requires limited read-write access to your cloud accounts. With the correct permissions, Prisma Cloud can automatically run the CLI command required to remediate the policy violation directly on your cloud platform. Because the action to remediate requires you to assess each alert individually and ensure that it is the appropriate action, you cannot enable automatic remediation for multiple alerts as a bulk action.
  3. Find alerts that are opened or have an updated status within a given time range.
    In conjunction with the Time Range, the Time Range Type filter gives you the ability to view alerts for:
    Alert Opened - Filter on alerts based on when they were opened.
    Alert Status Updated - Filter on alerts based on when the alert status last changed from one state to another.
    Alert Updated - Filter on alerts based on when a resource was updated on the cloud service provider.
  4. View alerts in the NA view.
    The Alert Rule name associated with an alert displays as N/A in the Alerts for Policy View. This N/A state means the match criteria changes because:
    • The alert rule that triggered the alert is disabled or deleted.
    • The cloud account is no longer included in the alert rule that triggered the alert.
    • The policy that triggered the alert is removed from the alert rule.
  5. Pivot from an alert into the cloud resource that triggered the alert to manually resolve the issue.
    Prisma Cloud allows you to pivot directly from an alert to view the violating cloud resource and resolve the issue manually.
    1. Filter the alert list to show alerts with Alert Status
      and select the Policy Type. For example,
    2. Select the policy for which you want to resolve alerts.
      Review the recommendations for resolving the policy violation.
    3. Click
      ( ) to pivot to the cloud resource containing the violation you want to resolve and follow the recommended steps.
      When you click
      , Prisma Cloud redirects the request to the cloud platform. To view the resource details in the cloud platform, you must be logged in to the same account on the cloud platform where you want to further investigate.
  6. View details of an alert on the alerts details page.
    Prisma Cloud enables you to click on alerts so that you can view the details organized in a table. The default values that are displayed in the table are:
    • Alert ID
      —A unique string that corresponds to the alert.
    • Resource Name
      —The name of the violating resource.
    • Account
      —The corresponding cloud account of the violating resource.
    • Region
      —The geographic location of where your cloud account is located.
    • Account Owners
      —The five account owners associated with a cloud account in alphabetical order.

Recommended For You