create-an-alert-rule-cloud-infrastructure.adoc

Create an Alert Rule for Cloud Infrastructure

Prisma™ Cloud begins monitoring your cloud environments as soon as you onboard a cloud account and it includes a default alert rule out-of-the-box. This default alert rule has the default account group attached to it and it includes only the Prisma Cloud Recommended OOTB policies. If you want to view this list of policies, filter the policies with the Prisma_Cloud label.

While you can use this default alert rule, granular alert rules provide you with flexibility in how you manage alerts and help you adhere to the administrative boundaries for your organization. You can send very specific sets of alerts for cloud account groups that you have grouped based on appropriate access levels and business logic and restrict access to information about specific cloud accounts to only those administrators who need it. You can for example, define different alert rules and notification flows for your production and development cloud environment. In addition, you can set up different alert rules for sending specific alerts to your existing SOC visibility tools - you could send one set of alerts to your security information and event management (SIEM) system and another set to Jira for automated ticketing.

In addition, if you Configure External Integrations on Prisma Cloud with third-party tools, defining granular alert rules enables you to send only the alerts you need to enhance your existing operational, ticketing, notification, and escalation workflows with the addition of Prisma Cloud alerts on policy violations in all your cloud environments. To see any existing integrations, select Settings > Integrations & Notifications.

If you want to create an alert rule for workload protection, see Workload Protection.

1. Select Alerts > View Alert Rules > Add Alert Rule.

2. In Add Details, enter a Name for the alert rule and, optionally, a Description to communicate the purpose of the rule.

   1. You can enable the optional Auto-Actions, Alert Notifications, and Auto-Remediation settings up front. If you enable any of these options, they are displayed as additional steps in the alert rule creation process, for example, if you enable Alert Notifications, the options to Configure Notifications is displayed.

      Note	If you enable Automated-Remediation, the list of policies shows only Remediable () policies

   2. Select Next.

      

3. Assign Targets to add more granularity for which cloud resources trigger alerts for this alert rule, and then provide more criteria as needed:

   1. Select the Account Groups to which you want this alert rule to apply.

   2. Exclude Cloud Accounts and Regions from your selected Account Group—If there are some cloud accounts and regions in the selected account groups for which you do not want to trigger alerts, select the accounts and regions from the list.

   3. Select Include Tag Resource Lists to easily manage or identify the type of your resources—To trigger alerts only for specific resources in the selected cloud accounts, enter the Key and Value of the resource tag you created for the resource in your cloud environment. Tags apply only to Config and Network policies. When you add multiple resource tags, it uses the boolean logical OR operator.

   4. After defining the target cloud resources, select Next.

      

4. Select the policies for which you want this alert rule to trigger alerts and, optionally, automatically remediate alerts.

   1. Either Select All Policies or select the specific policies that match the filter criteria for which you want to trigger alerts on this alert rule. Selecting All Policies will create a large volume of alerts. It is recommended that you use granular filtered selection for more relevant and targeted alerts specific to your requirement.

   2. Add Filter () to filter better while selecting policies. You can filter by Policy Severity, Cloud Type, Compliance Standard, and Policy Label. As you select the filters, the results listed the table are refreshed automatically. Reset Filters () to remove the filter selection.

      Note

      Include new policies matching filter criteria is enabled when you select at least one of the filters and then select all rows in the table by selecting the top checkbox in the first column of the table. When enabled, new policies that match the filter criteria will be automatically included and used to scan your cloud accounts.

   3. To help you find the specific group of policies for which you want this rule to alert:

      • Filter Results—Enter a Search term to filter the list of policies to those with specific keywords.

      • Column Picker—Click Edit () to modify which columns to display.

      • Sort—Click the corresponding Sort icon () to sort on a specific column.

      • Fullscreen—Click View in Fullscreen mode ()to see an expanded view of the table.

   4. Next.

      

5. (tt:[Optional]) You can automatically dismiss alerts that have specific tags as defined on the resource and added to the Resource Lists on Prisma Cloud. The details of the reason for dismissal is included in the alert rule L2 view. If you enabled ^tt:[Limited GA]^Auto-Actions in the Add Details screen, when you update an alert rule, all existing alerts with matching tags are auto dismissed. When an alert has been dismissed and you update the alert rule, the alert will continue to stay dismissed. If you are interested, please reach out to Prisma Cloud Customer Support and submit a request to enable this feature on your tenant. The team will promptly review your request and inform you about your tenant’s eligibility for LGA access.

   Add a Reason, Requestor, and Approver for the automatic dismissal and click Next.

6. (tt:[Optional]) Send Prisma Cloud Alert Notifications to Third-Party Tools.

   By default, all alerts triggered by the alert rule display on the Alerts page. If you Configure External Integrations on Prisma Cloud, you can also send Prisma Cloud alerts triggered by this alert rule to third-party tools. For example, you can send to Amazon SQS or Jira.

   If you want to delay the alert notifications for Config alerts, you can configure the Prisma Cloud to Trigger notification for config alert only after the alert is open for a specific number of minutes.

   Note	The alert notifications delay that you configure for Config alerts does not affect the timing of any remediation that might occur with this alert.

7. (tt:[Optional]) Configure Notifications to enable alert notifications for all states.

   If you want to receive external notifications for when an existing alert status has changed, you can configure Prisma Cloud to generate alerts when an existing alert is Dismissed, Snoozed, or Ignored. The options for configuring the notification settings:

   • Notify when alert is—Select this dialog box to configure the alert states; the Open state is enabled by default. After selecting the alert states, select the integration services that you want to generate alerts for.

   • Trigger notification for config alert only after the alert is open for—Specify the length of time (in minutes) for which you want to wait before sending notifications after an alert is generated. This value does not apply for recurring (or scheduled) notifications.

     Note

     The ability to send notifications for all states is limited GA. If you are interested, please reach out to Prisma Cloud Customer Support and submit a request to enable this feature on your tenant. The team will review your request and inform you about your tenant’s eligibility for LGA access. No alerts will be generated for the Jira and Cortex XSOAR integrations.

   

8. View the Summary of all the alert rule. Edit if you want to change any setting and Save the alert rule.

   

9. Verify that the alert rule you created is triggering alert notifications.

   As soon as you save your alert rule, any violation of a policy for which you enabled alerts results in an alert notification on Alerts, as well as in any third-party integrations you designated in the alert rule.