
Create an Alert Rule for Cloud Workloads

If you want to generate alerts for cloud workload policies, use alert rules to define the target cloud accounts and policies for which you want to generate alerts and send notifications to an external destination.

  1. Create a Resource List for Compute Access Group.

    Select "Settings > Resource Lists > Add Resource List". See Compute Access Group.

  2. Create an alert rule.

    1. Select "Alerts > Alert Rules > Add Alert Rule".

    2. Add a Name.

      Auto-remediation is not supported for Workload Incident and Workload Vulnerability policy. For details on the other optional settings, see Automations.

  3. Select Compute Access Group and choose one or more groups to assign to this rule.

      (screenshot: view compute access group)

    4. Assign policies.

      Only Workload Vulnerability and Workload Incident policies are available for Compute Access Groups. To include other policy types, see run-time checks for other resources.

      (screenshot: assign workload policies)

    5. Review the summary and save your changes.

  3. Verify that the alert rule is working.

    You must have the Defender installed on the host or container image.

    1. Check for issues on a host or container image.

      To check for vulnerabilities on a host, select Runtime Security > Monitor > Vulnerabilities > Hosts. Find the host name and review the details in the Vulnerabilities column.

      (screenshot: verify cag alert rule 1)

    2. Check for alerts.

      Select Alerts > Overview, and set the Policy Type filter to Workload Vulnerability and Workload Incident.

      (screenshot: verify cag alert rule 2)

      View the vulnerabilities count details for the violating resources.

      (screenshot: verify cag alert rule 3)

Filter for Alerts Related to Workload Policies

After you create an alert rule, when a policy violation occurs, you can view the alert for the workload incidents and vulnerabilities along with all the other policies that detect run-time issues on the Prisma Cloud console.

  1. Select "Alerts > Overview".

  2. Set the Filters for the alerts related to workload policies.

    Most of the filters are easy to interpret and use. The following filters are specific to viewing alerts related to workloads, such as container images or hosts, that do not belong to cloud accounts onboarded on Prisma Cloud.

    • Cloud Account—Name of the cloud account if the account is onboarded on Prisma Cloud; choose None to filter on-premises workload resources.

    • Cloud Account ID—ID of the cloud account if the account is onboarded on Prisma Cloud; choose None to filter on-premises workload resources.

    • Cloud Service, Cloud Region, Cloud Type—Choose Other to filter container workloads.
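As an added example (not code from the Prisma Cloud docs or product), the following Python encodes the filter semantics described above and the verification step: keep only Workload Vulnerability and Workload Incident alerts, optionally narrow to workloads outside onboarded accounts (Cloud Account = None, Cloud Type = Other), and total the vulnerability count per violating resource. The Alert field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy types available to Compute Access Group alert rules (as named on this page).
WORKLOAD_POLICY_TYPES = {"Workload Vulnerability", "Workload Incident"}


@dataclass
class Alert:
    """Assumed, simplified shape of one alert record; field names are assumptions."""
    alert_id: str
    policy_type: str
    cloud_account: Optional[str]   # None models the console's "None" choice (on-premises workload)
    cloud_type: str                # "Other" models the console's choice for container workloads
    resource_name: str
    vulnerability_count: int


# Constructed sample records, not real alert data.
SAMPLE_ALERTS: List[Alert] = [
    Alert("A-1", "Workload Vulnerability", None, "Other", "prod-node-01", 12),
    Alert("A-2", "Workload Incident", None, "Other", "nginx:1.19", 0),
    Alert("A-3", "Workload Vulnerability", "aws-prod", "AWS", "i-0abc", 4),
    Alert("A-4", "Network Anomaly", "aws-prod", "AWS", "sg-123", 0),
]


def workload_alerts(alerts: List[Alert], on_prem_only: bool = False) -> List[Alert]:
    """Apply the page's filters: Policy Type restricted to the two workload types, and
    optionally Cloud Account = None plus Cloud Type = Other for non-onboarded workloads."""
    selected = []
    for alert in alerts:
        if alert.policy_type not in WORKLOAD_POLICY_TYPES:
            continue
        if on_prem_only and not (alert.cloud_account is None and alert.cloud_type == "Other"):
            continue
        selected.append(alert)
    return selected


def vulnerability_counts(alerts: List[Alert]) -> Dict[str, int]:
    """Vulnerability count per violating resource, the detail the verification step reviews."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        if alert.policy_type == "Workload Vulnerability":
            counts[alert.resource_name] = counts.get(alert.resource_name, 0) + alert.vulnerability_count
    return counts


if __name__ == "__main__":
    for alert in workload_alerts(SAMPLE_ALERTS, on_prem_only=True):
        print(alert.alert_id, alert.policy_type, alert.resource_name)
    print(vulnerability_counts(workload_alerts(SAMPLE_ALERTS)))
```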