How to Handle Alerts with “Dismiss” Status by Prisma Cloud


Overview of How to Handle Alerts with “Dismiss” Status:

If the status of an alert is changed to “Dismiss” on Prisma Cloud, that alert is no longer rescanned after the status change.

This holds even if the API name listed in the RQL that makes up the Default Policy is changed: the alert will still not be rescanned.

Therefore, once the status of an alert has been changed to "Dismiss", Prisma Cloud will never change it back to "Resolved" or "Open".

Background to the current specifications:

The specification above applies equally to Alerts 1.0 and Alerts 2.0.

However, because of circumstances in the past, a behavior that differed from this specification was temporarily applied during the transition period from Alerts 1.0 to Alerts 2.0.

While Alerts 1.0 was the Alert Engine, we received several inquiries reporting that an alert's status did not change to "Resolved" even though the API name listed in the RQL constituting the policy that detected the alert had changed.

To address this, we changed the product so that it rescanned whenever the API name changed, regardless of the alert's status.

By specification, Config Scanner compares the set of attributes obtained through the same API name and checks for differences.

If the API name itself changes, this specification leaves the possibility that the proper scan will not be performed.

With this in mind, we decided to change the behavior of the product.

During the development of Alerts 2.0, we identified problems with the Alert function, fixed their root causes, and implemented a more efficient alert-processing mechanism in Alerts 2.0.

In doing so, we found the following:

- Rescanning all alerts regardless of alert status whenever an API name changes would place a large load on scanning.

- Requests for rescanning when an API name changes are very few.

Therefore, the following specifications were adopted as the final form.

******************************************

Specification 1:

API names and Cloud types listed in the RQL that constitutes a policy cannot be changed. This avoids situations in which a rescan would be required because an API name changed.

Specification 2:

Alerts whose status has been changed to "Dismiss" are excluded from the scan.

******************************************

The behavior described above, which differed from the original specification, was present in the product for the five months during which versions 20.7.1 through 20.11.2 were in effect.

We sincerely apologize for the confusion caused by this inadvertent change in product specifications to customers who observed this behavior in the handling of alerts with a "Dismiss" status during that period.

Please understand that the behavior implemented in the current version follows the original Prisma Cloud specification for how alerts with "Dismiss" status are handled.

Last updated: 01-04-2022 09:08 PM