I use the Enhanced Auto-Remediation (https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation#getting-started) to try to auto-remediate alerts detected in Prisma.
For some reason, some alerts that cannot be remediated (due to lack of permissions, errors, a deficiency in the runbook, or anything else) constantly trigger the associated runbooks in Lambda.
I noticed that this constantly triggering alert situation happens when the alert is triggered for the first time and it can't be fixed due to lack of permissions, or the runbook runs correctly but in fact doesn't fix the issue: it then triggers the Lambda (runbook) for some period of time (this looks related to the Message retention period parameter in SQS), every 30 minutes (this looks related to the visibility timeout parameter in SQS), no matter whether it is fixed (manually or via an improved runbook) or not.
Once an alert comes in (for the first time) and is fixed immediately, there is no more triggering as I described as the root cause.
I suspect that in the second scenario the runbook returns something that allows the alert to be removed from the queue. How do I handle the first scenario?
Hi @PStypulkowski - In general, if the alert is not fixed and the alert reoccurs, the alert will be triggered again and again. The exact solution for this depends on the reason for the failure of auto-remediation, and fixing it: for example providing the missing permissions, or correcting the error (maybe the API has changed, a typo, a change in the AWS CLI command, a version issue, etc.).
The best practice would be to fix the issues with auto-remediation as described above. However, if you do not wish to do that (for example, providing the adequate permissions for auto-remediation conflicts with some internal organisation policy or reason), then another approach would be to dismiss such alerts from the console / API calls. This will suppress the alerts and will not trigger alert notifications again and again.
If you are still facing any issue with auto-remediation, please drop a mail to <PrismaCloudCustomerSuccess@paloaltonetworks.com> describing your issue with details of the policy and alert ID etc.; this will help us to debug the issue more specifically.
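To make the behaviour described in the question concrete, here is an added offline model of the SQS-to-Lambda contract (example code, not part of the Prisma-Enhanced-Remediation project or of either post). A message whose consumer raises is not deleted and becomes visible again after the visibility timeout, so the runbook is re-invoked until the message retention period expires; a message whose consumer returns normally is deleted after the first invocation. The queue parameters (30-minute visibility timeout, 4-hour retention) and the alert payload are constructed values, and the `max_receive_count` redrive-to-dead-letter-queue setting is a standard SQS feature shown only to illustrate how the useless re-invocations can be bounded; whether the project configures a redrive policy is not stated on this page.

```python
"""Offline model of how an SQS-triggered Lambda runbook gets re-invoked.

Constructed example; not code from Prisma-Enhanced-Remediation. It mirrors the
SQS/Lambda contract: a message the consumer fails on (raises) becomes visible
again after VisibilityTimeout and is redelivered until MessageRetentionPeriod
expires; a message the consumer succeeds on is deleted. An optional redrive
policy (maxReceiveCount + dead-letter queue) caps the number of retries.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Message:
    body: str
    enqueued_at: int          # simulated clock, seconds
    visible_at: int           # hidden from receivers until this time
    receive_count: int = 0


@dataclass
class SimulatedQueue:
    visibility_timeout: int                 # seconds a received message stays hidden
    retention_period: int                   # seconds before SQS drops the message
    max_receive_count: Optional[int] = None  # None = no redrive policy configured
    messages: list = field(default_factory=list)
    dead_letter: list = field(default_factory=list)

    def send(self, body: str, now: int) -> None:
        self.messages.append(Message(body, enqueued_at=now, visible_at=now))

    def _expire(self, now: int) -> None:
        # SQS silently discards messages older than MessageRetentionPeriod.
        self.messages = [m for m in self.messages
                         if now - m.enqueued_at < self.retention_period]

    def receive(self, now: int) -> Optional[Message]:
        """Hand out one visible message and hide it for visibility_timeout."""
        self._expire(now)
        for m in list(self.messages):
            if m.visible_at > now:
                continue
            m.receive_count += 1
            if self.max_receive_count is not None and m.receive_count > self.max_receive_count:
                # Redrive policy: too many failed receives, move to the dead-letter queue.
                self.messages.remove(m)
                self.dead_letter.append(m)
                continue
            m.visible_at = now + self.visibility_timeout
            return m
        return None

    def delete(self, msg: Message) -> None:
        self.messages.remove(msg)


def invoke_runbook(queue: SimulatedQueue, runbook: Callable[[str], dict], now: int) -> bool:
    """One Lambda poll. Returns True if the runbook was invoked.

    Success deletes the message (what the Lambda/SQS integration does for you);
    an exception leaves it in the queue to reappear after the visibility timeout.
    """
    msg = queue.receive(now)
    if msg is None:
        return False
    try:
        runbook(msg.body)
    except Exception:
        return True          # invoked, but the message will be redelivered
    queue.delete(msg)
    return True


def simulate(runbook: Callable[[str], dict], visibility_timeout: int = 1800,
             retention_period: int = 14400, max_receive_count: Optional[int] = None,
             poll_interval: int = 60) -> dict:
    """Enqueue one constructed alert at t=0 and poll until retention has passed."""
    q = SimulatedQueue(visibility_timeout, retention_period, max_receive_count)
    q.send('{"alertId": "ALERT-ID-PLACEHOLDER", "policy": "example-policy"}', now=0)
    invocations = []
    for now in range(0, retention_period + poll_interval, poll_interval):
        if invoke_runbook(q, runbook, now):
            invocations.append(now)
    return {"invocations": invocations,
            "dead_lettered": len(q.dead_letter),
            "remaining": len(q.messages)}


def runbook_missing_permissions(body: str) -> dict:
    # Models the first scenario: the remediation call is denied, the handler raises.
    raise PermissionError("AccessDenied (constructed)")


def runbook_fixes_issue(body: str) -> dict:
    # Models the second scenario: the runbook completes and returns normally.
    return {"status": "remediated"}


if __name__ == "__main__":
    for name, rb, mrc in [("denied, no redrive", runbook_missing_permissions, None),
                          ("denied, maxReceiveCount=3", runbook_missing_permissions, 3),
                          ("fixed on first run", runbook_fixes_issue, None)]:
        print(name, simulate(rb, max_receive_count=mrc))
```

With these constructed parameters the denied runbook is invoked every 1800 seconds (eight times over the four-hour retention window) and then the message simply expires, which matches the pattern in the question; the successful runbook is invoked once. Adding a redrive policy stops the loop after three receives and parks the message in a dead-letter queue, where the failed alert is visible for follow-up instead of silently retrying.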