This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About PStypulkowski
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About PStypulkowski
05-23-2022
1Post
0Likes
0Solutions
May 23, 2022Last Visited
User
Activity
User
Profile
Latest posts by PStypulkowski
| Subject | Views | Posted |
|---|---|---|
| 1399 | 05-23-2022 01:36 AM |
User Badges
Community Statistics
| Member Since | 05-23-2022 01:01 AM |
| Date Last Visited | 05-23-2022 07:51 AM |
| Posts | 1 |
05-23-2022
01:36 AM
Hi Folks,
I use that enhanced auto-remediation (https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation#getting-started) trying to auto remediate alerts detected in Prisma. For some reasons some alerts that can not be remediated due to lack of permissions, errors or just deficiency in runbook or any others, constantly trigger associated runbooks in lambda.
I noticed that situation with constantly triggering alert happens when, first time alert is triggered and it can't be fixed due to lack of permissions or just runbook runs correctly but in fact it doesn't fix issue, it triggers lambda(runbook) for some period of time (it looks it is related to parameter Message retention period in SQS) and every 30 minutes (it looks it is related to parameter visibility timeout in SQS ), no matter it is fixed (manually or via improved runbook) or not.
Once alert comes in (first time) and is fixed immediately there are no more triggering as i described as root cause. I suspect that in second scenario runbook returns something it allows remove that alert from queue. How to handle first scenario ?
... View more
Labels:
- Labels:
-
Cloud Security
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-23-2022
07:51 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks