Add an Alert Rule

POST 
/alert/rule

Adds a new alert rule.

By default, all alerts that this alert rule triggers will display on the Alerts page. You can also send Prisma Cloud alerts that this alert rule triggers to one or more third-party tools that you have integrated with the Prisma Cloud service. You can also configure the alert rule to send email notifications.

To send a Prisma Cloud alert to a third-party tool, you must configure an AlertRuleNotificationConfig object as part of your request body parameters. The content of the AlertRuleNotificationConfig object depends on the third-party tool. If the tools require AlertRuleNotificationConfig.id or AlertRuleNotificationConfig.templateId, you can use Get Integrations to get such information.

To add an Alert Rule, the required request body parameters are:

• name
• description
• allowAutoRemediate
• enabled
• target
• target.accountGroups
• scanAll

The default values for the optional boolean parameters are in the table below:

Optional Request Body Parameter	Default
allowAutoRemediate	false
notifyOnDismissed	false
notifyOnOpen	true
notifyOnResolved	false
notifyOnSnoozed	false
deleted	false

You can also specify addition target parameters to narrow the conditions that trigger alerts for this alert rule.

If policies is empty, then Prisma Cloud will scan all policies for violations to trigger alerts.

Under certain circumstances, you can also specify an array of policyLabels to identify policies. The following conditions must be met for you to use the policyLabels parameter:

• The request body parameter scanAll must be false.
• The policy associated with the policy label cannot be included in the request body parameter policies.

Request

application/json; charset=UTF-8

Body

required

Model for Policy Scan Config

alertRuleNotificationConfig object[]
List of data for notifications to third-party tools
Array [
detailedReport boolean
Provide csv detailed report
enabled boolean
Scan enabled
frequency string
Possible values: [as_it_happens, daily, weekly, monthly]
id string
Alert rule notification config ID
includeRemediation boolean
Include remediation in detailed report
lastUpdated int64
Last Updated
last_sent_ts int64
Time of last notification in milliseconds
recipients string[]
• For email notifications: List of unique email addresses to notify
• For integrations without notification templates: List of integration ids
• For integrations with notification templates: List of notification template ids
rruleSchedule string
templateId string
Template ID
type string
Possible values: [email, slack, splunk, amazon_sqs, jira, microsoft_teams, webhook, aws_security_hub, google_cscc, service_now, pager_duty, azure_service_bus_queue, demisto, aws_s3, snowflake]
Integration type
withCompression boolean
Compress detailed report
]
allowAutoRemediate boolean

Allow Auto-Remediation

delayNotificationMs int64

Delay notifications by the specified milliseconds

description string

Rule/Scan description

enabled boolean

Rule/Scan is enabled

name stringrequired

Rule/Scan name

notifyOnDismissed boolean

include dismissed alerts in notification

notifyOnOpen boolean

include open alerts in notification

notifyOnResolved boolean

include resolved alerts in notification

notifyOnSnoozed boolean

include snoozed alerts in notification

policies string[]

List of specific policy IDs to scan

policyLabels string[]

Policy labels

policyScanConfigId string

Policy Scan Config ID

scanAll boolean

Scan all policies

target objectrequired
Model for Target Filter
accountGroups string[]
List of Account group(s)
alertRulePolicyFilter object
Model for Alert Rule Policy Filter
availablePolicyFilters string[]
List of available Alert Rule Policy Filters
cloud.type string[]
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud Type Filter
policy.complianceStandard string[]
Compliance Standard Filter
policy.label string[]
Policy Label Filter
policy.severity string[]
Policy Severity Filter
excludedAccounts string[]
List of excluded accounts
includedResourceLists object
Model for holding the lists resource list ids by resource list type
computeAccessGroupIds string[]
regions string[]
List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.
tags object[]
List of TargetTag models (resource tags) for which alerts should be triggered
Array [
key string
Resource tag target
values string[]
List of value(s) for resource tag key
]

Responses

200

successful operation

application/json; charset=UTF-8

Schema

Schema

alertRuleNotificationConfig object[]
List of data for notifications to third-party tools
Array [
dayOfMonth int32
Day of month
daysOfWeek object[]
Days of week
Array [
day string
Possible values: [SU, MO, TU, WE, TH, FR, SA]
offset int32
]
detailedReport boolean
Provide csv detailed report
enabled boolean
Scan enabled
frequency string
Possible values: [as_it_happens, daily, weekly, monthly]
frequencyFromRRule string
Frequency from RRule
hourOfDay int32
Hour of day
id string
Alert rule notification config ID
includeRemediation boolean
Include remediation in detailed report
lastUpdated int64
Last Updated
last_sent_ts int64
Time of last notification in milliseconds
recipients string[]
• For email notifications: List of unique email addresses to notify
• For integrations without notification templates: List of integration ids
• For integrations with notification templates: List of notification template ids
rruleSchedule string
templateId string
Template ID
timezone string
Java time zone ID (e.g. America/Los_Angeles)
type string
Possible values: [email, slack, splunk, amazon_sqs, jira, microsoft_teams, webhook, aws_security_hub, google_cscc, service_now, pager_duty, azure_service_bus_queue, demisto, aws_s3, snowflake]
Integration type
withCompression boolean
Compress detailed report
]
allowAutoRemediate boolean

Allow Auto-Remediation

delayNotificationMs int64

Delay notifications by the specified milliseconds

description string

Rule/Scan description

enabled boolean

Rule/Scan is enabled

lastModifiedBy string

Last modified by

lastModifiedOn int64

Last modified on this date/time in milliseconds

name stringrequired

Rule/Scan name

notifyOnDismissed boolean

include dismissed alerts in notification

notifyOnOpen boolean

include open alerts in notification

notifyOnResolved boolean

include resolved alerts in notification

notifyOnSnoozed boolean

include snoozed alerts in notification

policies string[]

List of specific policy IDs to scan

policyLabels string[]

Policy labels

policyScanConfigId string

Policy Scan Config ID

scanAll boolean

Scan all policies

target objectrequired
Model for Target Filter
accountGroups string[]
List of Account group(s)
alertRulePolicyFilter object
Model for Alert Rule Policy Filter
availablePolicyFilters string[]
List of available Alert Rule Policy Filters
cloud.type string[]
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud Type Filter
policy.complianceStandard string[]
Compliance Standard Filter
policy.label string[]
Policy Label Filter
policy.severity string[]
Policy Severity Filter
excludedAccounts string[]
List of excluded accounts
includedResourceLists object
Model for holding the lists resource list ids by resource list type
computeAccessGroupIds string[]
regions string[]
List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.
tags object[]
List of TargetTag models (resource tags) for which alerts should be triggered
Array [
key string
Resource tag target
values string[]
List of value(s) for resource tag key
]

Example (from schema)

{
  "alertRuleNotificationConfig": [
    {
      "dayOfMonth": 0,
      "daysOfWeek": [
        {
          "day": "SU",
          "offset": 0
        }
      ],
      "detailedReport": true,
      "enabled": true,
      "frequency": "as_it_happens",
      "frequencyFromRRule": "string",
      "hourOfDay": 0,
      "id": "string",
      "includeRemediation": true,
      "lastUpdated": 0,
      "last_sent_ts": 0,
      "recipients": [
        "string"
      ],
      "rruleSchedule": "string",
      "templateId": "string",
      "timezone": "string",
      "type": "email",
      "withCompression": true
    }
  ],
  "allowAutoRemediate": true,
  "delayNotificationMs": 0,
  "description": "string",
  "enabled": true,
  "lastModifiedBy": "string",
  "lastModifiedOn": 0,
  "name": "string",
  "notifyOnDismissed": true,
  "notifyOnOpen": true,
  "notifyOnResolved": true,
  "notifyOnSnoozed": true,
  "policies": [
    "string"
  ],
  "policyLabels": [
    "string"
  ],
  "policyScanConfigId": "string",
  "scanAll": true,
  "target": {
    "accountGroups": [
      "string"
    ],
    "alertRulePolicyFilter": {
      "availablePolicyFilters": [
        "string"
      ],
      "cloud.type": [
        "ALL"
      ],
      "policy.complianceStandard": [
        "string"
      ],
      "policy.label": [
        "string"
      ],
      "policy.severity": [
        "string"
      ]
    },
    "excludedAccounts": [
      "string"
    ],
    "includedResourceLists": {
      "computeAccessGroupIds": [
        "string"
      ]
    },
    "regions": [
      "string"
    ],
    "tags": [
      {
        "key": "string",
        "values": [
          "string"
        ]
      }
    ]
  }
}

400

invalid_param_value / auto_remediation_only_for_config_remediable_policies / missing_required_param / non_notification_state_selected / invalid_notification_state / invalid_resource_list_id / snooze_time_must_be_relative / dismissal_reason_required / has_overlaps_in_resource_list_rules / missing_required_param

Loading...