Investigate Config Incidents on Prisma Cloud
Use config queries to investigate configuration incidents so that you can identify misconfigurations and compliance violations.
Prisma Cloud ingests various services and their associated configuration data from AWS, Azure, Alibaba, GCP, and OCI. You can retrieve resource information to identify resource misconfigurations and detect policy violations that expose your business to undue risk and non-compliance with industry benchmarks. You can also view the audit trail for information on who created, modified, or deleted resources on the cloud platform and when the change was made.
To investigate configuration issues, you can use Config queries. Enter your query in the Search bar; if the search expression is valid and complete, a green check mark is displayed along with your query results.
You can choose to save the search queries that you have created for investigating incidents in My Saved Searches. A saved search enables you to reuse the same query later instead of typing it again, and you can use a saved search to create a policy (see Why are alerts generated from a policy different from running the corresponding query (Saved Search) on the Investigate page? below). Saved Searches lists the search queries saved by any Prisma Cloud administrator.
Select a record to view additional details about Audit Trail or Host Findings in the Resource Explorer. Alerts for the resource are displayed when you select the red exclamation mark.

Hover over the configuration record to see the option to view the details of the resource configuration. You can also search directly within the JSON Resource configuration to easily find something that is part of the metadata ingested on Prisma Cloud, and speed up your investigation.

To analyze your configuration events offline, click Download in the right-hand corner to download the event search details in CSV format.
Why are alerts generated from a policy different from running the corresponding query (Saved Search) on the Investigate page?
Prisma Cloud enables you to run a query on the Investigate page, and save the query as a saved search so that you can re-run the same search periodically. If you then use this saved search query as match criteria in a policy, the matched issues that trigger alerts can be different from the corresponding results for the same query on the Investigate page.
The reason for this difference in results is that the policy engine functions slightly differently from the Investigate page. To understand the differences, you need to know the following:
Criteria for creating a policy using a saved search
- A saved search must be valid to create a policy. For Config queries (config from cloud.resource where), you may see the error RQL invalid for policy creation. This error indicates that the saved search RQL is not valid for creating a policy.
- Currently, to create a policy the saved search must meet these guidelines:
  - It does not have the azure.resource.group attribute.
  - When a tag attribute is within the json.rule, it does not have a resource list (reference with {}).
  - It has either the api.name attribute or the finding.type attribute.
  - When it has the api.name attribute, it includes a json.rule or the group by or count function.
  - When it has the finding.type attribute, the specified values for the attribute do not contain Prisma Cloud Alert. You can, however, use the operator Not Equal Prisma Cloud Alert or Not IN (Prisma Cloud Alert, boo, etc.).
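As an added example (not Prisma Cloud's own code), the following Python pre-check applies the guidelines above to a Config RQL string before you try to create a policy from it. It assumes the textual operator forms =, !=, IN and NOT IN for finding.type, and the sample queries are constructed, with a placeholder api.name value.

```python
import re

# Added example, not Prisma Cloud code: a local pre-check that mirrors the documented
# guidelines for turning a Config RQL saved search into a policy. It is a string-level
# heuristic over the RQL text, not the policy engine itself.

# Operators under which a finding.type value of 'Prisma Cloud Alert' is still allowed.
_NEGATED_OPS = ("!=", "NOT IN")


def _finding_type_clauses(q: str):
    """Yield (operator, value_text) for each finding.type comparison in the query.

    Assumes the operator forms =, !=, IN and NOT IN (an assumption of this example);
    value_text runs up to the next AND/OR, a semicolon, or the end of the query.
    """
    pat = r"finding\.type\s*(NOT\s+IN|IN|!=|=)\s*(.*?)(?=\s+(?:AND|OR)\s+|;|$)"
    for m in re.finditer(pat, q, re.IGNORECASE | re.DOTALL):
        yield re.sub(r"\s+", " ", m.group(1).upper()), m.group(2)


def policy_creation_problems(rql: str) -> list[str]:
    """Return the documented guideline violations in a Config RQL string (empty = eligible)."""
    q = rql.strip()
    problems = []
    has_api = "api.name" in q
    has_finding = "finding.type" in q
    if "azure.resource.group" in q:
        problems.append("uses the azure.resource.group attribute")
    if not (has_api or has_finding):
        problems.append("needs either api.name or finding.type")
    if has_api and not re.search(r"json\.rule|group\s+by|\bcount\b", q, re.IGNORECASE):
        problems.append("api.name query needs json.rule, group by or count")
    # A tag attribute inside json.rule must not reference a resource list ({...}).
    rule = re.search(r"json\.rule\s*=\s*(.*)", q, re.IGNORECASE | re.DOTALL)
    if rule and re.search(r"\btags?\b", rule.group(1)) and "{" in rule.group(1):
        problems.append("tag inside json.rule references a resource list with {}")
    for op, values in _finding_type_clauses(q):
        if "Prisma Cloud Alert" in values and op not in _NEGATED_OPS:
            problems.append(f"finding.type {op} must not include 'Prisma Cloud Alert'")
    return problems


if __name__ == "__main__":
    # Constructed sample queries; 'aws-example-api' is a placeholder api.name value.
    samples = {
        "ok_config": "config from cloud.resource where api.name = 'aws-example-api' AND json.rule = encrypted equals false",
        "no_rule": "config from cloud.resource where api.name = 'aws-example-api'",
        "pc_alert": "config from cloud.resource where finding.type = 'Prisma Cloud Alert'",
        "negated": "config from cloud.resource where finding.type NOT IN ('Prisma Cloud Alert', 'Other')",
    }
    for name, rql in samples.items():
        print(name, policy_creation_problems(rql) or "eligible for policy creation")
```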
Criteria for updating a saved search used in a policy
If you use a saved search to create a policy, you cannot update the following:
- cloud.type
- api.name:
  - For non-join queries, api.name cannot be changed.
  - For join queries, the api.name in the clause used for Show cannot be changed. Example query structure: X; Y; Z; filter…; Show Y. Here api.name in Y cannot be updated (because it is used for Show), while api.name in X and Z can be updated.
Criteria for what is ignored or replaced when displaying results
The values for the following attributes in a saved search are replaced by the scope you define in an alert rule:
- cloud.account or cloud.accountgroup
- cloud.region
- tag (a tag filter used within the json.rule will be ignored)
- cloud.type, cloud.service
When resource.status is not specified in the query, both the Investigate page and the policy engine return active and deleted resources. However, the deleted resources for the policy engine include only the resources deleted since the last scan within the search scope, while the Investigate page scans all deleted resources available in the database. Specifically:

| Resource Status | Policy Engine | Investigate |
|---|---|---|
| Active | Resources that are running at the time of scan only | Only resources that were running at the end time of the interval (creation time before the time interval ends and deletion, if any, after the time interval). |
| Deleted | Resources deleted since the last scan only | Only resources that were deleted during the specified time interval (deletion time within the interval). |
| Not Specified | Running resources and resources deleted since the last scan | Any resources that existed during the specified time interval. |
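To make the scan-versus-interval difference concrete, here is an added example (not Prisma Cloud code) that models the resource.status behaviour described above with a constructed inventory of three resources; the creation, deletion and scan timestamps are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example, not Prisma Cloud code: a small model of the documented resource.status
# semantics, showing why the same saved search can match different resources in the
# policy engine (scan based) and on the Investigate page (time interval based).

@dataclass
class Resource:
    rid: str
    created: datetime
    deleted: Optional[datetime] = None  # None while the resource is still running


def investigate_matches(resources, start, end, status=None):
    """Investigate page: evaluated against the selected time interval [start, end]."""
    hits = []
    for r in resources:
        running_at_end = r.created <= end and (r.deleted is None or r.deleted > end)
        deleted_in_interval = r.deleted is not None and start <= r.deleted <= end
        existed = r.created <= end and (r.deleted is None or r.deleted >= start)
        if {"active": running_at_end, "deleted": deleted_in_interval, None: existed}[status]:
            hits.append(r.rid)
    return hits


def policy_engine_matches(resources, last_scan, scan_time, status=None):
    """Policy engine: running at scan time, or deleted since the previous scan."""
    hits = []
    for r in resources:
        running = r.created <= scan_time and (r.deleted is None or r.deleted > scan_time)
        gone_since_scan = r.deleted is not None and last_scan < r.deleted <= scan_time
        if {"active": running, "deleted": gone_since_scan, None: running or gone_since_scan}[status]:
            hits.append(r.rid)
    return hits


# Constructed inventory: one long-running resource, one deleted weeks ago, one deleted today.
INVENTORY = [
    Resource("bucket-old", datetime(2024, 1, 1)),
    Resource("bucket-gone-weeks-ago", datetime(2024, 1, 1), datetime(2024, 2, 1)),
    Resource("bucket-gone-today", datetime(2024, 1, 1), datetime(2024, 3, 1, 9)),
]
INTERVAL = (datetime(2024, 1, 15), datetime(2024, 3, 1, 12))  # Investigate time picker (assumed)
SCANS = (datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 10))   # last scan, current scan (assumed)

if __name__ == "__main__":
    print("investigate:", investigate_matches(INVENTORY, *INTERVAL))
    print("policy engine:", policy_engine_matches(INVENTORY, *SCANS))
```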
JOIN queries
- For Investigate queries, a cross-account join is applied by default. For the policy engine, all queries are run on a specific account, which means the JOIN is done only within one account at a time.