Investigate Config Incidents on Prisma Cloud

Use config queries to investigate configuration incidents so that you can identify misconfigurations and compliance violations.
Prisma Cloud ingests various services and associated configuration data from AWS, Azure, Alibaba, GCP, and OCI cloud services. You can retrieve resource information to identify resource misconfigurations, and detect policy violations that expose your business to undue risk and non-compliance to industry benchmarks. You can also view the audit trail for information on who created, modified, deleted resources on the cloud platform and when the change was made.
To investigate configuration issues ,you can use Config queries. You can enter your query in the Search bar and if the search expression is valid and complete, a green check mark displays along with your query results.
You can choose to save the search queries that you have created for investigating incidents in
My Saved Searches
. A saved search enables you to use the same query at a later time, instead of typing the query again, and it enables you to use the saved search to create a policy. See Why are alerts generated from a policy different from the running the corresponding query (Saved Search) on the Investigate page?
Saved Searches
has list of search queries saved by any Prisma Cloud administrator.
Select a record to view additional details about Audit Trail or Host Findings in the Resource Explorer. The alerts are displayed when you select the red exclamation mark.
Hover over the configuration record to see the option to view the details of the resource configuration. You can also search directly within the JSON Resource configuration to easily find something that is part of the metadata ingested on Prisma Cloud, and speed up your investigation.
To analyze your configuration events offline, you can download the event search details in a CSV format, click
on the right hand corner.

Why are alerts generated from a policy different from the running the corresponding query (Saved Search) on the Investigate page?

Prisma Cloud enables you to run a query on the Investigate page, and save the query as a saved search so that you can re-run the same search periodically. If you then use this saved search query as match criteria in a policy, the matched issues that trigger alerts can be different from the corresponding results for the same query on the Investigate page.
The reason for this difference in results is that the policy engine functions slightly differently from the Investigate page. To understand the differences you need to know the following:
Criteria for creating a policy using a saved search
  • Saved search must be valid to create a policy. For Config queries (
    config from cloud.resource where
    ), you may see the error
    RQL invalid for policy creation
    . This error indicates that the saves search RQL is not valid to create a policy.
  • Currently, to create a policy the saved search must meet these guidelines:
    • Does not have the
    • when a
      attribute is within the json.rule, it does not have a resource list (reference with
    • has either the
      attribute or the
      • when it has the
        attribute, it includes a
        or the
        group by
      • when has the
        attribute the specified values for the attribute do not contain
        Prisma Cloud Alert
        You can however, have the operator
        Not Equal Prisma Cloud Alert
        Not IN (Prisma Cloud Alert, boo, etc.)
Criteria for updating a saved search used in a policy
If you use a saved search to create a policy, you cannot update the following:
  • cloud.type
    ** For non-join queries,
    cannot be changed
    • For join queries, the
      in the clause used for
      cannot be changed.
      Example query structure:
      X; Y; Z; filter…; Show Y
      in Y
      be updated (because X is used for Show)
      in X, Z
      be updated
Criteria for what is ignored or replaced when displaying results
The values for the following attributes in a saved search are replaced by the scope you define in an alert rule:
  • cloud.account
  • cloud.region
  • tag
    (tag filter used within the
    will be ignored)
  • cloud.type
  • When
    is not specified in the query, both the Investigate page and the policy engine will return active
    deleted resources.
    However, the deleted resources for the policy engine includes only the resources deleted since the last scan within the search scope, while the Investigate page scans all deleted resources available in the database. Specifically:
    Resource Status
    Policy Engine
    Resources that are running at the time of scan only
    Only resources that were running at the end time of the interval (creation time before time interval ends and deletion, if any, after the time interval).
    Resources deleted since the last scan only
    Only resources that were deleted during the specified time interval (deletion time within the interval).
    Not Specified
    Running resources and resources deleted since the last scan
    Any resources that existed during the specified time interval.
JOIN queries
  • For Investigate queries, cross-account join will be applied by default.
    For policy engine, all queries are run on a specific account, which means JOIN will be done only within one account at a time.

Recommended For You