Config Query Attributes
Prisma Cloud Enterprise Edition
Learn more about Config Query attributes in RQL.

Review your options when using config from on the Investigate tab of the Prisma Cloud administrative console. The cloud.resource attribute uses the configuration metadata that Prisma Cloud ingests from the cloud service providers, and you can use it to query the resource configuration and manage the security posture for the asset.

Each attribute allows you to narrow your search criteria. Use the auto-complete to view the expressions and operators available for each attribute.

Results on the Investigate page are optimized to load the initial set of results faster. When you enter the query and click Search, the interface loads the first 100 search results. Click the Load More button to fetch additional results. All config attributes are currently optimized for faster search results, except cloud.account.group, azure.resource.group, limit search records, aggregate functions (count and group by), and all finding type attributes such as finding.type and finding.severity. cloud.type is also supported for event queries. The Get Total Count button gives you a full tally for the attributes that support heuristic search.
- api.name
Cloud APIs are part of cloud platforms and they enable the development of applications and services used for provisioning resources, virtual machines, platforms, and software. For each cloud platform, depending on the resource, there are several APIs available. You can use the api.name attribute to identify a specific configuration for the resource. For a list of all API names available for each cloud platform, see AWS APIs Ingested by Prisma Cloud, Microsoft Azure APIs Ingested by Prisma Cloud, GCP APIs Ingested by Prisma Cloud, OCI APIs Ingested by Prisma Cloud, and Alibaba Cloud APIs. The api.name attribute is required in configuration queries except when you are querying the configuration for finding.type. When used with the cloud.type attribute, auto-complete displays only the API names that pertain to the cloud type you selected.
For example, you can list SQL instances on Google Cloud:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
- addcolumn
Use the addcolumn attribute to add columns to the results displayed on screen. This enables you to view the JSON data for the resources that correspond to your query.
For example, you can add columns for key name, hypervisor, and image ID for EC2 instances:
config from cloud.resource where api.name = 'aws-ec2-describe-instances' addcolumn keyName hypervisor imageId
The addcolumn attribute works only when the field is present in all matching entries. If some matching entries do not have the selected field in the JSON payload, the column may not display.
- azure.resource.group
Use the azure.resource.group attribute to find all cloud resources deployed within a specific Azure Resource Group, which is a logical container that groups related resources that are stored within your Azure account.
For example, the following query lists all network-vnet resources that are part of the Azure resource group named azure-resource-group-test:
config from cloud.resource where azure.resource.group = 'azure-resource-group-test' and api.name = 'azure-network-vnet-list'
- cloud.account
Use the cloud.account attribute to narrow down a configuration search to one or more cloud accounts that you connected to Prisma Cloud.
For example, you can list EC2 instances in your Production AWS account:
config from cloud.resource where cloud.type = 'aws' AND cloud.account = 'Production' AND api.name = 'aws-ec2-describe-instances'
- cloud.account.group
Use the cloud.account.group attribute to narrow down the configuration search to the cloud accounts in a cloud account group.
For example, you can list all the Amazon RDS instances in the AWS Virginia region across all your AWS accounts:
config from cloud.resource where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Virginia' AND api.name = 'aws-rds-describe-db-instances'
- cloud.region
Use the cloud.region attribute to narrow down a configuration search to one or more cloud regions.
For example, you can list all virtual machine instances in your Azure account in the Central US region:
config from cloud.resource where cloud.type = 'azure' and cloud.account = 'RedLock - Azure Subscription' AND cloud.region = 'Azure Central US' AND api.name = 'azure-vm-list'
- cloud.service
Use the cloud.service attribute to query configuration for a specific cloud service, such as IAM, S3, or Virtual Machines.
For example, you can list all S3 storage bucket access control lists (ACLs) in your AWS cloud accounts:
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'S3' AND api.name = 'aws-s3api-get-bucketacl'
- cloud.type
Use the cloud.type attribute to narrow down your search to specific clouds. Supported options are AWS, Azure, GCP, Alibaba, and OCI.
For example, you can list all EC2 instances in your AWS cloud accounts:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'
- count
Use the count attribute for a tally of the number of resources of a specific type. count is available for use with the api.name attribute (as <X, Y or Z>) or along with json.rule to query or filter specific elements included in the JSON configuration related to a cloud resource. When the api.name is a global service (such as azure-active-directory-app-registration), count includes all resources for that service within the cloud account; if the api.name is a regional service (such as azure-vm-list), the count includes only the resources tied to the cloud region for the cloud account.
For example, you can retrieve a count of all the Azure Linux Virtual Machines available:
config from cloud.resource where api.name = 'azure-vm-list' as X; count(X) greater than 0
Or, in conjunction with the json.rule attribute, filter and retrieve a count of all the Azure Linux Virtual Machines where password authentication is disabled:
config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = ['properties.osProfile'].linuxConfiguration.disablePasswordAuthentication is true as X; count(X) greater than 1
- finding.type, finding.severity, finding.source
Use the finding attributes to query for vulnerabilities on workloads (destination or source resources) that have one or more host-related security findings. Prisma Cloud ingests host vulnerability data from external sources such as Qualys, Tenable.io, and Amazon Inspector, and ingests host and IAM user security-related alerts from Amazon GuardDuty or from Prisma Cloud Defenders deployed on your hosts or containers. To leverage finding attributes, you must either enable an integration with a host vulnerability provider such as Amazon GuardDuty or have installed Prisma Cloud Defenders in your environment.
For example, you can list all the hosts with a critical host vulnerability:
config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.severity = 'critical'
Or find potential security issues by source:
config from cloud.resource where finding.source = 'AWS Guard Duty' AND finding.type = 'AWS GuardDuty IAM' AND api.name = 'aws-iam-list-users'
Host finding attributes support the following resource types:
  - Prisma Cloud Alert—Fetches all resources that have one or more open alerts generated by Prisma Cloud.
  - Host Vulnerability—Fetches all resources that have one or more host vulnerabilities (such as CVE-2016-8655) reported by external providers such as AWS Inspector, Qualys, or Tenable.io, or by Prisma Cloud Defenders.
  - Compliance—Fetches all resources that are in violation of one or more compliance issues reported by external compliance host-scanning systems.
  - AWS Inspector Runtime Behavior Analysis—Fetches all resources that are in violation of one or more rules reported by the AWS Inspector Runtime Behavior Analysis package.
  - AWS Inspector Security Best Practices—Fetches all resources that are in violation of one or more rules reported by the AWS Inspector Security Best Practices package.
  - AWS GuardDuty—Fetches all resources that have one or more findings reported by AWS GuardDuty. For Amazon GuardDuty, the finding.type can be IAM or host: AWS GuardDuty IAM or AWS GuardDuty Host.
- finding.name
Use the finding.name attribute and enter a string value to find a host vulnerability by the name defined on your host vulnerability provider. Specify the finding.type first so that auto-complete can suggest values for the finding.name query.
For example, you can list all the hosts with the CVE-2016-8399 vulnerability:
config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.name = 'CVE-2016-8399'
or,
config from cloud.resource where finding.type = 'AWS GuardDuty IAM' AND finding.name = 'Recon:IAM/TorIPCaller'
- json.rule
Prisma Cloud ingests data and updates events in the JSON format. Use the json.rule attribute to query or filter specific elements included in the JSON configuration related to a cloud resource. The json.rule attribute enables you to look for specific configurations: parse JSON-encoded values, extract data from JSON, or search for a value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud. The json.rule attribute allows you to create boolean combinations and find data in selected fields within the JSON data that represents the resource. When you include the json.rule attribute in a configuration query, the auto-complete displays the elements or resources that match your search criteria. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.
For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:
config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = ['properties.osProfile'].linuxConfiguration.disablePasswordAuthentication is true
Or define nested rules in Config RQL to query data within JSON arrays, such as finding network security groups that include rules that allow TCP traffic on specified destination ports:
config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[?any( direction equals Inbound and protocol does not equal UDP and access equals Allow and destinationPortRange is member of (22,3389,5432,1521,3306,5000,5984,6379,6380,9042,11211,27017))] exists
or,
config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and sourceAddressPrefix equals Internet and (protocol equals Udp or protocol equals *) and destinationPortRange contains _Port.inRange(137,137) )] exists
or
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists
- JSON Preview
JSON Preview simplifies the json.rule building experience by creating a visually interactive experience, where you can see the full JSON configuration schema based on the API you select in your configuration query. JSON Preview is disabled by default. Toggle JSON Preview on the Investigate page to easily see which parts of your specified API's configuration you want to query. It displays the full schema configuration, in which you can search for a particular attribute and minimize or maximize nodes to go to deeper levels. Once you find the attribute you're looking for, hover over it to see a preview of the path, and click on it to append that path to your query. You can continue building your query by adding paths and JSON conditions.
  - JSON Preview is only available for Config queries.
  - It is not currently supported for OCI APIs.
  - JSON Preview is not displayed when you use a join query with filter X, Y, or Z.
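The following Python is an added illustration, not Prisma Cloud's own rule engine: it reproduces the semantics of the first nested NSG json.rule above, securityRules[?any( ... )] exists, over constructed sample resources shaped like azure-network-nsg-list output, so you can see which resources the rule flags and why UDP, Outbound, and Deny rules do not match. It assumes the rule's literal string comparisons (an assumption; the constructed sample uses the same spelling as the rule).

```python
"""Evaluate an RQL-style nested json.rule over sample Azure NSG JSON.

Rule being modelled (from the page):
  securityRules[?any( direction equals Inbound and protocol does not equal UDP
    and access equals Allow and destinationPortRange is member of (22, 3389, ...))] exists
This is an added illustration with plain-Python semantics, not Prisma Cloud code.
"""
from typing import Dict, List

# The "is member of (...)" port list from the page's rule, as strings because
# destinationPortRange is a string in the NSG JSON.
SENSITIVE_PORTS = {"22", "3389", "5432", "1521", "3306", "5000", "5984",
                   "6379", "6380", "9042", "11211", "27017"}


def rule_matches(rule: Dict) -> bool:
    """The ?any( ... ) predicate applied to one securityRules element."""
    return (rule.get("direction") == "Inbound"            # direction equals Inbound
            and rule.get("protocol") != "UDP"             # protocol does not equal UDP
            and rule.get("access") == "Allow"             # access equals Allow
            and rule.get("destinationPortRange") in SENSITIVE_PORTS)  # is member of (...)


def nsg_exposes_sensitive_port(nsg: Dict) -> bool:
    """`securityRules[?any(...)] exists`: true if at least one element matches."""
    return any(rule_matches(r) for r in nsg.get("securityRules", []))


def find_exposed(nsgs: List[Dict]) -> List[str]:
    """Names of the NSGs the query would return."""
    return [n["name"] for n in nsgs if nsg_exposes_sensitive_port(n)]


# Constructed sample resources (not real data) in the shape of the NSG API output.
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"direction": "Inbound", "protocol": "Tcp", "access": "Allow",
         "destinationPortRange": "443"}]},                 # port not in the list
    {"name": "nsg-db", "securityRules": [
        {"direction": "Inbound", "protocol": "Tcp", "access": "Allow",
         "destinationPortRange": "3306"}]},                # matches: exposed MySQL
    {"name": "nsg-mixed", "securityRules": [
        {"direction": "Inbound", "protocol": "UDP", "access": "Allow",
         "destinationPortRange": "5432"},                  # excluded by protocol
        {"direction": "Outbound", "protocol": "Tcp", "access": "Allow",
         "destinationPortRange": "22"}]},                  # excluded by direction
    {"name": "nsg-denied", "securityRules": [
        {"direction": "Inbound", "protocol": "*", "access": "Deny",
         "destinationPortRange": "22"}]},                  # excluded by access
]

if __name__ == "__main__":
    print(find_exposed(SAMPLE_NSGS))  # → ['nsg-db']
```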
- resource.status
Use the resource.status attribute to find resources that are active or deleted on the cloud platform within the specified time range. The values available are active and deleted. For example:
config from cloud.resource where resource.status = active
The query result is based on whether the specified resource was active during, or deleted at any time within, the search time range. Resources that were neither created nor deleted within the specified time range are not included in the result. When resource.status is not specified in the query, use the Resource Explorer to check whether the Deleted status for the resource is True or False.
- tag
Use the tag attribute to find all resources that have a specific tag name or value. The operators available with config from cloud.resource where tag include tag('key') = 'value', All, Any, tag('key') EXISTS, tag('key') in ('value1', 'value2', 'value3'), and the negations !=, does not Exist, and not in.
After you define a tag in Settings > Resource List, you can reference the tag value or key in a config query. The supported operators are is member of, is not member of, intersects, and does not intersect. Use curly braces to use them in a JSON rule:
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key is member of {'Resource List'.keys}
  - Only the tags that are displayed in the Resource Explorer are available for you to match on; not every tag in the JSON payload is available with the tag attribute.
  - Tag-based filtering allows you to find resources on the Investigate page. You cannot save the query as a saved search or use it in a custom policy.