Config Query Attributes

api.name
Cloud APIs are part of cloud platforms and they enable the development of applications and services used for provisioning resources, virtual machines, platforms, and software.
For each cloud platform, depending on the resource, there are several APIs available. You can use the
api.name
attribute to identify a specific configuration for the resource. For a list of all API names available for each cloud platform, see AWS APIs Ingested by Prisma Cloud, Microsoft Azure APIs Ingested by Prisma Cloud, GCP APIs Ingested by Prisma Cloud, OCI APIs Ingested by Prisma Cloud, and Alibaba Cloud APIs.
The
api.name
attribute is required in configuration queries except when you are querying the configuration for Config Query Attributes.
When used with the Config Query Attributes attribute, auto-complete displays only the API names that pertain to the cloud type you selected.

For example, you can list SQL instances on Google Cloud:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
addcolumn
Use the
addcolumn
attribute to add columns to the results displayed on screen. This enables you to view the JSON data for the resources that correspond to your query.

For example, you can add columns for key name and image ID for EC2 instances:
config from cloud.resource where api.name = 'aws-ec2-describe-instances' addcolumn keyName hypervisor imageId
The addcolumn attributes works only when the field is present in all matching entries. If all matching entries do not have the selected field in the JSON payload, the column may not display.
azure.resource.group
Use the
azure.resource.group
attribute to find all cloud resources deployed within a specific Azure Resource Group, which is a logical container that groups related resources that are stored within your Azure account. For example:
config from cloud.resource where azure.resource.group = 'azure-resource-group-test' and api.name = 'azure-network-vnet-list'
lists all network-vnet resources that are part of the Azure resourcegroup named azure-resource-group-test.
cloud.account
Use the
cloud.account
attribute to narrow down a configuration search to one or more cloud accounts that you connected to the Prisma Cloud.
For example, you can list EC2 instances in your Production AWS account:
config from cloud.resource where cloud.type = 'aws' AND cloud.account = 'Production’ AND api.name = 'aws-ec2-describe-instances'
cloud.account.group
Use the
cloud.account.group
attribute to narrow down the configuration to the cloud account in your cloud account group.
For example, you can list all the Amazon RDS instances in all your AWS accounts:
config from cloud.resource where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Virginia' AND api.name = 'aws-rds-describe-db-instances'
cloud.region
Use the
cloud.region
attribute to narrow down a configuration search to one or more cloud regions.
For example, you can list all virtual machine instances in your Azure account in the Central US region:
config from cloud.resource where cloud.type = 'azure' and cloud.account = 'RedLock - Azure Subscription' AND cloud.region = 'Azure Central US' AND api.name = 'azure-vm-list'
cloud.service
Use the
cloud.service
attribute to query configuration for a specific cloud service, such as IAM, S3, or Virtual Machines.
For example, you can list all S3 storage bucket access control lists (ACLs) in your AWS cloud accounts:
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'S3' AND api.name = 'aws-s3api-get-bucketacl'
cloud.type
Use the
cloud.type
attribute to narrow down your search option to specific clouds. Supported options are AWS, Azure,GCP, Alibaba and OCI.
For example, you can list all EC2 instances in your AWS cloud accounts:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'
count
Use the
count
attribute for a tally of the number of resources of a specific type.
count
is available for use with the
api.name
attribute as <X, Y or Z>); it is not available with
json.rule
.When the api.name is a global service (such as, aws-iam-get-account-summary), count includes all resources for that service within the cloud account; if the api.name is a regional service (such as, aws-rds-describe-db-instances), the count includes the only resources tied to the cloud region for the cloud account.For example, you can retrieve a count of all the AWS EC2 images available in your AWS account:
config from cloud.resource where api.name = 'aws-ec2-describe-images' as X; count(X) greater than 0
finding.type, finding.severity, finding.source
Use the finding attributes to query for vulnerabilities on workloads—destination or source resources—that have one or more host-related security findings. Prisma Cloud ingests host vulnerability data from external sources, such as Qualys, Tenable.io, AWS Inspector and ingests host and IAM users security-related alerts from AWS GuardDuty, or Prisma Cloud Defenders deployed on your hosts or containers.
To leverage
finding
attributes, you must either enable an integration with the host vulnerability provider such as AWS GuardDuty or have installed Prisma Cloud Defenders in your environment.

For example, you can list all the hosts with a critical host vulnerability:
config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.severity = 'critical'
Or find potential security issues by source:
config from cloud.resource where finding.source = 'AWS Guard Duty' AND finding.type = 'AWS GuardDuty IAM ' AND api.name= 'aws-iam-list-users'
Host finding attributes support the following resource types:
Prisma Cloud Alert
—Fetches all resources that have one or more open alerts generated by Prisma Cloud.
Host Vulnerability
—Fetches all resources that have one or more of the host vulnerabilities (such as CVE-2016-8655) reported by external providers such as AWS Inspector, Qualys, or Tenable.io or Prisma Cloud Defenders.
Compliance
—Fetches all resources that are in violation of one or more compliance issues reported by external compliance host-scanning systems.
AWS Inspector Runtime Behavior Analysis
—Fetches all resources which are in violation of one or more rules reported by the AWS Runtime Behavior Analysis package.
AWS Inspector Security Best Practices
—Fetches all resources which are in violation of one or more rules reported by the AWS Inspector Security best practices package.
AWS GuardDuty
—Fetches all resources which have one or more findings reported by AWS GuardDuty.
For AWS GuardDuty, the finding.type can be IAM or host—AWS GuardDuty IAM or AWS GuardDuty Host.
finding.name
Use the
finding.name
attribute and enter a string value to find a host vulnerability by the name defined on your host vulnerability provider. Specify the
finding.type
for the autocomplete suggestion to specify a
finding.name
query.

For example, you can list all the hosts with the CVE-2016-8399 vulnerability:
config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.name = 'CVE-2016-8399'
or,
config from cloud.resource where finding.type = 'AWS GuardDuty IAM' AND finding.name= ‘Recon:IAM/TorIPCaller’
json.rule
Prisma Cloud ingests data and updates events in the JSON format.
Use the
json.rule
attribute to query or filter specific elements included in the JSON configuration related to a cloud resource. The
json.rule
attribute enables you to look for specific configurations: parse JSON-encoded values, extract data from JSON, or search for value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud. This
json.rule
attribute allows you to create boolean combinations and find data in selected fields within the JSON data that represents the resource.
When you include the
json.rule
attribute in a configuration query, the auto-complete displays the elements or resources that match your search criteria. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.
For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:
config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = ['properties.osProfile'
.linuxConfiguration.disablePasswordAuthentication is true]
Or define nested rules in Config RQL to query data within JSON arrays, such as find network security groups that include rules that allow TCP traffic on specified destination ports:
config from cloud.resource where api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any( direction equals Inbound and protocol does not equal UDP and access equals Allow and destinationPortRange is member of (22,3389,5432,1521,3306,5000,5984,6379,6380,9042,11211,27017))] exists
or,
config from cloud.resource where api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and sourceAddressPrefix equals Internet and (protocol equals Udp or protocol equals *) and destinationPortRange contains _Port.inRange(137,137) )] exists]
, or
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists ]
JSON Preview
simplifies the
json.rule
building experience by creating a visually interactive experience, where you can see the full JSON configuration schema based on the API you select in your configuration query.
JSON Preview is disabled, by default. Toggle
JSON Preview
on the Investigate page to use it to easily see which parts of your specified APIs configuration you want to query. It displays the full schema configuration, where in you can search for a particular attribute, minimize, and maximize to go to deeper levels. Once you find the attribute you’re looking for, hover over it to see a preview of the path, and click on it to append that path to your query. You can continue building your query by adding paths and JSON conditions.

JSON Preview is only available for Config queries.
It is not currently supported for OCI APIs.
JSON Preview is not displayed when you use a join query with
filter
X, Y, or Z.
resource.status
Use the
resource.status
attribute to find resources that are active or deleted on the cloud platform within the specified time range. The value available are
active
or
deleted
. For example:
config from cloud.resource where resource.status = active
.
The query result is based on whether the specified resource was active during or deleted anytime within the search time range. Resources that were neither created nor deleted within the specified time range are not included in the result.
When
resource.status
is not specified in the query, use the
Resource Explorer
to check whether the
Deleted
status for the resource is True or False.
tag
Use the
tag
attribute to find all resources that have a specific tag name or value. The operators available with
config from cloud.resource where tag
include
('key') = 'value'
,
All
,
Any
,
tag('key') EXISTS
,
tag('key') in ('value1', 'value2', 'value3')
, and the negations !=, does not Exist, not in.
After you define a
tag
in
Settings
Resource List
, you can reference the tag value or key in a config query. The supported operators are
is member of
,
is not member of
,
intersects
, and
does not intersect
. Use curly braces to use them in a JSON rule:
config from cloud.resource where api.name  = 'aws-ec2-describe-instances' AND json.rule = tags[*
.key is member of {'Resource List'.keys}]

Only the tags that are displayed in the Resource Explorer are available for you to match on; all tags in the JSON payload are not available with the tag attribute.
Tag-based filtering allows you to find resources on the
Investigate
page. You cannot save the query as a saved search or use it in custom policy.