Config Query Attributes

Learn about Config Query attributes in RQL.
Review your options when using config where on the Investigate tab of the Prisma Cloud administrative console.
Each attribute allows you to narrow your search criteria. The auto-suggest feature displays expressions and Operators available for each attribute.
  • api.name
    Cloud APIs are part of cloud platforms and they enable the development of applications and services used for provisioning resources, virtual machines, platforms, and software. Cloud APIs are generally based on a REST framework.
    For each cloud platform, depending on the resource, there are several APIs available. You can use the api.name attribute to identify a specific configuration for the resource. For a list of all API names available for each cloud platform, see AWS APIs Ingested by Prisma Cloud, Microsoft Azure APIs Ingested by Prisma Cloud, and GCP APIs Ingested by Prisma Cloud.
    The api.name attribute is required in configuration queries except when you are querying the configuration for host findings.
    When used with the cloud.type attribute, auto-complete displays only the API names that pertain to the cloud type you selected.
    For example, you can list SQL instances on Google Cloud:
    config where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
  • addcolumn
    Use the addcolumn attribute to add columns to the results displayed on screen. This enables you to view the JSON data for the resources that correspond to your query.
    For example, you can add columns for key name and image ID for EC2 instances:
    config where api.name = 'aws-ec2-describe-instances' addcolumn keyName hypervisor imageId
  • cloud.type
    Use the cloud.type attribute to narrow your search to specific clouds. Supported options are AWS, Azure, and GCP.
    For example, you can list all EC2 instances in your AWS cloud accounts:
    config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'
  • cloud.service
    Use the cloud.service attribute to query configuration for a specific cloud service, such as IAM, S3, or Virtual Machines.
    For example, you can list all S3 storage bucket access control lists (ACLs) in your AWS cloud accounts:
    config where cloud.type = 'aws' AND cloud.service = 'S3' AND api.name = 'aws-s3api-get-bucketacl'
  • cloud.account
    Use the cloud.account attribute to narrow down a configuration search to one or more cloud accounts that you connected to Prisma Cloud.
    For example, you can list EC2 instances in your Production AWS account:
    config where cloud.type = 'aws' AND cloud.account = 'Production' AND api.name = 'aws-ec2-describe-instances'
  • cloud.region
    Use the cloud.region attribute to narrow down a configuration search to one or more cloud regions.
    For example, you can list all virtual machine instances in your Azure account in the Central US region:
    config where cloud.type = 'azure' and cloud.account = 'RedLock - Azure Subscription' AND cloud.region = 'Azure Central US' AND api.name = 'azure-vm-list'
  • cloud.account.group
    Use the cloud.account.group attribute to narrow down a configuration search to the cloud accounts in a cloud account group.
    For example, you can list all the Amazon RDS instances in all your AWS accounts:
    config where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Virginia' AND api.name = 'aws-rds-describe-db-instances'
  • hostfinding.type, hostfinding.severity, hostfinding.source
    Use host finding attributes to query for vulnerabilities on workloads (destination or source resources) that have one or more host-related security findings. Prisma Cloud ingests host vulnerability data from external sources, such as Qualys, Tenable.io, and AWS Inspector, and ingests security-related alerts for hosts and IAM users from AWS GuardDuty.
    To leverage hostfinding attributes, first enable the integration with the host vulnerability providers.
    For example, you can list all the hosts with a critical host vulnerability:
    config where hostfinding.type = 'Host Vulnerability' AND hostfinding.severity = 'critical'
    Or find potential security issues by source:
    config where hostfinding.source = 'AWS Guard Duty' AND hostfinding.type = 'AWS GuardDuty IAM' AND api.name = 'aws-iam-list-users'
    Host finding attributes support the following resource types:
    • Prisma Cloud: Fetches all resources that have one or more open alerts generated by Prisma Cloud.
    • Host Vulnerability: Fetches all resources that have one or more of the host vulnerabilities (such as CVE-2016-8655) reported by external providers such as AWS Inspector, Qualys, or Tenable.io.
    • Compliance: Fetches all resources that are in violation of one or more compliance issues reported by external compliance host-scanning systems.
    • AWS Inspector Runtime Behavior Analysis: Fetches all resources which are in violation of one or more rules reported by the AWS Runtime Behavior Analysis package.
    • AWS Inspector Security Best Practices: Fetches all resources which are in violation of one or more rules reported by the AWS Inspector Security best practices package.
    • AWS GuardDuty: Fetches all resources which have one or more findings reported by AWS GuardDuty.
  • hostfinding.name
    Use the hostfinding.name attribute and enter a string value to find a host vulnerability by the name defined on your host vulnerability provider. Specify the hostfinding.type first so that auto-complete can suggest a hostfinding name.
    For example, you can list all the hosts with the CVE-2016-8399 vulnerability:
    config where hostfinding.type = 'Host Vulnerability' AND hostfinding.name = 'CVE-2016-8399'
    or,
    config where hostfinding.type = 'AWS GuardDuty IAM' AND hostfinding.name = 'Recon:IAM/TorIPCaller'
  • json.rule
    Prisma Cloud ingests data and updates events in the JSON format.
    Use the json.rule attribute to query or filter specific elements included in the JSON configuration related to a cloud resource. The json.rule attribute enables you to look for specific configurations: parse JSON-encoded values, extract data from JSON, or search for a value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud. The json.rule attribute also allows you to create boolean combinations and find data in selected fields within the JSON data that represents the resource.
    When you include the json.rule attribute in a configuration query, auto-complete displays the elements or resources that match your search criteria. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.
    For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:
    config where api.name = 'azure-vm-list' AND json.rule = ['properties.osProfile'].linuxConfiguration.disablePasswordAuthentication is true
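
A small linter for saved config queries, added here as an illustration; it is not part of Prisma Cloud or its documentation. It checks only the rules this page states (api.name required except for host findings, the three listed cloud.type values) plus quoting slips that make a pasted query fail. The function name and sample queries are constructed, and it assumes json.rule, when present, is the last attribute in the query.

```python
import re

SUPPORTED_CLOUDS = {"aws", "azure", "gcp"}      # cloud.type options listed on this page
CURLY = "\u2018\u2019\u201c\u201d"              # typographic quotes pasted from documents
CLAUSE = re.compile(r"([a-z]+(?:\.[a-z]+)*)\s*=\s*'([^']*)'", re.IGNORECASE)


def lint_config_query(query):
    """Return the problems found in one RQL config query; an empty list means clean."""
    problems = []
    if not re.match(r"\s*config\s+where\b", query, re.IGNORECASE):
        problems.append("must start with 'config where'")
    if any(ch in query for ch in CURLY):
        problems.append("typographic quote; use straight single quotes")
    # Replace curly quotes so the remaining checks still see complete clauses.
    text = query.translate(str.maketrans(CURLY, "''''"))
    if text.count("'") % 2:
        problems.append("unbalanced single quotes")
    # Assumption: only the part before json.rule holds attribute = 'value' clauses.
    head = re.split(r"\bjson\.rule\b", text, maxsplit=1)[0]
    clauses = [(a.lower(), v) for a, v in CLAUSE.findall(head)]
    attrs = {a for a, _ in clauses}
    for attr, value in clauses:
        if value != value.strip():
            problems.append(f"{attr}: value {value!r} has leading or trailing space")
        if attr == "cloud.type" and value.strip().lower() not in SUPPORTED_CLOUDS:
            problems.append(f"cloud.type: {value!r} is not aws, azure or gcp")
    # api.name is required unless the query is about host findings.
    if "api.name" not in attrs and not any(a.startswith("hostfinding.") for a in attrs):
        problems.append("api.name is required unless querying host findings")
    return problems


# Constructed sample queries modelled on the ones in this page.
SAMPLES = [
    "config where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'",
    "config where hostfinding.type = 'Host Vulnerability' AND hostfinding.severity = 'critical'",
    "config where cloud.type = 'aws' AND cloud.account = 'Production\u2019 "
    "AND api.name = 'aws-ec2-describe-instances'",
    "config where cloud.type = 'aws' AND cloud.service = 'S3'",
    "config where hostfinding.type = 'AWS GuardDuty IAM ' AND api.name = 'aws-iam-list-users'",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(lint_config_query(q) or "ok", "<-", q)
```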
