Config Query Attributes

Learn about Config Query attributes in RQL.
Review your options when using
config from
on the
Investigate
tab of the Prisma Cloud administrative console. The
cloud.resource
attribute uses the configuration metadata that Prisma Cloud ingests from the cloud service providers, and you can use it to query the resource configuration and manage the security posture for the asset.
Each attribute allows you to narrow your search criteria. Use the auto-complete to view the expressions and Operators available for each attribute.
  • api.name
    Cloud APIs are part of cloud platforms and they enable the development of applications and services used for provisioning resources, virtual machines, platforms, and software.
    For each cloud platform, depending on the resource, there are several APIs available. You can use the
    api.name
    attribute to identify a specific configuration for the resource. For a list of all API names available for each cloud platform, see AWS APIs Ingested by Prisma Cloud, Microsoft Azure APIs Ingested by Prisma Cloud, GCP APIs Ingested by Prisma Cloud, OCI APIs Ingested by Prisma Cloud, and Alibaba Cloud APIs .
    The
    api.name
    attribute is required in configuration queries except when you are querying the configuration for host findings.
    When used with the cloud.type attribute, auto-complete displays only the API names that pertain to the cloud type you selected.
    For example, you can list SQL instances on Google Cloud:
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
  • addcolumn
    Use the
    addcolumn
    attribute to add columns to the results displayed on screen. This enables you to view the JSON data for the resources that correspond to your query.
    For example, you can add columns for key name and image ID for EC2 instances:
    config from cloud.resource where api.name = 'aws-ec2-describe-instances' addcolumn keyName hypervisor imageId
    The addcolumn attributes works only when the field is present in all matching entries. If all matching entries do not have the selected field in the JSON payload, the column may not display.
  • azure.resource.group
    Use the
    azure.resource.group
    attribute to find all cloud resources deployed within a specific Azure Resource Group, which is a logical container that groups related resources that are stored within your Azure account. For example:
    config from cloud.resource where azure.resource.group = 'azure-resource-group-test' and api.name = 'azure-network-vnet-list'
    lists all network-vnet resources that are part of the Azure resourcegroup named azure-resource-group-test.
  • cloud.account
    Use the
    cloud.account
    attribute to narrow down a configuration search to one or more cloud accounts that you connected to the Prisma Cloud.
    For example, you can list EC2 instances in your Production AWS account:
    config from cloud.resource where cloud.type = 'aws' AND cloud.account = 'Production’ AND api.name = 'aws-ec2-describe-instances'
  • cloud.account.group
    Use the
    cloud.account.group
    attribute to narrow down the configuration to the cloud account in your cloud account group.
    For example, you can list all the Amazon RDS instances in all your AWS accounts:
    config from cloud.resource where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Virginia' AND api.name = 'aws-rds-describe-db-instances'
  • cloud.region
    Use the
    cloud.region
    attribute to narrow down a configuration search to one or more cloud regions.
    For example, you can list all virtual machine instances in your Azure account in the Central US region:
    config from cloud.resource where cloud.type = 'azure' and cloud.account = 'RedLock - Azure Subscription' AND cloud.region = 'Azure Central US' AND api.name = 'azure-vm-list'
  • cloud.service
    Use the
    cloud.service
    attribute to query configuration for a specific cloud service, such as IAM, S3, or Virtual Machines.
    For example, you can list all S3 storage bucket access control lists (ACLs) in your AWS cloud accounts:
    config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'S3' AND api.name = 'aws-s3api-get-bucketacl'
  • cloud.type
    Use the
    cloud.type
    attribute to narrow down your search option to specific clouds. Supported options are AWS, Azure,GCP, Alibaba and OCI.
    For example, you can list all EC2 instances in your AWS cloud accounts:
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'
  • count
    Use the
    count
    attribute for a tally of the number of resources of a specific type.
    count
    is available for use with the
    api.name
    attribute as <X, Y or Z>); it is not available with
    json.rule
    .When the api.name is a global service (such as, aws-iam-get-account-summary), count includes all resources for that service within the cloud account; if the api.name is a regional service (such as, aws-rds-describe-db-instances), the count includes the only resources tied to the cloud region for the cloud account.For example, you can retrieve a count of all the AWS EC2 images available in your AWS account:
    config from cloud.resource where api.name = 'aws-ec2-describe-images' as X; count(X) greater than 0
  • finding.type, finding.severity, finding.source
    Use the finding attributes to query for vulnerabilities on workloads—destination or source resources—that have one or more host-related security findings. Prisma Cloud ingests host vulnerability data from external sources, such as Qualys, Tenable.io, AWS Inspector and ingests host and IAM users security-related alerts from AWS GuardDuty, or Prisma Cloud Defenders deployed on your hosts or containers.
    To leverage
    finding
    attributes, you must either enable an integration with the host vulnerability provider such as AWS GuardDuty or have installed Prisma Cloud Defenders in your environment.
    For example, you can list all the hosts with a critical host vulnerability:
    config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.severity = 'critical'
    Or find potential security issues by source:
    config from cloud.resource where finding.source = 'AWS Guard Duty' AND finding.type = 'AWS GuardDuty IAM ' AND api.name= 'aws-iam-list-users'
    Host finding attributes support the following resource types:
    • Prisma Cloud Alert
      —Fetches all resources that have one or more open alerts generated by Prisma Cloud.
    • Host Vulnerability
      —Fetches all resources that have one or more of the host vulnerabilities (such as CVE-2016-8655) reported by external providers such as AWS Inspector, Qualys, or Tenable.io or Prisma Cloud Defenders.
    • Compliance
      —Fetches all resources that are in violation of one or more compliance issues reported by external compliance host-scanning systems.
    • AWS Inspector Runtime Behavior Analysis
      —Fetches all resources which are in violation of one or more rules reported by the AWS Runtime Behavior Analysis package.
    • AWS Inspector Security Best Practices
      —Fetches all resources which are in violation of one or more rules reported by the AWS Inspector Security best practices package.
    • AWS GuardDuty
      —Fetches all resources which have one or more findings reported by AWS GuardDuty.
      For AWS GuardDuty, the finding.type can be IAM or host—AWS GuardDuty IAM or AWS GuardDuty Host.
  • finding.name
    Use the
    finding.name
    attribute and enter a string value to find a host vulnerability by the name defined on your host vulnerability provider. Specify the
    finding.type
    for the autocomplete suggestion to specify a
    finding.name
    query.
    For example, you can list all the hosts with the CVE-2016-8399 vulnerability:
    config from cloud.resource where finding.type = 'Host Vulnerability' AND finding.name = 'CVE-2016-8399'
    or,
    config from cloud.resource where finding.type = 'AWS GuardDuty IAM' AND finding.name= ‘Recon:IAM/TorIPCaller’
  • json.rule
    Prisma Cloud ingests data and updates events in the JSON format.
    Use the
    json.rule
    attribute to query or filter specific elements included in the JSON configuration related to a cloud resource. The
    json.rule
    attribute enables you to look for specific configurations: parse JSON-encoded values, extract data from JSON, or search for value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud. This
    json.rule
    attribute allows you to create boolean combinations and find data in selected fields within the JSON data that represents the resource.
    When you include the
    json.rule
    attribute in a configuration query, the auto-complete displays the elements or resources that match your search criteria. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.
    For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:
    config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = ['properties.osProfile'].linuxConfiguration.disablePasswordAuthentication is true
    Or define nested rules in Config RQL to query data within JSON arrays, such as find network security groups that include rules that allow TCP traffic on specified destination ports:
    config from cloud.resource where api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any( direction equals Inbound and protocol does not equal UDP and access equals Allow and destinationPortRange is member of (22,3389,5432,1521,3306,5000,5984,6379,6380,9042,11211,27017))] exists
    or,
    config from cloud.resource where api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and sourceAddressPrefix equals Internet and (protocol equals Udp or protocol equals *) and destinationPortRange contains _Port.inRange(137,137) )] exists
    , or
    config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists
    JSON Preview
    simplifies the
    json.rule
    building experience by creating a visually interactive experience, where you can see the full JSON configuration schema based on the API you select in your configuration query.
    JSON Preview is disabled, by default. Toggle
    JSON Preview
    on the Investigate page to use it to easily see which parts of your specified APIs configuration you want to query. It displays the full schema configuration, where in you can search for a particular attribute, minimize, and maximize to go to deeper levels. Once you find the attribute you’re looking for, hover over it to see a preview of the path, and click on it to append that path to your query. You can continue building your query by adding paths and JSON conditions.
    • JSON Preview is only available for Config queries.
    • It is not currently supported for OCI APIs.
    • JSON Preview is not displayed when you use a join query with
      filter
      X, Y, or Z.
  • resource.status
    Use the
    resource.status
    attribute to find resources that are active or deleted on the cloud platform within the specified time range. The value available are
    active
    or
    deleted
    . For example:
    config from cloud.resource where resource.status = active
    .
    The query result is based on whether the specified resource was active during or deleted anytime within the search time range. Resources that were neither created nor deleted within the specified time range are not included in the result.
    When
    resource.status
    is not specified in the query, use the
    Resource Explorer
    to check whether the
    Deleted
    status for the resource is True or False.
  • tag
    Use the
    tag
    attribute to find all resources that have a specific tag name or value. The operators available with
    config from cloud.resource where tag
    include
    ('key') = 'value'
    ,
    All
    ,
    Any
    ,
    tag('key') EXISTS
    ,
    tag('key') in ('value1', 'value2', 'value3')
    , and the negations !=, does not Exist, not in.
    After you define a
    tag
    in
    Settings
    Resource List
    , you can reference the tag value or key in a config query. The supported operators are
    is member of
    ,
    is not member of
    ,
    intersects
    , and
    does not intersect
    . Use curly braces to use them in a JSON rule:
    config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key is member of {'Resource List'.keys}
    • Only the tags that are displayed in the Resource Explorer are available for you to match on; all tags in the JSON payload are not available with the tag attribute.
    • Tag-based filtering allows you to find resources on the
      Investigate
      page. You cannot save the query as a saved search or use it in custom policy.

Recommended For You