Event Query Attributes
Learn about Event Query attributes in RQL.
Review your options when using
event from cloud.audit_logs whereon the
Investigatetab of the Prisma Cloud administrative console:
Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion feature shows the available expressions and the Operators that are applicable for each attribute.
- alert.idUse thealert.idattribute to view alert details on theInvestigatetab.For example, you can visualize the alert details for a set of alerts such as P-8444, P-8421, P-8420.event from cloud.audit_logs where alert.id IN (‘P-8444’, ‘P-8421’, ‘P-8420’)
- anomaly.typeUse theanomaly.typeto view details on specific anomaly policies. The auto-suggestion displays the different anomaly policies that are supported with this attribute.event from cloud.audit_logs where anomaly.type = 'Excessive Login Failures'
- cloud.accountUse thecloud.accountattribute to narrow down audit search to one or more cloud accounts that you connected to Prisma Cloud.For example, you can list entities or users who deleted security groups from a given cloud account:event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND operation IN ( 'DeleteSecurityGroup' )
- cloud.account.groupUse thecloud.account.groupattribute to narrow your search to only the cloud accounts in your cloud account group.For example, you can list entities or users who deleted Virtual Private Clouds in all your AWS accounts:event from cloud.audit_logs where operation = 'DeleteVpc' AND cloud.account.group = 'All my AWS accounts'event from cloud.audit_logs where cloud.account.group = 'All my AWS accounts' AND cloud.service = 'autoscaling.amazonaws.com' AND user = 'maxusertest__gahp1Tho'
- cloud.typeUse thecloud.typeattribute to narrow your search to a specific cloud platform. Supported options are AWS, Azure, and GCP.For example, you can list all users who deleted S3 buckets:event from cloud.audit_logs where cloud.type = 'aws' AND cloud.service = 's3.amazonaws.com' AND operation = 'DeleteBucket'
- cloud.regionUse thecloud.regionattribute to narrow down audit search to one or more cloud regions.For example, you can list entities or users who deleted access keys from a given cloud account:event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ( 'DeleteAccessKey' )
- cloud.serviceUse thecloud.serviceattribute to search for information using a specific service name in your cloud accounts.For example, you can review details for users who performed operations, such as deleting cloud trail logs or disabling or stopping logging events:event from cloud.audit_logs where cloud.service = 'cloudtrail.amazonaws.com' AND operation IN ( 'DeleteTrail' , 'DisableLogging' , 'StopLogging' )
- crudUse thecrudattribute to search for information for users or entities who performed Create, Read, Update, or Delete operations.You can list all Azure resources that were deleted:event from cloud.audit_logs where cloud.account in ( 'Azure - Microsoft Azure Sponsorship' ) and crud = 'delete'
- has.anomalyUse thehas.anomalyattribute to search for information on events that include anomalies.For example, you can list all events that have identified anomalies for a cloud type:event from cloud.audit_logs where cloud.type = 'azure' AND has.anomaly
- operationAn operation is an action performed by users on resources in a cloud account. Use theoperationattribute to start typing the name of the operation in which you are interested and Prisma Cloud auto-completes a list of operations that match your search criteria.For example, you can list details of delete operations on VPCs, VPC endpoints, and VPC peering connections:event from cloud.audit_logs where operation in ( 'DeleteVpc' , 'DeleteVpcEndpoints' 'DeleteVpcPeeringConnection' )
- SubjectUse this attribute to search for actions that a specific user or an instance performed on your cloud account.For example, you can list console login operations by Ben:event from cloud.audit_logs where operation = 'ConsoleLogin' AND subject = 'ben'
- roleUse this attribute to filter the search results by role.For example, you can look for events performed by the Okta role:event from cloud.audit_logs where role = ’OktaDevReadWriteRole’
- json.ruleUse this attribute to filter specific elements included in the JSON configuration related to a cloud resource. Thejson.ruleattribute enables you to look for specific configurations—parse JSON-encoded values, extract data from JSON, search for value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud.Use the automatic suggest feature to see the available values forjson.rule.The auto suggest works with the operators=andIN. It is not supported for array objects.Usecloud.typeattribute to refine the search results.For example, you can check for login failures on the console:event from cloud.audit_logs where cloud.account = 'Sandbox' AND json.rule = $.responseElements.ConsoleLogin != 'Success'
Recommended For You
Recommended videos not found.