Event Query Attributes

Learn about Event Query attributes in RQL.
Review your options when using
event from cloud.audit_logs where
on the
Investigate
tab of the Prisma Cloud administrative console:
Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion feature shows the available expressions and the Operators that are applicable for each attribute.
  • alert.id
    Use the
    alert.id
    attribute to view alert details on the
    Investigate
    tab.
    For example, you can visualize the alert details for a set of alerts such as P-8444, P-8421, P-8420.
    event from cloud.audit_logs where alert.id IN (‘P-8444’, ‘P-8421’, ‘P-8420’)
  • anomaly.type
    Use the
    anomaly.type
    to view details on specific anomaly policies. The auto-suggestion displays the different anomaly policies that are supported with this attribute.
    event from cloud.audit_logs where anomaly.type = 'Excessive Login Failures'
  • cloud.account
    Use the
    cloud.account
    attribute to narrow down audit search to one or more cloud accounts that you connected to Prisma Cloud.
    For example, you can list entities or users who deleted security groups from a given cloud account:
    event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND operation IN ( 'DeleteSecurityGroup' )
  • cloud.account.group
    Use the
    cloud.account.group
    attribute to narrow your search to only the cloud accounts in your cloud account group.
    For example, you can list entities or users who deleted Virtual Private Clouds in all your AWS accounts:
    event from cloud.audit_logs where operation = 'DeleteVpc' AND cloud.account.group = 'All my AWS accounts'
    event from cloud.audit_logs where cloud.account.group = 'All my AWS accounts' AND cloud.service = 'autoscaling.amazonaws.com' AND user = 'maxusertest__gahp1Tho'
  • cloud.type
    Use the
    cloud.type
    attribute to narrow your search to a specific cloud platform. Supported options are AWS, Azure, and GCP.
    For example, you can list all users who deleted S3 buckets:
    event from cloud.audit_logs where cloud.type = 'aws' AND cloud.service = 's3.amazonaws.com' AND operation = 'DeleteBucket'
  • cloud.region
    Use the
    cloud.region
    attribute to narrow down audit search to one or more cloud regions.
    For example, you can list entities or users who deleted access keys from a given cloud account:
    event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ( 'DeleteAccessKey' )
  • cloud.service
    Use the
    cloud.service
    attribute to search for information using a specific service name in your cloud accounts.
    For example, you can review details for users who performed operations, such as deleting cloud trail logs or disabling or stopping logging events:
    event from cloud.audit_logs where system = 'cloudtrail.amazonaws.com' AND operation IN ( 'DeleteTrail' , 'DisableLogging' , 'StopLogging' )
  • crud
    Use the
    crud
    attribute to search for information for users or entities who performed Create, Read, Update, or Delete operations.
    You can list all Azure resources that were deleted:
    event from cloud.audit_logs where cloud.account in ( 'Azure - Microsoft Azure Sponsorship' ) and crud = 'delete'
  • has.anomaly
    Use the
    has.anomaly
    attribute to search for information on events that include anomalies.
    For example, you can list all events that have identified anomalies for a cloud type:
    event from cloud.audit_logs where cloud.type = 'azure' AND has.anomaly
  • operation
    An operation is an action performed by users on resources in a cloud account. Use the
    operation
    attribute to start typing the name of the operation in which you are interested and Prisma Cloud auto-completes a list of operations that match your search criteria.
    For example, you can list details of delete operations on VPCs, VPC endpoints, and VPC peering connections:
    event from cloud.audit_logs where operation in ( 'DeleteVpc' , 'DeleteVpcEndpoints' 'DeleteVpcPeeringConnection' )
  • Subject
    Use this attribute to search for actions that a specific user or an instance performed on your cloud account.
    For example, you can list console login operations by Ben:
    event from cloud.audit_logs where operation = 'ConsoleLogin' AND subject = 'ben'
  • role
    Use this attribute to filter the search results by role.
    For example, you can look for events performed by the Okta role:
    event from cloud.audit_logs where role = ’OktaDevReadWriteRole’
  • json.rule
    Use this attribute to filter specific elements included in the JSON configuration related to a cloud resource. The
    json.rule
    attribute enables you to look for specific configurations—parse JSON-encoded values, extract data from JSON, search for value within any configuration policy for cloud accounts that you are monitoring using Prisma Cloud.
    Use the automatic suggest feature to see the available values for
    json.rule
    .
    The auto suggest works with the operators
    =
    and
    IN
    . It is not supported for array objects.
    Use
    cloud.type
    attribute to refine the search results.
    For example, you can check for login failures on the console:
    event from cloud.audit_logs where cloud.account = 'Sandbox' AND json.rule = $.responseElements.ConsoleLogin != 'Success'

Recommended For You