Prisma™ Cloud Resource Query Language (RQL) Reference
    : Event Query Examples
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Resource Query Language (RQL) Reference
    5. Prisma Cloud RQL Reference
    6. Event Query
    7. Event Query Examples
    Download PDF

    Prisma™ Cloud Resource Query Language (RQL) Reference

    Event Query Examples

    Table of Contents

    Event Query Examples

    Some examples for Event Queries for all cloud types.
    Use this section to review examples that show you how to use Event Query Attributes in RQL for investigating issues on each cloud platform:

    AWS—Event Query Examples

    DESCRIPTION
    RQL
    Detect activities from non-automated events and from specific IP addresses.
    event from cloud.audit_logs where ip EXISTS AND ip IN ( 152.1.1.1)
    Detect potentially sensitive or suspicious changes to the network configuration that impact your Security posture.
    event from cloud.audit_logs where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
    Detect potentially sensitive or suspicious changes to configuration settings.
    event from cloud.audit_logs where operation IN ('DeleteBucket', 'DeleteConfigRule', 'DeleteTrail', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')
    event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy', 'AttachGroupPolicy', 'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair', 'DeleteLogGroup' )
    Detect risky changes executed by a root user.
    event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
    Exclude results that match a specific string within an array in the event details.
    To exclude results that include a specific string within an array, use the matches or does not match operator instead of contains/does not contain or exists/does not exist.
    event from cloud.audit_logs where operation IN ('AttachGroupPolicy', 'AttachRolePolicy', 'DeleteGroupPolicy', 'DeleteKeyPair', 'DeleteLogGroup') AND json.rule = $.userIdentity.arn does not match "AWSCloudFormationStackSetExecutionRole" or $.userIdentity.arn does not match "INST-SR-EC2-GRAAS-ROLE"

    Azure—Event Query Examples

    DESCRIPTION
    RQL
    List specific operations performed on a specific Microsoft Azure account.
    event from cloud.audit_logs where cloud.account = 'RedLock - Azure Subscription' AND operation IN ( 'AttachRolePolicy', 'AttachLoadBalancers')
    List Classic compute register operations performed by a specific user on a specific Microsoft Azure account.
    event from cloud.audit_logs where cloud.account in ( 'RedLock - Azure Subscription' ) and user = 'abc@redlock.io' and operation IN ('Microsoft.ClassicCompute/register/action (BeginRequest)')

    GCP—Event Query Examples

    DESCRIPTION
    RQL
    View sensitive network configuration updates on GCP
    event from cloud.audit_logs where operation IN ('v1.compute.networks.delete','beta.compute.networks.insert','v1.compute.routes.delete','v1.compute.firewalls.insert','v1.compute.firewalls.delete')
    View sensitive SQL instance updates in GCP.
    event from cloud.audit_logs where operation IN ('cloudsql.instances.update', 'cloudsql.sslCerts.create',' cloudsql.instances.create', 'cloudsql.instances.delete')
    List all events with sensitive user actions on GCP.
    event from cloud.audit_logs where operation IN ('CreateCryptoKey','DestroyCryptoKeyVersion','v1.compute.disks.createSnapshot')

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.