1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Resource Query Language (RQL) Reference
    5. Prisma Cloud RQL Reference
    6. Network Query
    7. Network Exposure Query Attributes

    Network Exposure Query Attributes

    Learn about Network Query attributes in RQL using Cloud Network Analyzer.
    Prisma Cloud’s cloud network analyzer engine calculates the external exposure of your cloud assets using routing path that exists from
    source
     to
    destination
     and the net effectiveness of all network security policies in that network path. You can use
    config from network where
     query on the
    Investigate
     page of the Prisma Cloud administrative console and if the search expression is valid and complete, a green checkmark displays along with your query results.
    You can save the searches that you have created in
    My Saved Searches
    , which enables you to use the same query at a later time, instead of typing the query again. You can also use the saved search to create a policy.
    Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion capability shows the available expressions, and Operators that are applicable for each attribute. In order for the network exposure query to be valid, you need to specify at least one
    source
     , one
    dest
     (destination), and one
    cloud.type
     attribute. You can only use the
    and
     operator in the RQL query. Use
    =
     to specify a single value and
    in
     to specify comma separated value (csv).
    Any IP addresses or CIDR that you have not defined as Trusted IP Addresses on Prisma Cloud and are not part of your cloud environment are considered as UNTRUST_INTERNET.
    • source/dest.network
      Use the
      source/dest.network
       attribute to search for all public untrusted Internet IPs. Specify it in an IP CIDR format, such as
      1.2.3.4/32
       .
    • address.match.criteria
      The
      address.match.criteria
       attribute is optional to use in combination with the
      source/dest.network
       attribute.
      You can use a
      full_match
       or a
      partial_match
       for IP addresses with this criteria. For example:
      • full_match
        —If you use
        address.match.criteria = 'full_match'
         for the IP range 20.0.0.0/24 then the cloud network analyzer engine will look for all host addresses of 20.0.0.0/24 in security policies to match.
      • partial_match
        -—If you use
        address.match.criteria = 'partial_match'
         for the IP range 20.0.0.0/24 then the cloud network analyzer engine will look for at-least one of host addresses of 20.0.0.0/24 in security policies to match.
        Query example:
        config from network where source.network = '20.0.0.0/24' and address.match.criteria = 'partial_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' )
    • source/dest.resource.type
      Use the
      source/dest.resource.type
       attribute to search for true network exposure of a particular resource type, such as an instance, interface, PaaS, or service endpoint.
    • source/dest.cloud.type
      Use the
      source/dest.cloud.type
       attribute to narrow down your search option to specific clouds.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS'
    • (Optional)
      source/dest.resource.state
      Use the
      source/dest.resource.state
       attribute to find resources that are Active or Inactive, such as an EC2 instance that has state as running or inactive or an EC2 instance that has state as stopped on Prisma Cloud. If you do not specify
      source/dest.resource.state
       in the query, the RQL query displays both Active and Inactive resources in the result.
      Query example:
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'
    • (Optional)
      source/dest.cloud.account
      Use the
      source/dest.cloud.account
       attribute to narrow down the search to one or more cloud accounts that you connected to Prisma Cloud.
      Query examples:
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.cloud.account in ( '345744466724', '667116190384' )
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.cloud.account = '345744466724'
    • (Optional)
      source/dest.cloud.region
      Use the
      source/dest.cloud.region
       attribute to narrow down the search based on where the sources are, in one or more cloud regions.
      Query examples:
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.cloud.region = 'AWS Virginia'
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.cloud.region in ( 'AWS Virginia', 'AWS Ohio' )
    • (Optional)
      source/dest.cloud.instance.id
      Use the
      source/dest.cloud.instance.id
       attribute to search exposure of a specific EC2 instance based on it resource ID.
      Query examples:
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.instance.id = 'i-07c6c16595ed9196b'
      config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.instance.id in ( 'i-0a0e018fc73917ba7' , 'i-0a0e018fc73917ba7' )
    • (Optional)
      source/dest.instance.image.id
      Use the
      source/dest.instance.image.id
       attribute to search for virtual machines with specific image ID.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.instance.image.id = 'ami-0fe8c3a9b6b9b3c6e'
    • (Optional)
      source/dest.instance.product.code
      Use the
      source/dest.instance.product.code
       attribute to search for virtual machines with specific product code.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.instance.image.product.code = '5tiyrfb5tasxk9gmnab39b843'
    • (Optional)
      source/dest.cloud.interface.id
      Use the
      source/dest.cloud.interface.id
       attribute to search exposure of a specific EC2 cloud resource based on its ID.
    • (Optional)
      source/dest.network.interface.id
      Use the
      source/dest.network.interface.id
       attribute to search exposure of a specific network interface based on its ID.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.id = 'eni-083bb56febfd55383'
    • (Optional)
      source/dest.network.interface.owner
      Use the
      source/dest.network.interface.owner
       attribute to search exposure of a specific network interface based on the owner.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.owner = 'amazon-rds'
    • (Optional)
      source/dest.network.interface.type
      Use the
      source/dest.network.interface.type
       attribute to search exposure of a specific network interface based on the interface type.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.type = 'Lambda'
    • (Optional)
      source/dest.security.group.id
      Use the
      source/dest.security.group.id
       attribute to search exposure of a specific network interface based on the specific security group associated with it.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.security.group.id = 'sg-04242ff5c55da0c84'
    • (Optional)
      source/dest.service.name
      Use the
      source/dest.service.name
       attribute to search exposure of a specific VPC service endpoint based on the service name.
      Query example:
      config from network where source.resource.type = 'Instance' and dest.resource.type = 'Service Endpoint' and source.vpc.id = 'vpc-079e9bb7bc4ba9db2' and dest.vpc.id = 'vpc-079e9bb7bc4ba9db2' and dest.service.name = 'com.amazonaws.us-east-1.secretsmanager'
    • (Optional)
      source/dest.subnet.id
      Use the
      source/dest.subnet.id
       attribute to search exposure of a specific network interface based on the subnet id.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.network.interface.id = 'subnet-0d8b58217812f9c42'
    • (Optional)
      source/dest.tag
      Use the
      source/dest.tag
       attribute to search exposure of a specific network interface or virtual machine based on the resource tag pair.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.tag = 'env=prod'
    • (Optional)
      source/dest.vpc.id
      Use the
      source/dest.vpc.id
       attribute to search exposure of a specific network interface or virtual machine based on the VPC ID.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.vpc.id = 'vpc-079e9bb7bc4ba9db2'
    • (Optional)
      excluded.networks
      Use the
      excluded.networks
       attribute to exclude certain IP/IPv6 CIDR blocks from Network Path Analysis calculation. This is useful only when you use
      source.network = UNTRUST_INTERNET
       or
      dest.network = UNTRUST_INTERNET
       RQL attribute.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and excluded.networks in ( '1.2.3.4/32', '100.0.0.0/24' )
    • (Optional)
      alert.on
      The
      alert.on
       attribute is only applicable when the RQL query is used as a Policy.
      Query example:
      config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS'  and alert.on = 'DestVPC'
    • (Optional)
      protocol.ports
      Use the
      protocol.ports
       attribute to search for specific protocols and destination ports, which you can specify in following formats:
      • udp
      • tcp
      • tcp/22
      • tcp/20:50
      • icmp/code/type
      • tcp/22,443,3389,1000:5000
    • (Optional)
      effective.action
      Use the
      effective.action
       attribute to search for the net effective action that allows or rejects the network traffic from the specified source to destination. The options are:
      • Allow: A routing path exists and security policies allow the traffic.
      • Deny: A routing path exists, however security policies reject the traffic.
      • Any

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo