RQL Operators
An operator in RQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right, so that only matching results are retrieved and displayed to you. You can use an RQL operator to find a specific term included as a value within an object or an array inside a JSON structure.
You can use the following operators and conditions to compare or validate results:
Operators Within JSON Arrays
OPERATOR | DESCRIPTION | RQL EXAMPLE |
---|---|---|
@ and ? | @ and ? are expressions used to filter arrays. | |
&& and || | Combine conditions within json.rule using && and ||. | |
Config and Event Operators
OPERATOR | DESCRIPTION | RQL EXAMPLE |
---|---|---|
Greater than | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. | |
Less than | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. | |
Equals | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. | |
Does not equal | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. | |
Starts with | The left-hand side must be a path with a string value. | |
Does not start with | The left-hand side must be a path with a string value. | |
Ends with | The left-hand side must be a path with a string value. | |
Does not end with | The left-hand side must be a path with a string value. | |
Contains | The left-hand side may be a single path or a set of paths with numeric or string values. | |
Does not contain | The left-hand side may be a single path or a set of paths with numeric or string values. | |
Is empty | The left-hand side must be a path leading to a string value. | |
Is not empty | The left-hand side must be a path leading to a string value. | |
Exists | The left-hand side must be a path. | |
Does not exist | The left-hand side must be a path. | |
Any start with | The left-hand side must be a set of paths leading to string values. | |
None start with | The left-hand side must be a set of paths leading to string values. | |
All start with | The left-hand side must be a set of paths leading to string values. | |
Any end with | The left-hand side must be a set of paths leading to string values. | |
None end with | The left-hand side must be a set of paths leading to string values. | |
All end with | The left-hand side must be a set of paths leading to string values. | |
Any equal | The left-hand side must be a set of paths leading to string or numeric values. | |
None equal | The left-hand side must be a set of paths leading to string or numeric values. | |
All equal | The left-hand side must be a set of paths leading to string or numeric values. | |
IN ( | The left-hand side must be a string. | |
NOT IN ( | The left-hand side must be a string. | |
Size equals | The left-hand side must be an array. The right-hand side must be an integer. | |
Size does not equal | The left-hand side must be an array. The right-hand side must be an integer. | |
Size greater than | The left-hand side must be an array. The right-hand side must be an integer. | |
Size less than | The left-hand side must be an array. The right-hand side must be an integer. | |
Length equals | The left-hand side is a path with a string value. The right-hand side must be an integer. | |
Length does not equal | The left-hand side is a path with a string value. The right-hand side must be an integer. | |
Length greater than | The left-hand side is a path with a string value. The right-hand side must be an integer. | |
Length less than | The left-hand side is a path with a string value. The right-hand side must be an integer. | |
Number of words equals | The left-hand side is a path with a string value. | |
Number of words does not equal | The left-hand side is a path with a string value. | |
Number of words greater than | The left-hand side is a path with a string value. | |
Number of words less than | The left-hand side is a path with a string value. | |
Any True | The left-hand side is a set of paths with Boolean values. | |
None True | The left-hand side is a set of paths with Boolean values. | |
All True | The left-hand side is a set of paths with Boolean values. | |
Any False | The left-hand side is a set of paths with Boolean values. | |
None False | The left-hand side is a set of paths with Boolean values. | |
All False | The left-hand side is a set of paths with Boolean values. | |
Is True | The left-hand side is a path with a Boolean value. | |
Is False | The left-hand side is a path with a Boolean value. | |
Is Not Member of | The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas. | |
Is Member of | The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas. | |
Matches, Does not Match | For Event queries, use the Boolean operators Matches and Does not Match to match or not match field values against simple patterns rather than full regular expressions. Patterns can contain substrings and * as a wildcard. | In the following example, the operation MATCHES 'c*login' enables you to list activities that match clogin, cloudlogin, or consolelogin. |
Joins
Joins allow you to get data from two different APIs where you have combined different conditions. You can use Joins only across config from cloud.resource where queries. A Join can include up to three configuration API resources with the aliases X, Y and Z, and you can optionally include a json.rule to match within each API resource alias. Joins across event, network, and config queries are not supported.
Use resource-specific conditions inside the json.rule of each alias, and use the filter option only for comparisons with the operators ==, !=, contains, does not contain, and not (negation).
Join basic syntax:
config from cloud.resource where api.name = 'a' and json.rule = 'r' as X; config from cloud.resource where api.name ='b' and json.rule ='r2' as Y; show (X;|Y;)
config from cloud.resource where api.name=".." as X; config from cloud.resource where api.name="..." as Y; filter "$.X... <operator> $.Y"; show (X;|Y;)
To find EC2 instances that have public IP addresses assigned at launch, use this query:
Steps:
- List EC2 instances that have a public IP address as X: config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress exists and publicIpAddress is not empty as X;
- List instances that have security groups which allow unrestricted access from any source as Y: config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' and json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0 as Y;
- Set the filter: filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;
- Complete the query to list all EC2 instances that have a public IP address and are accessible without any source IP restrictions: config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-subnets' as Y; filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;
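The join in the steps above, re-implemented in Python over constructed instance and security-group records so you can see which rows each alias rule keeps and what the filter on groupName does. This is an added example, not Prisma Cloud code, and the sample data is made up.

```python
# Constructed sample records shaped like the aws-ec2-describe-instances (X)
# and aws-ec2-describe-security-groups (Y) payloads used in the steps above.
# Only the fields the query touches are present; all values are made up.
INSTANCES = [
    {"instanceId": "i-0a1", "publicIpAddress": "203.0.113.10",
     "securityGroups": [{"groupName": "web-sg"}]},
    {"instanceId": "i-0a2", "publicIpAddress": "",
     "securityGroups": [{"groupName": "web-sg"}]},
    {"instanceId": "i-0a3", "publicIpAddress": "203.0.113.11",
     "securityGroups": [{"groupName": "db-sg"}]},
]
SECURITY_GROUPS = [
    {"groupName": "web-sg", "ipPermissions": [
        {"ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
    {"groupName": "db-sg", "ipPermissions": [
        {"ipRanges": [{"cidrIp": "10.0.0.0/8"}],
         "ipv6Ranges": [{"cidrIpv6": "2001:db8::/32"}]}]},
]


def has_public_ip(inst: dict) -> bool:
    # json.rule = publicIpAddress exists and publicIpAddress is not empty
    return bool(inst.get("publicIpAddress"))


def allows_any_source(sg: dict) -> bool:
    # json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0
    #          or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0
    for perm in sg.get("ipPermissions", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", [])):
            return True
    return False


def exposed_instances(instances: list, groups: list) -> list:
    # filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;
    # Join X to Y on group name and keep only X rows that pass both rules.
    open_groups = {sg["groupName"] for sg in groups if allows_any_source(sg)}
    return sorted(
        inst["instanceId"] for inst in instances
        if has_public_ip(inst)
        and any(g["groupName"] in open_groups for g in inst["securityGroups"])
    )


if __name__ == "__main__":
    print(exposed_instances(INSTANCES, SECURITY_GROUPS))  # ['i-0a1']
```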
Examples of Joins:
DESCRIPTION | RQL EXAMPLE |
---|---|
VPCs that are connected to internet gateways. | |
CloudTrail logs that are integrated with CloudWatch for all regions. | |
Show all AWS Lambda functions that are accessible with the RedlockReadOnly IAM role. | |
Find all EC2 instances that have a specified name, snapshot ID and image ID. | |
Find Azure SQL databases where the audit log retention period is less than 90 days. | |
Functions
A function performs a calculation on specific data that matches the clause contained in the function and displays the results. Functions support auto-complete when you enter the prefix _ in a json.rule or addcolumn attribute. Prisma Cloud supports the following functions:
_DateTime Examples
Query time ranges are not part of the RQL grammar; the query time window is passed as a separate argument to the query APIs. The selection of the attributes or columns for a category is also not part of the RQL grammar. The function accepts timestamps in the following formats only:
Zulu: "2011-08-13T20:17:46.384Z"
GSON/AWS: "Nov 7, 2016 9:34:21 AM"
ISO: "2011-12-04T10:15:30+01:00"
The query time ranges that are available are _DateTime.ageInDays, _DateTime.ageInMonths, _DateTime.ageInYears, and _DateTime.daysBetween. The _DateTime.daysBetween function takes two dates as arguments and looks for any information that falls between those dates. For example, _DateTime.ageInDays returns the number of days until a date as a negative number. When you use a _DateTime function, all JSON parameters are offered as auto-complete options, but you must select only parameters that hold timestamps. Also, the syntax for a function does not support spaces: remove empty spaces before or after parentheses and between comma-separated parameters.
DESCRIPTION | RQL EXAMPLE |
---|---|
List EC2 instances with age greater than 2 days. | |
List resource names where access keys are not rotated for 90 days. | |
Use the function today() to return the current day's date. | |
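A parser for the three timestamp formats listed above, with ageInDays and daysBetween computed on top of it, so the "age greater than 2 days" style of check can be tried on sample values. This is an added example, not Prisma Cloud's implementation; it assumes Zulu and GSON/AWS strings (which carry no offset) are UTC and takes the reference time as a parameter so results are reproducible.

```python
from datetime import datetime, timezone

# strptime layouts for the offset-less formats the page lists (assumed UTC).
_LAYOUTS = (
    "%Y-%m-%dT%H:%M:%S.%fZ",     # Zulu:     2011-08-13T20:17:46.384Z
    "%b %d, %Y %I:%M:%S %p",     # GSON/AWS: Nov 7, 2016 9:34:21 AM
)


def parse_timestamp(text: str) -> datetime:
    # Try the offset-less layouts first, then fall back to ISO 8601 with an
    # explicit offset (2011-12-04T10:15:30+01:00). Anything else is rejected.
    text = text.strip()
    for layout in _LAYOUTS:
        try:
            return datetime.strptime(text, layout).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError(f"unsupported timestamp format: {text!r}")
    return parsed


def age_in_days(text: str, now: datetime) -> int:
    # Whole days elapsed since the timestamp; a timestamp in the future
    # yields a negative number, matching the page's description of ageInDays.
    return (now - parse_timestamp(text)).days


def days_between(first: str, second: str) -> int:
    # Whole days separating two timestamps, regardless of their order.
    return abs((parse_timestamp(second) - parse_timestamp(first)).days)


def older_than(text: str, days: int, now: datetime) -> bool:
    # Equivalent of a rule in the spirit of "_DateTime.ageInDays(<field>) > 2".
    return age_in_days(text, now) > days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(age_in_days("Nov 7, 2016 9:34:21 AM", now))
    print(days_between("2011-08-13T20:17:46.384Z", "2011-12-04T10:15:30+01:00"))
```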
_AWSCloudAccount.isRedLockMonitored Examples
When using this function to identify AWS accounts that are or are not monitored by Prisma Cloud, you can provide the AWS account ID in any of the following formats:
- Standard AWS 12-digit account number. For example: 123456789012
- Canonical user ID. You can use this ID to identify an AWS account when granting cross-account access to buckets and objects using Amazon S3. For example, an alphanumeric identifier: 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
- AWS account ID in ARN format. For example: arn:aws:iam::123456789012:role/test-1240-47
DESCRIPTION | RQL EXAMPLE |
---|---|
List any snapshots that are shared publicly and are not monitored by Prisma Cloud. | |
_IPAddress.inRange Examples
To check whether a particular IP address is part of an IP address range, use _IPAddress.inRange and, in the argument, specify the octet pattern along with the <fromInteger> and <toInteger>. For example ("172.%d.",16,31) or ("172.10.%d.",10,255).
DESCRIPTION | RQL EXAMPLE |
---|---|
List AWS Route53 Public Zones that have Private Records. | In this example, _IPAddress.inRange("172.%d.",16,31) allows you to search for IP addresses that are in the range "172.16.x.x" to "172.31.x.x". |
_Port.inRange Examples
To check whether a particular port number is part of a specific range, use the class _Port and its method inRange. This method takes three arguments, <fromInteger>, <toInteger>, and an optional <offset>. By default, the <offset> is 1.
DESCRIPTION | RQL EXAMPLE |
---|---|
Use the inRange function with the contains and does not contain operators to check for conditions on a port range. Specify <fromInteger> and <toInteger> to find all ports within the specified range. | Example using contains to check for port numbers between 22 and 33 with an offset of 1; the example checks for all ports between 22 and 33. |
| Example using does not contain; the example checks for ports 350, 355, 360, ..., 5390, 5395, 5600. |
| Example using no offset, to find all ports within the specified range. |
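The two inRange helpers described in this section and the previous one, _IPAddress.inRange with its "%d" octet pattern and _Port.inRange with its optional offset, re-implemented in Python so their semantics (prefix matching for addresses, stepped enumeration for ports, and the contains / does not contain checks) can be exercised on sample values. Added example, not Prisma Cloud code; the behaviour is inferred from the page's description.

```python
def ip_in_range(ip: str, pattern: str, start: int, end: int) -> bool:
    # _IPAddress.inRange("172.%d.", 16, 31): substitute every integer from
    # start to end into the pattern and test whether the address begins with
    # one of the resulting prefixes. The trailing dot in the pattern matters:
    # without it "172.16" would also match 172.160.x.x.
    prefixes = [pattern % n for n in range(start, end + 1)]
    return any(ip.startswith(prefix) for prefix in prefixes)


def port_range(start: int, end: int, offset: int = 1) -> list:
    # _Port.inRange(<fromInteger>, <toInteger>, <offset>): the ports from
    # start up to and including end, stepping by offset (default 1).
    if offset < 1:
        raise ValueError("offset must be a positive integer")
    return list(range(start, end + 1, offset))


def ports_contain(ports, start: int, end: int, offset: int = 1) -> bool:
    # "<ports> contains _Port.inRange(...)": true when at least one listed
    # port is in the generated set.
    wanted = set(port_range(start, end, offset))
    return any(p in wanted for p in ports)


def ports_do_not_contain(ports, start: int, end: int, offset: int = 1) -> bool:
    # "<ports> does not contain _Port.inRange(...)": the negation of the above.
    return not ports_contain(ports, start, end, offset)


if __name__ == "__main__":
    print(ip_in_range("172.20.5.1", "172.%d.", 16, 31))   # True
    print(port_range(350, 5600, 5)[:4])                    # [350, 355, 360, 365]
    print(ports_contain([22, 80, 443], 22, 33))            # True
```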
_IPAddress.inCIDRRange Examples
To check whether a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork, use the _IPAddress.inCIDRRange function. This function takes two arguments: the first is the CIDR address or array of CIDR addresses extracted from the JSON payload, where you must specify whether it is an ipv4Ranges or an ipv6Ranges, and the second is the CIDR block (either IPv4 or IPv6), cidrIp or cidrIpv6, followed by the IP address that you want to match on. The result returns the resources whose IP addresses in the JSON payload fall within the CIDR range you entered when the condition is true, and the resources that do not match when it is false.
DESCRIPTION | RQL EXAMPLE |
---|---|
Define multiple CIDR blocks that you want to match on. | |
Find an IPv6 address within a CIDR block. | |
Specify multiple match conditions to find all CIDRs within the JSON metadata. | |
_IPAddress.areAllInCIDRRange() Examples
The _IPAddress.areAllInCIDRRange(Resource, CIDR) function checks whether all of the IP addresses assigned to a resource are within a specified CIDR block. The result of executing the function is a Boolean. For example, if you ask "Do my databases have all IP addresses in the 10.0.0.0/24 IP range?", the answer is yes or no. The function accepts two arguments, Resource and CIDR. Resource describes the metadata within the configuration file that contains the IP address(es), and CIDR represents the value of the CIDR block that you define.
DESCRIPTION | RQL EXAMPLE |
---|---|
Find all resources that contain CIDR addresses within the 10.0.0.0/8 range. | |
Find all IP addresses that fall within a specified range. | |
Find all the IPv6 addresses within the CIDR block. | |
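The distinction between inCIDRRange (any extracted CIDR inside the block) and areAllInCIDRRange (every extracted CIDR inside the block), from this section and the previous one, shown in Python with the standard ipaddress module over a constructed security-group-style record. This is an added example, not Prisma Cloud code; the ipRanges / ipv6Ranges selector mirrors the page's requirement to name which family is being checked.

```python
import ipaddress

# Constructed record in the shape of an AWS security-group ipPermissions
# entry: ipRanges carry cidrIp, ipv6Ranges carry cidrIpv6. Values are made up.
SAMPLE = {
    "ipPermissions": [
        {"ipRanges": [{"cidrIp": "10.1.2.0/24"}, {"cidrIp": "192.168.0.0/16"}],
         "ipv6Ranges": [{"cidrIpv6": "2001:db8:1::/48"}]},
    ]
}


def extract_cidrs(record: dict, family: str) -> list:
    # family is the array the page says you must name: "ipRanges" (IPv4,
    # key cidrIp) or "ipv6Ranges" (IPv6, key cidrIpv6).
    key = "cidrIp" if family == "ipRanges" else "cidrIpv6"
    return [ipaddress.ip_network(r[key], strict=False)
            for perm in record.get("ipPermissions", [])
            for r in perm.get(family, []) if key in r]


def _within(candidate, block) -> bool:
    # subnet_of() raises on mixed IPv4/IPv6 operands, so compare versions first.
    return candidate.version == block.version and candidate.subnet_of(block)


def in_cidr_range(record: dict, family: str, block: str) -> bool:
    # _IPAddress.inCIDRRange: true if any extracted CIDR lies inside block.
    net = ipaddress.ip_network(block, strict=False)
    return any(_within(c, net) for c in extract_cidrs(record, family))


def all_in_cidr_range(record: dict, family: str, block: str) -> bool:
    # _IPAddress.areAllInCIDRRange(Resource, CIDR): true only when every
    # extracted CIDR lies inside block; a resource with no CIDRs is false.
    net = ipaddress.ip_network(block, strict=False)
    cidrs = extract_cidrs(record, family)
    return bool(cidrs) and all(_within(c, net) for c in cidrs)


if __name__ == "__main__":
    print(in_cidr_range(SAMPLE, "ipRanges", "10.0.0.0/8"))       # True
    print(all_in_cidr_range(SAMPLE, "ipRanges", "10.0.0.0/8"))   # False
```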
_Set Examples
The _Set function enables you to compare the values between lists on the left-hand side and the right-hand side using union or intersection, and to identify whether a specific value or a comma-separated list of values is included in the result set. The methods supported are _Set.intersection and _Set.union, and you can use the Boolean operators intersects and contains to verify whether the values you are looking for are included in the result, or whether the result set contains the specified value(s). If the result dataset is huge, use limit search records to at the end of the query.
DESCRIPTION | RQL EXAMPLE |
---|---|
Compare a list on the RHS [as X] with another dynamic list of items in the LHS [as Y], take the intersection into a subset list, and then compare this against a static, comma-separated list you provide. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; Negated, with a record limit: config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 100 |
Combine two lists to include all elements of X and Y and find a match against a comma-separated list you provide. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show Y; limit search records to 10 |
Check if a result set contains a specific value. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) contains vpc-b8ba2dd0'; show X; |
Detect internet-exposed GCP instances that have a public IP and a firewall rule with source 0.0.0.0/0 whose destination is the specified target tags. | config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X; |
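The _Set.intersection / _Set.union methods and the intersects / contains operators from the table above, modelled in Python over constructed X (instances) and Y (security groups) rows that carry only a vpcId. Added example, not Prisma Cloud code; how show X; selects rows against a set result is this example's own reading of the page and is marked as an assumption in the code.

```python
# Constructed X (aws-ec2-describe-instances) and Y (aws-ec2-describe-
# security-groups) rows carrying only the vpcId field the examples compare.
X = [
    {"instanceId": "i-1", "vpcId": "vpc-aaaa1111"},
    {"instanceId": "i-2", "vpcId": "vpc-bbbb2222"},
    {"instanceId": "i-3", "vpcId": "vpc-cccc3333"},
]
Y = [
    {"groupId": "sg-1", "vpcId": "vpc-aaaa1111"},
    {"groupId": "sg-2", "vpcId": "vpc-dddd4444"},
]


def path_values(rows: list, field: str) -> set:
    # $.X.vpcId / $.Y.vpcId evaluated over every row of the alias.
    return {row[field] for row in rows if field in row}


def set_intersection(rows_x, rows_y, field) -> set:
    # _Set.intersection($.X.<field>, $.Y.<field>)
    return path_values(rows_x, field) & path_values(rows_y, field)


def set_union(rows_x, rows_y, field) -> set:
    # _Set.union($.X.<field>, $.Y.<field>)
    return path_values(rows_x, field) | path_values(rows_y, field)


def static_list(text: str) -> set:
    # The comma-separated list in parentheses on the right-hand side.
    return {item.strip() for item in text.strip("()").split(",") if item.strip()}


def intersects(result: set, static: str) -> bool:
    # "<set> intersects (a,b,c)": true when any value is in common.
    return not result.isdisjoint(static_list(static))


def contains(result: set, value: str) -> bool:
    # "<set> contains v": the single value is a member of the result set.
    return value in result


def show(rows: list, field: str, result: set, limit=None) -> list:
    # "show X; limit search records to N": the rows whose field value is in
    # the result set (this example's assumption), capped at N when given.
    matched = [row for row in rows if row.get(field) in result]
    return matched[:limit] if limit else matched
```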