RQL Operators

A list of the operators supported by the resource query language (RQL) that let you narrow the results.
An operator in RQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right, so that only matching results are retrieved and displayed to you. You can use an RQL operator to find a specific term included as a value within an object or an array in a JSON structure.
You can use the following operators and conditions to compare or validate results:

Operators Within JSON Arrays

OPERATOR
DESCRIPTION
RQL EXAMPLE
?any
?any is an expression used to filter arrays. It specifies conditions that return results when any single one of the array elements satisfies them.
config from cloud.resource where api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and sourceAddressPrefix equals Internet and (protocol equals Udp or protocol equals *) and destinationPortRange contains _Port.inRange(137,137) )] exists
?none
?none is an expression used to filter arrays. It specifies conditions that return results when none of the array elements satisfy them.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[?none(toPort is member of (10,220,250))] exists
?all
?all is an expression used to filter arrays. It specifies conditions that return results when all of the array elements satisfy them.
config from cloud.resource where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?all(egress is true and ruleAction contains deny)] exists
@ and ?
@ and ? are expressions used to filter arrays.
  • ? opens the array.
  • @ represents the current item being processed. It is used to home in on a particular block in the JSON object so that you match only that block and no others.
config from cloud.resource where api.name='aws-ec2-describe-security-groups' AND json.rule='ipPermissions[?(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0'
&& and ||
Combine conditions within json.rule using && and ||.
config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow' || @.Action=='s3:ListBucket' && @.Effect=='Allow')].Principal contains *"
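The three quantifiers above differ only in how many array elements must satisfy the nested condition. The following is an added example, not Prisma Cloud's code: a small Python evaluator that applies the ?any / ?none / ?all semantics from the table to a constructed NSG-like document, using the predicate from the first row (Allow, Inbound, from Internet, UDP or any protocol, destination port 137). The `destinationPortRange` forms it accepts (single port, `a-b` range, `*`) and the treatment of an empty array under ?all (Python's `all()` returns True for an empty list; the page does not say what RQL does) are assumptions.

```python
"""Added example (not Prisma Cloud code): evaluates the ?any / ?none / ?all
array quantifiers from the table above over a constructed NSG-like document."""
from typing import Any, Callable, Dict, List

# Constructed sample resembling an Azure NSG 'securityRules' array.
SAMPLE_NSG: Dict[str, Any] = {
    "name": "nsg-example",
    "securityRules": [
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet",
         "protocol": "Udp", "destinationPortRange": "137"},
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.0.0/8",
         "protocol": "Tcp", "destinationPortRange": "443"},
        {"access": "Deny", "direction": "Inbound", "sourceAddressPrefix": "*",
         "protocol": "*", "destinationPortRange": "*"},
    ],
}

Predicate = Callable[[Dict[str, Any]], bool]


def quantify(items: List[Dict[str, Any]], mode: str, pred: Predicate) -> bool:
    """Mirror the RQL array quantifiers:
    ?any  -> at least one element satisfies pred
    ?none -> no element satisfies pred
    ?all  -> every element satisfies pred (empty array is vacuously True here;
             this is an assumption, the page does not specify RQL's behaviour)
    """
    hits = [pred(item) for item in items]
    if mode == "any":
        return any(hits)
    if mode == "none":
        return not any(hits)
    if mode == "all":
        return all(hits)
    raise ValueError(f"unknown quantifier: {mode}")


def port_spec_overlaps(spec: str, low: int, high: int) -> bool:
    """Approximates 'destinationPortRange contains _Port.inRange(low, high)'.
    spec is a single port ('137'), a range ('130-140') or '*' (assumed forms)."""
    if spec == "*":
        return True
    if "-" in spec:
        first, last = (int(p) for p in spec.split("-", 1))
        return first <= high and last >= low
    return low <= int(spec) <= high


def udp_netbios_from_internet(rule: Dict[str, Any]) -> bool:
    """The predicate inside ?any(...) in the first row of the table."""
    return (rule["access"] == "Allow"
            and rule["direction"] == "Inbound"
            and rule["sourceAddressPrefix"] == "Internet"
            and rule["protocol"] in ("Udp", "*")
            and port_spec_overlaps(rule["destinationPortRange"], 137, 137))


def any_matches(doc: Dict[str, Any] = SAMPLE_NSG) -> bool:
    """securityRules[?any(...)] exists"""
    return quantify(doc["securityRules"], "any", udp_netbios_from_internet)


def none_matches(doc: Dict[str, Any] = SAMPLE_NSG) -> bool:
    """securityRules[?none(...)] exists"""
    return quantify(doc["securityRules"], "none", udp_netbios_from_internet)


def all_matches(doc: Dict[str, Any] = SAMPLE_NSG) -> bool:
    """securityRules[?all(...)] exists"""
    return quantify(doc["securityRules"], "all", udp_netbios_from_internet)


if __name__ == "__main__":
    print("any:", any_matches(), "none:", none_matches(), "all:", all_matches())
```

On the sample only the first rule satisfies the predicate, so ?any is true while ?none and ?all are false; a ?none policy is therefore the one that flags a resource as compliant, and ?any the one that flags it as exposed.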

Config and Event Operators

OPERATOR
DESCRIPTION
RQL EXAMPLE
greater than
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge greater than 20
less than
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge less than 100
equals
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge equals 90
does not equal
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge does not equal 90
equal ignore case
Compares a path on the left-hand side against either a string value or another path on the right-hand side. The equal ignore case operator works exactly the same as equals, with the only difference that it disregards case in the string match.
config from cloud.resource where cloud.account = 'AWS_prod' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = groupName equal ignore case RQL-auto-SG1
does not equal ignore case
Compares a path on the left-hand side against either a string value or another path on the right-hand side, disregarding case in the string match.
starts with
The left-hand side must be a path with a string value.
config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName starts with y
does not start with
The left-hand side must be a path with a string value.
config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName does not start with y
ends with
The left-hand side must be a path with a string value.
config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName ends with i
does not end with
The left-hand side must be a path with a string value.
config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName does not end with i
contains
The left-hand side may be a single path or a set of paths with numeric or string value.
config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = defaultSecurityRules[*].direction contains outbound
does not contain
The left-hand side may be a single path or a set of paths with numeric or string value.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState does not contain allocated
is empty
The left-hand side must be a path leading to a string value.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is empty
is not empty
The left-hand side must be a path leading to a string value.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is not empty
exists
The left-hand side must be a path.
config from cloud.resource where api.name = 'aws-ec2-describe-network-interfaces' AND json.rule = 'association.publicIp exists'
does not exist
The left-hand side must be a path.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = metadata.kind does not exist
any start with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any start with vpc-3
none start with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none start with vpc-323cda
all start with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all start with vpc-323cda
any end with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any end with 49
none end with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none end with 49
all end with
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all end with 49
any equal
The left-hand side must be a set of paths leading to string or numeric values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any equal vpc-323cda49
none equal
The left-hand side must be a set of paths leading to string or numeric values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none equal vpc-323cda49
all equal
The left-hand side must be a set of paths leading to string or numeric values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all equal vpc-323cda49
any empty
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any empty
none empty
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none empty
all empty
The left-hand side must be a set of paths leading to string values.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all empty
IN (
The left-hand side must be a string.
event from cloud.audit_logs where crud IN ( 'create' , 'update' ) AND has.anomaly
NOT IN (
The left-hand side must be a string.
config from cloud.resource where finding.severity NOT IN ( 'low', 'informational', 'medium' ) AND cloud.account IN ( 'account_name' )
size equals
The left-hand side must be an array.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size equals 0
size does not equal
The left-hand side must be an array.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size does not equal 0
size greater than
The left-hand side must be an array.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size greater than 1
size less than
The left-hand side must be an array.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size less than 1
length equals
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length equals 3
length does not equal
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length does not equal 3
length greater than
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length greater than 3
length less than
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' and json.rule = snapshot.storageType length less than 4
number of words equals
The left-hand side is a path with a string value.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words equals 3
number of words does not equal
The left-hand side is a path with a string value.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words does not equal 3
number of words greater than
The left-hand side is a path with a string value.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words greater than 2
number of words less than
The left-hand side is a path with a string value.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words less than 3
any true
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any true "
none true
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none true"
all true
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all true "
any false
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any false"
none false
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none false"
all false
The left-hand side is a set of paths with Boolean values.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all false"
is true
The left-hand side is a path with Boolean value.
config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is true
is false
The left-hand side is a path with Boolean value.
config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is false
is not member of
The left-hand side is a path with string value, and the right-hand side is a set of values in parentheses and separated with commas.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].fromPort is not member of (22)
is member of
The left-hand side is a path with string value, and the right-hand side is a set of values in parentheses and separated with commas.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort is member of (3389,22,5432)
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipProtocol exists and ipPermissions[*].ipProtocol is member of (tcp)
matches
does not match
For event queries, use the boolean operators matches and does not match to match or exclude field values against simple patterns, not full regular expressions. Patterns can contain substrings and * as a wildcard. Use the matches or does not match operator instead of the contains/does not contain or exists/does not exist operators. In the following example, the value 'c*login' lists activities whose operation matches clogin, cloudlogin, or consolelogin.
event from cloud.audit_logs where cloud.type = 'aws' AND cloud.account = 'RedLock Sandbox' AND operation matches 'c*login'
intersects
does not intersect
Checks whether there are common elements between any two lists. Both the left-hand and right-hand sides can be a path with a string or array value, a string or IP address/CIDR block, a set of values in parentheses separated by commas, or a function such as _Port.inRange(). The following example shows the _IPAddress.inRange function with the does not intersect operator:
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = firewallRules size > 0 and (firewallRules[*].endIpAddress does not intersect _IPAddress.inRange("190.100.0.%d",100,130) and firewallRules[*].endIpAddress does not intersect (52.31.43.92, 56.75.42.16, 96.15.20.13))
like
Checks whether the wildcard character (*) is used to grant access permissions at the account level on your cloud service provider. For example, you can check for wildcard permissions granted to delete all EC2 instances in every account. The left-hand side is a path with a string value, and the right-hand side is the name of a cloud account. The like operator is currently only supported for iam queries; see IAM Query Attributes.
config from iam where dest.cloud.account LIKE 'account-dev-3'

Joins

Joins allow you to get data from two different APIs where you have combined different conditions. You can use Joins only across config from cloud.resource where queries. A join can include up to three configuration API resources with the aliases X, Y and Z, and you can optionally include a json.rule to match within each API resource alias. When you use the json.rule, joins across event, network, and config are not supported.
Nested rules using the ?any quantifier limit the conditions you write on the elements of an array. For RQL policies that use nested rules, you can add a condition referencing an external JSON path inside the nested rule. This is useful when a Join is expressed between two different paths in a JSON specimen, which requires the nested rule to check values outside the scope of the quantifier.
Use resource-specific conditions inside the json.rule of each alias, and use the filter option only for comparisons with the operators ==, !=, contains, does not contain, and not (negation).
Join basic syntax:
config from cloud.resource where api.name = 'a' and json.rule = 'r' as X; config from cloud.resource where api.name ='b' and json.rule ='r2' as Y; show (X;|Y;)
config from cloud.resource where api.name=".." as X; config from cloud.resource where api.name="..." as Y; filter "$.X... <operator> $.Y"; show (X;|Y;)
To find EC2 instances that have public IP addresses assigned at launch, use this query:
Steps:
  1. List EC2 instances that have a public IP address as X:
    config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress exists and publicIpAddress is not empty as X;
  2. List instances that have security groups which allow unrestricted access from any source as Y:
    config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' and json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0 as Y;
  3. Set the filter:
    filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;
  4. Complete the query to list all EC2 instances that have a public IP address and are accessible without any source IP restrictions:
    config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-subnets' as Y; filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;
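To make the join mechanics concrete, here is an added example (not Prisma Cloud's code) that re-creates the steps above in memory: alias X is filtered by its json.rule, alias Y by its own, the filter is evaluated across the two, and `show X` returns the X records. The instance, security-group and subnet records are constructed; treating `$.X.securityGroups[*].groupName == $.Y.groupName` as "any element of X's list equals Y's value" is an assumption about how RQL compares a `[*]` path with a scalar.

```python
"""Added example (not Prisma Cloud code): an in-memory re-creation of the join
steps above over constructed EC2 instance, security-group and subnet records."""
from typing import Any, Dict, List

# Constructed 'aws-ec2-describe-instances' records, trimmed to the fields the join uses.
INSTANCES: List[Dict[str, Any]] = [
    {"instanceId": "i-0aaa", "publicIpAddress": "203.0.113.10", "subnetId": "subnet-1",
     "securityGroups": [{"groupName": "web-open"}, {"groupName": "internal"}]},
    {"instanceId": "i-0bbb", "publicIpAddress": "203.0.113.11", "subnetId": "subnet-2",
     "securityGroups": [{"groupName": "internal"}]},
    {"instanceId": "i-0ccc", "publicIpAddress": "", "subnetId": "subnet-1",
     "securityGroups": [{"groupName": "web-open"}]},
    {"instanceId": "i-0ddd", "subnetId": "subnet-2",  # no publicIpAddress key at all
     "securityGroups": [{"groupName": "web-open"}]},
]

# Constructed 'aws-ec2-describe-security-groups' records.
SECURITY_GROUPS: List[Dict[str, Any]] = [
    {"groupName": "web-open", "ipPermissions": [
        {"fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]},
    {"groupName": "internal", "ipPermissions": [
        {"fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"],
         "ipv6Ranges": [{"cidrIpv6": "fd00::/8"}]}]},
    {"groupName": "v6-open", "ipPermissions": [
        {"fromPort": 80, "toPort": 80, "ipRanges": [],
         "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
]

# Constructed 'aws-ec2-describe-subnets' records for step 4.
SUBNETS: List[Dict[str, Any]] = [
    {"subnetId": "subnet-1", "mapPublicIpOnLaunch": True},
    {"subnetId": "subnet-2", "mapPublicIpOnLaunch": False},
]


def step1_public_instances(instances=INSTANCES) -> List[Dict[str, Any]]:
    """X: json.rule = publicIpAddress exists and publicIpAddress is not empty"""
    return [i for i in instances if "publicIpAddress" in i and i["publicIpAddress"] != ""]


def step2_unrestricted_groups(groups=SECURITY_GROUPS) -> List[Dict[str, Any]]:
    """Y: json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0
          or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0"""
    selected = []
    for g in groups:
        v4 = [r for p in g["ipPermissions"] for r in p["ipRanges"]]
        v6 = [r["cidrIpv6"] for p in g["ipPermissions"] for r in p["ipv6Ranges"]]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            selected.append(g)
    return selected


def step3_join_show_x(instances=INSTANCES, groups=SECURITY_GROUPS) -> List[str]:
    """filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;
    Assumption: a [*] path on the left matches when any of its elements equals the right."""
    y_names = {g["groupName"] for g in step2_unrestricted_groups(groups)}
    hits = []
    for x in step1_public_instances(instances):
        x_names = {sg["groupName"] for sg in x["securityGroups"]}
        if x_names & y_names:
            hits.append(x["instanceId"])
    return hits


def step4_public_on_launch(instances=INSTANCES, subnets=SUBNETS) -> List[str]:
    """filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;"""
    public_subnets = {s["subnetId"] for s in subnets if s["mapPublicIpOnLaunch"] is True}
    return [i["instanceId"] for i in instances if i["subnetId"] in public_subnets]


if __name__ == "__main__":
    print("public + unrestricted SG:", step3_join_show_x())
    print("public IP on launch:", step4_public_on_launch())
```

Note that i-0ddd, which has no `publicIpAddress` key, fails step 1 on `exists`, and i-0ccc fails it on `is not empty`; the join therefore only ever sees instances that passed their own alias's json.rule, which is why the page recommends keeping resource-specific conditions in the json.rule and leaving only cross-alias comparisons to the filter.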
Examples of Joins:
DESCRIPTION
RQL EXAMPLE
VPCs that are connected to internet gateways.
config from cloud.resource where api.name = 'aws-ec2-describe-internet-gateways' as X; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
CloudTrail logs that are integrated with CloudWatch for all regions.
config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name = 'aws-cloudtrail-get-trail-status' as Y; filter '$.X.cloudWatchLogsLogGroupArn != null and ($.Y.status.latestCloudWatchLogsDeliveryTime != null and _DateTime.ageInDays($.Y.status.latestCloudWatchLogsDeliveryTime) > 1) and ($.X.rrn == $.Y.rrn)'; show X;
Show all AWS Lambda functions that are accessible with the RedlockReadOnly IAM role.
config from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = handler contains "lambda" as X;config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = role.roleName contains "RedlockReadOnlyRole" as Y;filter '($.X.role.rolename equals $.Y.role.rolename)' ; show X;
Find all EC2 instances that have a specified name, snapshot ID and image ID.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "Name" as X; config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.snapshotId contains "snap-004b0221589e516d7" as Y; config from cloud.resource where api.name = 'aws-ec2-describe-images' AND json.rule = image.imageId contains "ami-03698559b1d406e89" as Z; show X
Find Azure SQL databases where the audit log retention period is less than 90 days.
config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;
Find buckets where the ACL owner ID and grantee ID do not match and the grantee display name does not contain awslogsdelivery.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any( grantee.displayName exists and grantee.displayName does not contain awslogsdelivery and grantee.identifier does not contain $.acl.owner.id)] exists

Functions

A function performs a calculation on the specific data that matches the clause contained in the function and displays the results. Functions support auto-complete when you enter the prefix _ in a json.rule or addcolumn attribute.
Prisma Cloud supports the following functions:

_DateTime Examples

Query time ranges are not part of the RQL grammar; the query time window is passed as a separate argument to the query APIs. The selection of the attributes or columns for a category is also not part of the RQL grammar. The function accepts timestamps in the following formats only:
Zulu: "2011-08-13T20:17:46.384Z"
GSON/AWS: "Nov 7, 2016 9:34:21 AM"
ISO: "2011-12-04T10:15:30+01:00"
The available _DateTime functions are _DateTime.ageInDays, _DateTime.ageInMonths, _DateTime.ageInYears, and _DateTime.daysBetween. The _DateTime.daysBetween function takes two dates as arguments and matches any information that falls between them. For example, _DateTime.ageInDays returns the number of days until a future date as a negative number.
Although all JSON parameters are offered as auto-complete options when you use a _DateTime function, you must select only parameters that hold timestamps. Also, the syntax for a function does not support spaces: remove empty spaces before or after parentheses and between comma-separated parameters.
DESCRIPTION
RQL EXAMPLE
List EC2 instances with age greater than 2 days.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays(launchTime) > 2'
List resource names where access keys are not rotated for 90 days.
config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated) > 90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated) > 90)'
Use the function today() to return the current day’s date.
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule ="_DateTime.daysBetween($.latestDeliveryTime,today()) != 2"
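The following added example (not Prisma Cloud's code) parses the three timestamp formats listed above and re-creates the _DateTime.ageInDays and _DateTime.daysBetween arithmetic, then applies it the way the credential-report query does, including the `N/A` value that a never-rotated key carries. Treating a GSON/AWS timestamp, which carries no zone, as UTC, and reporting ages in whole (floored) days, are assumptions; `FIXED_NOW` is a constructed reference time so the results are reproducible.

```python
"""Added example (not Prisma Cloud code): parses the Zulu, GSON/AWS and ISO timestamp
formats the page lists and re-creates _DateTime.ageInDays / _DateTime.daysBetween."""
from datetime import datetime, timezone
from typing import Optional

# Constructed reference "now" so that the checks below are deterministic.
FIXED_NOW = datetime(2016, 11, 10, 9, 34, 21, tzinfo=timezone.utc)


def parse_timestamp(value: str) -> datetime:
    """Accept Zulu, GSON/AWS and ISO-with-offset forms; return an aware UTC datetime.
    Raises ValueError for anything else, including the credential report's 'N/A'."""
    v = value.strip()
    if v.endswith("Z"):  # Zulu: 2011-08-13T20:17:46.384Z (fraction optional)
        for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
            try:
                return datetime.strptime(v, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
        raise ValueError(f"bad Zulu timestamp: {value!r}")
    try:  # GSON/AWS: Nov 7, 2016 9:34:21 AM (no zone given; treated as UTC, an assumption)
        return datetime.strptime(v, "%b %d, %Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    try:  # ISO with offset: 2011-12-04T10:15:30+01:00
        parsed = datetime.fromisoformat(v)
    except ValueError as exc:
        raise ValueError(f"unsupported timestamp: {value!r}") from exc
    if parsed.tzinfo is None:
        raise ValueError(f"ISO timestamp needs a UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)


def age_in_days(value: str, now: Optional[datetime] = None) -> int:
    """_DateTime.ageInDays: whole days elapsed since value (floored); a date in the
    future yields a negative number, as the page notes."""
    now = now or datetime.now(timezone.utc)
    return (now - parse_timestamp(value)).days


def days_between(start: str, end: str) -> int:
    """_DateTime.daysBetween: whole days from start to end."""
    return (parse_timestamp(end) - parse_timestamp(start)).days


def key_rotation_overdue(active: bool, last_rotated: str,
                         now: Optional[datetime] = None, max_age_days: int = 90) -> bool:
    """One half of the credential-report rule in the table above:
    access_key_N_active is true and access_key_N_last_rotated != N/A
    and _DateTime.ageInDays(access_key_N_last_rotated) > 90"""
    if not active or last_rotated == "N/A":
        return False
    return age_in_days(last_rotated, now) > max_age_days


if __name__ == "__main__":
    print(age_in_days("Nov 7, 2016 9:34:21 AM", FIXED_NOW))
    print(key_rotation_overdue(True, "2016-07-01T00:00:00Z", FIXED_NOW))
```

The `!= N/A` guard in the page's query matters for the same reason the parser raises on it: without the guard, an inactive or never-rotated key would be fed a non-timestamp and the whole condition would fail instead of being skipped.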

_AWSCloudAccount.isRedLockMonitored Examples

When using this function to identify AWS accounts that are or are not monitored on Prisma Cloud, you can provide the AWS account ID in any of the following formats:
  • Standard AWS 12-digit account number.
    For example: 123456789012
  • Canonical user ID. You can use this ID to identify an AWS account when granting cross-account access to buckets and objects using Amazon S3.
    For example, an alpha-numeric identifier: 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
  • AWS account ID in ARN format.
    For example, arn:aws:iam::123456789012:role/test-1240-47
DESCRIPTION
RQL EXAMPLE
List any snapshots that are shared publicly and are not monitored by Prisma Cloud.
config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*] size != 0 and _AWSCloudAccount.isRedLockMonitored(createVolumePermissions[*].userId) is false'

_IPAddress.inRange Examples

To check if a particular IP address is part of an IP address range, use _IPAddress.inRange and in the argument specify the octets along with the <fromInteger> and <toInteger>. For example, ("172.%d.",16,31) or ("172.10.%d.",10,255).
DESCRIPTION
RQL EXAMPLE
List AWS Route53 Public Zones that have Private Records.
In this example, _IPAddress.inRange("172.%d.",16,31) lets you search for IP addresses in the range "172.16.x.x" to "172.31.x.x":
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-route53-list-hosted-zones' AND json.rule = resourceRecordSet[*].resourceRecords[*].value any start with _IPAddress.inRange("172.%d.",16,31)

_Port.inRange Examples

To check if a particular port number is part of a specific range, use the class _Port and the method inRange. This method takes three arguments: <fromInteger>, <toInteger>, and optionally an <offset>. By default, the <offset> is 1.
DESCRIPTION
RQL EXAMPLE
Use the inRange function with the contains and does not contain operators to check for conditions on a port range. Specify <fromInteger> and <toInteger> to find all ports within the specified range.
Example using contains to check for port numbers between 22 and 33 with an offset of 1:
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(22,33,1)
The example above checks for all ports between 22 and 33.
Example using does not contain:
config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[*].sourcePortRanges[*] does not contain _Port.inRange(350,5400,5)
The example above checks for ports 350, 355, 360, ..., 5390, 5395, 5600.
Example using no offset, to find all ports within the specified range:
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(400,500)
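Both _IPAddress.inRange (previous section) and _Port.inRange expand to a list of values that the operator on their left is then evaluated against. The following added example (not Prisma Cloud's code) reproduces those expansions in Python and applies them with `any start with` and `contains` over constructed Route53 record values and security-group ports. That both ends of a port range are inclusive, and that a `%d` pattern is expanded by plain integer substitution, are assumptions drawn from the page's own examples.

```python
"""Added example (not Prisma Cloud code): re-creates the value sets that
_IPAddress.inRange("172.%d.",16,31) and _Port.inRange(from,to,offset) expand to."""
from typing import List


def ip_in_range(pattern: str, start: int, end: int) -> List[str]:
    """_IPAddress.inRange: substitute start..end (inclusive) for the %d in pattern."""
    if "%d" not in pattern:
        raise ValueError("pattern needs a %d placeholder")
    return [pattern % n for n in range(start, end + 1)]


def port_in_range(start: int, end: int, offset: int = 1) -> List[int]:
    """_Port.inRange: ports start, start+offset, ... up to and including end.
    offset defaults to 1, as the page states."""
    if offset < 1:
        raise ValueError("offset must be >= 1")
    return list(range(start, end + 1, offset))


# Constructed Route53 resourceRecords[*].value entries and EC2 toPort values.
RECORD_VALUES = ["172.20.5.9", "198.51.100.7", "172.32.0.1"]
TO_PORTS = [22, 25, 33, 34, 443]


def any_start_with(values: List[str], prefixes: List[str]) -> bool:
    """'<values> any start with <prefixes>': some value starts with some prefix."""
    return any(v.startswith(p) for v in values for p in prefixes)


def contains_any(ports: List[int], wanted: List[int]) -> bool:
    """'<ports> contains _Port.inRange(...)': some port is in the expanded set."""
    return bool(set(ports) & set(wanted))


def matching_record_values(values: List[str] = RECORD_VALUES) -> List[str]:
    """The record values that are private 172.16.x.x - 172.31.x.x addresses."""
    prefixes = tuple(ip_in_range("172.%d.", 16, 31))
    return [v for v in values if v.startswith(prefixes)]


if __name__ == "__main__":
    print(matching_record_values())
    print(contains_any(TO_PORTS, port_in_range(22, 33, 1)))
```

The trailing dot in "172.%d." is what keeps 172.32.0.1 out of the match: a pattern of "172.%d" would expand to the prefix "172.3", which 172.32.0.1 starts with, so the octet boundary has to be written into the pattern explicitly.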

_IPAddress.inCIDRRange Examples

To check if a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork, use the _IPAddress.inCIDRRange function. This function takes two arguments: the first is the CIDR address or array of CIDR addresses extracted from the JSON payload, where you must specify whether it is ipv4Ranges or ipv6Ranges together with the corresponding cidrIp or cidrIpv6 field; the second is the CIDR block (either IPv4 or IPv6) that you want to match on. When the condition is true, the result returns the resources whose IP addresses in the JSON payload fall within the CIDR range you entered; when it is false, it returns the resources that do not match.
DESCRIPTION
RQL EXAMPLE
Define multiple CIDR blocks that you want to match on.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'
Find an IPv6 address within a CIDR block.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:62fa:ffff:ffff:ffff:ffff/24) is true'
Specify multiple match conditions to find all CIDRs within the JSON metadata.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = 'ipPermissions[*].ipv4Ranges[*].cidrIp does not contain "0.0.0.0/0" and ipPermissions[*].ipv4Ranges[*].cidrIp size does not equal 0 and _IPAddress.inCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'

_IPAddress.areAllInCIDRRange() Examples

The _IPAddress.areAllInCIDRRange(Resource, CIDR) function checks whether all of the IP addresses assigned to a resource are within a specified CIDR block. The result of executing the function is a boolean. For example, if your question is "Do my databases have all IP addresses in the 10.0.0.0/24 IP range," the answer will be yes or no. The function accepts two arguments, Resource and CIDR. Resource describes the metadata within the configuration file that contains the IP address(es), and CIDR represents the value of the CIDR block that you define.
Description
Example
Find all resources that contain CIDR addresses within the 10.0.0.0/8 range.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv4Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true
Find all IP addresses that fall within a specified range.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv6Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIp,fc00::/7) is true
Find all the IPv6 addresses within the CIDR block.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = _IPAddress.areAllInCIDRRange(ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:6200::/1) is true

_IPAddress.areAnyOutsideCIDRRange() Examples

The _IPAddress.areAnyOutsideCIDRRange() function enables you to write config RQL queries that check whether any IP/CIDR addresses are outside of a given list of permitted CIDR blocks. You can use this function to check whether any resources have exposure to IP addresses outside of the RFC 1918 private CIDR blocks.
The first argument is a JSON expression that evaluates to one or more IP/CIDR addresses. The second and subsequent arguments list the IP/CIDR addresses and/or ranges to test against. You can use IPv4 and IPv6 address formats; however, the function arguments must be either all IPv4 or all IPv6.
Description
Example
Check a valid IP against an invalid range to indicate the IP is outside of the range. If the address is not a valid IP or CIDR it is not considered to be a match.
_IPAddress.areAnyOutsideCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.0.0.0/24,172.31.0.0/16)
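The three CIDR functions of the last three sections (_IPAddress.inCIDRRange, _IPAddress.areAllInCIDRRange and _IPAddress.areAnyOutsideCIDRRange) differ in their quantifier but share the same containment test. The following is an added example, not Prisma Cloud's code: independent Python versions of all three built on the standard `ipaddress` module, run over constructed ipv4Ranges and ipv6Ranges values. The decisions that a value counts as inside a block when it is fully contained in it, that inCIDRRange is satisfied by any one value, that areAllInCIDRRange over an empty list is false, and that a mixed-version comparison never matches are assumptions; the page does state that an invalid IP or CIDR is never considered a match, which the code follows.

```python
"""Added example (not Prisma Cloud code): Python versions of _IPAddress.inCIDRRange,
_IPAddress.areAllInCIDRRange and _IPAddress.areAnyOutsideCIDRRange."""
import ipaddress
from typing import Iterable, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidr(value: str) -> Optional[Net]:
    """A bare address becomes a /32 or /128; host bits are masked off (strict=False),
    so 172.31.0.0/12 becomes 172.16.0.0/12. Unparsable input returns None, and the
    page says an invalid IP or CIDR is never considered a match."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _inside(candidate: Optional[Net], block: Net) -> bool:
    """Containment test shared by all three functions; versions must agree."""
    return (candidate is not None and candidate.version == block.version
            and candidate.subnet_of(block))


def in_cidr_range(values: Iterable[str], cidr: str) -> bool:
    """_IPAddress.inCIDRRange: true when any value lies inside cidr (assumed 'any')."""
    block = parse_cidr(cidr)
    if block is None:
        return False
    return any(_inside(parse_cidr(v), block) for v in values)


def are_all_in_cidr_range(values: Iterable[str], cidr: str) -> bool:
    """_IPAddress.areAllInCIDRRange: every value inside cidr. An empty list gives
    False here, which is why the page's examples pair it with 'size greater than 0'."""
    block = parse_cidr(cidr)
    vals = list(values)
    if block is None or not vals:
        return False
    return all(_inside(parse_cidr(v), block) for v in vals)


def are_any_outside_cidr_range(values: Iterable[str], *allowed: str) -> bool:
    """_IPAddress.areAnyOutsideCIDRRange: true when some valid value is outside every
    allowed block. Invalid values are skipped rather than counted as outside."""
    blocks = [b for b in (parse_cidr(a) for a in allowed) if b is not None]
    for v in values:
        candidate = parse_cidr(v)
        if candidate is None:
            continue
        if not any(_inside(candidate, b) for b in blocks):
            return True
    return False


RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed ipv4Ranges[*].cidrIp and ipv6Ranges[*].cidrIpv6 values from a security group.
SG_V4 = ["10.1.2.0/24", "192.168.10.5", "not-an-ip"]
SG_V6 = ["2600:1f18:226b:62fa::/64"]


if __name__ == "__main__":
    print("any private v4:", in_cidr_range(SG_V4, "10.0.0.0/8"))
    print("exposure outside RFC1918:", are_any_outside_cidr_range(SG_V4, *RFC1918))
    print("open to world outside RFC1918:",
          are_any_outside_cidr_range(["10.0.0.1", "0.0.0.0/0"], *RFC1918))
```

Note that 0.0.0.0/0 is a valid network that is not contained in any RFC 1918 block, so areAnyOutsideCIDRRange reports an unrestricted ingress rule as exposure without any special case.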

_Set Examples

The _Set function enables you to compare the values between lists on the left-hand side and right-hand side using the properties of union or intersection, and identify whether a specific value or comma-separated list of values is included within that result set. The methods supported are _Set.intersection, _Set.union, and _Set.isSubset. For _Set.intersection and _Set.union, you can use the boolean operators intersects and contains to verify whether the values you want to look for are included in the result, or whether the result set contains the specified value(s).
_Set.isSubset enables you to identify whether a specific value or comma-separated list of values returned by the JSON path of the resource is fully contained within the target list. The syntax is:
_Set.isSubset(<path>, <target_list>) is [ true | false ]
where <path> is a JSON path and <target_list> is a set of strings without any whitespace within. For example, neither use of whitespace is valid: _Set.isSubset(<path>, (a, "b1 b2",c)) has a space within the second string, and _Set.isSubset(<path>, (a, b, c)) has spaces between the strings in the list.
If the result dataset is huge, use limit search records to at the end of the query.
Description
Example
Compare a list on the RHS [as X] with another dynamic list of items in LHS [as Y] and take the intersection ones into a subset list and then compare this against a static, comma separated list you provide.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;
config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 100
Combine two lists to include all elements of X and Y and find a match against a comma separated list you provide.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show Y; limit search records to 10
Check if a result set contains a specific value.
config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) contains vpc-b8ba2dd0'; show X;
Detects Internet exposed instances with public IP and firewall rule with 0.0.0.0/0 and destination is specified target tags:
config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
Checks that the SQS policy statement does not include the list of IP addresses specified
config from cloud.resource where cloud.region = 'AWS Ohio' and api.name='aws-sqs-get-queue-attributes' and json.rule = QueueArn contains rql and _Set.isSubset(attributes.Policy.Statement[*].Condition.NotIpAddress.aws:SourceIp[*],(58.307.78.64/28,43.89.2.128/27,3.218.144.244,34.205.176.82,34.228.96.118,14.228.97.64/27)) is false
Checks that, for the specified groupName, the IP address ranges in the path ipPermissions[*].ipRanges[*] are fully contained in the target list of strings.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = groupName contains rql and _Set.isSubset(ipPermissions[*].ipRanges[*],(199.167.52.5/32,34.98.203.241/32,192.168.0.0/16,10.0.0.0/24,172.31.0.0/16)) is true
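To show what the three _Set methods and the intersects / contains operators compute, here is an added example (not Prisma Cloud's code) that re-creates _Set.intersection, _Set.union and _Set.isSubset over constructed vpcId and ipRanges values, and parses the target list with the page's no-whitespace rule enforced. Treating an empty path result as a subset of any target list, and treating the parenthesised list purely as comma-separated tokens, are assumptions.

```python
"""Added example (not Prisma Cloud code): re-creates _Set.intersection, _Set.union and
_Set.isSubset, including the page's rule that the target list carries no whitespace."""
from typing import Iterable, List, Set


def parse_target_list(text: str) -> List[str]:
    """Parse '(a,b,c)' as the page describes: parentheses, comma-separated, no whitespace.
    Raises ValueError on any whitespace, mirroring 'neither use of whitespace is valid'."""
    if any(ch.isspace() for ch in text):
        raise ValueError("target list must not contain whitespace")
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("target list must be wrapped in parentheses")
    items = text[1:-1].split(",")
    if any(item == "" for item in items):
        raise ValueError("empty element in target list")
    return items


def is_valid_target_list(text: str) -> bool:
    """True when parse_target_list accepts text."""
    try:
        parse_target_list(text)
        return True
    except ValueError:
        return False


def set_intersection(lhs: Iterable[str], rhs: Iterable[str]) -> Set[str]:
    """_Set.intersection: values present in both lists."""
    return set(lhs) & set(rhs)


def set_union(lhs: Iterable[str], rhs: Iterable[str]) -> Set[str]:
    """_Set.union: values present in either list."""
    return set(lhs) | set(rhs)


def intersects(result: Set[str], target: Iterable[str]) -> bool:
    """'intersects' operator: the result set and the target share an element."""
    return bool(result & set(target))


def is_subset(path_values: Iterable[str], target_list: str) -> bool:
    """_Set.isSubset(<path>, <target_list>): every value from the path is in the
    target list. An empty path result is vacuously a subset (assumption)."""
    return set(path_values) <= set(parse_target_list(target_list))


# Constructed vpcId values as aliases X (instances) and Y (security groups) would yield,
# and the static list from the page's _Set.intersection example.
X_VPC_IDS = ["vpc-5b9a3c33", "vpc-aaaa0001"]
Y_VPC_IDS = ["vpc-5b9a3c33", "vpc-bbbb0002"]
STATIC = "(vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)"

# Constructed ipPermissions[*].ipRanges[*] values and the page's isSubset target list.
SG_RANGES = ["199.167.52.5/32", "10.0.0.0/24"]
ALLOWED = "(199.167.52.5/32,34.98.203.241/32,192.168.0.0/16,10.0.0.0/24,172.31.0.0/16)"


def intersection_matches_static() -> bool:
    """filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (<STATIC>)'"""
    return intersects(set_intersection(X_VPC_IDS, Y_VPC_IDS), parse_target_list(STATIC))


def union_contains(value: str) -> bool:
    """filter '_Set.union($.X.vpcId,$.Y.vpcId) contains <value>'"""
    return value in set_union(X_VPC_IDS, Y_VPC_IDS)


if __name__ == "__main__":
    print(intersection_matches_static(), union_contains("vpc-bbbb0002"))
    print(is_subset(SG_RANGES, ALLOWED), is_subset(SG_RANGES + ["0.0.0.0/0"], ALLOWED))
```

The isSubset check is the one that expresses an allow-list: adding a single 0.0.0.0/0 to the group's ranges flips it to false, whereas intersects would still report true because the permitted ranges are still present.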
