RQL Operators

An operator in RQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right, such that only valid results are retrieved and displayed to you. You can use an RQL operator to find a specific term included as a value within an object or an array within a JSON structure.

The following operators and conditions that you can use to compare or validate results:

Operators Within JSON Arrays

Config and Event Operators

Joins

Functions

Operators Within JSON Arrays

OPERATOR	DESCRIPTION	RQL EXAMPLE
@ and ?	@ and ? are expressions used to filter arrays. ? opens the array. @ represents the current item being processed. It is used to hone in on a particular block in the json object so that you are only matching that block and no others.	config from cloud.resource where api.name='aws-ec2-describe-security-groups' AND json.rule='ipPermissions[?(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0'
&& and \|\|	Combine conditions within json.rule using && and \|\|.	config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow' \|\| @.Action=='s3:ListBucket' && @.Effect=='Allow')].Principal contains *"

OPERATOR

DESCRIPTION

RQL EXAMPLE

@ and ?

@ and ? are expressions used to filter arrays.

? opens the array.

@ represents the current item being processed. It is used to hone in on a particular block in the json object so that you are only matching that block and no others.

config from cloud.resource where api.name='aws-ec2-describe-security-groups' AND json.rule='ipPermissions[?(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0'

&& and ||

Combine conditions within json.rule using && and ||.

config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow' || @.Action=='s3:ListBucket' &&  @.Effect=='Allow')].Principal contains *"

Config and Event Operators

OPERATOR	DESCRIPTION	RQL EXAMPLE
Greater than	Compares a path on left-hand side against either a numeric value or another path on the right-hand side.	config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge greater than 20
Less than	Compares a path on left-hand side against either a numeric value or another path on the right-hand side.	config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge less than 100
Equals	Compares a path on left-hand side against either a numeric value or another path on the right-hand side.	config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge equals 90
Does not equal	Compares a path on left-hand side against either a numeric value or another path on the right-hand side.	config from cloud.resource where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge does not equal 90
Starts with	Left-hand side must be a path with a string value.	config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName starts with y
Does not start with	Left-hand side must be a path with a string value.	config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName does not start with y
Ends with	Left-hand side must be a path with a string value.	config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName ends with i
Does not end with	Left-hand side must be a path with a string value.	config from cloud.resource where api.name = 'aws-iam-list-users' and json.rule = userName does not end with i
Contains	The left-hand side may be a single path or a set of paths with numeric or string value.	config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = defaultSecurityRules[*].direction contains outbound
Does not contain	The left-hand side may be a single path or a set of paths with numeric or string value.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState does not contain allocated
Is empty	The left-hand side must be a path leading to a string value.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is empty
Is not empty	The left-hand side must be a path leading to a string value.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is not empty
Exists	The left-hand side must be a path.	config from cloud.resource where api.name = 'aws-ec2-describe-network-interfaces' AND json.rule = 'association.publicIp exists'
Does not exist	The left-hand side must be a path.	config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = metadata.kind does not exist
Any start with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any start with vpc-3
None start with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none start with vpc-323cda
All start with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all start with vpc-323cda
Any end with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any end with 49
None end with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none end with 49
All end with	The left-hand side must be a set of paths leading to string values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all end with 49
Any equal	The left-hand side must be a set of paths leading to string or numeric values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any equal vpc-323cda49
None equal	The left-hand side must be a set of paths leading to string or numeric values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none equal vpc-323cda49
All equal	The left-hand side must be a set of paths leading to string or numeric values.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all equal vpc-323cda49
IN (	The left-hand side must be a string.	event from cloud.audit_logs where crud IN ( 'create' , 'update' ) AND has.anomaly
NOT IN (	The left-hand side must be a string.	config from cloud.resource where finding.severity NOT IN ( 'low', 'informational', 'medium' ) AND cloud.account IN ( 'account_name' )
Size equals	The left-hand side must be an array. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size equals 0
Size does not equal	The left-hand side must be an array. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size does not equal 0
Size greater than	The left-hand side must be an array. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size greater than 1
Size less than	The left-hand side must be an array. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size less than 1
Length equals	The left-hand side is a path with a string value. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length equals 3
Length does not equal	The left-hand side is a path with a string value. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length does not equal 3
Length greater than	The left-hand side is a path with a string value. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length greater than 3
Length less than	The left-hand side is a path with a string value. The right-hand side must be an integer.	config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' and json.rule = snapshot.storageType length less than 4
Number of words equals	The left-hand side is a path with a string value.	config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words equals 3
Number of words does not equal	The left-hand side is a path with a string value.	config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words does not equal 3
Number of words greater than	The left-hand side is a path with a string value.	config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words greater than 2
Number of words less than	The left-hand side is a path with a string value.	config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words less than 3
Any True	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any true "
None True	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none true"
All True	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all true
Any False	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any false"
None False	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none false"
All False	The left-hand side is a set of paths with Boolean values.	config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all false"
Is True	The left-hand side is a Path with Boolean value.	config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is true
Is False	The left-hand side is a Path with Boolean value.	config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is false
Is Not Member of	The left-hand side is a Path with string value, and the right-hand side is a set of values in parentheses and separated with commas	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].toPort exists and ipPermissions[].fromPort is not member of (22)
Is Member of	The left-hand side is a Path with string value, and the right-hand side is a set of values in parentheses and separated with commas	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].toPort exists and ipPermissions[].toPort is member of (3389,22,5432) config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].ipProtocol exists and ipPermissions[].ipProtocol is member of (tcp)
Matches Does not Match	For Event queries, use the boolean operators Matches and Does not Match to match or not match field values against simple patterns and not full REGEX. Patterns can have substrings and * for wild character search.	In the following example, the operation MATCHES 'clogin' enables you to list activities that match clogin , cloudlogin , or consolelogin . event from cloud.audit_logs where cloud.type = 'aws' AND cloud.account = 'RedLock Sandbox' AND operation MATCHES 'clogin'

Joins

Joins allow you to get data from two different APIs where you have combined different conditions. You can use Joins only across

config from cloud.resource where

queries, and can include up to three configuration API resources with alias X, Y and Z, and you can optionally include a JSON.rule to match within the API resource alias. When you use the json.rule

Joins across event, network, and config are not supported.

Use resource specific conditions inside json.rule of the alias and use the filter option only for comparison using operators ==, !=, contains, does not contains, not (negation).

Join basic syntax:

config from cloud.resource where api.name = 'a' and json.rule = 'r' as X; config from cloud.resource where api.name ='b' and json.rule ='r2' as Y; show (X;|Y;)

config from cloud.resource where api.name=".." as X; config from cloud.resource where api.name="..." as Y; filter "$.X... <operator> $.Y"; show (X;|Y;)

To find EC2 instances that have public IP addresses assigned at launch use this query:

Steps:

List EC2 instances that have a public IP address as X:

config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress exists and publicIpAddress is not empty as X;

List instances that have security groups which allow unrestricted access from any source as Y:

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' and json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0 as Y;

Set the filter:

filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;

Complete the query to list all EC2 instances that have a public IP address and are accessible without any source IP restrictions:

config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-subnets' as Y; filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;

Examples of Joins:

DESCRIPTION	RQL EXAMPLE
VPCs that are connected to internet gateways.	config from cloud.resource where api.name = 'aws-ec2-describe-internet-gateways' as X; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[].vpcId == $.Y.vpcId and $.Y.tags[].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
CloudTrail logs that are integrated with CloudWatch for all regions.	config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name = 'aws-cloudtrail-get-trail-status' as Y; filter '$.X.cloudWatchLogsLogGroupArn != null and ($.Y.status.latestCloudWatchLogsDeliveryTime != null and _DateTime.ageInDays($.Y.status.latestCloudWatchLogsDeliveryTime) > 1) and ($.X.rrn == $.Y.rrn)'; show X;
Show all AWS Lambda functions that are accessible with the RedlockReadOnly IAM role.	config from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = handler contains "lambda" as X;config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = role.roleName contains "RedlockReadOnlyRole" as Y;filter '($.X.role.rolename equals $.Y.role.rolename)' ; show X;
Find all EC2 instances that have a specified name, snapshot ID and image ID.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "Name" as X; config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.snapshotId contains "snap-004b0221589e516d7" as Y; config from cloud.resource where api.name = 'aws-ec2-describe-images' AND json.rule = image.imageId contains "ami-03698559b1d406e89" as Z; show X
Find Azure SQL databases where audit log retention period is less that 90 days.	config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;

Functions

A function performs a calculation on specific data that matches the clause contained in the function and displays results. Functions support auto-complete when you enter the prefix

in a json.rule or addcolumn attribute.

Prisma Cloud supports following functions:

_DateTime Examples

_AWSCloudAccount.isRedLockMonitored Examples

_IPAddress.inRange Examples

_Port.inRange Examples

_IPAddress.inCIDRRange Examples

_Set Examples

_DateTime Examples

Query time ranges are not part of RQL grammar, and the query time window is passed as a separate argument to the query APIs. The selection of the attributes or columns for a category are not part of the RQL grammar. The function accepts timestamps in the following formats only:

Zulu: "2011-08-13T20:17:46.384Z"

GSON/AWS: "Nov 7, 2016 9:34:21 AM"

ISO: "2011-12-04T10:15:30+01:00"

The query time ranges that are available are

_DateTime.ageInDays

_DateTime.ageInMonths

_DateTime.ageInYears

, and

_DateTime.daysBetween

. The

_DateTime.daysBetween

function looks for any information that falls in between two dates and takes two dates as arguments.

For example, the

_DateTime.ageInDays

returns the number of days until a date as a negative number.

When using the _DateTime function all json parameters are available as auto-complete options, you must select only parameters that have timestamps. Also, the syntax for a function does not support spaces. Remove empty spaces before or after parenthesis, and between comma-separated parameters.

DESCRIPTION	RQL EXAMPLE
List EC2 instances with age greater than 2 days.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays(launchTime) > 2'
List resource names where access keys are not rotated for 90 days.	config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated)>90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated)>90)'
Use the function today() to return the current day’s date.	config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule ="_DateTime.daysBetween($.latestDeliveryTime,today()) ! = 2"

DESCRIPTION

RQL EXAMPLE

List EC2 instances with age greater than 2 days.

config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays(launchTime) > 2'

List resource names where access keys are not rotated for 90 days.

config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated)>90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated)>90)'

Use the function today() to return the current day’s date.

config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule ="_DateTime.daysBetween($.latestDeliveryTime,today()) ! = 2"

_AWSCloudAccount.isRedLockMonitored Examples

When using this function to identify AWS accounts that are or are not monitored on Prisma Cloud, you can provide the AWS account ID in any of the following formats:

Standard AWS 12-digit account number.

For example: 123456789012

Canonical user ID. You can use this ID to identify an AWS account when granting cross-account access to buckets and objects using Amazon S3.

For example, an alpha-numeric identifier: 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be

3. AWS account ID in ARN format.

For example, arn:aws:iam::123456789012:role/test-1240-47

DESCRIPTION	RQL EXAMPLE
List any snapshots that are shared publicly and are not monitored by Prisma Cloud.	config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[] size != 0 and _AWSCloudAccount.isRedLockMonitored(createVolumePermissions[].userId) is false'

DESCRIPTION

RQL EXAMPLE

List any snapshots that are shared publicly and are not monitored by Prisma Cloud.

config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*] size != 0 and _AWSCloudAccount.isRedLockMonitored(createVolumePermissions[*].userId) is false'

_IPAddress.inRange Examples

To check if a particular IP address is part of an IP address range, use

_IPAddress.inRange

and in the argument specify the octets, along with the

. For example ("172.%d.",16,31) or (”172.10.%d.”,10,255).

DESCRIPTION	RQL EXAMPLE
List AWS Route53 Public Zones that have Private Records.	In this example, the IPAddress.inRange("172.%d.",16,31) allows you to search for IP addresses that are in the range "172.16.x.x" to "172.31.x.x": config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-route53-list-hosted-zones' AND json.rule = resourceRecordSet[].resourceRecords[].value any start with _IPAddress.inRange("172.%d.",16,31)

_Port.inRange Examples

To check if a particular port number is part of a specific range, use class

Port

and method

inRange

. This method takes three arguments

, and you can optionally include an

By default, the <offset> is 1.

DESCRIPTION	RQL EXAMPLE
Use the inRange function with the contains and does not contain operators to check for conditions on a port range. Specify <fromInteger> and <toInteger> to find all ports within the specified range.	Example using contains to check for ports numbers between 22 and 33 with an offset of 1: config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].toPort exists and ipPermissions[].toPort contains _Port.inRange(22,33,1) The example above checks for all ports between 22 and 33.
	Example using Does not Contain : config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[].sourcePortRanges[] does not contain _Port.inRange(350,5400,5) The example above checks for ports 350, 355, 360, .....5390, 5395, 5600.
	Example using no offset, to find all ports within the specified range: config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].toPort exists and ipPermissions[].toPort contains _Port.inRange(400,500)

_IPAddress.inCIDRRange Examples

To check if a specific IPv4 or IPv6 address or subnet is a part of a specific CIDR block or supernetwork, use the

_IPAddress.inCIDRRange

function. This function takes two arguments, the first is the CIDR address or array of CIDR addresses extracted from the JSON payload where you must specify whether it is an

ipv4Ranges

or an

ipv6Ranges

and the second is the CIDR block (either IPv4 or IPv6)

cidrIp

cidripv6

followed by the IP address that you want to match on.The result returns the resources that contain the IP addresses in the JSON payload that fall within the CIDR range you entered, in the case when it is true, and the resources that do not match when it is false.

DESCRIPTION	RQL EXAMPLE
Define multiple CIDR blocks that you want to match on.	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,10.0.0.0/8) is false and _IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,172.31.0.0/12) is false and _IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,192.168.0.0/16) is true'
Find an IPv6 address within a CIDR block.	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv6Ranges[].cidrIpv6,2600:1f18:226b:62fa:ffff:ffff:ffff:ffff/24) is true'
Specify multiple match conditions to find all CIDRs within the JSON metadata.	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = 'ipPermissions[].ipv4Ranges[].cidrIp does not contain "0.0.0.0/0" and ipPermissions[].ipv4Ranges[].cidrIp size does not equal 0 and _IPAddress.inCIDRRange(ipPermissions[].ipv4Ranges[].cidrIp,192.168.0.0/16) is true'

DESCRIPTION

RQL EXAMPLE

Define multiple CIDR blocks that you want to match on.

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'

Find an IPv6 address within a CIDR block.

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:62fa:ffff:ffff:ffff:ffff/24) is true'

Specify multiple match conditions to find all CIDRs within the JSON metadata.

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = 'ipPermissions[*].ipv4Ranges[*].cidrIp does not contain "0.0.0.0/0" and ipPermissions[*].ipv4Ranges[*].cidrIp size does not equal 0 and _IPAddress.inCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'

_IPAddress.areAllInCIDRRange() Examples

The

_IPAddress.areAllInCIDRRange(Resource, CIDR)

function checks to see if all of the IP addresses assigned to a resource are within a specified CIDR block. The result of executing the function will be a boolean. For example, if you had the question “Do my databases have all IP addresses in the 10.0.0.0./24 IP range,” the answer will be yes or no. The function accepts two arguments which are

Resource

and

CIDR

Resource

describes meta data within the configuration file that contains the IP address(es), and

CIDR

represents the value of the CIDR block that you define.

Description	Example
Find all resources that contain CIDR addresses within the 10.0.0.0/8 range.	config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].ipv4Ranges[] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,10.0.0.0/8) is true
Find all IP addresses that fall within the a specified range.	config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[].ipv6Ranges[] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[].ipv6Ranges[].cidrIp,fc00::/7) is true
Find all the IPv6 addresses within the CIDR block.	config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = _IPAddress.areAllInCIDRRange(ipPermissions[].ipv6Ranges[].cidrIpv6,2600:1f18:226b:6200::/1) is true

Description

Example

Find all resources that contain CIDR addresses within the 10.0.0.0/8 range.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv4Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true

Find all IP addresses that fall within the a specified range.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv6Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIp,fc00::/7) is true

Find all the IPv6 addresses within the CIDR block.

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = _IPAddress.areAllInCIDRRange(ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:6200::/1) is true

_Set Examples

The

_Set

function enables you to compare the values between lists on the Left Hand Side and Right Hand Side using the properties of union or intersection, and identify whether a specific value or comma separated list of values are included within that result set. The methods supported are

_Set.intersection

and

_Set.union

, and you can use the boolean operators

intersects

and

contains

to verify whether the values you want to look for are included in the result or if the result set contains the specified value(s).

If the result dataset is huge, use

limit search records to

at the end of the query.

Description	Example
Compare a list on the RHS [as X] with another dynamic list of items in LHS [as Y] and take the intersection ones into a subset list and then compare this against a static, comma separated list you provide.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;
	config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 100
Combine two lists to include all elements of X and Y and find a match against a comma separated list you provide.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show Y; limit search records to 10
Check if a result set contains a specific value.	config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpId,$.Y.vpcId) contains vpc-b8ba2dd0'; show X;
Detects Internet exposed instances with public IP and firewall rule with 0.0.0.0/0 and destination is specified target tags:	GCP:config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[].network contains $.Y.network and $.X.networkInterfaces[].accessConfigs[].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[] contains 0.0.0.0/0 and $.X.tags.items[] intersects $.Y.targetTags[] and $.Y.disabled contains false'; show X;

Document:Prisma™ Cloud Resource Query Language (RQL) Reference

RQL Operators

RQL Operators

Operators Within JSON Arrays

Config and Event Operators

Joins

Functions

_DateTime Examples

_AWSCloudAccount.isRedLockMonitored Examples

_IPAddress.inRange Examples

_Port.inRange Examples

_IPAddress.inCIDRRange Examples

_IPAddress.areAllInCIDRRange() Examples

_Set Examples

Recommended For You

Document:Prisma™ Cloud Resource Query Language (RQL) Reference

RQL Operators

RQL Operators

Operators Within JSON Arrays

Config and Event Operators

Joins

Functions

_DateTime Examples

_AWSCloudAccount.isRedLockMonitored Examples

_IPAddress.inRange Examples

_Port.inRange Examples

_IPAddress.inCIDRRange Examples

_IPAddress.areAllInCIDRRange() Examples

_Set Examples

Recommended For You

Recommended Videos