RQL Operators
A list of the operators supported by the resource query language (RQL) that let you filter results.
An operator in RQL is one or more symbols or words that compare the value of the field on its left with one or more values on its right, so that only matching results are retrieved and displayed. You can use an RQL operator to find a specific term that appears as a value within an object or an array in a JSON structure.
You can use the following operators and conditions to compare or validate results:
Operators Within JSON Arrays

OPERATOR | DESCRIPTION | RQL EXAMPLE
--- | --- | ---
?any | Expression used to filter arrays. The conditions you specify return results when at least one of the array elements satisfies them. |
?none | Expression used to filter arrays. The conditions you specify return results when none of the array elements satisfy them. |
?all | Expression used to filter arrays. The conditions you specify return results when all of the array elements satisfy them. |
@ and ? | Expressions used to filter arrays. |
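The quantifier semantics in the table above, modelled in Python as an added example (not Prisma Cloud's code): `quantify` applies ?any, ?none or ?all to an array, and `bucket_acl_rule` evaluates the bucket-ACL nested rule from the Joins section below, whose condition references the external path $.acl.owner.id, against constructed sample ACLs. The function names, the sample data, and the reading of `contains` as substring containment are assumptions.

```python
"""Evaluator for the RQL array quantifiers ?any, ?none and ?all.

Added example, not Prisma Cloud code: it models the semantics in the table
above and applies them to the bucket-ACL rule from the Joins section,
  acl.grants[?any(grantee.displayName exists and
                  grantee.displayName does not contain awslogsdelivery and
                  grantee.identifier does not contain $.acl.owner.id)] exists
whose nested condition reaches outside the quantifier via $.acl.owner.id.
Assumption: `contains` on two strings is substring containment.
"""
from typing import Any, Callable, Iterable


def quantify(kind: str, elements: Iterable[Any], pred: Callable[[Any], bool]) -> bool:
    """Apply an RQL quantifier to the elements of an array.

    ?any  -> True if at least one element satisfies pred
    ?none -> True if no element satisfies pred
    ?all  -> True if every element satisfies pred (vacuously True when empty)
    """
    results = [bool(pred(e)) for e in elements]
    if kind == "?any":
        return any(results)
    if kind == "?none":
        return not any(results)
    if kind == "?all":
        return all(results)
    raise ValueError(f"unknown quantifier {kind!r}")


def suspicious_grant(grant: dict, root: dict) -> bool:
    """The nested condition, evaluated on one element of acl.grants.

    `root` is the whole resource, which is how the external path
    $.acl.owner.id stays resolvable inside the quantifier.
    """
    grantee = grant.get("grantee", {})
    name = grantee.get("displayName")
    if name is None:                      # grantee.displayName exists -> false
        return False
    if "awslogsdelivery" in name:         # does not contain awslogsdelivery
        return False
    owner_id = root["acl"]["owner"]["id"]
    return owner_id not in grantee.get("identifier", "")


def bucket_acl_rule(resource: dict) -> bool:
    """acl.grants[?any(<suspicious_grant>)] exists"""
    grants = resource.get("acl", {}).get("grants", [])
    return quantify("?any", grants, lambda g: suspicious_grant(g, resource))


# Constructed sample resources (no real account identifiers).
OWNER = "owner-canonical-id-0000"
CLEAN_BUCKET = {"acl": {"owner": {"id": OWNER}, "grants": [
    {"grantee": {"displayName": "me", "identifier": OWNER}, "permission": "FULL_CONTROL"},
    {"grantee": {"displayName": "awslogsdelivery", "identifier": "logs-id"}, "permission": "WRITE"},
]}}
SHARED_BUCKET = {"acl": {"owner": {"id": OWNER}, "grants": [
    {"grantee": {"displayName": "me", "identifier": OWNER}, "permission": "FULL_CONTROL"},
    {"grantee": {"displayName": "other-account", "identifier": "third-party-id"}, "permission": "READ"},
]}}

if __name__ == "__main__":
    for label, bucket in (("clean", CLEAN_BUCKET), ("shared", SHARED_BUCKET)):
        print(label, "matches rule:", bucket_acl_rule(bucket))
```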
Config and Event Operators

OPERATOR | DESCRIPTION | RQL EXAMPLE
--- | --- | ---
greater than | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. |
less than | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. |
equals | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. |
does not equal | Compares a path on the left-hand side against either a numeric value or another path on the right-hand side. |
equal ignore case | Compares a path on the left-hand side against either a string value or another path on the right-hand side. It works exactly like equals, except that the string match is case-insensitive. |
does not equal ignore case | Compares a path on the left-hand side against either a string value or another path on the right-hand side. |
starts with | The left-hand side must be a path with a string value. |
does not start with | The left-hand side must be a path with a string value. |
ends with | The left-hand side must be a path with a string value. |
does not end with | The left-hand side must be a path with a string value. |
contains | The left-hand side may be a single path or a set of paths with numeric or string values. |
does not contain | The left-hand side may be a single path or a set of paths with numeric or string values. |
is empty | The left-hand side must be a path leading to a string value. |
is not empty | The left-hand side must be a path leading to a string value. |
exists | The left-hand side must be a path. |
does not exist | The left-hand side must be a path. |
any start with | The left-hand side must be a set of paths leading to string values. |
none start with | The left-hand side must be a set of paths leading to string values. |
all start with | The left-hand side must be a set of paths leading to string values. |
any end with | The left-hand side must be a set of paths leading to string values. |
none end with | The left-hand side must be a set of paths leading to string values. |
all end with | The left-hand side must be a set of paths leading to string values. |
any equal | The left-hand side must be a set of paths leading to string or numeric values. |
none equal | The left-hand side must be a set of paths leading to string or numeric values. |
all equal | The left-hand side must be a set of paths leading to string or numeric values. |
any empty | The left-hand side must be a set of paths leading to string values. |
none empty | The left-hand side must be a set of paths leading to string values. |
all empty | The left-hand side must be a set of paths leading to string values. |
IN ( | The left-hand side must be a string. |
NOT IN ( | The left-hand side must be a string. |
size equals | The left-hand side must be an array. The right-hand side must be an integer. |
size does not equal | The left-hand side must be an array. The right-hand side must be an integer. |
size greater than | The left-hand side must be an array. The right-hand side must be an integer. |
size less than | The left-hand side must be an array. The right-hand side must be an integer. |
length equals | The left-hand side is a path with a string value. The right-hand side must be an integer. |
length does not equal | The left-hand side is a path with a string value. The right-hand side must be an integer. |
length greater than | The left-hand side is a path with a string value. The right-hand side must be an integer. |
length less than | The left-hand side is a path with a string value. The right-hand side must be an integer. |
number of words equals | The left-hand side is a path with a string value. |
number of words does not equal | The left-hand side is a path with a string value. |
number of words greater than | The left-hand side is a path with a string value. |
number of words less than | The left-hand side is a path with a string value. |
any true | The left-hand side is a set of paths with Boolean values. |
none true | The left-hand side is a set of paths with Boolean values. |
all true | The left-hand side is a set of paths with Boolean values. |
any false | The left-hand side is a set of paths with Boolean values. |
none false | The left-hand side is a set of paths with Boolean values. |
all false | The left-hand side is a set of paths with Boolean values. |
is true | The left-hand side is a path with a Boolean value. |
is false | The left-hand side is a path with a Boolean value. |
is not member of | The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas. |
is member of | The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas. |
matches / does not match | For Event queries, use the Boolean operators matches and does not match to include or exclude field values that match simple patterns (not full regular expressions). Patterns can contain substrings and * as a wildcard. Use matches or does not match instead of the contains/does not contain or exists/does not exist operators. | In the following example, the value 'c*login' lists activities that match clogin, cloudlogin, or consolelogin.
intersects / does not intersect | Checks whether two lists have any element in common. Both the left-hand and right-hand sides can be a path with a string or array value, a string or IP address/CIDR block, a set of comma-separated values in parentheses, or a function such as _Port.inRange(). | The following example shows the _IPAddress.inRange function used with the does not intersect operator:
like | Checks whether the wildcard character (*) is used to grant access permissions at the account level on your cloud service provider; for example, you can check for wildcard permissions that allow deleting all EC2 instances in every account. The left-hand side is a path with a string value, and the right-hand side is the name of a cloud account. |
Joins
Joins allow you to combine data from two different APIs under different conditions. You can use Joins only across config from cloud.resource where queries. A join can include up to three configuration API resources with the aliases X, Y and Z, and each alias can optionally include a json.rule to match within that API resource. When you use json.rule, joins across event, network, and config are not supported.

Nested rules using the ?any quantifier limit the conditions you write to the elements of an array. For RQL policies that use nested rules, you can add a condition inside the nested rule that references an external JSON path. This is useful when a Join is expressed between two different paths in a JSON specimen, which requires the nested rule to check values outside the scope of the quantifier. Use resource-specific conditions inside the json.rule of each alias, and use the filter option only for comparisons with the operators ==, !=, contains, does not contain, and not (negation).
Join basic syntax:
config from cloud.resource where api.name = 'a' and json.rule = 'r' as X; config from cloud.resource where api.name ='b' and json.rule ='r2' as Y; show (X;|Y;)
config from cloud.resource where api.name=".." as X; config from cloud.resource where api.name="..." as Y; filter "$.X... <operator> $.Y"; show (X;|Y;)
To find EC2 instances that have public IP addresses assigned at launch, use this query:

Steps:
- List EC2 instances that have a public IP address as X:
  config from cloud.resource where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress exists and publicIpAddress is not empty as X;
- List instances that have security groups which allow unrestricted access from any source as Y:
  config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' and json.rule = ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0 as Y;
- Set the filter:
  filter '($.X.securityGroups[*].groupName==$.Y.groupName)'; show X;
- Complete the query to list all EC2 instances that have a public IP address and are accessible without any source IP restrictions:
  config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-subnets' as Y; filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;

Examples of Joins:

DESCRIPTION | RQL EXAMPLE
--- | ---
VPCs that are connected to internet gateways. | config from cloud.resource where api.name = 'aws-ec2-describe-internet-gateways' as X; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
CloudTrail logs that are integrated with CloudWatch for all regions. | config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name = 'aws-cloudtrail-get-trail-status' as Y; filter '$.X.cloudWatchLogsLogGroupArn != null and ($.Y.status.latestCloudWatchLogsDeliveryTime != null and _DateTime.ageInDays($.Y.status.latestCloudWatchLogsDeliveryTime) > 1) and ($.X.rrn == $.Y.rrn)'; show X;
Show all AWS Lambda functions that are accessible with the RedlockReadOnly IAM role. | config from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = handler contains "lambda" as X; config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = role.roleName contains "RedlockReadOnlyRole" as Y; filter '($.X.role.rolename equals $.Y.role.rolename)'; show X;
Find all EC2 instances that have a specified name, snapshot ID and image ID. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "Name" as X; config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.snapshotId contains "snap-004b0221589e516d7" as Y; config from cloud.resource where api.name = 'aws-ec2-describe-images' AND json.rule = image.imageId contains "ami-03698559b1d406e89" as Z; show X
Find Azure SQL databases where the audit log retention period is less than 90 days. | config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;
Find buckets where the ACL owner ID and grantee ID do not match and the display name does not contain awslogsdelivery. | config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any( grantee.displayName exists and grantee.displayName does not contain awslogsdelivery and grantee.identifier does not contain $.acl.owner.id)] exists

Functions

A function performs a calculation on specific data that matches the clause contained in the function and displays the results.
Functions support auto-complete when you enter the prefix _ in a json.rule or addcolumn attribute. Prisma Cloud supports the following functions:

_DateTime Examples

Query time ranges are not part of the RQL grammar; the query time window is passed as a separate argument to the query APIs. The selection of the attributes or columns for a category is also not part of the RQL grammar. The function accepts timestamps in the following formats only:
- Zulu: "2011-08-13T20:17:46.384Z"
- GSON/AWS: "Nov 7, 2016 9:34:21 AM"
- ISO: "2011-12-04T10:15:30+01:00"

The available query time range functions are _DateTime.ageInDays, _DateTime.ageInMonths, _DateTime.ageInYears, and _DateTime.daysBetween. The _DateTime.daysBetween function takes two dates as arguments and looks for any information that falls between them. For example, _DateTime.ageInDays returns the number of days until a date as a negative number. When using the _DateTime function, all JSON parameters are offered as auto-complete options, but you must select only parameters that hold timestamps. Also, the syntax for a function does not support spaces: remove spaces before or after parentheses and between comma-separated parameters.

DESCRIPTION | RQL EXAMPLE
--- | ---
List EC2 instances with age greater than 2 days. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays(launchTime) > 2'
List resource names where access keys are not rotated for 90 days. | config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated) > 90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated) > 90)'
Use the function today() to return the current day's date. | config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule ="_DateTime.daysBetween($.latestDeliveryTime,today()) != 2"

_AWSCloudAccount.isRedLockMonitored Examples

When using this function to identify AWS accounts that are or are not monitored on Prisma Cloud, you can provide the AWS account ID in any of the following formats:
- Standard AWS 12-digit account number. For example: 123456789012
- Canonical user ID. You can use this ID to identify an AWS account when granting cross-account access to buckets and objects using Amazon S3. For example, an alphanumeric identifier: 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
- AWS account ID in ARN format. For example: arn:aws:iam::123456789012:role/test-1240-47
DESCRIPTION | RQL EXAMPLE
--- | ---
List any snapshots that are shared publicly and are not monitored by Prisma Cloud. | config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*] size != 0 and _AWSCloudAccount.isRedLockMonitored(createVolumePermissions[*].userId) is false'

_IPAddress.inRange Examples

To check whether a particular IP address is part of an IP address range, use _IPAddress.inRange and specify the octets in the argument along with <fromInteger> and <toInteger>. For example, ("172.%d.",16,31) or ("172.10.%d.",10,255).

DESCRIPTION | RQL EXAMPLE
--- | ---
List AWS Route53 Public Zones that have Private Records. In this example, _IPAddress.inRange("172.%d.",16,31) searches for IP addresses in the range "172.16.x.x" to "172.31.x.x". | config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-route53-list-hosted-zones' AND json.rule = resourceRecordSet[*].resourceRecords[*].value any start with _IPAddress.inRange("172.%d.",16,31)

_Port.inRange Examples

To check whether a particular port number is part of a specific range, use the class _Port and the method inRange. This method takes three arguments, <fromInteger>, <toInteger>, and an optional <offset>. By default, the <offset> is 1.

DESCRIPTION | RQL EXAMPLE
--- | ---
Use the inRange function with the contains and does not contain operators to check for conditions on a port range. Specify <fromInteger> and <toInteger> to find all ports within the specified range. This example uses contains to check for port numbers between 22 and 33 with an offset of 1; it checks for all ports between 22 and 33. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(22,33,1)
Example using does not contain; it checks for ports 350, 355, 360, ..., 5390, 5395, 5600. | config from cloud.resource where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[*].sourcePortRanges[*] does not contain _Port.inRange(350,5400,5)
Example using no offset, to find all ports within the specified range. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(400,500)

_IPAddress.inCIDRRange Examples

To check whether a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork, use the _IPAddress.inCIDRRange function. This function takes two arguments: the first is the CIDR address or array of CIDR addresses extracted from the JSON payload, where you must specify whether it is an ipv4Ranges or an ipv6Ranges path (cidrIp or cidrIpv6); the second is the CIDR block (IPv4 or IPv6) that you want to match on. When the condition is true, the result returns the resources whose IP addresses in the JSON payload fall within the CIDR range you entered; when it is false, it returns the resources that do not match.

DESCRIPTION | RQL EXAMPLE
--- | ---
Define multiple CIDR blocks that you want to match on. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'
Find an IPv6 address within a CIDR block. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:62fa:ffff:ffff:ffff:ffff/24) is true'
Specify multiple match conditions to find all CIDRs within the JSON metadata. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = 'ipPermissions[*].ipv4Ranges[*].cidrIp does not contain "0.0.0.0/0" and ipPermissions[*].ipv4Ranges[*].cidrIp size does not equal 0 and _IPAddress.inCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'

_IPAddress.areAllInCIDRRange() Examples

The _IPAddress.areAllInCIDRRange(Resource, CIDR) function checks whether all of the IP addresses assigned to a resource are within a specified CIDR block. The result of executing the function is a Boolean. For example, if you ask "Do my databases have all IP addresses in the 10.0.0.0./24 IP range?", the answer is yes or no. The function accepts two arguments, Resource and CIDR: Resource describes the metadata within the configuration file that contains the IP address(es), and CIDR is the value of the CIDR block that you define.

DESCRIPTION | RQL EXAMPLE
--- | ---
Find all resources that contain CIDR addresses within the 10.0.0.0/8 range. | config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv4Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true
Find all IP addresses that fall within a specified range. | config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipv6Ranges[*] size greater than 0 and _IPAddress.areAllInCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIp,fc00::/7) is true
Find all the IPv6 addresses within the CIDR block. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = _IPAddress.areAllInCIDRRange(ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:6200::/1) is true

_IPAddress.areAnyOutsideCIDRRange() Examples

The _IPAddress.areAnyOutsideCIDRRange() function enables you to write config RQL queries that check whether any IP/CIDR addresses are outside of a given list of permitted CIDR blocks. You can use this function to check whether any resources are exposed to IP addresses outside of the RFC 1918 private CIDR blocks. The first argument is a JSON expression that evaluates to one or more IP/CIDR addresses. The second and subsequent arguments list the IP/CIDR addresses and/or ranges to test against. You can use IPv4 and IPv6 address formats; however, both function arguments must be either IPv4 or IPv6.

DESCRIPTION | RQL EXAMPLE
--- | ---
Check a valid IP against an invalid range to indicate that the IP is outside of the range. If the address is not a valid IP or CIDR, it is not considered to be a match. | _IPAddress.areAnyOutsideCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.0.0.0/24,172.31.0.0/16)

_Set Examples

The _Set function enables you to compare the values between lists on the left-hand side and the right-hand side using union or intersection, and to identify whether a specific value or comma-separated list of values is included in the result set. The supported methods are _Set.intersection, _Set.union, and _Set.isSubset. For _Set.intersection and _Set.union, you can use the Boolean operators intersects and contains to verify whether the values you are looking for are included in the result, or whether the result set contains the specified value(s). _Set.isSubset enables you to identify whether a specific value or comma-separated list of values returned by the JSON path of the resource is fully contained within the target list. The syntax is:

_Set.isSubset(<path>, <target_list>) is [ true | false ]

where <path> is a JSON path and <target_list> is a set of strings without any whitespace. For example, neither use of whitespace is valid: _Set.isSubset(<path>, (a, "b1 b2",c)), where there are spaces within the second string, nor _Set.isSubset(<path>, (a, b, c)), with spaces between the strings in the list. If the result dataset is huge, use limit search records to at the end of the query.

DESCRIPTION | RQL EXAMPLE
--- | ---
Compare a list on the RHS [as X] with another dynamic list of items on the LHS [as Y], take the intersection into a subset list, and then compare this against a static, comma-separated list you provide. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;
The negated form of the previous query, with the result set limited. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 100
Combine two lists to include all elements of X and Y and find a match against a comma-separated list you provide. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show Y; limit search records to 10
Check if a result set contains a specific value. | config from cloud.resource where api.name = 'aws-ec2-describe-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as Y; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) contains vpc-b8ba2dd0'; show X;
Detect Internet-exposed instances that have a public IP and a firewall rule with 0.0.0.0/0 whose destination is the specified target tags. | config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
Check that the SQS policy statement does not include the specified list of IP addresses. | config from cloud.resource where cloud.region = 'AWS Ohio' and api.name='aws-sqs-get-queue-attributes' and json.rule = QueueArn contains rql and _Set.isSubset(attributes.Policy.Statement[*].Condition.NotIpAddress.aws:SourceIp[*],(58.307.78.64/28,43.89.2.128/27,3.218.144.244,34.205.176.82,34.228.96.118,14.228.97.64/27)) is false
Check that, for the specified groupName, the IP address ranges in the path ipPermissions[].ipRanges[] are fully contained in the target list of strings. | config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = groupName contains rql and _Set.isSubset(ipPermissions[*].ipRanges[*],(199.167.52.5/32,34.98.203.241/32,192.168.0.0/16,10.0.0.0/24,172.31.0.0/16)) is true
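The port, IP-range, CIDR and set functions described in the Functions section, modelled in Python as an added example (not Prisma Cloud's implementation) and run against a constructed security group. The function names and sample data are mine; so are two assumptions stated in the code: inCIDRRange is true when any value on the path lies inside the block, and a value whose IP version differs from the block never matches.

```python
"""Reference semantics for the RQL IP/port functions and _Set.isSubset.

Added example, not Prisma Cloud's implementation: each function models the
behaviour described in the Functions section so a match can be checked
offline against a constructed security group. Assumptions: inCIDRRange is
true when any value on the path lies inside the block, and a value whose IP
version differs from the block (IPv4 vs IPv6) never matches.
"""
import ipaddress
from typing import Iterable, List

def port_in_range(from_port: int, to_port: int, offset: int = 1) -> List[int]:
    """_Port.inRange(from, to, offset): from_port up to to_port, stepping by offset."""
    return list(range(from_port, to_port + 1, offset))

def ip_in_range_prefixes(fmt: str, lo: int, hi: int) -> List[str]:
    """_IPAddress.inRange("172.%d.", 16, 31): the prefixes "172.16." .. "172.31."
    that an `any start with` comparison is matched against."""
    return [fmt % i for i in range(lo, hi + 1)]

def _network(value: str):
    """Parse an address or CIDR; None if it is not a valid IP or CIDR."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def _within(value: str, block) -> bool:
    """True when value is a valid address/CIDR of the same IP version inside block."""
    net = _network(value)
    return net is not None and net.version == block.version and net.subnet_of(block)

def in_cidr_range(values: Iterable[str], cidr: str) -> bool:
    """_IPAddress.inCIDRRange(values, cidr): some value lies inside cidr."""
    block = ipaddress.ip_network(cidr, strict=False)
    return any(_within(v, block) for v in values)

def all_in_cidr_range(values: Iterable[str], cidr: str) -> bool:
    """_IPAddress.areAllInCIDRRange(values, cidr): every value lies inside cidr."""
    block = ipaddress.ip_network(cidr, strict=False)
    vals = list(values)
    return bool(vals) and all(_within(v, block) for v in vals)

def any_outside_cidr_range(values: Iterable[str], *permitted: str) -> bool:
    """_IPAddress.areAnyOutsideCIDRRange(values, cidr1, cidr2, ...): some value
    is not contained in any permitted block. Invalid IPs/CIDRs never match."""
    blocks = [ipaddress.ip_network(c, strict=False) for c in permitted]
    for v in values:
        if _network(v) is not None and not any(_within(v, b) for b in blocks):
            return True
    return False

def is_subset(path_values: Iterable[str], target: Iterable[str]) -> bool:
    """_Set.isSubset(path, target): every string from the path is in target."""
    return set(path_values) <= set(target)

# Constructed sample security group (not real account data).
SECURITY_GROUP = {
    "groupName": "web",
    "ipPermissions": [
        {"fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/24"}]},
        {"fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"fromPort": 8080, "toPort": 8080, "ipv4Ranges": [{"cidrIp": "not-an-ip"}]},
    ],
}
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def ingress_cidrs(sg: dict) -> List[str]:
    """ipPermissions[*].ipv4Ranges[*].cidrIp flattened to a list of strings."""
    return [r["cidrIp"] for p in sg["ipPermissions"] for r in p.get("ipv4Ranges", [])]

def exposed_outside_private(sg: dict) -> bool:
    """The page's use case: is any ingress CIDR outside the RFC 1918 blocks?"""
    return any_outside_cidr_range(ingress_cidrs(sg), *RFC1918)

def ports_matching(sg: dict, from_port: int, to_port: int, offset: int = 1) -> List[int]:
    """ipPermissions[*].toPort contains _Port.inRange(from, to, offset)."""
    wanted = set(port_in_range(from_port, to_port, offset))
    return sorted(p["toPort"] for p in sg["ipPermissions"] if p["toPort"] in wanted)
```

Because `_Port.inRange(350,5400,5)` expands to 350, 355, ..., 5400, a rule written with `contains` only fires on ports that land exactly on that step; `ports_matching` makes that visible.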