RQL Operators

An operator in RQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right, so that only the results that satisfy the comparison are retrieved and displayed to you. You can use an RQL operator to find a specific term that appears as a value inside an object or an array in a JSON document.
The following are the operators and conditions that you can use to compare or validate results:

Operators Within JSON Arrays

OPERATOR
DESCRIPTION
RQL EXAMPLE
@ and ?
@ and ? are expressions used to filter arrays.
  • ? opens the array.
  • @ represents the current item being processed. It is used to home in on a particular block of the JSON object so that you match only that block and no others.
config where api.name='aws-ec2-describe-security-groups' AND json.rule='ipPermissions[?(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0'
&& and ||
Combine conditions within json.rule using && and ||.
config where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow' || @.Action=='s3:ListBucket' && @.Effect=='Allow')].Principal contains *"
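The scoping that @ provides is the point of the first row above. As an added example that is not part of the original page, the Python below evaluates the ipPermissions[?(@.fromPort==0)] rule over two constructed security groups and contrasts it with two unscoped any-match conditions, which flag a group whose all-ports block and whose world-open block are different items:

```python
import json

# Constructed sample records shaped like aws-ec2-describe-security-groups
# output (not real account data). "sg-split" opens all ports only to
# 10.0.0.0/8 and opens just 443 to the world; "sg-open" opens all ports
# to the world in a single block.
GROUPS = json.loads("""
[
  {"groupName": "sg-split", "ipPermissions": [
    {"fromPort": 0,   "toPort": 65535, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
    {"fromPort": 443, "toPort": 443,   "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
  {"groupName": "sg-open", "ipPermissions": [
    {"fromPort": 0,   "toPort": 65535, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}
]
""")


def scoped_rule(group):
    """ipPermissions[?(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0
    ?( ... ) opens the array and @ is the block under test, so only the
    ipRanges of a block whose own fromPort is 0 are inspected."""
    blocks = [p for p in group["ipPermissions"] if p["fromPort"] == 0]
    ranges = [r["cidrIp"] for p in blocks for r in p["ipRanges"]]
    return "0.0.0.0/0" in ranges


def unscoped_rule(group):
    """ipPermissions[*].fromPort any equal 0 and
    ipPermissions[*].ipRanges[*].cidrIp contains 0.0.0.0/0
    Each condition is evaluated over the whole array, so two different
    blocks can satisfy them and the group is flagged anyway."""
    perms = group["ipPermissions"]
    any_from_zero = any(p["fromPort"] == 0 for p in perms)
    any_world = any(r["cidrIp"] == "0.0.0.0/0"
                    for p in perms for r in p["ipRanges"])
    return any_from_zero and any_world


def flagged(rule):
    """Group names the rule matches, like the rows the query would return."""
    return [g["groupName"] for g in GROUPS if rule(g)]


if __name__ == "__main__":
    print("scoped  :", flagged(scoped_rule))    # ['sg-open']
    print("unscoped:", flagged(unscoped_rule))  # ['sg-split', 'sg-open']
```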

Config and Event Operators

OPERATOR
DESCRIPTION
RQL EXAMPLE
Greater than
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge greater than 20
Less than
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge less than 100
Equals
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge equals 90
Does not equal
Compares a path on the left-hand side against either a numeric value or another path on the right-hand side.
config where api.name = 'aws-iam-get-account-password-policy' AND json.rule = maxPasswordAge does not equal 90
Starts with
Left-hand side must be a path with a string value.
config where api.name = 'aws-iam-list-users' and json.rule = userName starts with y
Does not start with
Left-hand side must be a path with a string value.
config where api.name = 'aws-iam-list-users' and json.rule = userName does not start with y
Ends with
Left-hand side must be a path with a string value.
config where api.name = 'aws-iam-list-users' and json.rule = userName ends with i
Does not end with
Left-hand side must be a path with a string value.
config where api.name = 'aws-iam-list-users' and json.rule = userName does not end with i
Contains
The left-hand side may be a single path or a set of paths with numeric or string values.
config where api.name = 'azure-network-nsg-list' AND json.rule = defaultSecurityRules[*].direction contains outbound
Does not contain
The left-hand side may be a single path or a set of paths with numeric or string values.
config where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState does not contain allocated
Is empty
The left-hand side must be a path leading to a string value.
config where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is empty
Is not empty
The left-hand side must be a path leading to a string value.
config where api.name = 'aws-ec2-describe-instances' and json.rule = publicIpAddress is not empty
Exists
The left-hand side must be a path.
config where api.name = 'aws-ec2-describe-network-interfaces' AND json.rule = 'association.publicIp exists'
Does not exist
The left-hand side must be a path.
config where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = metadata.kind does not exist
Any start with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any start with vpc-3
None start with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none start with vpc-323cda
All start with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all start with vpc-323cda
Any end with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any end with 49
None end with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none end with 49
All end with
The left-hand side must be a set of paths leading to string values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all end with 49
Any equal
The left-hand side must be a set of paths leading to string or numeric values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId any equal vpc-323cda49
None equal
The left-hand side must be a set of paths leading to string or numeric values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId none equal vpc-323cda49
All equal
The left-hand side must be a set of paths leading to string or numeric values.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = networkInterfaces[*].vpcId all equal vpc-323cda49
Size equals
The left-hand side must be an array.
The right-hand side must be an integer.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size equals 0
Size does not equal
The left-hand side must be an array.
The right-hand side must be an integer.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size does not equal 0
Size greater than
The left-hand side must be an array.
The right-hand side must be an integer.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size greater than 1
Size less than
The left-hand side must be an array.
The right-hand side must be an integer.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*] size less than 1
Length equals
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length equals 3
Length does not equal
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length does not equal 3
Length greater than
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.storageType length greater than 3
Length less than
The left-hand side is a path with a string value.
The right-hand side must be an integer.
config where api.name = 'aws-rds-describe-db-snapshots' and json.rule = snapshot.storageType length less than 4
Number of words equals
The left-hand side is a path with a string value.
config where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words equals 3
Number of words does not equal
The left-hand side is a path with a string value.
config where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words does not equal 3
Number of words greater than
The left-hand side is a path with a string value.
config where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words greater than 2
Number of words less than
The left-hand side is a path with a string value.
config where cloud.type = 'gcp' AND cloud.service = 'Compute Engine' and api.name = 'gcloud-compute-instances-list' AND json.rule = cpuPlatform number of words less than 3
Any True
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any true "
None True
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none true"
All True
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all true"
Any False
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] any false"
None False
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] none false"
All False
The left-hand side is a set of paths with Boolean values.
config where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = " ['properties.ipConfigurations'][*].['properties.primary'] all false"
Is True
The left-hand side is a path with a Boolean value.
config where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is true
Is False
The left-hand side is a path with a Boolean value.
config where api.name = 'azure-storage-account-list' AND json.rule = encryptionStatuses.Blob is false
Is Not Member of
The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].fromPort is not member of (22)
Is Member of
The left-hand side is a path with a string value, and the right-hand side is a set of values in parentheses, separated by commas.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort is member of (3389,22,5432)
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].ipProtocol exists and ipPermissions[*].ipProtocol is member of (tcp)
Matches
Does not Match
For Event queries, use the boolean operators Matches and Does not Match to match or not match field values against simple patterns rather than full regular expressions. Patterns can contain substrings and * as a wildcard character. In the following example, the operation MATCHES 'c*login' lists the activities that match clogin, cloudlogin, or consolelogin.
event where cloud.type = 'aws' AND cloud.account = 'RedLock Sandbox' AND operation MATCHES 'c*login'

Joins

Joins allow you to get data from two different APIs where you have combined different conditions. You can use Joins only across config where queries, and a join can include up to three configuration API resources, with the aliases X, Y and Z. Joins across event, network, and config are not supported.
Join basic syntax:
config where api.name=".." as X; config where api.name="..." as Y; filter "$.X... <operator> $.Y"; show (X;|Y;)
To find EC2 instances that have public IP addresses assigned at launch, use this query:
Steps:
  1. List EC2 instances as X:
    config where api.name = 'aws-ec2-describe-instances' as X;
  2. List subnets as Y:
    config where api.name = 'aws-ec2-describe-subnets' as Y;
  3. Set the filter:
    filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;
  4. Complete the query to list instances in subnets which have public IP addresses auto-assigned:
    config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-subnets' as Y; filter '$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'; show X;
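The four steps above, as an added Python example that is not part of the page: the join is modelled as evaluating the filter over every X, Y pair and showing each X row for which some Y row matches (this is the example's own reading of show X;). The instance and subnet records are constructed; an instance whose subnet is absent from Y simply never matches.

```python
# Constructed sample records shaped like the two APIs joined in the query
# (not real account data).
INSTANCES = [                                       # config where ... as X
    {"instanceId": "i-0a1", "subnetId": "subnet-pub"},
    {"instanceId": "i-0b2", "subnetId": "subnet-priv"},
    {"instanceId": "i-0c3", "subnetId": "subnet-pub"},
    {"instanceId": "i-0d4", "subnetId": "subnet-orphan"},  # no matching subnet row
]
SUBNETS = [                                         # config where ... as Y
    {"subnetId": "subnet-pub", "mapPublicIpOnLaunch": True},
    {"subnetId": "subnet-priv", "mapPublicIpOnLaunch": False},
]


def join_filter(x_rows, y_rows, predicate):
    """Evaluate filter '...' over every (X, Y) pair and keep the X rows
    (show X;) for which at least one Y row satisfies the predicate. Each X
    row is reported once even if several Y rows match it (assumed here)."""
    shown = []
    for x in x_rows:
        if any(predicate(x, y) for y in y_rows):
            shown.append(x)
    return shown


def public_on_launch(x, y):
    """'$.X.subnetId == $.Y.subnetId and $.Y.mapPublicIpOnLaunch is true'"""
    return x["subnetId"] == y["subnetId"] and y["mapPublicIpOnLaunch"] is True


def instances_in_public_subnets(instances=INSTANCES, subnets=SUBNETS):
    """Instance ids that the complete query in step 4 would list."""
    rows = join_filter(instances, subnets, public_on_launch)
    return [row["instanceId"] for row in rows]


if __name__ == "__main__":
    print(instances_in_public_subnets())  # ['i-0a1', 'i-0c3']
```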
Examples of Joins:
DESCRIPTION
RQL EXAMPLE
VPCs that are connected to internet gateways.
config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
CloudTrail logs that are integrated with CloudWatch for all regions.
config where api.name = 'aws-cloudtrail-describe-trails' as X; config where api.name = 'aws-cloudtrail-get-trail-status' as Y; filter '$.X.cloudWatchLogsLogGroupArn != null and ($.Y.status.latestCloudWatchLogsDeliveryTime != null and _DateTime.ageInDays($.Y.status.latestCloudWatchLogsDeliveryTime) > 1) and ($.X.rrn == $.Y.rrn)'; show X;

Functions

A function performs a calculation on specific data that matches the clause contained in the function and displays the results. Functions support auto-complete when you enter the prefix _ in a json.rule or addcolumn attribute.
Prisma Cloud supports the following functions:

_DateTime Examples

Query time ranges are not part of the RQL grammar; the query time window is passed as a separate argument to the query APIs. The selection of the attributes or columns for a category is also not part of the RQL grammar.
The _DateTime functions that are available are _DateTime.ageInDays, _DateTime.ageInMonths, _DateTime.ageInYears, and _DateTime.daysBetween. The _DateTime.daysBetween function takes two dates as arguments and looks for any information that falls between them.
For example, _DateTime.ageInDays returns the number of days until a future date as a negative number.
When you use a _DateTime function, all JSON parameters are offered as auto-complete options, but you must select only parameters that hold timestamps. Also, the syntax for a function does not support spaces: remove empty spaces before or after parentheses, and between comma-separated parameters.
DESCRIPTION
RQL EXAMPLE
List EC2 instances with age greater than 2 days.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays(launchTime) > 2'
List resource names where access keys are not rotated for 90 days.
config where api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated)>90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated)>90)'
Use the function today() to return the current day’s date.
config where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule = "_DateTime.daysBetween($.latestDeliveryTime,today()) != 2"
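The access-key rotation rule above, as an added Python example that is not part of the page. It assumes ageInDays counts whole elapsed days and pins today() to a fixed date so the result is reproducible; the report rows are constructed, and the dave row shows why the rule has to exclude N/A before calling the function.

```python
from datetime import datetime, timezone

# Fixed "today" so the example is reproducible (assumption); the page's
# today() returns the current day's date.
TODAY = datetime(2024, 6, 30, tzinfo=timezone.utc)

# Constructed rows shaped like aws-iam-get-credential-report output (not
# real users). "N/A" is what the report holds for a key that was never
# rotated or does not exist, so it must be filtered out before ageInDays.
CREDENTIAL_REPORT = [
    {"user": "alice", "access_key_1_active": True,
     "access_key_1_last_rotated": "2024-01-15T10:00:00+00:00",
     "access_key_2_active": False, "access_key_2_last_rotated": "N/A"},
    {"user": "bob", "access_key_1_active": True,
     "access_key_1_last_rotated": "2024-06-01T08:30:00+00:00",
     "access_key_2_active": True,
     "access_key_2_last_rotated": "2024-02-20T12:00:00+00:00"},
    {"user": "carol", "access_key_1_active": False,
     "access_key_1_last_rotated": "2023-01-01T00:00:00+00:00",
     "access_key_2_active": False, "access_key_2_last_rotated": "N/A"},
    {"user": "dave", "access_key_1_active": True,
     "access_key_1_last_rotated": "N/A",
     "access_key_2_active": False, "access_key_2_last_rotated": "N/A"},
]


def age_in_days(timestamp, now=TODAY):
    """_DateTime.ageInDays: whole days elapsed since the timestamp. A date
    in the future gives a negative number, as the text above states."""
    return (now - datetime.fromisoformat(timestamp)).days


def days_between(first, second):
    """_DateTime.daysBetween: whole days from the first date to the second."""
    return (datetime.fromisoformat(second) - datetime.fromisoformat(first)).days


def key_stale(row, slot, max_age=90):
    """One parenthesised half of the page's rule, for access key <slot>:
    active is true and last_rotated != N/A and ageInDays(last_rotated) > 90."""
    active = row[f"access_key_{slot}_active"] is True
    rotated = row[f"access_key_{slot}_last_rotated"]
    return active and rotated != "N/A" and age_in_days(rotated) > max_age


def users_with_unrotated_keys(report=CREDENTIAL_REPORT):
    """Resource names the query would list (either key stale)."""
    return [r["user"] for r in report if key_stale(r, 1) or key_stale(r, 2)]


if __name__ == "__main__":
    print(users_with_unrotated_keys())  # ['alice', 'bob']
```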

_AWSCloudAccount.isRedLockMonitored Examples

DESCRIPTION
RQL EXAMPLE
List any snapshots that are shared publicly and are not monitored by Prisma Cloud.
config where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*] size != 0 and _AWSCloudAccount.isRedLockMonitored(createVolumePermissions[*].userId) is false'

_IPAddress.inRange Examples

To check whether a particular IP address is part of an IP address range, use _IPAddress.inRange and, in the argument, specify the octets along with the <fromInteger> and <toInteger>, for example ("172.%d",16,31) or ("172.10.%d",10,255).
DESCRIPTION
RQL EXAMPLE
List AWS Route53 Public Zones that have Private Records.
In this example, _IPAddress.inRange("172.%d",16,31) lets you search for IP addresses in the range "172.16.x.x" to "172.31.x.x":
config where cloud.type = 'aws' AND api.name = 'aws-route53-list-hosted-zones' AND json.rule = resourceRecordSet[*].resourceRecords[*].value any start with _IPAddress.inRange("172.%d",16,31)

_Port.inRange Examples

To check whether a particular port number is part of a specific range, use the Port class and its inRange method (_Port.inRange). This method takes three arguments: <fromInteger>, <toInteger>, and an optional <offset>.
By default, the <offset> is 1.
DESCRIPTION
RQL EXAMPLE
Use the inRange function with the contains and does not contain operators to check for conditions on a port range. Specify <fromInteger> and <toInteger> to find all ports within the specified range.
Example using contains to check for port numbers between 22 and 33 with an offset of 1:
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(22,33,1)
The example above checks for all ports between 22 and 33.
Example using does not contain:
config where api.name = 'azure-network-nsg-list' AND json.rule = securityRules[*].sourcePortRanges[*] does not contain _Port.inRange(350,5400,5)
The example above checks for ports 350, 355, 360, ... 5390, 5395, 5600.
Example using no offset, to find all ports within the specified range:
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*].toPort exists and ipPermissions[*].toPort contains _Port.inRange(400,500)

_IPAddress.inCIDRRange Examples

To check whether a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork, use the _IPAddress.inCIDRRange function. This function takes two arguments: the first is the CIDR address or array of CIDR addresses extracted from the JSON payload, where you must specify whether it is an ipv4Ranges or an ipv6Ranges entry and name its cidrIp or cidrIpv6 field; the second is the CIDR block (either IPv4 or IPv6) that you want to match on. When the condition is true, the result returns the resources whose IP addresses in the JSON payload fall within the CIDR range you entered; when it is false, it returns the resources that do not match.
DESCRIPTION
RQL EXAMPLE
Define multiple CIDR blocks that you want to match on.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is false and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'
Find an IPv6 address within a CIDR block.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv6Ranges[*].cidrIpv6,2600:1f18:226b:62fa:ffff:ffff:ffff:ffff/24) is true'
Specify multiple match conditions to find all CIDRs within the JSON metadata.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = 'ipPermissions[*].ipv4Ranges[*].cidrIp does not contain "0.0.0.0/0" and ipPermissions[*].ipv4Ranges[*].cidrIp size does not equal 0 and _IPAddress.inCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'
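The three range helpers described on this page, _IPAddress.inRange (a pattern with %d), _Port.inRange (from, to, offset) and _IPAddress.inCIDRRange, modelled together in Python as an added example that is not part of the page. The sample lists are constructed, the octet-boundary prefix match is this example's own choice, and the offset is taken as a step, as the 350, 355, 360 ... sequence above shows.

```python
import ipaddress

# Constructed sample values shaped like the fields the queries above read
# (not real account data).
SG_TO_PORTS = [22, 80, 443, 3389]                   # ipPermissions[*].toPort
NSG_SOURCE_PORTS = [361, 1002, 5401]                # securityRules[*].sourcePortRanges[*]
ROUTE53_VALUES = ["172.160.0.5", "8.8.8.8"]         # resourceRecords[*].value
SG_CIDRS = ["192.168.10.0/24", "203.0.113.7/32"]    # ipv4Ranges[*].cidrIp


def port_range(from_port, to_port, offset=1):
    """_Port.inRange(<from>,<to>,<offset>): every <offset>-th port from <from>
    up to and including <to>. With the default offset of 1 that is the whole
    range; (350,5400,5) yields 350, 355, 360, ..."""
    return set(range(from_port, to_port + 1, offset))


def ports_contain(ports, from_port, to_port, offset=1):
    """'... contains _Port.inRange(...)': true when any port listed in the
    resource falls on the generated range."""
    wanted = port_range(from_port, to_port, offset)
    return any(p in wanted for p in ports)


def ip_prefixes(pattern, lo, hi):
    """_IPAddress.inRange("172.%d",16,31): fill the %d placeholder with each
    integer from lo to hi, giving the prefixes "172.16" .. "172.31"."""
    return [pattern % i for i in range(lo, hi + 1)]


def any_start_with_prefixes(values, pattern, lo, hi):
    """'... any start with _IPAddress.inRange(...)'. The prefix is matched up
    to an octet boundary (this example's assumption) so that "172.16" does
    not also match "172.160.0.5"."""
    prefixes = tuple(p + "." for p in ip_prefixes(pattern, lo, hi))
    return any(v.startswith(prefixes) for v in values)


def in_cidr_range(cidrs, block):
    """_IPAddress.inCIDRRange(<cidr list>, <block>): true when any CIDR (or
    /32 host) in the list lies inside <block>. IPv4 and IPv6 entries are
    only compared within the same address family, so a mixed list returns
    a result instead of raising."""
    net = ipaddress.ip_network(block, strict=False)
    for cidr in cidrs:
        cand = ipaddress.ip_network(cidr, strict=False)
        if cand.version == net.version and cand.subnet_of(net):
            return True
    return False


if __name__ == "__main__":
    print(ports_contain(SG_TO_PORTS, 22, 33, 1))          # True (22)
    print(ports_contain(NSG_SOURCE_PORTS, 350, 5400, 5))  # False (none on a step of 5)
    print(any_start_with_prefixes(ROUTE53_VALUES, "172.%d", 16, 31))  # False
    print(in_cidr_range(SG_CIDRS, "192.168.0.0/16"))      # True
    print(in_cidr_range(SG_CIDRS, "10.0.0.0/8"))          # False
```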

_Set Examples

The _Set function enables you to compare the values between lists on the left-hand side and the right-hand side using the properties of union or intersection, and to identify whether a specific value or comma-separated list of values is included within that result set. The methods supported are _Set.intersection and _Set.union, and you can use the boolean operators intersects and contains to verify whether the values you want to look for are included in the result, or whether the result set contains the specified value(s).
If the result dataset is huge, add limit search records to at the end of the query.
DESCRIPTION
RQL EXAMPLE
Compare a list on the right-hand side (as X) with another dynamic list of items on the left-hand side (as Y), take the items in their intersection as a subset list, and then compare that subset against a static, comma-separated list that you provide.
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 100
Combine two lists to include all elements of X and Y, and find a match against a comma-separated list that you provide.
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show Y; limit search records to 10
Check if a result set contains a specific value.
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter '_Set.union($.X.vpcId,$.Y.vpcId) contains vpc-b8ba2dd0'; show X;
GCP: detect Internet-exposed instances that have a public IP and an ingress firewall rule from 0.0.0.0/0 whose destination is the specified target tags.
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
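The GCP query above, as an added Python example that is not part of the page, with the intersects operator written out and every condition of the filter evaluated per instance and firewall-rule pair. The records are constructed: one instance has no natIP, and one rule is disabled, so neither should be reported.

```python
# Constructed sample records shaped like gcloud-compute-instances-list (X)
# and gcloud-compute-firewall-rules-list (Y) output (not a real project).
NET = "projects/example-project/global/networks/default"
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"network": NET,
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]},
     "networkInterfaces": [{"network": NET,
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
    {"name": "batch-1", "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"network": NET, "accessConfigs": []}]},  # no public IP
]
FIREWALL_RULES = [
    {"name": "allow-http", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "disabled": False},
    {"name": "allow-db-old", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["db"],
     "disabled": True},   # disabled rule: $.Y.disabled contains false fails
]


def intersects(lhs, rhs):
    """The intersects operator: true when the two lists share any value."""
    return bool(set(lhs) & set(rhs))


def exposed(x, y):
    """The filter clause of the query, one condition per line."""
    nics = x["networkInterfaces"]
    networks = [n["network"] for n in nics]
    nat_ips = [a["natIP"] for n in nics for a in n["accessConfigs"]]
    return (y["network"] in networks                       # network contains $.Y.network
            and len(nat_ips) > 0                           # natIP size greater than 0
            and y["direction"] == "INGRESS"                # direction contains INGRESS
            and "0.0.0.0/0" in y["sourceRanges"]           # sourceRanges contains 0.0.0.0/0
            and intersects(x["tags"]["items"], y["targetTags"])  # tags intersects targetTags
            and y["disabled"] is False)                    # disabled contains false


def internet_exposed_instances(instances=INSTANCES, rules=FIREWALL_RULES):
    """show X: each instance for which some firewall rule passes the filter."""
    return [x["name"] for x in instances if any(exposed(x, y) for y in rules)]


if __name__ == "__main__":
    print(internet_exposed_instances())  # ['web-1']
```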
