RQL Example Library
Use the Resource Query Language (RQL) examples in this section to learn how to monitor and detect issues on your cloud resources.
AWS Examples
DESCRIPTION | RQL |
---|---|
List EC2 instances with a public IP address. | |
List EC2 instances that are attached to a Security Group named 'allow-all'. | |
List all EC2 instances that have a publicly accessible hostname. | |
List all EC2 instances that have a public IP address and allow any IP address to connect to them. | |
List all EC2 instances that are associated with a specific security group. | |
List all EC2 instances that have a public IP address and are publicly accessible (the IP range is not restricted to a set of specific IP addresses). | |
List all EC2 instances that are not in a specified destination security group and have traffic flowing from a resource that does not have a specified tag (uses the NOT IN operator for negation). | |
Find EC2 instances whose launch time is more than 30 days ago. | |
Find all EBS volumes that do not have a Data Classification tag. | |
Find all RDS snapshots that are shared with cloud accounts that Prisma Cloud is not monitoring. | |
Find all Security Groups that open port 22 to the internet (and are attached to an EC2 instance). | |
List RDS instances with a public IP address. | |
List workloads with a null value in tags. | |
List Security Groups with egress 0.0.0.0/0 and with no port limitations. | |
List Security Groups with egress 0.0.0.0/0 with fromPort = 9009 and no toPort. | |
Identify Security Groups with 0.0.0.0/0 configured where toPort is NOT 443. | |
List non-encrypted sda1 and xvda volumes. | |
Identify VPCs with an Internet Gateway attached. | |
Find traffic from public IP addresses and in CIDR 169.254.0.0/16, and exclude ICMP and ICMP6 traffic. | |
Find workloads with vulnerability 'CVE-2015-5600'. | |
Find membership status of items, such as Redshift nodes that are tagged as members of the stage or production environments. | |
Find EC2 security groups with IP permissions that allow access to ports other than 443 and 80. | |
Find "real users" logging in from an IP address to perform root activities; these are not activities performed by automation tasks. | |
Find instances that are in subnets that have public IPs auto-assigned. | |
Check for buckets exposed publicly that do not have a "Data Classification" tag with a value of "Public". | |
Verify that all S3 buckets have a "Data Classification" tag with a valid value. | Two custom queries: one to find buckets with no Data Classification tag, and one to find buckets with invalid Data Classification tag(s). |
Alert on S3 buckets open to AllUsers except for ones with a tagSet of Data Security: Public or Data Security: blank. | |
Identify S3 bucket policies that enable write access to a principal who does not belong to an account in your organization. This query helps you find all S3 buckets that allow write actions (s3:put) where the Principal Org ID is anything except what you specify in the query. | |
Alert on all Amazon ELBs (Elastic Load Balancing) that have an expiring certificate. | Two custom queries: one for ELBs with certificates that will expire in less than 90 days, and one for ELBs with certificates that will expire in less than 90 days and with instances attached to the ELB. |
Query that looks for Security Groups with 0.0.0.0/0 access that are connected to a running instance. | |
List any AWS instances with GuardDuty or Inspector vulnerabilities. | |
Find someone accessing a specific cloud account who has assumed a specific role that includes a specific email address. | The account in this example is encsharedtest, the role is AdminSSO and the user email is davidhoffman@abc.com. |
Count of the images owned by the AWS account. | Add AND cloud.region = '<Region>' to list a count of images owned per region. |
Count of private or shared images for each region within an AWS account. | Add or replace with json.rule=image.public is false to include private images. |
Azure Examples
DESCRIPTION | RQL |
---|---|
Azure workloads with no tags. | |
Azure SQL DBs with Transparent Data Encryption disabled. | |
Azure SQL instances that allow any IP address to connect to them. | |
Display Azure storage accounts that do not require HTTPS for access. | |
Display Azure VMs with Linux OS type in the storage profile. | |
List Azure Network Watchers (can be used for Azure flow log checks). | |
List Azure NSGs (can be used for Azure flow log checks). | |
List Azure Storage accounts (can be used for Azure flow log checks). | |
Show NSGs. | |
Public IP check for instances/VMs on Azure. | |
Find all VMs within a specific cloud account that are not running. | This query includes instances that are deallocated, stopped, starting, or unknown. |
Find Azure NSGs that allow inbound traffic. | |
Find SQL databases deployed on Azure that are not in the East US location. | |
|
GCP Examples
DESCRIPTION | RQL |
---|---|
GCP (Google Cloud Platform) workloads with no tags. | |
GCP terminated compute instances. | |
List all VM (Google Compute Engine) instances that have a public IP address. | |
Tag-based filtering: find resources that are tagged with a specific value within a specific cloud service API (within a cloud platform). | |
Tag-based filtering: find resources that are tagged with specific tags across all your cloud platforms that are monitored by Prisma Cloud. | |
|
Common Useful Query Examples
The following are useful queries that can serve as a good base, or as examples of how complex an RQL query can be made.
DESCRIPTION | RQL |
---|---|
List all network traffic from the Internet or from Suspicious IPs with over 100 Kb of data transferred to a network interface (on any cloud environment). | |
All network traffic that is greater than 1 GB and destined to the Internet or Suspicious IPs (allows you to identify data exfiltration attempts on any cloud environment). | |
All network traffic from Suspicious IPs to instances that have Host Vulnerabilities. | |
List VPCs that do not have Flow Logs enabled. | |
List all instances that have a Public IP assigned and are associated with an NSG that is open to the public. | |
List all security groups that are open to the public on port 3389 and are on a VPC that contains an IGW. | |
List all security groups that are open to the public on port 22 and are on a VPC that contains an IGW with an EC2 instance attached. | |
List all security groups that are open to the public, unless they are tagged as a Mailserver and are open on ports 25, 110, or 443. | |
Detect AMI images older than 90 days. | |
Detect EC2 instances running AMIs older than 30 days. | |
Detect KMS keys with no key rotation. | |
Detect CloudFormation Templates (CFTs) that created public Security Groups. | |
Detect S3 buckets that are open to the Internet but do not contain specific tag key/value pairs. | |
Detect security groups except for those with specific tag key/value pairs. | |
Find VPC Flow Logs of VPCs that have EC2 instances in them (to verify whether there should be a network flow log or not). | |
Find EC2 instances that are not attached to security groups. | |
Find ENIs that are not associated with security groups. | |
|