RQL Example Library
Use the Resource Query Language (RQL) examples in this section to learn how to monitor and detect issues on your cloud resources.
List EC2 instances with a public IP address.
List EC2 instances that are attached to a Security Group named ‘allow-all’.
List all EC2 instances that have a publicly accessible hostname.
List all EC2 instances that have a public IP address and allows any IP address to connect to it.
List all EC2 instances that associated with a specific security group.
List all EC2 instances that have a public IP address and are publicly accessible (The IP range is not restricted to a set of specific IP addresses).
List all EC2 instances that are not in a specified destination security group and have traffic flowing from a resource that does not have a specified tag. (uses the NOT IN operator for negation)
Find EC2 instances where launch time is more than 30 days.
Find all EBS volumes that do not have a Data Classification tag.
Find all RDS snapshots that are shared with cloud accounts that Prisma Cloud is not monitoring.
Find all Security Groups that opens port 22 to the internet (and are attached to an EC2 instance).
List RDS instances with a public IP address.
List workloads with null value in tags.
List Security Groups with egress 0.0.0.0/0 and with no port limitations.
List Security Groups with egress 0.0.0.0/0 with fromPort =9009 and no toPort.
Identify Security Groups with 0.0.0.0/0 configured where toPort is NOT 443.
List non-encrypted sda1 and xvda volumes.
Identify VPC's with Internet Gateway attached.
Find traffic from public IP addresses and in CIDR 169.254.0.0/16, and exclude ICMP and ICMP6 traffic.
Find workloads with vulnerability 'CVE-2015-5600'.
Find membership status of items, such as Redshift nodes that are tagged as members of the stage or production environments.
Find EC2 security groups with IP permissions that allow access to ports other than 443 and 80.
Find "real users" logging in from an IP address to perform root activities; these are not activities performed by automation tasks.
Find instances that are in subnets that have public IPs auto-assigned.
Check for bucket exposed publicly that does not have a "Data Classification" tag with a value of "Public".
Verify that all S3 buckets have a "Data Classification" tag with a valid value.
Custom query to find buckets with no Data Classification tag:
Custom query to find buckets with invalid Data Classification tag(s)
Alert on S3 buckets open to AllUsers except for ones with a tagSet of: Data Security: Public or Data Security: blank.
Identify S3 bucket policies that enable write access to a principal who does not belong to an account in your organization.
This query helps you find all S3 buckets that allow write action (s3:put) where the Principal Org ID is anything except what you specify in the query.
Alert on all Amazon ELB's (Elastic Load Balancing) that have an expiring certificate.
Custom query for ELBs with certificates that'll expire in less than 90 days:
Custom query for ELBs with certificates that'll expire in less than 90 days, and with instances attached to ELB:
Query that looks for SG with 0.0.0.0/0 access and is connected to the running instance.
List any AWS instances with GuardDuty or Inspector Vulnerabilities.
Find someone accessing a specific cloud account, who has assuming a specific role that includes a specific email address.
The account in this example is encsharedtest, the role is AdminSSO and the User email is firstname.lastname@example.org:
Count of the images owned by the AWS account
AND cloud.region = '<Region>'to list a count of images owned per region
Count of private or shared images for each region within an AWS account
Add or replace with
json.rule=image.public is falseto include private images
Azure workloads with no tags.
Azure SQL DB's with Transparent Data Encryption disabled.
Azure SQL instances that allow any IP address to connect to it.
Display Azure storage accounts that do not require HTTPS for access.
Display Azure VM's with Linux OS type in storage profile.
List Azure Network Watchers (can be used for Azure flow log checks).
List Azure NSGs (can be used for Azure flow log checks).
List Azure Storage accounts (can be used for Azure flow log checks).
Instances/VMs Public IP check on Azure.
Find all VMs within a specific cloud account that are not running.
This query will include instances that are deallocated, stopped starting, or unknown:
Find Azure NSGs that allow inbound traffic.
Find SQL databases deployed on Azure that are not in the East-US location.
GCP (Google Cloud Platform) workloads with no tags.
GCP terminated compute instances.
List all VM (Google compute engine) instances that have a public IP address.
Tag-based filtering—Find resources that are tagged with a specific value within a specific cloud service API (within a cloud platform).
Tag-based filtering— Find resources that are tagged with specific tags across all your cloud platforms that are monitored by Prisma Cloud.
Common Useful Query Examples
The following are useful queries that can be used as a good base or when you are looking for examples on how complex to make an RQL.
List all network traffic from the Internet or from Suspicious IPs with over 100Kb data transferred to a network interface (on any cloud environment).
All network traffic that is greater than 1GB and destined to Internet or Suspicious IPs (allows you to identify data exfiltration attempt on any cloud environment).
All network traffic from Suspicious IPs to instances that have Host Vulnerabilities.
List VPCs that do not have Flow Logs enabled.
List all instances that have a Public IP assigned, and are associated to an NSG that is open to the public.
List all security groups that are open to the public on port 3389 that are on a VPC that contains an IGW.
List all security groups that are open to the public on port 22 that are on a VPC that contains an IGW with an EC2 instance attached.
List all security groups that are open to the public, unless they are Tagged as a Mailserver and are open on ports 25, 110, or 443.
Detect AMI images older than 90 days.
Detect EC2 instances running AMIs older than 30 days.
Detect KMS keys with no key rotation.
Detect CloudFormation Templates (CFTs) that created public Security Groups.
Detect S3 buckets that are open to Internet but don't contain specific tag key/value pairs.
Detect security groups except for specific tag key/value pairs.
Find VPC Flow Logs of VPCs that have EC2 instances in it (to verify if there should be network flowlog or not).
Find EC2 instances that are not attached to security groups.
Find ENIs that are not associated with security groups.
Recommended For You
Recommended videos not found.