RQL Example Library
Use the Resource Query Language (RQL) examples in this section to learn how to monitor and detect issues on your cloud resources.
AWS Examples
| DESCRIPTION | RQL |
| --- | --- |
| List EC2 instances with a public IP address. | |
| List EC2 instances that are attached to a Security Group named ‘allow-all’. | |
| List all EC2 instances that have a publicly accessible hostname. | |
| List all EC2 instances that have a public IP address and allow any IP address to connect to them. | |
| List all EC2 instances that are associated with a specific security group. | |
| List all EC2 instances that have a public IP address and are publicly accessible (the IP range is not restricted to a set of specific IP addresses). | |
| List all EC2 instances that are not in a specified destination security group and have traffic flowing from a resource that does not have a specified tag (uses the NOT IN operator for negation). | |
| Find EC2 instances whose launch time is more than 30 days ago. | |
| Find all EBS volumes that do not have a Data Classification tag. | |
| Find all RDS snapshots that are shared with cloud accounts that Prisma Cloud is not monitoring. | |
| Find all Security Groups that open port 22 to the internet (and are attached to an EC2 instance). | |
| List RDS instances with a public IP address. | |
| List workloads with a null value in tags. | |
| List Security Groups with egress 0.0.0.0/0 and no port limitations. | |
| List Security Groups with egress 0.0.0.0/0 with fromPort = 9009 and no toPort. | |
| Identify Security Groups with 0.0.0.0/0 configured where toPort is NOT 443. | |
| List non-encrypted sda1 and xvda volumes. | |
| Identify VPCs with an Internet Gateway attached. | |
| Find traffic from public IP addresses and in CIDR 169.254.0.0/16, excluding ICMP and ICMP6 traffic. | |
| Find workloads with vulnerability 'CVE-2015-5600'. | |
| Find the membership status of items, such as Redshift nodes that are tagged as members of the stage or production environments. | |
| Find EC2 security groups with IP permissions that allow access to ports other than 443 and 80. | |
| Find "real users" logging in from an IP address to perform root activities; these are not activities performed by automation tasks. | |
| Find instances that are in subnets that have public IPs auto-assigned. | |
| Check for buckets exposed publicly that do not have a "Data Classification" tag with a value of "Public". | |
| Verify that all S3 buckets have a "Data Classification" tag with a valid value. | Custom query to find buckets with no Data Classification tag. Custom query to find buckets with invalid Data Classification tag(s). |
| Alert on S3 buckets open to AllUsers except for ones with a tagSet of Data Security: Public or Data Security: blank. | |
| Identify S3 bucket policies that enable write access to a principal who does not belong to an account in your organization. This query helps you find all S3 buckets that allow a write action (s3:put) where the Principal Org ID is anything except what you specify in the query. | |
| Alert on all Amazon ELBs (Elastic Load Balancing) that have an expiring certificate. | Custom query for ELBs with certificates that will expire in less than 90 days. Custom query for ELBs with certificates that will expire in less than 90 days and with instances attached to the ELB. |
| Find security groups with 0.0.0.0/0 access that are connected to a running instance. | |
| List any AWS instances with GuardDuty or Inspector vulnerabilities. | |
| Find someone accessing a specific cloud account who has assumed a specific role that includes a specific email address. | The account in this example is encsharedtest, the role is AdminSSO and the user email is davidhoffman@abc.com. |
| Count of the images owned by the AWS account. | Add `AND cloud.region = '<Region>'` to list a count of images owned per region. |
| Count of private or shared images for each region within an AWS account. | Add or replace with `json.rule=image.public is false` to include private images. |
Azure Examples
| DESCRIPTION | RQL |
| --- | --- |
| Azure workloads with no tags. | |
| Azure SQL DBs with Transparent Data Encryption disabled. | |
| Azure SQL instances that allow any IP address to connect to them. | |
| Display Azure storage accounts that do not require HTTPS for access. | |
| Display Azure VMs with Linux OS type in the storage profile. | |
| List Azure Network Watchers (can be used for Azure flow log checks). | |
| List Azure NSGs (can be used for Azure flow log checks). | |
| List Azure Storage accounts (can be used for Azure flow log checks). | |
| Show NSGs. | |
| Public IP check for instances/VMs on Azure. | |
| Find all VMs within a specific cloud account that are not running. | This query will include instances that are deallocated, stopped, starting, or unknown. |
| Find Azure NSGs that allow inbound traffic. | |
| Find SQL databases deployed on Azure that are not in the East-US location. | |
GCP Examples
| DESCRIPTION | RQL |
| --- | --- |
| GCP (Google Cloud Platform) workloads with no tags. | |
| Terminated GCP compute instances. | |
| List all VM (Google Compute Engine) instances that have a public IP address. | |
| Tag-based filtering: find resources that are tagged with a specific value within a specific cloud service API (within a cloud platform). | |
| Tag-based filtering: find resources that are tagged with specific tags across all your cloud platforms that are monitored by Prisma Cloud. | |
| Query the network IP address of all Google Compute Engine instances. | |
Common Useful Query Examples
The following are useful queries that can serve as a good base, or as examples of how complex an RQL query can be.
| DESCRIPTION | RQL |
| --- | --- |
| List all network traffic from the Internet or from Suspicious IPs with over 100Kb of data transferred to a network interface (on any cloud environment). | |
| All network traffic that is greater than 1GB and destined for the Internet or Suspicious IPs (allows you to identify data exfiltration attempts on any cloud environment). | |
| All network traffic from Suspicious IPs to instances that have Host Vulnerabilities. | |
| List VPCs that do not have Flow Logs enabled. | |
| List all instances that have a Public IP assigned and are associated with an NSG that is open to the public. | |
| List all security groups that are open to the public on port 3389 and are on a VPC that contains an IGW. | |
| List all security groups that are open to the public on port 22 and are on a VPC that contains an IGW with an EC2 instance attached. | |
| List all security groups that are open to the public, unless they are tagged as a Mailserver and are open on ports 25, 110, or 443. | |
| Detect AMI images older than 90 days. | |
| Detect EC2 instances running AMIs older than 30 days. | |
| Detect KMS keys with no key rotation. | |
| Detect CloudFormation Templates (CFTs) that created public Security Groups. | |
| Detect S3 buckets that are open to the Internet but don’t contain specific tag key/value pairs. | |
| Detect security groups, excluding those with specific tag key/value pairs. | |
| Find VPC Flow Logs of VPCs that have EC2 instances in them (to verify whether a network flow log should exist). | |
| Find EC2 instances that are not attached to security groups. | |
| Find ENIs that are not associated with security groups. | |