https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578299#M1181 <P>Reference: <A href="https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html" target="_blank">https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html</A></P> <P>&nbsp;</P> <P>RQL that is not working: config from cloud.resource where cloud.type = 'aws' AND api.name = 'describe-security-groups' AND json.rule = "IpPermissionsEgress[IpRanges[?any (CidrIp equals 0.0.0.0/0)]]"&nbsp;</P> <P>&nbsp;</P> <P>Does not seems to be right. Need RQL expert here! Thanks</P> Mon, 26 Feb 2024 06:43:36 GMT rogerhuang 2024-02-26T06:43:36Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578299#M1181 <P>Reference: <A href="https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html" target="_blank">https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html</A></P> <P>&nbsp;</P> <P>RQL that is not working: config from cloud.resource where cloud.type = 'aws' AND api.name = 'describe-security-groups' AND json.rule = "IpPermissionsEgress[IpRanges[?any (CidrIp equals 0.0.0.0/0)]]"&nbsp;</P> <P>&nbsp;</P> <P>Does not seems to be right. Need RQL expert here! Thanks</P> Mon, 26 Feb 2024 06:43:36 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578299#M1181 rogerhuang 2024-02-26T06:43:36Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578313#M1182 <P>Somehow figure out something like this and so far no error.</P> <DIV data-version="3.0.0" data-hash="9dd880094ebe22e055e26934c7fe3dbb">&nbsp;</DIV> <DIV class="section"> <P class="paragraph text-align-type-left"><SPAN data-font-family="Monaco">config&nbsp;from&nbsp;cloud.resource&nbsp;where&nbsp;api.name&nbsp;=&nbsp;'aws-ec2-describe-security-groups'&nbsp;and&nbsp;json.rule&nbsp;=&nbsp;(($.ipPermissions[?(@.ipProtocol==-1)].ipRanges[*]&nbsp;contains&nbsp;0.0.0.0/0&nbsp;or&nbsp;$.ipPermissions[?(@.ipProtocol==-1)].ipv6Ranges[*].cidrIpv6&nbsp;contains&nbsp;::/0))</SPAN></P> </DIV> <P>&nbsp;</P> Mon, 26 Feb 2024 08:21:47 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578313#M1182 rogerhuang 2024-02-26T08:21:47Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578708#M1184 <P>That works.&nbsp; Or a more simplified version of the query to only look for ipv4 outbound to 0.0.0.0/0 could be:<BR /><BR />config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((ipPermissionsEgress[*] equals 0.0.0.0/0))'</P> Wed, 28 Feb 2024 21:34:09 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-how-to-construct-a-query-to-investigate-on-all-aws-security/m-p/578708#M1184 ACurran2 2024-02-28T21:34:09Z