https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/581216#M1199 <P>After worked with CES palo alto. I found the below RQLs:&nbsp;<BR /><BR /><SPAN>The RQLs for the four cloud types would be (Virtual Machine):</SPAN><BR /><SPAN>1- event from cloud.audit_logs where cloud.type = 'aws' AND crud IN ( 'create', 'update', 'delete' ) and operation matches 'Instance'</SPAN><BR /><BR /><SPAN>2- event from cloud.audit_logs where cloud.type = 'azure' AND crud IN ( 'create', 'update', 'delete' ) AND operation matches 'virtual machine'</SPAN><BR /><BR /><SPAN>3- event from cloud.audit_logs where cloud.type = 'gcp' AND crud IN ( 'create', 'update', 'delete' ) and operation matches 'compute.instance'</SPAN><BR /><BR /><SPAN>4- OCI does not support even based RQLs, hence the RQL that we could come up with is:</SPAN><BR /><SPAN>config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-compute-instance'</SPAN></P> <P>&nbsp;</P> <P><SPAN>And Service Accounts:&nbsp;<BR /></SPAN></P> <P><SPAN>OCI:<BR />config from cloud.resource where cloud.type = 'oci' AND cloud.service = 'OCI IAM' AND api.name = 'oci-iam-user' AND json.rule = (apiKeys[*] is not empty or authTokens[*] is not empty)<BR />Azure:<BR />config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-app-registration' AND json.rule = servicePrincipalLockConfiguration exists</SPAN></P> Thu, 21 Mar 2024 17:43:23 GMT jquijada 2024-03-21T17:43:23Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/577659#M1193 <P>Hello Community.&nbsp;<BR /><BR />I need your help. I need a RQL in prisma cloud to check ALL my virtual machines and service accounts. The RQL should be work to GCP, AWS, Azure and OCI cloud.&nbsp;<BR />It's possible? I wanna check in a new custom policy all my VMs and service accounts. Hope you can help me.&nbsp;<BR />Regards.&nbsp;</P> Mon, 19 Feb 2024 13:37:54 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/577659#M1193 jquijada 2024-02-19T13:37:54Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/581209#M1198 <P>Hello, not via RQL, but with the newly revamped platform, you can choose a asset-based query within investigate and perform that. (screenshot below)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bpachauli_0-1711039912188.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58505i61D6446A925E39B1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="bpachauli_0-1711039912188.png" alt="bpachauli_0-1711039912188.png" /></span></P> <P>&nbsp;</P> Thu, 21 Mar 2024 16:52:07 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/581209#M1198 bpachauli 2024-03-21T16:52:07Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/581216#M1199 <P>After worked with CES palo alto. I found the below RQLs:&nbsp;<BR /><BR /><SPAN>The RQLs for the four cloud types would be (Virtual Machine):</SPAN><BR /><SPAN>1- event from cloud.audit_logs where cloud.type = 'aws' AND crud IN ( 'create', 'update', 'delete' ) and operation matches 'Instance'</SPAN><BR /><BR /><SPAN>2- event from cloud.audit_logs where cloud.type = 'azure' AND crud IN ( 'create', 'update', 'delete' ) AND operation matches 'virtual machine'</SPAN><BR /><BR /><SPAN>3- event from cloud.audit_logs where cloud.type = 'gcp' AND crud IN ( 'create', 'update', 'delete' ) and operation matches 'compute.instance'</SPAN><BR /><BR /><SPAN>4- OCI does not support even based RQLs, hence the RQL that we could come up with is:</SPAN><BR /><SPAN>config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-compute-instance'</SPAN></P> <P>&nbsp;</P> <P><SPAN>And Service Accounts:&nbsp;<BR /></SPAN></P> <P><SPAN>OCI:<BR />config from cloud.resource where cloud.type = 'oci' AND cloud.service = 'OCI IAM' AND api.name = 'oci-iam-user' AND json.rule = (apiKeys[*] is not empty or authTokens[*] is not empty)<BR />Azure:<BR />config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-app-registration' AND json.rule = servicePrincipalLockConfiguration exists</SPAN></P> Thu, 21 Mar 2024 17:43:23 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-to-check-all-the-virtual-machines-and-service-accounts-in/m-p/581216#M1199 jquijada 2024-03-21T17:43:23Z