https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-public-cloud-query-exclude-aws-security-group-that-is-not/m-p/257860#M120 <P>There isn't a way to exclude SGs attached to any kind of resources, but you can at least put in a few more restrictions.&nbsp; For example, the below query will return all security groups that are open to the public on port 22 that are on a VPC which contains an IGW with an EC2 instance attached.</P> <P>&nbsp;</P> <P><EM>config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-security-groups' as X; config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-internet-gateways' as Y; config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-instances' as Z; filter '$.Z.securityGroups[*].groupId contains $.X.groupId and $.Y.attachments[*].vpcId contains $.X.vpcId and ($.X.ipPermissions[?(@.toPort==22||@.fromPort==22)].ipv6Ranges[*].cidrIpv6 contains ::/0 or $.X.ipPermissions[?(@.toPort==22||@.fromPort==22)].ipRanges[*] contains 0.0.0.0/0 or $.X.ipPermissions[?(@.toPort&gt;22&amp;&amp;@.fromPort&lt;22)].ipv6Ranges[*].cidrIpv6 contains ::/0 or $.X.ipPermissions[?(@.toPort&gt;22&amp;&amp;@.fromPort&lt;22)].ipRanges[*] contains 0.0.0.0/0)'; show X;</EM></P> <P>&nbsp;</P> <P>Hope this helps.</P> Thu, 13 Jun 2019 00:49:56 GMT kchen 2019-06-13T00:49:56Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-public-cloud-query-exclude-aws-security-group-that-is-not/m-p/257806#M119 <P>Hi,</P><P>&nbsp;</P><P>Some policies are producing alerts against SGs that are not associated with any resources.</P><P>Can you please advise how to customize the query and exclude those SGs?&nbsp;</P><P>&nbsp;</P><P>For example, policy "AWS Security Groups allow internet traffic from internet to MYSQL port (3306)"&nbsp; is defined as follows:</P><P>config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort &gt; 3306 &amp;&amp; @.fromPort &lt; 3306)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3306 || @.fromPort == 3306)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort &gt; 3306 &amp;&amp; @.fromPort &lt; 3306)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3306 || @.fromPort == 3306)].ipv6Ranges[*].cidrIpv6 contains ::/0)))</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you</P> Wed, 02 Sep 2020 17:13:40 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-public-cloud-query-exclude-aws-security-group-that-is-not/m-p/257806#M119 DXiao 2020-09-02T17:13:40Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-public-cloud-query-exclude-aws-security-group-that-is-not/m-p/257860#M120 <P>There isn't a way to exclude SGs attached to any kind of resources, but you can at least put in a few more restrictions.&nbsp; For example, the below query will return all security groups that are open to the public on port 22 that are on a VPC which contains an IGW with an EC2 instance attached.</P> <P>&nbsp;</P> <P><EM>config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-security-groups' as X; config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-internet-gateways' as Y; config where<SPAN>&nbsp;</SPAN><A href="http://api.name/" target="_blank" rel="nofollow noopener">api.name</A><SPAN>&nbsp;</SPAN>= 'aws-ec2-describe-instances' as Z; filter '$.Z.securityGroups[*].groupId contains $.X.groupId and $.Y.attachments[*].vpcId contains $.X.vpcId and ($.X.ipPermissions[?(@.toPort==22||@.fromPort==22)].ipv6Ranges[*].cidrIpv6 contains ::/0 or $.X.ipPermissions[?(@.toPort==22||@.fromPort==22)].ipRanges[*] contains 0.0.0.0/0 or $.X.ipPermissions[?(@.toPort&gt;22&amp;&amp;@.fromPort&lt;22)].ipv6Ranges[*].cidrIpv6 contains ::/0 or $.X.ipPermissions[?(@.toPort&gt;22&amp;&amp;@.fromPort&lt;22)].ipRanges[*] contains 0.0.0.0/0)'; show X;</EM></P> <P>&nbsp;</P> <P>Hope this helps.</P> Thu, 13 Jun 2019 00:49:56 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-public-cloud-query-exclude-aws-security-group-that-is-not/m-p/257860#M120 kchen 2019-06-13T00:49:56Z