topic Re: RQL - Checking Tag.key's value in Prisma Cloud Discussions

RQL - Checking Tag.key's value

awsrqlqueryuser — Thu, 09 Nov 2023 20:30:17 GMT

Working to develop a query in prisma to check for a certain tag's value being older than 365 days. I can't seem to find any documentation on this. I have this rough draft but it fails and I am not sure why:

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = ((tags[?(@.key=='Retain' && '_DateTime.ageInDays(@.value) > 365')] size > 0) or (tags[*].key does not contain Retain))

Looking for any working examples of checking a tag's value or using the date functions. Any recommendations/tips are welcome

Re: RQL - Checking Tag.key's value

awsrqlqueryuser — Thu, 09 Nov 2023 21:02:38 GMT

These two query statements work indapendently but I cannot combine them into the same query:
json.rule = _DateTime.ageInDays(tags[?(@.key=='Retain')].value) > 365
json.rule = tags[*].key does not contain "Retain"
Need to be able to filter out resources that dont have a tag.key called 'Retain' OR the tag[Retain].value is older than 365 days

Re: RQL - Checking Tag.key's value

APoppas — Mon, 09 Sep 2024 19:01:42 GMT

Were you ever able to figure this out?

Re: RQL - Checking Tag.key's value

OOmotayo — Mon, 16 Sep 2024 02:06:20 GMT

@awsrqlqueryuser Please refer to the below. Please copy as pasted below and let me know if you have further questions.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = '_DateTime.ageInDays(tags[*].value) > 365 and tags[*].key equals "Retain" or (tags[*].key does not contain "Retain")'

Re: RQL - Checking Tag.key's value

awsrqlqueryuser — Mon, 23 Sep 2024 20:09:53 GMT

This does not work. After running the query and validating results you can see that it dumps all EBS volumes regardless of tag key/values specified in query. The DateTime function does not appear to work when using a passed in value (in this case the value of a specified tag key) because no evaluation takes place resulting in all EBS volumes being listed with no filter

Re: RQL - Checking Tag.key's value

awsrqlqueryuser — Mon, 23 Sep 2024 20:11:10 GMT

No, our Palo Alto enterprise support team told us it was a bug with the DateTime function and we reported it shortly after I submitted this post. Not sure if any feature has been taken up from Palo Alto since then but we went a different route to handle this situation

Re: RQL - Checking Tag.key's value

ACurran2 — Tue, 24 Sep 2024 21:36:18 GMT

@awsrqlqueryuser The DateTime function requires that there be a timestamp present in the resource config that is of any of the following 3 formats:

Zulu: "2011-08-13T20:17:46.384Z"

GSON/AWS: "Nov 7, 2016 9:34:21 AM"

ISO: "2011-12-04T10:15:30+01:00"

Reference: https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/rql-operators

So a valid example of a query that is specific to EBS volumes would look something like this:
config from cloud.resource where api.name = 'aws-ec2-describe-volumes' AND json.rule = '_DateTime.ageInDays(createTime) > 365'

Re: RQL - Checking Tag.key's value

awsrqlqueryuser — Wed, 25 Sep 2024 14:38:20 GMT

Format of the time stamp is not problematic in this case, the DateTime function only makes an evaluation on an explicitly passed in value. In your case 'createTime' is a valid json value that Prisma reads from every configuration item it ingests from AWS. In the question, I am looking to complete an evaluation on the array of tags for each configuration item. Once the tag key is found, use the DateTime function to evaluate the value of the tag but no evaluation takes place. I was told that it was a known gap last year after I submitted this but we opted to use different tools at the time to meet our needs.