https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364028#M333 <P>Hello Guys,</P><P>&nbsp;</P><P>Can somebody please answer my query.</P><P>&nbsp;</P><P>From the cloud accounts section of Prisma Cloud UI, I can able to see all the status checks got passed for Config,Flow,Audit logs for one of the cloud accounts.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MPalagiri_1-1605783030320.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28707i05350BC9776F0A0A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MPalagiri_1-1605783030320.png" alt="MPalagiri_1-1605783030320.png" /></span></P><P>&nbsp;</P><P>However when I ran the simple query(Ex:- event where cloud.account="X.X.X.X") from investigate blade for audit/flow logs, there were no logs as shown below.</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 908px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28708i446E9A8F873BC46B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>I was under assumption that, if cloud account status checks is pass and if it's in green color then log ingestion was successfully happening. Please correct me if my understanding is wrong here. If my assumption is wrong, how can we rely on knowing the log ingestion is happening or not? Is it by manually running the queries??</P><P>&nbsp;</P><P>Please help me to understand this functionality if cloud account status.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Nov 2020 10:58:44 GMT MPalagiri 2020-11-19T10:58:44Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364028#M333 <P>Hello Guys,</P><P>&nbsp;</P><P>Can somebody please answer my query.</P><P>&nbsp;</P><P>From the cloud accounts section of Prisma Cloud UI, I can able to see all the status checks got passed for Config,Flow,Audit logs for one of the cloud accounts.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MPalagiri_1-1605783030320.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28707i05350BC9776F0A0A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MPalagiri_1-1605783030320.png" alt="MPalagiri_1-1605783030320.png" /></span></P><P>&nbsp;</P><P>However when I ran the simple query(Ex:- event where cloud.account="X.X.X.X") from investigate blade for audit/flow logs, there were no logs as shown below.</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 908px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28708i446E9A8F873BC46B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>I was under assumption that, if cloud account status checks is pass and if it's in green color then log ingestion was successfully happening. Please correct me if my understanding is wrong here. If my assumption is wrong, how can we rely on knowing the log ingestion is happening or not? Is it by manually running the queries??</P><P>&nbsp;</P><P>Please help me to understand this functionality if cloud account status.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Nov 2020 10:58:44 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364028#M333 MPalagiri 2020-11-19T10:58:44Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364042#M334 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162952">@MPalagiri</a>&nbsp;,</P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="4">the result what you get is expected because you didn't finished the query, i get the same result because there no real output expected here.&nbsp;<SPAN>Event queries are used to search and audit all the console and API access events in the cloud environment. Try event where commands like below.</SPAN></FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>event where cloud.type = 'azure'</SPAN></FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>I hope that helped you?</SPAN></FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>Regards,</SPAN></FONT></P><P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>Torsten</SPAN></FONT></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Nov 2020 11:14:43 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364042#M334 tostern 2020-11-19T11:14:43Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364044#M335 <P>Hello Torsten,</P><P>&nbsp;</P><P>Thanks for your kind response.</P><P>&nbsp;</P><P>The query was completed and here the objective is, I want to validate whether audit logs are ingesting from specific cloud account that we onboarded or not?</P><P>Anyhow I ran the query that you suggested but no luck.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MPalagiri_0-1605787643217.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28709i5B447EC44E85F2EA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MPalagiri_0-1605787643217.png" alt="MPalagiri_0-1605787643217.png" /></span></P><P>&nbsp;</P><P>If we run only this as you suggested,&nbsp;<SPAN>event where cloud.type = 'azure. This scouts for the events across all the cloud accounts which we have onboarded but we need from specific account as i highlited above.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Thank you.</SPAN></P><P><SPAN>Mahesh.</SPAN></P> Thu, 19 Nov 2020 12:10:03 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/how-can-i-confirm-whether-log-ingestion-frm-respective-cloud/m-p/364044#M335 MPalagiri 2020-11-19T12:10:03Z