topic RQL query for resources outside the authorized regions in Prisma Cloud Discussions

RQL query for resources outside the authorized regions

JJoly — Wed, 20 Apr 2022 15:36:00 GMT

Hello Prisma Cloud users,

I'm sharing with you some research I did this morning that you may find interesting. We want to detect and prevent when a resource is created in an unauthorized region.

config from cloud.resource where cloud.type = 'azure' AND cloud.region NOT IN ( 'Azure France Central' , 'Azure France South' , 'Azure Germany Central' , 'Azure Germany Northeast' , 'Azure Germany North' , 'Azure Germany West Central' )

You can specify your cloud types, your cloud regions and you can add all variables you want.

For example I can use api.name if I want to check a specific type of resources.

api.name = 'azure-kubernetes-cluster' # If want want to test my AKS clusters

Have a good journey in the world of RQL queries 😉

Re: RQL query for resources outside the authorized regions

RPrasadi — Thu, 31 Oct 2024 21:03:02 GMT

This can be accomplished via targeting specific regions using the alert rule. The filters such as cloud.region and cloud.account are meant to be used in the investigate portion of Prisma, but are not respected if turned into a policy. This is due to how targeting is handled via the alert rule. With this in mind, you can create a query to look at an api, then target regions outside of the ones normally used by the team. You can find more details here - https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/create-an-alert-rule Create a Custom Policy

Re: RQL query for resources outside the authorized regions

APinzon — Fri, 22 Sep 2023 10:14:56 GMT

Is there any way to do this without grouping by api.name? Only filtering by cloud.type and cloud.region. When I try to save policy I've got this error "Insufficient Query for Policy Creation" I need to identify al resources outside the authorized regions, not by one api.name