https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/512036#M623 <P>Greetings Ramyfrahman,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Tue, 16 Aug 2022 20:29:34 GMT AKing9 2022-08-16T20:29:34Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/347737#M301 <P>If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes?&nbsp; I would have to imagine it starts with an event query based on something similar I pulled up for AWS:</P><P>&nbsp;</P><P>event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')</P><P>&nbsp;</P><P>or maybe RQL:&nbsp;config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'</P><P>&nbsp;</P><P>But how would be the best practice to possible get a list of a set of assets you want to monitor highly for changes.&nbsp; Maybe leveraging tags?</P> Wed, 09 Sep 2020 02:42:23 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/347737#M301 Retired Member 2020-09-09T02:42:23Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/350343#M311 <P>Hi&nbsp;@Retired Member&nbsp;</P><P>&nbsp;</P><P>You can maybe use a date range like _DateTime.ageInDays(user_creation_time)&lt;7 and _DateTime.ageInDays(user_creation_time) &gt; 1</P><P>This is only an idea and i have to do more investigation on that, but event policies should be the right way to do that.</P><P>&nbsp;</P><P><SPAN>You can also pull in labels per project so you can use that as well.</SPAN></P><P><SPAN>The Example below find EC2 instances where launch time is more than 30 days.</SPAN></P><P><SPAN>config <SPAN class="hljs-built_in">where</SPAN> api.name = <SPAN class="hljs-string">'aws-ec2-describe-instances'</SPAN> AND json.rule = <SPAN class="hljs-string">'_DateTime.ageInDays($.launchTime) &gt; 30'</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="hljs-string">Regards,</SPAN></SPAN></P><P><SPAN><SPAN class="hljs-string">Torsten</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Torsten</SPAN></P> Fri, 18 Sep 2020 07:51:04 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/350343#M311 tostern 2020-09-18T07:51:04Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/351301#M317 <P>Ok so I think we are getting closer.&nbsp; This was helpful but maybe I can ask this a different way</P><P>&nbsp;</P><P>If I wanted to get a list of all the alerts that were in a config query like below that have a finding severity of HIGH, is that possible?</P><P>&nbsp;</P><P>config where api.name = 'gcloud-compute-instances-list' and json.rule = status contains RUNNING</P> Tue, 22 Sep 2020 22:38:59 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/351301#M317 Retired Member 2020-09-22T22:38:59Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/512036#M623 <P>Greetings Ramyfrahman,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Tue, 16 Aug 2022 20:29:34 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/quot-show-me-all-prisma-cloud-monitored-assets-with-a/m-p/512036#M623 AKing9 2022-08-16T20:29:34Z