Show (X;Y) doesn't work trying to combine aws-ec2-describe-security-groups and aws-ec2-describe-vpcs

EPienaar — Fri, 14 Oct 2022 11:04:57 GMT

Hi All,

I would really appreciate some help here, as I have tried hundreds of iterations to get this right and it isn't working.

I followed the RQL guidance of the RQL example library, but even a basic example doesn't work with show(X;|Y;)

I tried the following and it doesn't work:

show (X;|Y;) - command doesn't work

config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' as X; config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.Y.vpcId contains $.X.vpcId and $.X.groupName == default and ($.X.ipPermissions[*] is not empty or $.X.ipPermissionsEgress[*] is not empty)'; show (X;|Y;); addcolumn $.Y.tags[?(@.key=='resource_owner')].value groupId vpcId

This works but only displays security group tag information, not the VPC tag information I need:

without resource_owner but has VPC ID and SG ID - show Y ( SG )

config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as X; config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))' as Y; filter '$.X.vpcId equals $.Y.vpcId'; show Y; addcolumn vpcId groupId $.tags[?(@.key=='resource_owner')].value

My Aim is to redo one of the policies to display more fields based on the following api's

aws-ec2-describe-vpcs

aws-ec2-describe-security-groups

It would be great if I could join the 2 data sets.

I would like the following fields displayed:

$.Y.vpcId

$.Y.groupId

$.X.tags[?(@.key=='resource_owner')].value

I need the vpc's tags because, unfortunately the security groups tags are not filled in.

Thanks for your forthcoming help 🙂

Re: Show (X;Y) doesn't work trying to combine aws-ec2-describe-security-groups and aws-ec2-describe-vpcs

EPienaar — Fri, 14 Oct 2022 14:35:45 GMT

Hi Miller,

So the only one that actually works in terms of outputting the tags, but also only the VPC id is:

config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as X; config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))' as Y; filter '$.X.vpcId equals $.Y.vpcId'; show X; addcolumn vpcId groupId $.tags[?(@.key=='resource_owner')].value

You can use aws EC2 global search on the VPC and it will come up with the attached security groups, but it would be great if I could use the join to get all the info out.

Thanks

topic Show (X;Y) doesn't work trying to combine aws-ec2-describe-security-groups and aws-ec2-describe-vpcs in Prisma Cloud Discussions

Show (X;Y) doesn't work trying to combine aws-ec2-describe-security-groups and aws-ec2-describe-vpcs

show (X;|Y;) - command doesn't work

without resource_owner but has VPC ID and SG ID - show Y ( SG )

Re: Show (X;Y) doesn't work trying to combine aws-ec2-describe-security-groups and aws-ec2-describe-vpcs