topic Re: RQL - Get if there is a ip other than certain ip in the rule and 22 port is open in Prisma Cloud Discussions

RQL - Get if there is a ip other than certain ip in the rule and 22 port is open

SMutlu — Thu, 13 Apr 2023 10:38:07 GMT

Hi All,

I am looking for some support for the RQL.

I am trying to detect if any firewall rule on GCP allows SSH port 22 traffic from except the PSM IP addresses. I developed some queries but it's not able to catch every scenario. I am trying to develop a query that should check exact match with the IP addresses that I've write. Need your comments for this use-case. Thank you !

Example Query :

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and sourceRanges[*] is not member of (IP Addresses separeted with comma) and allowed[?any(ports is member of (22) or ports contains _Port.inRange(22,22) and (ports does not exist and (IPProtocol contains tcp)))] exists

Kind Regards

Re: RQL - Get if there is a ip other than certain ip in the rule and 22 port is open

SMutlu — Tue, 02 May 2023 12:33:17 GMT

Hi Everyone,

This query works for that case ;

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (allowed[?any( (ports is member of (22) or ports contains _Port.inRange(22,22) or ports does not exist) and (IPProtocol contains tcp or IPProtocol contains "all" ))] exists) and (sourceRanges[*] size does not equal 5 or (sourceRanges[*] does not contain "MY IP1" or sourceRanges[*] does not contain "MY IP2" or sourceRanges[*] does not contain "MY IP3" or sourceRanges[*] does not contain "MY IP4" or sourceRanges[*] does not contain "MY IP5" ))

Kind Regards

Seyma Nur