Prisma Cloud Discussions
Showing results for 
Search instead for 
Did you mean: 
Prisma Cloud Discussions


RQL - how to filter tags in addcolumn section

Hi, I'm looking for help with a query.
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'Amazon Elastic Load Balancing' AND json.rule = scheme equals "internet-facing" addcolumn tags
This adds a new column with all of the resou

PDawson by L0 Member
  • 0 replies


For Prisma cloud what are folks using for reporting?  The canned reports are lacking and we need to customize reports to make them actionable by groups.  Customization in the tool is restricted to occurrence and one other item.  

SSiggins by L0 Member
  • 0 replies

IAM PassRole RQL with Conditionals

Hello!  I'm attempting to write some RQL to detect policies with the following permissions and struggling a bit.


Action: "iam:PassRole"

Effect: "Allow"

Resource: "*"


Now, in general this isn't too bad to figure out.  The RQL below accomplishes this nic


Automated compliance checking

We are looking to automate a check on a new resource to see if it passes our compliance policies.   As part of this automated checking we are wondering how long we should wait after a resource is created before we run the check.    Is there an estima


SReis by L0 Member
  • 0 replies

twistcli with buildah?

Hi There,

We have a build process that we are migrating to a rootless containerized builder, and are using buildah to build and push the images instead of docker. If I pull an image with buildah, it downloads the image but when I run twistcli on that


RQL query for tag-based exception


I'm trying to help a customer filter out false-positives in the Prisma Cloud policies. For instance, we have a customised "Internet exposed instances" where they previously have white listed specific IP addresses, which is not very dynamic. Instea


Managing Compute Defender False Positives?

I'm finding what appears to be a lot of false positives for alerts within Compute Defender > Events and Runtime. What is best practice for marking these false positive to prevent additional alerts from being generated? I noticed some options for re-l


CGoff12 by L0 Member
  • 0 replies

Resolved! RQL find excessive sts:AssumeRole

Trying to put together a query to identify excessive assumeRole permissions. For example it would identify if the following is in a policy.


"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Resource": "*"


I've been messing around with some queries, I h