CloudWatch RQL


L0 Member

Hi all,

 

Relatively new with Prisma and playing with the RQL. Would anyone be able to tell me if there's a query I can run that tells me if CloudWatch is enabled within an AWS environment?

 

Report-wise, I tried running something against CIS compliance and it's really just telling me that CloudTrail is not integrated with CloudWatch, which doesn't directly answer the question, for compliance purposes.

Accepted Solutions

L3 Networker

You can use this to see the various alarms that might be set up in CloudWatch:

    config where api.name = 'aws-cloudwatch-describe-alarms'

There is a policy that will also look to see if CloudTrail is not integrated with CloudWatch:

    config where cloud.type = 'aws' AND api.name = 'aws-cloudtrail-describe-trails' AND json.rule = 'cloudWatchLogsRoleArn equals null or cloudWatchLogsRoleArn does not exist'
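
The same check as the second query, run offline over the JSON that `aws cloudtrail describe-trails` returns (an added example, not part of the original post and not Prisma Cloud code). The sample data and function names are constructed for illustration; the log group check and the explicit "no trails" flag go beyond what the RQL rule tests.

```python
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output
# (account ID, trail names and ARNs are made up for illustration).
SAMPLE = json.loads("""
{"trailList": [
 {"Name": "org-trail", "HomeRegion": "us-east-1",
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:trail:*",
  "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/trail-to-cwl"},
 {"Name": "legacy-trail", "HomeRegion": "eu-west-1"},
 {"Name": "half-configured", "HomeRegion": "us-west-2",
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:111111111111:log-group:old:*",
  "CloudWatchLogsRoleArn": null}
]}
""")


def trails_without_cloudwatch(describe_trails):
    """Return (name, region, reason) for each trail not wired to CloudWatch Logs."""
    findings = []
    for trail in describe_trails.get("trailList", []):
        if "CloudWatchLogsRoleArn" not in trail:
            reason = "CloudWatchLogsRoleArn does not exist"
        elif not trail["CloudWatchLogsRoleArn"]:
            reason = "CloudWatchLogsRoleArn is null or empty"
        elif not trail.get("CloudWatchLogsLogGroupArn"):
            # Extra check beyond the RQL rule: a role with no log group.
            reason = "CloudWatchLogsLogGroupArn is missing"
        else:
            continue
        findings.append((trail.get("Name"), trail.get("HomeRegion"), reason))
    return findings


def summarize(describe_trails):
    """Summarize coverage; zero trails is reported explicitly, not as a pass."""
    total = len(describe_trails.get("trailList", []))
    findings = trails_without_cloudwatch(describe_trails)
    return {"trails": total, "integrated": total - len(findings),
            "no_trails": total == 0, "findings": findings}


if __name__ == "__main__":
    for name, region, reason in summarize(SAMPLE)["findings"]:
        print(f"{name} ({region}): {reason}")
```

An account with no trails at all produces no findings from either the query or this script, so the `no_trails` flag is what distinguishes "nothing to flag" from "everything integrated".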
