Can somebody please answer my query.
From the cloud accounts section of the Prisma Cloud UI, I am able to see that all the status checks passed for Config, Flow and Audit logs for one of the cloud accounts.
However, when I ran a simple query (e.g. event where cloud.account = "X.X.X.X") from the Investigate blade for audit/flow logs, there were no logs, as shown below.
I was under the assumption that, if the cloud account status checks pass and the account is shown in green, then log ingestion is happening successfully. Please correct me if my understanding is wrong here. If my assumption is wrong, how can we know whether log ingestion is happening or not? Is it by manually running the queries?
Please help me to understand this functionality of the cloud account status.
Hi @MPalagiri,
The result you get is expected because you didn't finish the query; I get the same result because there is no real output expected here. Event queries are used to search and audit all the console and API access events in the cloud environment. Try event where commands like the one below.
event where cloud.type = 'azure'
I hope that helped you.
Thanks for your kind response.
The query was completed, and the objective here is that I want to validate whether audit logs are being ingested from a specific cloud account that we onboarded or not.
Anyhow, I ran the query that you suggested, but no luck.
If we run only this as you suggested, event where cloud.type = 'azure', it scouts for events across all the cloud accounts that we have onboarded, but we need them from a specific account, as I highlighted above.