"Show me all Prisma Cloud Monitored Assets with a configuration change"


L2 Linker

If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes? I would have to imagine it starts with an event query based on something similar I pulled up for AWS:

event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')

or maybe RQL: config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'

But what would be the best practice to get a list of a set of assets you want to monitor closely for changes? Maybe leveraging tags?

1 accepted solution

Accepted Solutions

L3 Networker

Hi @ramyfrahman

You can maybe use a date range like _DateTime.ageInDays(user_creation_time)<7 and _DateTime.ageInDays(user_creation_time) > 1

This is only an idea and I have to do more investigation on that, but event policies should be the right way to do that.

You can also pull in labels per project so you can use that as well.

The example below finds EC2 instances whose launch time is more than 30 days ago.

config where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays($.launchTime) > 30'

Regards,

Torsten

"With unity we can do great things"


3 REPLIES


Ok so I think we are getting closer. This was helpful, but maybe I can ask this a different way.

If I wanted to get a list of all the alerts that were in a config query like below that have a finding severity of HIGH, is that possible?

config where api.name = 'gcloud-compute-instances-list' and json.rule = status contains RUNNING
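Putting the two halves of this thread together (the tag-scoped asset list asked about in the original question and in Torsten's reply, and the severity filter from the follow-up), here is an added Python example that is not from the thread and not Prisma Cloud's own tooling. It assembles the config and event RQL with a relative timeRange, then joins the (constructed) search results offline into a per-asset change trail and filters constructed alert records by api.name and severity. The timeRange object shape, the `tags[?any(...)] exists` json.rule syntax, the `resourceId`, `resourceApiName` and `policy.severity` field names, and the api.name `aws-ec2-describe-vpcs` are assumptions based on the public Prisma Cloud API documentation, not values confirmed by the thread.

```python
"""Tag-scoped change audit trail with Prisma Cloud RQL, assembled and
post-processed offline.  Added example for this thread, not Prisma Cloud
code: the timeRange shape, the json.rule tag syntax and the field names on
search/alert results are assumptions taken from the public API docs, and
every record below is constructed sample data."""
from collections import defaultdict
from typing import Iterable

# Watch-list copied from the question (AWS operations); a GCP tenant would
# substitute the operation names its own event data actually carries.
WATCHED_OPERATIONS = frozenset({
    "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress",
    "CreateVpc", "DeleteFlowLogs", "DeleteVpc", "ModifyVpcAttribute",
    "RevokeSecurityGroupIngress",
})


def relative_time_range(days: int) -> dict:
    """timeRange object for the /search/* endpoints (assumed shape)."""
    if days < 1:
        raise ValueError("days must be at least 1")
    return {"type": "relative", "value": {"unit": "day", "amount": days}}


def build_config_rql(api_name: str, tag_key: str, tag_value: str) -> str:
    """config query returning only assets that carry the watch tag (assumed syntax)."""
    rule = f'tags[?any(key equal "{tag_key}" and value equal "{tag_value}")] exists'
    return f"config where api.name = '{api_name}' AND json.rule = '{rule}'"


def build_event_rql(cloud_type: str, operations: Iterable[str]) -> str:
    """event query restricted to the change operations on the watch-list."""
    quoted = ", ".join(f"'{op}'" for op in operations)
    return f"event where cloud.type = '{cloud_type}' AND operation IN ({quoted})"


def search_body(rql: str, days: int, limit: int = 100) -> dict:
    """Request body to POST to /search/config or /search/event (assumed)."""
    return {"query": rql, "timeRange": relative_time_range(days), "limit": limit}


# Constructed sample of /search/config result items ("data" = raw cloud JSON).
SAMPLE_CONFIG_ITEMS = [
    {"id": "vpc-0a1", "name": "prod-vpc", "data": {"tags": [{"key": "monitor", "value": "high"}]}},
    {"id": "vpc-0b2", "name": "shared-vpc", "data": {"tags": [{"key": "monitor", "value": "high"}]}},
    {"id": "vpc-0c3", "name": "sandbox-vpc", "data": {"tags": []}},
]

# Constructed sample of /search/event result items, deliberately unordered.
SAMPLE_EVENTS = [
    {"time": "2024-03-02T10:00:00Z", "resourceId": "vpc-0a1", "operation": "ModifyVpcAttribute", "user": "alice"},
    {"time": "2024-03-01T09:00:00Z", "resourceId": "vpc-0a1", "operation": "CreateVpc", "user": "alice"},
    {"time": "2024-03-03T11:00:00Z", "resourceId": "vpc-0c3", "operation": "DeleteVpc", "user": "bob"},  # untagged asset
    {"time": "2024-03-03T12:00:00Z", "resourceId": "vpc-0a1", "operation": "DescribeVpcs", "user": "bob"},  # read-only
    {"time": "2024-03-04T08:00:00Z", "resourceId": "vpc-0b2", "operation": "DeleteFlowLogs", "user": "carol"},
]

# Constructed sample of alert records (policy.severity, resource.resourceApiName assumed).
SAMPLE_ALERTS = [
    {"id": "A1", "status": "open", "policy": {"name": "constructed-high", "severity": "high"},
     "resource": {"name": "vm-1", "resourceApiName": "gcloud-compute-instances-list"}},
    {"id": "A2", "status": "open", "policy": {"name": "constructed-medium", "severity": "medium"},
     "resource": {"name": "vm-2", "resourceApiName": "gcloud-compute-instances-list"}},
    {"id": "A3", "status": "resolved", "policy": {"name": "constructed-high", "severity": "high"},
     "resource": {"name": "vm-3", "resourceApiName": "gcloud-compute-instances-list"}},
    {"id": "A4", "status": "open", "policy": {"name": "constructed-aws", "severity": "high"},
     "resource": {"name": "i-9", "resourceApiName": "aws-ec2-describe-instances"}},
]


def watched_resource_ids(config_items, tag_key, tag_value):
    """Ids of assets carrying the tag; re-checked client-side as a guard."""
    ids = set()
    for item in config_items:
        tags = item.get("data", {}).get("tags") or []
        if any(t.get("key") == tag_key and t.get("value") == tag_value for t in tags):
            ids.add(item["id"])
    return ids


def audit_trail(event_items, watched_ids):
    """Change events on watched assets, grouped per asset in time order."""
    trail = defaultdict(list)
    for ev in sorted(event_items, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        if ev["resourceId"] in watched_ids and ev["operation"] in WATCHED_OPERATIONS:
            trail[ev["resourceId"]].append((ev["time"], ev["operation"], ev["user"]))
    return dict(trail)


def alerts_for_query(alerts, api_name, severity="high", open_only=True):
    """Follow-up question: alert ids raised on assets of one api.name at a severity."""
    return [a["id"] for a in alerts
            if a["resource"].get("resourceApiName") == api_name
            and a["policy"].get("severity", "").lower() == severity.lower()
            and (not open_only or a.get("status") == "open")]


if __name__ == "__main__":
    # aws-ec2-describe-vpcs is an assumed api.name; check it in your tenant.
    print(search_body(build_config_rql("aws-ec2-describe-vpcs", "monitor", "high"), 7))
    print(search_body(build_event_rql("aws", sorted(WATCHED_OPERATIONS)), 7))
    watched = watched_resource_ids(SAMPLE_CONFIG_ITEMS, "monitor", "high")
    for rid, changes in audit_trail(SAMPLE_EVENTS, watched).items():
        print(rid, changes)
    print(alerts_for_query(SAMPLE_ALERTS, "gcloud-compute-instances-list"))
```

The two RQL strings it prints can be pasted straight into the Investigate page; the join on resource id is done client side, so an asset that was tagged after the change window still shows its history once it enters the watch list.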

L4 Transporter

Greetings Ramyfrahman,

I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.

Kind Regards,

J. Avery King

J. Avery King | Prisma Cloud | Customer Success Engineer
  • 1 accepted solution
  • 5218 Views
  • 3 replies
  • 0 Likes