"Show me all Prisma Cloud Monitored Assets with a configuration change"


If you needed to monitor a set of assets such as Google Cloud VPCs and any changes that have been made to them in a set date range, what RQL could you write that would yield the audit trail and show those changes? I would have to imagine it starts with an event query based on something similar I pulled up for AWS:
event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
or maybe RQL: config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'
But what would be the best practice for getting a list of a set of assets you want to monitor closely for changes? Maybe leveraging tags?


Accepted Solutions
Hi @ramyfrahman 
You can maybe use a date range like _DateTime.ageInDays(user_creation_time)<7 and _DateTime.ageInDays(user_creation_time) > 1

This is only an idea and I have to do more investigation on that, but event policies should be the right way to do that.
You can also pull in labels per project so you can use that as well.

The example below finds EC2 instances whose launch time is more than 30 days ago.

config where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays($.launchTime) > 30'
Regards,

Torsten
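The filter the thread is circling (a watch list of VPC-changing operations, an age window in days like the _DateTime.ageInDays range Torsten suggests, and a per-project label to pick out the assets worth watching) can be modelled offline before being turned into an RQL event policy. The block below is an added example, not Prisma Cloud code and not something from the original posts: the project IDs, labels, users, resources and events are all constructed, the watch list of GCP Compute method names is a hypothetical starting point, and the label lookup stands in for whatever source of "labels per project" you actually have.

```python
"""Offline model of the filter discussed in this thread: keep only VPC-related
audit events, restrict them to an age window in days (the role that
_DateTime.ageInDays plays in the RQL above), and keep only events from projects
carrying a chosen label. Added example, not Prisma Cloud code; every project ID,
label, user, resource and event below is constructed."""
from datetime import datetime, timezone

# GCP Compute audit-log method names that change a VPC's shape. Hypothetical
# watch list for the example; extend it to match what you need to audit.
VPC_CHANGE_OPERATIONS = {
    "v1.compute.networks.insert", "v1.compute.networks.patch", "v1.compute.networks.delete",
    "v1.compute.subnetworks.insert", "v1.compute.subnetworks.patch", "v1.compute.subnetworks.delete",
    "v1.compute.firewalls.insert", "v1.compute.firewalls.patch", "v1.compute.firewalls.delete",
}

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2020, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed "labels per project" lookup; in practice this comes from a config
# query or the provider's project metadata, not from the event itself.
PROJECT_LABELS = {
    "prod-net-001": {"env": "prod", "owner": "netops"},
    "dev-sandbox-002": {"env": "dev"},
}

# Constructed audit events in a simplified, GCP-audit-log-like shape.
SAMPLE_EVENTS = [
    {"time": "2020-06-13T09:30:00Z", "project": "prod-net-001", "operation": "v1.compute.firewalls.patch",
     "user": "alice@example.com", "resource": "projects/prod-net-001/global/firewalls/allow-ssh"},
    {"time": "2020-06-10T08:00:00Z", "project": "prod-net-001", "operation": "v1.compute.networks.insert",
     "user": "terraform@example.com", "resource": "projects/prod-net-001/global/networks/core-vpc"},
    {"time": "2020-06-15T10:00:00Z", "project": "prod-net-001", "operation": "v1.compute.subnetworks.delete",
     "user": "bob@example.com", "resource": "projects/prod-net-001/regions/us-central1/subnetworks/old"},  # under 1 day old
    {"time": "2020-06-13T11:00:00Z", "project": "dev-sandbox-002", "operation": "v1.compute.networks.delete",
     "user": "bob@example.com", "resource": "projects/dev-sandbox-002/global/networks/scratch"},  # dev project
    {"time": "2020-06-12T11:00:00Z", "project": "prod-net-001", "operation": "v1.compute.instances.insert",
     "user": "alice@example.com", "resource": "projects/prod-net-001/zones/us-central1-a/instances/web-1"},  # not a VPC change
    {"time": "2020-06-01T11:00:00Z", "project": "prod-net-001", "operation": "v1.compute.networks.delete",
     "user": "alice@example.com", "resource": "projects/prod-net-001/global/networks/legacy"},  # 14 days old
]


def parse_time(stamp):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def age_in_days(ts, now=NOW):
    """Fractional age of a timestamp, the quantity _DateTime.ageInDays compares."""
    return (now - ts).total_seconds() / 86400.0


def project_matches(project, selector, project_labels=PROJECT_LABELS):
    """True when every key/value in selector is present on the project's labels."""
    labels = project_labels.get(project, {})
    return all(labels.get(key) == value for key, value in selector.items())


def vpc_change_trail(events, min_age_days=1, max_age_days=7, selector=None, now=NOW):
    """Audit trail of VPC changes: operation in the watch list, age strictly
    between the two bounds (mirroring 'ageInDays > 1 and ageInDays < 7'),
    and project labelled as monitored. Returned oldest first."""
    selector = {"env": "prod"} if selector is None else selector
    trail = []
    for event in events:
        if event["operation"] not in VPC_CHANGE_OPERATIONS:
            continue
        age = age_in_days(parse_time(event["time"]), now)
        if not (min_age_days < age < max_age_days):
            continue
        if not project_matches(event["project"], selector):
            continue
        trail.append({**event, "age_days": round(age, 2)})
    trail.sort(key=lambda e: e["time"])
    return trail


if __name__ == "__main__":
    for row in vpc_change_trail(SAMPLE_EVENTS):
        print(f'{row["time"]}  {row["age_days"]:>5}d  {row["user"]:<24} {row["operation"]:<32} {row["resource"]}')
```

Run as a script it prints the two prod-project VPC changes between one and seven days old (the network insert, then the firewall patch) and drops the too-recent subnet delete, the dev-project delete, the instance creation and the two-week-old network delete. The three predicates map one-to-one onto the RQL pieces in the thread: the operation set is the `operation IN (...)` list, the age bounds are the `_DateTime.ageInDays(...)` comparisons, and the label join is what you get by pulling labels per project into a config query rather than expecting them on the event.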


All Replies
OK, so I think we are getting closer. This was helpful, but maybe I can ask this a different way.
If I wanted to get a list of all the alerts that were in a config query like below that have a finding severity of HIGH, is that possible?
config where api.name = 'gcloud-compute-instances-list' and json.rule = status contains RUNNING
