"Show me all Prisma Cloud Monitored Assets with a configuration change"



If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes?  I would have to imagine it starts with an event query based on something similar I pulled up for AWS:


event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')


or maybe RQL: config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'


But what would be the best practice to possibly get a list of a set of assets you want to monitor closely for changes? Maybe leveraging tags?


Hi @ramyfrahman 


You can maybe use a date range like _DateTime.ageInDays(user_creation_time)<7 and _DateTime.ageInDays(user_creation_time) > 1

This is only an idea and I have to do more investigation on that, but event policies should be the right way to do that.


You can also pull in labels per project so you can use that as well.

The example below finds EC2 instances whose launch time is more than 30 days ago.

config where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays($.launchTime) > 30'


Regards,

Torsten

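The following is an added example, not code from the thread or from Prisma Cloud. It reproduces offline what the two posts describe in RQL terms: take the watched operation list from the AWS event query above, keep only events against assets carrying a chosen tag (the "leverage tags / labels" idea), and apply an age window modelled on _DateTime.ageInDays(). The asset and event records, their field names (id, tags, time, operation, resource, user) and the reference time NOW are constructed for the example and are not the Prisma Cloud schema; the same logic applies to an exported audit log.

```python
from datetime import datetime, timezone

# Operations treated as configuration changes (the list from the AWS event
# query in the thread).
WATCHED_OPERATIONS = {
    'AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress',
    'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc',
    'ModifyVpcAttribute', 'RevokeSecurityGroupIngress',
}

# Constructed inventory. Field names are assumptions for this example, not
# the Prisma Cloud asset schema.
ASSETS = [
    {'id': 'vpc-0a1b2c', 'tags': {'monitor': 'high', 'env': 'prod'}},
    {'id': 'vpc-0d3e4f', 'tags': {'monitor': 'low', 'env': 'dev'}},
    {'id': 'sg-0f9e8d', 'tags': {'monitor': 'high', 'env': 'prod'}},
]

# Constructed audit events, shaped like a minimal CloudTrail-style record.
EVENTS = [
    {'time': '2024-03-01T09:15:00+00:00', 'operation': 'ModifyVpcAttribute',
     'resource': 'vpc-0a1b2c', 'user': 'alice'},
    {'time': '2024-03-02T11:00:00+00:00', 'operation': 'DescribeVpcs',
     'resource': 'vpc-0a1b2c', 'user': 'alice'},   # read-only, not a change
    {'time': '2024-03-03T16:40:00+00:00', 'operation': 'AuthorizeSecurityGroupIngress',
     'resource': 'sg-0f9e8d', 'user': 'bob'},
    {'time': '2024-03-04T08:05:00+00:00', 'operation': 'DeleteFlowLogs',
     'resource': 'vpc-0d3e4f', 'user': 'bob'},     # asset not tagged monitor=high
    {'time': '2024-02-10T12:00:00+00:00', 'operation': 'CreateVpc',
     'resource': 'vpc-0a1b2c', 'user': 'carol'},   # older than a 7-day window
]

# Fixed reference time so the example is reproducible (assumption).
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)


def monitored_asset_ids(assets, tag_key, tag_value):
    """IDs of assets whose tag `tag_key` equals `tag_value` (the tag-based scope)."""
    return {a['id'] for a in assets if a.get('tags', {}).get(tag_key) == tag_value}


def age_in_days(timestamp, now):
    """Local counterpart of RQL _DateTime.ageInDays(): whole days from timestamp to now."""
    return (now - datetime.fromisoformat(timestamp)).days


def config_changes(events, assets, tag_key, tag_value, now, max_age_days, min_age_days=0):
    """Audit trail of watched operations against tagged assets whose age lies
    within [min_age_days, max_age_days], oldest first."""
    targets = monitored_asset_ids(assets, tag_key, tag_value)
    hits = []
    for e in events:
        if e['operation'] not in WATCHED_OPERATIONS:
            continue                      # not a configuration change
        if e['resource'] not in targets:
            continue                      # not one of the monitored assets
        if not (min_age_days <= age_in_days(e['time'], now) <= max_age_days):
            continue                      # outside the requested date range
        hits.append(e)
    return sorted(hits, key=lambda e: e['time'])


if __name__ == '__main__':
    for e in config_changes(EVENTS, ASSETS, 'monitor', 'high', NOW, max_age_days=7):
        print(e['time'], e['user'], e['operation'], e['resource'])
```

The operation list is the weak point of this approach: any change operation missing from WATCHED_OPERATIONS is invisible, so treat the set as something to review when the provider adds new mutating APIs, and note that the read-only DescribeVpcs event is dropped only because it is absent from the set, not because the code understands its semantics.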
