11-09-2023 12:30 PM
Working to develop a query in Prisma to check for a certain tag's value being older than 365 days. I can't seem to find any documentation on this. I have this rough draft but it fails and I am not sure why:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = ((tags[?(@.key=='Retain' && '_DateTime.ageInDays(@.value) > 365')] size > 0) or (tags[*].key does not contain Retain))
Looking for any working examples of checking a tag's value or using the date functions. Any recommendations/tips are welcome.
11-09-2023 01:02 PM - edited 11-09-2023 01:02 PM
These two query statements work independently but I cannot combine them into the same query:
json.rule = _DateTime.ageInDays(tags[?(@.key=='Retain')].value) > 365
json.rule = tags[*].key does not contain "Retain"
Need to be able to filter out resources that don't have a tag.key called 'Retain' OR the tag[Retain].value is older than 365 days.
09-09-2024 12:01 PM
Were you ever able to figure this out?
09-15-2024 06:19 PM - edited 09-15-2024 07:06 PM
@awsrqlqueryuser Please refer to the below. Please copy as pasted below and let me know if you have further questions.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = '_DateTime.ageInDays(tags[*].value) > 365 and tags[*].key equals "Retain" or (tags[*].key does not contain "Retain")'
09-23-2024 01:09 PM
This does not work. After running the query and validating results, you can see that it dumps all EBS volumes regardless of the tag key/values specified in the query. The DateTime function does not appear to work when using a passed-in value (in this case the value of a specified tag key) because no evaluation takes place, resulting in all EBS volumes being listed with no filter.
09-23-2024 01:11 PM
No, our Palo Alto enterprise support team told us it was a bug with the DateTime function and we reported it shortly after I submitted this post. Not sure if any feature has been taken up from Palo Alto since then but we went a different route to handle this situation
09-24-2024 02:36 PM
@awsrqlqueryuser The DateTime function requires that there be a timestamp present in the resource config that is of any of the following 3 formats:
Zulu: "2011-08-13T20:17:46.384Z"
GSON/AWS: "Nov 7, 2016 9:34:21 AM"
ISO: "2011-12-04T10:15:30+01:00"
Reference: https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/rql-ope...
So a valid example of a query that is specific to EBS volumes would look something like this:
config from cloud.resource where api.name = 'aws-ec2-describe-volumes' AND json.rule = '_DateTime.ageInDays(createTime) > 365'
09-25-2024 07:38 AM
Format of the time stamp is not problematic in this case; the DateTime function only makes an evaluation on an explicitly passed-in value. In your case 'createTime' is a valid JSON value that Prisma reads from every configuration item it ingests from AWS. In the question, I am looking to complete an evaluation on the array of tags for each configuration item. Once the tag key is found, use the DateTime function to evaluate the value of the tag, but no evaluation takes place. I was told that it was a known gap last year after I submitted this, but we opted to use different tools at the time to meet our needs.
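Added example, not part of any post in this thread and not Palo Alto code: the check the original question describes (no Retain tag, or a Retain value older than 365 days) evaluated outside RQL over `aws ec2 describe-volumes` JSON. It assumes the Retain value uses one of the three timestamp formats listed above and that timestamps without an offset are UTC; the function names and sample volumes are constructed.

```python
from datetime import datetime, timezone

# The three timestamp layouts listed in the thread: Zulu, GSON/AWS, ISO with offset.
FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%b %d, %Y %I:%M:%S %p", "%Y-%m-%dT%H:%M:%S%z")

def parse_timestamp(value):
    """Return an aware UTC datetime, or None if value matches none of FORMATS."""
    for fmt in FORMATS:
        try:
            parsed = datetime.strptime(value.strip(), fmt)
        except (ValueError, AttributeError):  # wrong layout, or value is None
            continue
        if parsed.tzinfo is None:  # assumption: offset-less strings are UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None

def retain_finding(volume, now, max_age_days=365):
    """Return why a volume is reported, or None when its Retain tag is recent."""
    tags = {t.get("Key"): t.get("Value") for t in volume.get("Tags", [])}
    if "Retain" not in tags:
        return "missing Retain tag"
    stamp = parse_timestamp(tags["Retain"])
    if stamp is None:  # report instead of silently skipping the comparison
        return "unparseable Retain value"
    age = (now - stamp).days
    return f"Retain is {age} days old" if age > max_age_days else None

def scan(doc, now):
    """Map VolumeId -> reason for every reportable volume in the document."""
    found = {}
    for vol in doc.get("Volumes", []):
        reason = retain_finding(vol, now)
        if reason:
            found[vol["VolumeId"]] = reason
    return found

# Constructed sample in the shape of `aws ec2 describe-volumes` output (not real data).
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Tags": [{"Key": "Retain", "Value": "2011-08-13T20:17:46.384Z"}]},
    {"VolumeId": "vol-0bbb", "Tags": [{"Key": "Retain", "Value": "2024-09-01T10:15:30+01:00"}]},
    {"VolumeId": "vol-0ccc", "Tags": [{"Key": "Name", "Value": "scratch"}]},
    {"VolumeId": "vol-0ddd", "Tags": [{"Key": "Retain", "Value": "Nov 7, 2016 9:34:21 AM"}]},
    {"VolumeId": "vol-0eee"},  # untagged volumes carry no Tags key at all
    {"VolumeId": "vol-0fff", "Tags": [{"Key": "Retain", "Value": "yes"}]},
]}

if __name__ == "__main__":
    for vid, why in scan(SAMPLE, datetime.now(timezone.utc)).items():
        print(vid, why)
```

A Retain value that cannot be parsed is reported rather than skipped, so a malformed tag cannot hide a volume from the results.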