08-02-2019 08:03 AM - last edited on 09-02-2020 10:17 AM by kwadsack
I found that when I use the filter command in RQL, it requires you to assign two variables in order for the filter command to work appropriately. Even if you don’t use the other assigned variable in the filter command, the API requires the two variables to be assigned. Otherwise, a warning is returned with no output. I believe this could be problematic because of unnecessary calls to AWS or Redlock's API when the variable isn't used. This can also accumulate large unnecessary costs when Redlock is performing these scans numerous times a day to thousands of services. Also, the response “bad request” makes it very difficult to debug what the issue could be in the command. This error is consistent regardless of the RQL mistake, and error-specific responses would help development much more. You can perform this test in the investigate tab. https://app3.redlock.io/investigate
Example:
Command:
config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId exists'; show X;
Returns:
{
  "tags": [],
  "ownerId": "999999999",
  "attachments": [
    {
      "state": "available",
      "vpcId": "vpc-9999999"
    }
  ],
  "internetGatewayId": "igw-99999999"
}
Command:
config where api.name = 'aws-ec2-describe-internet-gateways' as X; filter '$.X.attachments[*].vpcId exists'; show X;
Returns:
Warning: Bad Request
08-02-2019 08:42 AM - edited 08-02-2019 08:48 AM
The RQL you are utilizing is a join, which is specifically used for aggregating 2 API calls, and cross-correlating the information.
If you are only trying to filter results within a single API call, you don't need to use a join. For the RQL it seems you are trying to gather, the proper RQL is below.
config where api.name = 'aws-ec2-describe-internet-gateways' AND json.rule = attachments[*].vpcId exists
You can find the full RQL Guide at the following location, which can also provide some assistance/guidance on RQL moving forward.
https://docs.paloaltonetworks.com/redlock/redlock-rql-reference.html
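A local pre-check for the mistake discussed in this thread, as an added example that is not part of the original posts and not Redlock tooling: it flags a `filter` clause used with fewer than two aliased `config` clauses and, for the `exists` form shown above, produces the single-API `json.rule` query. The function name `check_rql` and the regular expressions are assumptions modelled only on the two queries in the thread, not on the full RQL grammar.

```python
import re

# One aliased clause: config where api.name = '<api>' as <ALIAS>
CLAUSE = re.compile(r"config\s+where\s+api\.name\s*=\s*'([^']+)'\s+as\s+(\w+)", re.I)
# The filter clause body: filter '<expression>'
FILTER = re.compile(r"filter\s+'([^']*)'", re.I)
# Only the form seen in the thread is rewritten: $.<ALIAS>.<json path> exists
EXISTS = re.compile(r"\$\.(\w+)\.(\S+)\s+exists")

# The two queries posted in the question.
JOIN_QUERY = ("config where api.name = 'aws-ec2-describe-internet-gateways' as X; "
              "config where api.name = 'aws-ec2-describe-vpcs' as Y; "
              "filter '$.X.attachments[*].vpcId exists'; show X;")
SINGLE_QUERY = ("config where api.name = 'aws-ec2-describe-internet-gateways' as X; "
                "filter '$.X.attachments[*].vpcId exists'; show X;")


def check_rql(query):
    """Return (ok, suggestion) for an RQL string (hypothetical helper).

    ok is True when the query has no filter clause or aliases at least two
    config clauses, which is the join shape that returned results above.
    Otherwise ok is False and suggestion is a json.rule rewrite, or None
    when the filter is not the simple single-alias 'exists' form.
    """
    clauses = CLAUSE.findall(query)
    flt = FILTER.search(query)
    if flt is None or len(clauses) >= 2:
        return True, None
    if len(clauses) != 1:
        return False, None
    api, alias = clauses[0]
    match = EXISTS.fullmatch(flt.group(1).strip())
    if match is None or match.group(1) != alias:
        return False, None
    return False, f"config where api.name = '{api}' AND json.rule = {match.group(2)} exists"


if __name__ == "__main__":
    for q in (JOIN_QUERY, SINGLE_QUERY):
        print(check_rql(q))
```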