RQL query for resources outside the authorized regions


L2 Linker

Hello Prisma Cloud users,

 

I'm sharing with you some research I did this morning that you may find interesting. We want to detect and prevent when a resource is created in an unauthorized region.

 

config from cloud.resource where cloud.type = 'azure' AND cloud.region NOT IN ( 'Azure France Central' , 'Azure France South' , 'Azure Germany Central' , 'Azure Germany Northeast' , 'Azure Germany North' , 'Azure Germany West Central' )

 

You can specify your cloud types, your cloud regions and you can add all variables you want.

For example, I can use api.name if I want to check a specific type of resource.

api.name = 'azure-kubernetes-cluster' # If I want to test my AKS clusters

 

Have a good journey in the world of RQL queries 😉

 

Prisma Cloud 

JB
2 REPLIES

L4 Transporter

This can be accomplished via targeting specific regions using the alert rule. The filters such as cloud.region and cloud.account are meant to be used in the investigate portion of Prisma, but are not respected if turned into a policy. This is due to how targeting is handled via the alert rule. With this in mind, you can create a query to look at an api, then target regions outside of the ones normally used by the team. You can find more details here - https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/... Create a Custom Policy

None

Is there any way to do this without grouping by api.name? Only filtering by cloud.type and cloud.region. When I try to save the policy, I've got this error: "Insufficient Query for Policy Creation". I need to identify all resources outside the authorized regions, not by one api.name.
