RQL query for tag-based exception

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RQL query for tag-based exception

L0 Member

Hi,

I'm trying to help a customer filter out false-positives in the Prisma Cloud policies. For instance, we have a customised "Internet exposed instances" where they previously have white listed specific IP addresses, which is not very dynamic. Instead, we've created tags on all Azure resources in the format of "allowInternetInbound:yes" and I'm trying to figure out how to add that to the RQL statement. In essence, all resources with that tag should not show up in the alerts. 

 

Current RQL: network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND source.ip NOT IN (xxx.xx.xx.xx) AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )

 

I've been trying to add to the statement: AND source.resource NOT IN ( resource where tag ( ANY ) IN ( 'allowinboundinternet' ) ) 

 

But doesn't seem to work. 

1 REPLY 1

L4 Transporter

Greetings Marcus,

 

I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.

 

Kind Regards,

J. Avery King

J. Avery King | Prisma Cloud | Customer Success Engineer
  • 2132 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!