I'm trying to help a customer filter out false-positives in the Prisma Cloud policies. For instance, we have a customised "Internet exposed instances" where they previously have white listed specific IP addresses, which is not very dynamic. Instead, we've created tags on all Azure resources in the format of "allowInternetInbound:yes" and I'm trying to figure out how to add that to the RQL statement. In essence, all resources with that tag should not show up in the alerts.
Current RQL: network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND source.ip NOT IN (xxx.xx.xx.xx) AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )
I've been trying to add to the statement: AND source.resource NOT IN ( resource where tag ( ANY ) IN ( 'allowinboundinternet' ) )
But doesn't seem to work.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!