About MPestell

Hello team.   I have a named CloudTrail which every account must have.  aws-landing-zone-logs-us-east-1   Some accounts have additional CloudTrails in addition to the above for there own purposes.   I want an alert that tells me if 'any' account does not have a CloudTrail called aws-landing-zone-logs-us-east-1 but IMPORTANTLY ignoring any other CloudTrail they may already have.   The problem is that the below is alerting even though an account has aws-landing-zone-logs-us-east-1 because it is alerting for the additional CloudTrails also on that account.   config where api.name='aws-cloudtrail-describe-trails' AND cloud.type = 'aws' AND json.rule = "(s3BucketName!= aws-landing-zone-logs-us-east-1)"   Your help welcome and can't figure how to do it.    ... View more

Hi everyone.   I want to be able to list any AWS account that is not monitored by Prisma   We have AWS Organizations configured.  However I don't see any RQL to interrogate that to show the accounts in Organizations and compare to  _AWSCloudAccount.isRedLockMonitored   We have a central CLOUDTRAIL which is writing to a central S3 bucket.  The directory/file structure under the S3 also has the account number.  Again I wondered if a way to compare to _AWSCloudAccount.isRedLockMonitored but don't see any RQL that would help.   Any ideas anyone please?? ... View more

Hello all.   New to RQL.  I have the below RQL that identifies DEFAULT VPC's; config where cloud.account IN ( 'AWS_EBU_Networked_Prod_DR_DA_01' ) and api.name = 'aws-ec2-describe-vpcs' AND json.rule = isDefault is true   I have the below RQL that shows all VPC's that do not have FlowLogs enabled; config where cloud.account IN ( 'AWS_EBU_Networked_Prod_DR_DA_01' ) and api.name = 'aws-ec2-describe-vpcs' as X; config where api.name = 'aws-ec2-describe-flow-logs' as Y; filter ' not ($.Y.resourceId equals $.X.vpcId)'; show X;   Is it possible to combine the 2 so I only show VPC's that do not have FlowLogs enabled AND are not the DEFAULT VPC please??  You help most welcome. ... View more

Hi team.   Can someone share the URI for Prisma Cloud API REST documentation please. (Can't find it anywhere) ... View more

Hi everyone. We see occurances where we have RDS Snapshots showing in AWS console.  I see from Cloudwatch/trail that primsa is connecting and issueing the call to  DescribeDBSnapshots. If I then run a very general investigate query of config where cloud.type = 'aws' and api.name='aws-rds-describe-db-snapshots' / download all results.  I see all other accounts but 1 account (the 1 which I know has snapshots) is not showing up?   Any experience on this at all please?   Please note we see other alerts for this account including DescribeInstances information.   All accounts per imported at the same time using the same CloudFoundation.  Yet we see snapshot information for all of those accounts with no issues. ... View more

Hi guys. I am looking at a implementation that has been running for over a year - however little work has been done just yet.  The system has 54000 OPEN alerts.  I want to check which alerts are still valid (ie. do the resource at the end of the alert even exist anymore?)  Is it possible to do that from within REDLOCK/Prism please? ... View more