Hi, I'm trying to help a customer filter out false-positives in the Prisma Cloud policies. For instance, we have a customised "Internet exposed instances" where they previously have white listed specific IP addresses, which is not very dynamic. Instead, we've created tags on all Azure resources in the format of "allowInternetInbound:yes" and I'm trying to figure out how to add that to the RQL statement. In essence, all resources with that tag should not show up in the alerts. Current RQL: network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND source.ip NOT IN (xxx.xx.xx.xx) AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) I've been trying to add to the statement: AND source.resource NOT IN ( resource where tag ( ANY ) IN ( 'allowinboundinternet' ) ) But doesn't seem to work.
... View more