What happens if a RQL query contains two json.rule statements in Prisma Cloud?

Created On 02/08/19 03:21 AM - Last Modified 12/10/19 19:20 PM


Question


What happens if a RQL query contains two json.rule statements?

Environment


Prisma Cloud

Answer


The query will run; however, only the second json.rule statement will be evaluated. For example, the following RQL:

config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = loggingConfiguration does not exist AND json.rule = serverSideEncrypted is false

produces the same result as this query:

config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = serverSideEncrypted is false
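Because the first condition is dropped without an error, a saved policy can look stricter than it is. The following added example (not Palo Alto Networks code) scans RQL strings for more than one json.rule statement and reports which condition is ignored; the function names, policy names and the third sample query are constructed for illustration.

```python
import re

# Quoted literals are blanked out so "json.rule" inside a string value is not counted.
_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")
_JSON_RULE = re.compile(r"\bjson\.rule\s*=", re.IGNORECASE)
_AND_TAIL = re.compile(r"\s+AND\s*$", re.IGNORECASE)


def json_rule_clauses(rql):
    """Return each json.rule clause of an RQL query, in order of appearance."""
    masked = _QUOTED.sub(lambda m: " " * len(m.group()), rql)  # same length, so offsets match
    starts = [m.start() for m in _JSON_RULE.finditer(masked)]
    clauses = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(rql)
        clause = _AND_TAIL.sub("", rql[start:end])  # drop the AND joining the next clause
        clauses.append(" ".join(clause.split()))
    return clauses


def audit(policies):
    """Flag queries with more than one json.rule statement.

    Per the article, with two statements only the second is evaluated; treating
    every statement before the last as ignored for three or more is an assumption.
    """
    findings = {}
    for name, rql in policies.items():
        clauses = json_rule_clauses(rql)
        if len(clauses) > 1:
            findings[name] = {"ignored": clauses[:-1], "evaluated": clauses[-1]}
    return findings


# Constructed sample: policy names are hypothetical; the first two queries are the article's.
SAMPLE_POLICIES = {
    "s3-two-rules": "config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule =  "
                    "loggingConfiguration does not exist AND json.rule =  serverSideEncrypted is false",
    "s3-one-rule": "config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "
                   "serverSideEncrypted is false",
    # Constructed: 'json.rule =' appears only inside a quoted value, so it must not count twice.
    "quoted-text": "config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "
                   "\"bucketName contains 'json.rule = x'\"",
}

if __name__ == "__main__":
    for name, f in audit(SAMPLE_POLICIES).items():
        print(f"{name}: ignored {f['ignored']}; evaluated {f['evaluated']}")
```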


