Prisma Cloud: Why can't we see resource configuration: view details in Policy " AWS CloudTrail is not enabled with multi trail and not capturing all management events"?

Why can't we see resource configuration: view details in Policy " AWS CloudTrail is not enabled with multi trail and not capturing all management events"?

RQL:

config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails' AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X; config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status' AND json.rule = 'status.isLogging equals true' as Y; config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors' AND json.rule = 'eventSelectors[*].readWriteType contains All' as Z; filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1

• Prisma Cloud
• RQL

Notice the count function count(X) at last in RQL, this type of query doesn't return the resource, it returns a pseudo resource, for example, accounts that have these resources.

That's the reason you can't see resource configuration because it doesn't have any configuration. The resource JSON is empty or null for pseudo resources.

Use the count attribute for a tally of the number of resources of a specific type. count is available for use with the api.name attribute as <X, Y or Z>); it is not available with json.rule. When the api.name is a global service (such as, aws-iam-get-account-summary), count includes all resources for that service within the cloud account; if the api.name is a regional service (such as, aws-rds-describe-db-instances), the count includes the only resources tied to the cloud region for the cloud account. For example, you can retrieve a count of all the AWS EC2 images available in your AWS account:

config from cloud.resource where api.name = 'aws-ec2-describe-images' as X; count(X) greater than 0