Prisma Cloud: Not all JSON attributes are displayed in the auto-suggestion feature of the Investigate tab across various Cloud Providers
Created On 10/04/24 08:17 AM - Last Modified 10/07/24 02:25 AM
Symptom
Example
- As per AWS public docs, DestinationDescription - Amazon Data Firehose, there are 11 Destination types available for API 'aws-kinesis-firehose-delivery-stream'
- However, when running the following RQL in the Investigate tab, Prisma Cloud only auto-populates 3 Destination Types:
  - DestinationId
  - ExtendedS3DestinationDescription
  - S3DestinationDescription
RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-kinesis-firehose-delivery-stream' AND json.rule = destinations[*].
Environment
- Prisma Cloud
- All Cloud Providers
Cause
- Some JSON attributes are structured as arrays
- The RQL auto-complete capability of json.rule suggests resource fields, for this and all other APIs in Prisma Cloud, on a best-effort basis and is not exhaustive
- Listing all possible attributes (e.g. Destination Types in the above example) or all possible values of all field keys in the resource JSON is not feasible in the auto-complete functionality
- The functionality is provided for ease of use, allowing the user to select rather than type
Resolution
- When querying via RQL, you can type out the necessary json.rule filter criteria yourself; this is the de facto recommendation whenever the necessary value does not appear in the visual auto-complete selection
Example
- When other Destination Types, such as httpEndpointDestinationDescription, which are described in DestinationDescription - Amazon Data Firehose but not listed by Prisma Cloud, are submitted in the following RQL query, they give the expected results
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-kinesis-firehose-delivery-stream' AND json.rule = destinations[*].httpEndpointDestinationDescription exists
Additional Information
- JSON attributes are case sensitive
  - Example: Use httpEndpointDestinationDescription instead of HttpEndpointDestinationDescription
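When a needed attribute is missing from auto-complete, one way to find the exact path to type is to derive it from a copy of the resource's JSON. The following is an added example, not Palo Alto Networks code: it lists every attribute path in json.rule notation (arrays as `[*]`) and flags a hand-typed path whose only problem is letter case. The sample JSON is constructed, and the key names nested under the destination type are assumptions.

```python
import json

# Constructed sample of a resource's JSON (not real Prisma Cloud output);
# key names below the destination type are illustrative assumptions.
SAMPLE_RESOURCE = json.loads("""
{
  "deliveryStreamName": "example-stream",
  "destinations": [
    {"destinationId": "destinationId-000000000001",
     "httpEndpointDestinationDescription": {
        "endpointConfiguration": {"name": "example",
                                  "url": "https://collector.example.com"},
        "s3BackupMode": "FailedDataOnly"}}
  ]
}
""")


def rql_paths(node, prefix=""):
    """Return every attribute path in json.rule notation, arrays as [*]."""
    paths = set()
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            paths.add(path)
            paths |= rql_paths(value, path)
    elif isinstance(node, list):
        for item in node:
            paths |= rql_paths(item, f"{prefix}[*]")
    return paths


def check_attribute(typed, resource):
    """Classify a hand-typed path: exact match, wrong case, or absent."""
    known = rql_paths(resource)
    if typed in known:
        return ("ok", typed)
    by_lower = {p.lower(): p for p in known}
    if typed.lower() in by_lower:
        return ("case-mismatch", by_lower[typed.lower()])
    return ("not-found", None)


if __name__ == "__main__":
    for path in sorted(rql_paths(SAMPLE_RESOURCE)):
        print(path)
    print(check_attribute(
        "destinations[*].HttpEndpointDestinationDescription", SAMPLE_RESOURCE))
```

A `not-found` result only means the attribute is absent from the JSON that was supplied; other resources of the same API may still carry it.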