Prisma Cloud: "AWS EC2 instance with network path from the internet (0.0.0.0/0)" no alert triggered when it should have
Symptom
Policy name: "AWS EC2 instance with network path from the internet (0.0.0.0/0)". The asset was not updated other than switching from the "running" to the "stopped" state, as shown below, yet no alert was triggered when one was expected.
Environment
- Prisma Cloud
- Network RQL
Cause
It may be the case that the Load Balancer currently has no instances exposed (via the Load Balancer or otherwise) and the system is working as expected.
I’ll elaborate: This portion of the query:
where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match'
means we are looking for policies (NACLs and Security Groups) that have a rule that explicitly allows all IPs.
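The following is an added illustration (not Prisma Cloud code, and not the article's) of what a 'full_match' against 0.0.0.0/0 means: a Security Group or NACL rule only counts if its CIDR covers the whole 0.0.0.0/0 source, so rules for specific ranges never match. The sample rules and the simplified SG/NACL evaluation order are constructed assumptions.

```python
import ipaddress

# Constructed sample rules (not from the article).
# Security Group inbound rules: (protocol, from_port, to_port, source_cidr); SGs are allow-only.
SG_OPEN = [("tcp", 22, 22, "0.0.0.0/0")]                      # explicit allow-all rule
SG_LB_SPECIFIC = [("tcp", 443, 443, "203.0.113.0/24"),        # only specific ranges
                  ("tcp", 443, 443, "198.51.100.0/24")]
# NACL inbound rules: (rule_number, action, source_cidr); lowest rule number wins, '*' is deny.
NACL_ALLOW_ALL = [(100, "allow", "0.0.0.0/0")]
NACL_DENY_FIRST = [(50, "deny", "0.0.0.0/0"), (100, "allow", "0.0.0.0/0")]


def full_match(rule_cidr, source="0.0.0.0/0"):
    """True only if the rule's CIDR covers the entire source network (the 'full_match' criterion)."""
    return ipaddress.ip_network(source).subnet_of(ipaddress.ip_network(rule_cidr))


def sg_action(rules, source="0.0.0.0/0"):
    """A Security Group is an allow-list: the source is allowed only if some rule fully matches it."""
    return "Allow" if any(full_match(cidr, source) for _, _, _, cidr in rules) else "Deny"


def nacl_action(rules, source="0.0.0.0/0"):
    """A NACL is ordered: the first rule (by number) whose CIDR fully matches the source decides."""
    for _, action, cidr in sorted(rules):
        if full_match(cidr, source):
            return "Allow" if action == "allow" else "Deny"
    return "Deny"  # implicit '*' rule at the end of every NACL


def effective_action(sg_rules, nacl_rules, source="0.0.0.0/0"):
    """Traffic reaches the instance only if both the NACL and the Security Group allow it;
    the per-policy verdicts show which policy is denying, as the investigate page does."""
    nacl, sg = nacl_action(nacl_rules, source), sg_action(sg_rules, source)
    return {"nacl": nacl, "sg": sg, "effective": "Allow" if nacl == sg == "Allow" else "Deny"}


if __name__ == "__main__":
    # An LB Security Group with only specific ranges does not match 0.0.0.0/0, so no alert.
    print(effective_action(SG_LB_SPECIFIC, NACL_ALLOW_ALL))   # effective: Deny (sg denies)
    print(effective_action(SG_OPEN, NACL_ALLOW_ALL))          # effective: Allow -> exposed
    print(effective_action(SG_OPEN, NACL_DENY_FIRST))         # effective: Deny (nacl denies)
```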
Resolution
That is, the Security Group or NACL must have an allow rule for 0.0.0.0/0. It may be the case that no Load Balancer Security Group had such an inbound rule: they only allowed specific ranges and therefore do not match the above criteria. If you have an instance that you think should be reported as exposed, you can use the following RQL to check which policy is denying the traffic. Run it on the Investigate page and look at the paths that are reported (change the instance ID accordingly):
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and dest.instance.id = 'i-abcdfeg123456' and effective.action = 'Deny'
Additional Information
View our documentation here on network RQL.