Prisma Cloud: RQL queries to extract private IP addresses from various services in AWS and Azure.

Created On 08/02/23 23:42 PM - Last Modified 04/01/25 16:16 PM


Objective


Use the RQL queries in this document to retrieve private IP addresses (and, for some services, private address ranges) from various services in AWS and Azure. Run them from Investigate; the addcolumn clause surfaces the address field as its own column so the results can be exported.

Environment


  • Prisma Cloud
  • Amazon Web Services
  • Azure


Procedure


Amazon Web Services:

Amazon EFS:
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'Amazon EFS' AND api.name = 'aws-describe-mount-targets' AND json.rule = mountTargetDescriptionWithSecurityGroups[*].mountTargetDescription.ipAddress exists addcolumn mountTargetDescriptionWithSecurityGroups[*].mountTargetDescription.ipAddress

Amazon EC2:
/* Returns the primary private IPv4 address only. Secondary addresses and additional ENIs are under networkInterfaces[*].privateIpAddresses[*].privateIpAddress in the same API response. */
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'Amazon EC2' AND api.name = 'aws-ec2-describe-instances' AND json.rule = privateIpAddress exists addcolumn privateIpAddress

Amazon EKS:
/* Returns the cluster's Kubernetes service CIDR, not node or pod addresses. Node private IPs come from the EC2 query above. */
config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'Amazon EKS' AND api.name = 'aws-eks-describe-cluster' AND json.rule = kubernetesNetworkConfig.serviceIpv4Cidr exists addcolumn kubernetesNetworkConfig.serviceIpv4Cidr

Amazon ECS:
/* Only works for EC2-backed (instance-based) ECS: the query joins registered container instances to their EC2 hosts, so it returns the host's private IP. Fargate tasks have no container instance and are not returned. */
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecs-container-instance' AND json.rule = ec2InstanceId exists as X; config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = privateIpAddress exists as Y; filter ' $.X.ec2InstanceId == $.Y.instanceId'; show Y; addcolumn privateIpAddress

Azure:

Azure Compute:
config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Compute' AND api.name = 'azure-vm-list' AND json.rule = ['properties.networkProfile'].networkInterfaces[*].privateIpAddress exists addcolumn ['properties.networkProfile'].networkInterfaces[*].privateIpAddress

Azure App Service:
/* inboundIpAddress is the app's public inbound address unless the app runs in an internal-load-balancer App Service Environment. Check that the returned value is actually private before treating it as one. */
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.inboundIpAddress exists addcolumn properties.inboundIpAddress

Azure Container Instances:
/* ipAddress.ip is private only for container groups deployed into a virtual network (properties.ipAddress.type is Private); otherwise it is the group's public address. */
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.ipAddress.ip exists addcolumn properties.ipAddress.ip

Azure VPN:
/* Returns the point-to-site client address pool prefixes configured on the gateway, not the addresses of individual connected clients. */
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-p2s-vpn-gateway' AND json.rule = properties.p2SConnectionConfigurations[*].properties.vpnClientAddressPool.addressPrefixes exists addcolumn properties.p2SConnectionConfigurations[*].properties.vpnClientAddressPool.addressPrefixes
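The queries above produce three different shapes of value (a single address, a list of addresses from a [*] path, or a CIDR prefix), and two of them can return public addresses. The following script, added here as an example and not part of this article or of Prisma Cloud, post-processes an export of the Investigate results: it flattens each row's addcolumn value, parses hosts and prefixes, keeps only private ranges, and separately reports rows where a "private IP" query actually returned a public address. The sample rows are constructed, and the row layout (service, resource, value) is an assumption about how the export is shaped rather than something the article specifies.

```python
"""Post-process exported Prisma Cloud RQL results and keep only private addresses.

Added example, not code from the knowledge base article or from Prisma Cloud.
Assumption: the export has been loaded into one dict per result row with the
addcolumn value under "value" (scalar, list, or None when the path was absent).
"""
import ipaddress
from collections import Counter
from typing import Iterable, Optional, Tuple, Union

IPObject = Union[ipaddress.IPv4Address, ipaddress.IPv6Address,
                 ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample export: column names mirror the addcolumn expressions above.
SAMPLE_ROWS = [
    {"service": "Amazon EFS", "resource": "fs-0123", "value": ["10.0.1.25", "10.0.2.40"]},
    {"service": "Amazon EC2", "resource": "i-0abc", "value": "172.31.5.7"},
    {"service": "Amazon EKS", "resource": "prod-cluster", "value": "10.100.0.0/16"},
    {"service": "Azure Compute", "resource": "vm-web01", "value": ["10.20.0.4"]},
    {"service": "Azure App Service", "resource": "webapp-01", "value": "20.50.60.70"},
    {"service": "Azure Container Instances", "resource": "cg-batch", "value": "10.30.0.9"},
    {"service": "Azure VPN", "resource": "p2s-gw", "value": ["192.168.10.0/24", "fd00:1::/64"]},
    {"service": "Amazon EC2", "resource": "i-0def", "value": None},
]


def flatten(value) -> list:
    """A [*] path yields a list (possibly nested), a scalar path a string, a missing path None."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        out = []
        for item in value:
            out.extend(flatten(item))
        return out
    return [str(value).strip()]


def classify(token: str) -> Optional[Tuple[str, IPObject]]:
    """Return ("host", address) or ("cidr", network); None if the token is not an address."""
    try:
        if "/" in token:
            return "cidr", ipaddress.ip_network(token, strict=False)
        return "host", ipaddress.ip_address(token)
    except ValueError:
        return None


def private_addresses(rows: Iterable[dict]) -> list:
    """Keep only private hosts/prefixes (RFC 1918, IPv6 ULA, link-local, loopback all count)."""
    kept = []
    for row in rows:
        for token in flatten(row.get("value")):
            parsed = classify(token)
            if parsed is None:
                continue
            kind, obj = parsed
            if not obj.is_private:
                continue
            kept.append({"service": row["service"], "resource": row["resource"],
                         "kind": kind, "address": str(obj)})
    return kept


def public_leaks(rows: Iterable[dict]) -> list:
    """Rows where a 'private IP' query returned a public address; these need a second look."""
    leaks = []
    for row in rows:
        for token in flatten(row.get("value")):
            parsed = classify(token)
            if parsed is not None and not parsed[1].is_private:
                leaks.append({"service": row["service"], "resource": row["resource"],
                              "address": token})
    return leaks


def count_by_service(kept: Iterable[dict]) -> dict:
    """Number of private hosts/prefixes retained per cloud service."""
    return dict(Counter(entry["service"] for entry in kept))


if __name__ == "__main__":
    private = private_addresses(SAMPLE_ROWS)
    for entry in private:
        print(f'{entry["service"]:28} {entry["resource"]:14} {entry["kind"]:4} {entry["address"]}')
    print("per service:", count_by_service(private))
    for leak in public_leaks(SAMPLE_ROWS):
        print(f'WARNING public address from {leak["service"]} {leak["resource"]}: {leak["address"]}')
```

The is_private check is deliberately broad (it accepts loopback and link-local as well as RFC 1918 and ULA space); tighten it to a list of your own VPC/VNet prefixes if you want to catch addresses that are private but not yours.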

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XfwFCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail