Prisma Cloud RQL: How to get alerted if one's secret client ID for Azure is about to expire.

Created On 11/09/22 22:01 PM - Last Modified 06/10/25 00:12 AM


Objective


The objective is to get alerted ahead of time when an Azure secret client ID is going to expire within two weeks.
 


Environment


  • Prisma Cloud
  • Azure


Procedure


The first thing you will need to do is attach the following RQL to a Config based Policy by navigating to Prisma Cloud -> Governance -> Add Policy -> Config.

config from cloud.resource where api.name = 'azure-active-directory-app-registration' AND json.rule = 'passwordCredentials[?any( endDateTime exists )] exists and _DateTime.ageInDays(passwordCredentials[*].endDateTime) > -14 and _DateTime.ageInDays(passwordCredentials[*].endDateTime) < 0'


Once you have created the policy, you then need to attach it to an Alert Rule by navigating to Prisma Cloud -> Alerts -> View Alert Rules -> Add Alert Rule before you can be alerted on it.
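
The window selected by the two _DateTime.ageInDays conditions in the RQL above, reproduced as an added Python example (not Palo Alto Networks code) over a constructed app-registration record. It assumes ageInDays is negative while endDateTime is still in the future, as the query's bounds imply, and it evaluates each credential separately; the record, key IDs and function names are hypothetical.

```python
from datetime import datetime, timezone

WINDOW_DAYS = 14  # same two-week window as "> -14" in the RQL


def age_in_days(end_date_time, now):
    """Days elapsed since the timestamp; negative while it lies in the future
    (assumed to match the sign convention the RQL relies on)."""
    end = datetime.fromisoformat(end_date_time.replace("Z", "+00:00"))
    return (now - end).total_seconds() / 86400


def expiring_credentials(app, now):
    """Return keyIds of password credentials that expire inside the window."""
    hits = []
    for cred in app.get("passwordCredentials", []):
        end = cred.get("endDateTime")
        if end is None:  # mirrors "endDateTime exists"
            continue
        # mirrors "ageInDays > -14 and ageInDays < 0"
        if -WINDOW_DAYS < age_in_days(end, now) < 0:
            hits.append(cred["keyId"])
    return hits


# Constructed sample data, evaluated at a fixed "now" so the result is stable.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)
SAMPLE_APP = {
    "displayName": "example-app",
    "passwordCredentials": [
        {"keyId": "soon", "endDateTime": "2025-06-15T00:00:00Z"},     # 5 days left
        {"keyId": "later", "endDateTime": "2025-09-01T00:00:00Z"},    # beyond window
        {"keyId": "expired", "endDateTime": "2025-06-01T00:00:00Z"},  # age is positive
        {"keyId": "edge", "endDateTime": "2025-06-24T00:00:00Z"},     # age is exactly -14
        {"keyId": "no-end"},                                          # no endDateTime
    ],
}

if __name__ == "__main__":
    print(expiring_credentials(SAMPLE_APP, NOW))
```

Under that assumption, a secret that has already expired has a positive age and falls outside the window, so the query reports upcoming expiry only.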



Additional Information


Creating a config based policy.
Creating an alert rule


