Prisma Cloud: One of the main reasons why one's RQL is not working as expected.

Created On 09/18/22 16:52 PM - Last Modified 03/07/24 21:12 PM


Symptom


If one's RQL is not working as expected even though everything looks correct (the syntax is valid, the attributes referenced in the rule are present in the resource JSON, and the query should work), the cause is most likely an error in the logic or in the order of operations.

For example, consider the RQL below as declared:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = state.code equals 16 and publicIpAddress exists or publicDnsName is empty
As you can see, it looks as though I want to have ONLY results for state = (16 || running) AND where either publicIpAddress exists OR publicDnsName is empty.

However, if I look at the results below for the above RQL and analyze the JSON config of any returned resource, I will notice that I also see results for state.code = (80 || stopped).

GUI Path: Investigate Page (screenshot of the query results)
GUI Path: Investigate Page > View Resource Config </> (screenshot of the instance JSON)

Now you might ask yourself, why is this? I am definitely specifying that I only want results for running instances ...


Environment


  • Prisma Cloud
  • RQL


Cause


This is because of the order in which the conditions of a json.rule are evaluated: "and" binds more tightly than "or". Even though you have it defined as:
json.rule = state.code equals 16 and publicIpAddress exists or publicDnsName is empty
it is actually evaluated as:
json.rule = (state.code equals 16 and publicIpAddress exists) or publicDnsName is empty
So if the instance is stopped OR publicIpAddress does not exist, the first group is false, and the instance is still returned whenever publicDnsName is empty. That is why stopped (offline) instances with an empty publicDnsName show up in the results.


Resolution


To fix this and have only running instances shown, all you need to do is correct the order of operations by wrapping the appropriate conditions in parentheses.
For example:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = state.code equals 16 and (publicIpAddress exists or publicDnsName is empty) addcolumn state.name
Notice that the publicIpAddress and publicDnsName conditions are now wrapped in parentheses, so the "or" is evaluated first and the result is then combined with the state.code condition using "and". Also notice that I have added < addcolumn state.name > at the very end of the RQL. This lets me cleanly display that all results are currently running instances. addcolumn is executed after everything else in the RQL and only changes how the results are displayed in the UI; it does not affect which resources match.
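The following is an added example, not code from the article or from Prisma Cloud. It models the precedence described above ("and" before "or") as plain Python boolean expressions and runs both the original and the parenthesized json.rule over a few constructed EC2 instance records, whose field names (state.code, state.name, publicIpAddress, publicDnsName) mirror the attributes used in the RQL.

```python
# Added example: how "A and B or C" differs from "A and (B or C)" for the
# conditions in the article. This is a model of the precedence, not Prisma
# Cloud's own RQL evaluator; the instance records below are constructed.

def running(inst):              # state.code equals 16
    return inst.get("state", {}).get("code") == 16

def public_ip_exists(inst):     # publicIpAddress exists
    return "publicIpAddress" in inst

def public_dns_empty(inst):     # publicDnsName is empty
    return inst.get("publicDnsName", "") == ""

def rule_as_written(inst):
    # "state.code equals 16 and publicIpAddress exists or publicDnsName is empty"
    # is evaluated as "(A and B) or C"
    return (running(inst) and public_ip_exists(inst)) or public_dns_empty(inst)

def rule_with_parentheses(inst):
    # "state.code equals 16 and (publicIpAddress exists or publicDnsName is empty)"
    return running(inst) and (public_ip_exists(inst) or public_dns_empty(inst))

# Constructed sample data; 203.0.113.0/24 is a documentation address range.
INSTANCES = [
    {"instanceId": "i-running-public", "state": {"code": 16, "name": "running"},
     "publicIpAddress": "203.0.113.10",
     "publicDnsName": "ec2-203-0-113-10.example"},
    {"instanceId": "i-running-nodns", "state": {"code": 16, "name": "running"},
     "publicDnsName": ""},
    {"instanceId": "i-stopped-nodns", "state": {"code": 80, "name": "stopped"},
     "publicDnsName": ""},
]

def matches(rule):
    """Return (instanceId, state.name) for every instance the rule reports;
    state.name plays the role of the addcolumn in the fixed RQL."""
    return [(i["instanceId"], i["state"]["name"]) for i in INSTANCES if rule(i)]

if __name__ == "__main__":
    # The stopped instance appears only under the rule as written.
    print("as written   :", matches(rule_as_written))
    print("parenthesized:", matches(rule_with_parentheses))
```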

GUI Path: Investigate Page (screenshot of the results with the added state.name column)


Additional Information


These concepts apply in pretty much any environment that operates on conditions, including basic algebra, Python, C++, etc.
