JSON Preview Helps Build Custom Policies in RQL Faster Than Ever

Jul 07, 2021
4 minutes
... views

As more and more companies expand their cloud footprints, it gradually becomes harder to maintain visibility and compliance across their whole environments. Coupled with the fact that cloud service providers are constantly adding new services and updating existing ones, scaling one’s cloud security strategy becomes a massive challenge. This is originally why Prisma Cloud developed Resource Query Language (RQL).

 

What is RQL?

RQL is a proprietary language designed with the goal of allowing anyone—including those without any particular programming experience—to quickly and easily build custom policies that act as guardrails for your cloud environment. Behind every compliance standard is a set of policies, and behind every policy is an RQL query: it acts as the underlying engine that drives Prisma Cloud’s misconfiguration detection capabilities.

For those familiar with databases, RQL is similar to Structured Query Language, or SQL, a set of conditions that match on a particular combination of data within your cloud environment (the “data” here referring to your cloud resources’ configuration data). All configuration data ingested by Prisma Cloud is in JSON format, allowing for a simple and standardized way for RQL to match data on. By matching on the particular configurations you want to monitor, you can ensure that your resources will be continuously monitored by Prisma Cloud for security violations.

 

Introducing JSON Preview

Starting with our 21.6.2 release, Prisma Cloud users will be able to create custom policies and begin investigating incidents even more quickly using our fast and intuitive JSON Preview. While we already offer a robust, context-aware auto-suggestion mechanism to guide users through creating an RQL query today, it became challenging to remember which parts of a resource’s JSON were relevant, especially when there are so many APIs and services across multiple cloud service providers. This new feature makes the query building process dramatically easier by simply showing you a preview of the entire JSON schema as you craft your query.

To get started, login to Prisma Cloud and navigate to the Investigate page. Turn on the JSON Preview toggle and begin creating a Config RQL query. When you get to the JSON rule, you will see a preview depending on the API that you’ve chosen:

The preview will show up in lieu of the classic autosuggestions when the toggle is enabled and the RQL query needs a JSON path as its next input.
The preview will show up in lieu of the classic autosuggestions when the toggle is enabled and the RQL query needs a JSON path as its next input.

You can explore the JSON schema visually by scrolling through the preview. All attributes are sorted alphabetically. You can also minimize, maximize any sections by clicking on the chevron icons. Hover over any attribute of the preview to see what the corresponding JSON path will look like:

Hovering over an attribute will show a preview of the JSON path that will be appended to the RQL query.
Hovering over an attribute will show a preview of the JSON path that will be appended to the RQL query.

If you’re looking for a specific attribute, you can use the search bar in the JSON Preview to filter by matches only, including attributes that may be nested within other ones:

Use the search bar to locate attributes quickly and easily.
Use the search bar to locate attributes quickly and easily.

Once you’ve found the path that you want, click on the attribute to automatically append the correct path to your RQL query:

Once the path is selected, you can continue to build your RQL query using the classic autosuggestions.
Once the path is selected, you can continue to build your RQL query using the classic autosuggestions.

And just like that, you have built your first RQL query without ever having to look through an example resource configuration file.

The feature also works for chaining together multiple JSON paths:

In general, the JSON Preview will automatically display whenever a JSON path is needed next in the RQL query.
In general, the JSON Preview will automatically display whenever a JSON path is needed next in the RQL query.

Lastly, JSON Preview works for complex Join queries referencing multiple APIs, and the correct API will automatically be chosen for the preview:

The JSON Preview is context-aware and works for multi-API join queries.
The JSON Preview is context-aware and works for multi-API join queries.

The Future of RQL

The JSON Preview is the first of many steps in improving the query building experience. For example, support for more complex nested array rules, functions, and descriptions of what each attribute means in context are all planned enhancements for the RQL building experience. Our ultimate goal is to enable all users—no matter their technical backgrounds—to be able to create the necessary policy guardrails to maintain their security posture and investigate critical incidents happening in their cloud environments.

Want to try Prisma Cloud? Request a trial today to start securing your cloud environments.


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.