Guidelines for creating cloud security rules - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-16
Category
Administrator Guide

Follow these guidelines when writing the XQL query for a cloud security configuration rule. A query that does not meet all of them is not accepted as a valid rule query.

XQL queries are supported for cloud security configuration rules only. XQL queries are not yet supported for other types of cloud security rules.

  1. Use the asset_inventory dataset in config rules. No other datasets are supported.

  2. Build the query conditions from the asset's configuration JSON, which is stored in the xdm.asset.raw_fields field, using json_extract_scalar with a JSON path into that document. Example:

    json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.metadataOptions.httpEndpoint")

  3. The asset type being evaluated must be set explicitly in a filter stage (xdm.asset.type.id = "..."). Example:

    dataset = asset_inventory
    | filter xdm.asset.provider = "aws" and xdm.asset.type.id = "LAMBDA_FUNCTION"
    | alter authType = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.AuthType")
    | fields xdm.asset.id as asset_id, xdm.asset.type.class as class_name, xdm.asset.type.id as asset_type_id

  4. The query output must contain asset_id (identifying the asset) and asset_type_id (identifying the asset type). In the example under item 3, the fields stage aliases xdm.asset.id and xdm.asset.type.id to these two names.

  5. The query output may contain at most 10 fields, including asset_id and asset_type_id.

  6. The fields stage must be the last stage of the query pipeline; no stage may follow it. In the example under item 3, fields closes the query.
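The six guidelines above are easy to check by hand once, but tedious to re-check every time a rule query is edited. The following Python script is an added example, not Cortex Cloud's own validator: it applies the guidelines as static checks to a query string before it is pasted into a rule. The two sample queries are constructed for illustration (the second deliberately breaks several guidelines, and the column name xdm.asset.description in it is made up for that purpose); the splitting of the pipeline on top-level `|` and `,` is a small heuristic, not a full XQL parser.

```python
"""Pre-flight linter for the XQL query of a Cortex Cloud configuration rule.

Added example, not Cortex Cloud's own code. It checks a query string against
the six guidelines for configuration-rule queries. Parsing is a heuristic:
the pipeline is split on top-level '|' (and a fields list on top-level ','),
skipping separators that sit inside quoted string literals.
"""
import re

REQUIRED_DATASET = "asset_inventory"              # guideline 1
RAW_FIELDS = "xdm.asset.raw_fields"               # guideline 2
REQUIRED_OUTPUT = ("asset_id", "asset_type_id")   # guideline 4
MAX_FIELDS = 10                                   # guideline 5


def split_top_level(text: str, sep: str) -> list[str]:
    """Split on `sep`, ignoring occurrences inside double- or single-quoted strings."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:                      # inside a string literal
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
            buf.append(ch)
        elif ch == sep:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def output_columns(fields_stage: str) -> list[str]:
    """Column names a `fields` stage emits: the alias after `as`, else the bare name."""
    body = fields_stage[len("fields"):].strip()
    cols = []
    for term in split_top_level(body, ","):
        m = re.fullmatch(r"(.+?)\s+as\s+(\w+)", term, re.I | re.S)
        cols.append(m.group(2) if m else term)
    return cols


def lint_rule_query(query: str) -> list[str]:
    """Return the guideline violations found; an empty list means the query passes."""
    problems = []
    stages = split_top_level(" ".join(query.split()), "|")
    if not stages:
        return ["empty query"]

    # 1. the dataset must be asset_inventory
    m = re.fullmatch(r"dataset\s*=\s*(\w+)", stages[0], re.I)
    if not m:
        problems.append("first stage must be 'dataset = asset_inventory'")
    elif m.group(1) != REQUIRED_DATASET:
        problems.append(f"unsupported dataset {m.group(1)!r}; only {REQUIRED_DATASET} is allowed")

    # 2. configuration JSON must be read from xdm.asset.raw_fields
    for col in re.findall(r"json_extract_scalar\s*\(\s*([\w.]+)", query):
        if col != RAW_FIELDS:
            problems.append(f"json_extract_scalar reads {col!r}; configuration JSON lives in {RAW_FIELDS}")

    # 3. a filter stage must pin the evaluated asset type explicitly
    filter_stages = [s for s in stages if s.lower().startswith("filter ")]
    if not any(re.search(r'xdm\.asset\.type\.id\s*=\s*"[^"]+"', s) for s in filter_stages):
        problems.append("no filter stage sets xdm.asset.type.id to an explicit asset type")

    # 6. exactly one fields stage, and it must be the final stage
    field_idx = [i for i, s in enumerate(stages) if s.lower().startswith("fields ")]
    if not field_idx:
        problems.append("missing fields stage")
        return problems
    if len(field_idx) > 1 or field_idx[-1] != len(stages) - 1:
        problems.append("fields stage must be the single, final stage of the pipeline")

    # 4 + 5. required output names and the field-count cap
    cols = output_columns(stages[field_idx[-1]])
    for name in REQUIRED_OUTPUT:
        if name not in cols:
            problems.append(f"output is missing required column {name!r}")
    if len(cols) > MAX_FIELDS:
        problems.append(f"output has {len(cols)} fields; at most {MAX_FIELDS} are allowed")
    return problems


# Constructed sample inputs: the IMDSv2 query from this page, and a query that
# breaks guidelines 1, 2, 3, 4 and 6 (xdm.asset.description is a made-up column).
GOOD_QUERY = """
dataset = asset_inventory
| filter xdm.asset.provider = "aws" and xdm.asset.type.id = "EC2_INSTANCE"
| alter state = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.state.name")
| alter httpEndpoint = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.metadataOptions.httpEndpoint")
| alter httpTokens = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.metadataOptions.httpTokens")
| filter state contains "running" and httpEndpoint = "enabled" and httpTokens not contains "required"
| fields xdm.asset.id as asset_id, xdm.asset.type.id as asset_type_id
"""

BAD_QUERY = """
dataset = xdr_data
| filter xdm.asset.provider = "aws"
| alter tokens = json_extract_scalar(xdm.asset.description, "$.metadataOptions.httpTokens")
| fields xdm.asset.id as asset_id, xdm.asset.type.id
| limit 100
"""

if __name__ == "__main__":
    for name, q in (("good", GOOD_QUERY), ("bad", BAD_QUERY)):
        print(name, lint_rule_query(q) or "OK")
```

Run it as a script to see the first query pass and the second report five violations. Because the parser is heuristic, treat a clean result as a pre-check, not as a guarantee that the rule will save.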

Examples: XQL queries for Cloud Security rules
Example 118. XQL query for AWS EC2 in which IMDSv2 is not configured

This rule flags running EC2 instances whose instance metadata endpoint is enabled but whose httpTokens setting is not "required", meaning the instance still answers token-less IMDSv1 requests instead of enforcing IMDSv2. Instances that are not running, or that have the metadata endpoint disabled, are not flagged.

dataset = asset_inventory
| filter xdm.asset.provider = "aws" and xdm.asset.type.id = "EC2_INSTANCE"
| alter state = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.state.name")
| alter httpEndpoint = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.metadataOptions.httpEndpoint")
| alter httpTokens = json_extract_scalar(xdm.asset.raw_fields, "$.Platform Discovery.metadataOptions.httpTokens")
| filter state contains "running" and httpEndpoint = "enabled" and httpTokens not contains "required"
| fields xdm.asset.id as asset_id, xdm.asset.type.id as asset_type_id