daorte · September 11, 2019 20:49
diff --git a/Cloudtrail.txt b/Cloudtrail.txt
 ********************************
 Amazon Athena Table
 ********************************

 CREATE EXTERNAL TABLE cloudtrail_logs (
 eventversion STRING,
 useridentity STRUCT<
               type:STRING,
               principalid:STRING,
               arn:STRING,
               accountid:STRING,
               invokedby:STRING,
               accesskeyid:STRING,
               userName:STRING,
 sessioncontext:STRUCT<
 attributes:STRUCT<
               mfaauthenticated:STRING,
               creationdate:STRING>,
 sessionissuer:STRUCT<  
               type:STRING,
               principalId:STRING,
               arn:STRING, 
               accountId:STRING,
               userName:STRING>>>,
 eventtime STRING,
 eventsource STRING,
 eventname STRING,
 awsregion STRING,
 sourceipaddress STRING,
 useragent STRING,
 errorcode STRING,
 errormessage STRING,
 requestparameters STRING,
 responseelements STRING,
 additionaleventdata STRING,
 requestid STRING,
 eventid STRING,
 resources ARRAY<STRUCT<
               ARN:STRING,
               accountId:STRING,
               type:STRING>>,
 eventtype STRING,
 apiversion STRING,
 readonly STRING,
 recipientaccountid STRING,
 serviceeventdetails STRING,
 sharedeventid STRING,
 vpcendpointid STRING
 )
 ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
 STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
 OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
 LOCATION 's3://CloudTrail_bucket_name/AWSLogs/Account_ID/';

 ********************************
 Query
 ********************************

 SELECT *
 FROM cloudtrail_logs
 WHERE 
    eventsource = 's3.amazonaws.com' AND 
    eventname in ('GetObject') AND 
    useridentity.accountid LIKE '%ANONYMOUS%' AND 
    useridentity.arn IS NULL AND
    requestparameters LIKE '%[your bucket name ]%';
	********************************
	Amazon Athena Table
	********************************

	CREATE EXTERNAL TABLE cloudtrail_logs (
	eventversion STRING,
	useridentity STRUCT<
	type:STRING,
	principalid:STRING,
	arn:STRING,
	accountid:STRING,
	invokedby:STRING,
	accesskeyid:STRING,
	userName:STRING,
	sessioncontext:STRUCT<
	attributes:STRUCT<
	mfaauthenticated:STRING,
	creationdate:STRING>,
	sessionissuer:STRUCT<
	type:STRING,
	principalId:STRING,
	arn:STRING,
	accountId:STRING,
	userName:STRING>>>,
	eventtime STRING,
	eventsource STRING,
	eventname STRING,
	awsregion STRING,
	sourceipaddress STRING,
	useragent STRING,
	errorcode STRING,
	errormessage STRING,
	requestparameters STRING,
	responseelements STRING,
	additionaleventdata STRING,
	requestid STRING,
	eventid STRING,
	resources ARRAY<STRUCT<
	ARN:STRING,
	accountId:STRING,
	type:STRING>>,
	eventtype STRING,
	apiversion STRING,
	readonly STRING,
	recipientaccountid STRING,
	serviceeventdetails STRING,
	sharedeventid STRING,
	vpcendpointid STRING
	)
	ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
	STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
	OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
	LOCATION 's3://CloudTrail_bucket_name/AWSLogs/Account_ID/';

	********************************
	Query
	********************************

	SELECT *
	FROM cloudtrail_logs
	WHERE
	eventsource = 's3.amazonaws.com' AND
	eventname in ('GetObject') AND
	useridentity.accountid LIKE '%ANONYMOUS%' AND
	useridentity.arn IS NULL AND
	requestparameters LIKE '%[your bucket name ]%';