Scratch pad ideas for CloudTrail queries using AWS CloudWatch Logs Insights
```
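# CloudWatch Logs Insights queries for a CloudTrail log group.
# Each blank-line-separated stanza is an independent query; run one at a time.
# Field paths (userIdentity.*, requestParameters.*, sourceIPAddress, errorCode, ...)
# are the CloudTrail record fields as flattened by Logs Insights.

# Console logins per IAM principal and source address.
# To separate failed from successful logins, add responseElements.ConsoleLogin
# (Success/Failure) and additionalEventData.MFAUsed to the grouping.
filter eventName = "ConsoleLogin"
| stats count(*) as eventCount by userIdentity.userName, sourceIPAddress
| sort eventCount desc

# Activity by named principals, excluding one known source address
# (123.123.123.123 is a placeholder; substitute the address to exclude).
# An exact comparison replaces the earlier =~ /^(?i)123.123.123.123/ form:
# an unescaped "." matches any character and the missing "$" also matched
# longer addresses such as 123.123.123.1230. sourceIPAddress is not always
# an IP address (service-originated calls carry a service name there), so
# an exclusion on this field only narrows, never proves, where a call came from.
filter sourceIPAddress != "123.123.123.123" and userIdentity.userName =~ /^\w/
| stats count(*) as eventCount by eventName, userIdentity.userName, sourceIPAddress
| sort eventCount desc

# Failed API calls by service, error code and message.
# The regex keeps only rows where errorCode is set; ispresent(errorCode)
# is the built-in alternative if empty-string values are not a concern.
filter errorCode =~ /^\w/
| stats count(*) as eventCount by eventSource, errorCode, errorMessage
| sort eventCount desc

# Unfiltered variant of the above: rows with no errorCode (presumably the
# successful calls) land in their own bucket, which gives a rough
# success-to-failure ratio per service.
stats count(*) as eventCount by eventSource, errorCode, errorMessage
| sort eventCount desc

# Failed API calls by service and error code only (no message), for a
# shorter summary table.
fields eventSource, errorCode
| filter errorCode =~ /^\w/
| stats count(*) as eventCount by eventSource, errorCode
| sort eventCount desc

# Failed API calls by service, error code and message, with the fields
# selected explicitly.
fields eventSource, errorCode, errorMessage
| filter errorCode =~ /^\w/
| stats count(*) as eventCount by eventSource, errorCode, errorMessage
| sort eventCount desc

# IAM-user-targeting calls (requestParameters.userName set) made from
# assumed roles, with the service or principal that invoked the role.
# userIdentity.type is compared exactly; the previous =~ /^(?i)AssumedRole/
# prefix match was equivalent but less explicit.
fields eventName, userIdentity.invokedBy, requestParameters.userName
| filter userIdentity.type = "AssumedRole" and requestParameters.userName =~ /^\w/
| stats count(*) as eventCount by requestParameters.userName, eventName, userIdentity.invokedBy
| sort eventCount desc
| limit 2000

# Most frequent API calls per service; a baseline of normal activity that
# rare or new eventName/eventSource pairs can be compared against.
fields eventName, eventSource
| stats count(*) as eventCount by eventName, eventSource
| sort eventCount desc
| limit 200

# Failed API calls made from assumed roles.
fields eventSource, errorCode, errorMessage
| filter userIdentity.type = "AssumedRole"
| stats count(*) as eventCount by eventSource, errorCode, errorMessage
| sort eventCount desc

# Which invoker (userIdentity.invokedBy) made which calls through assumed
# roles; rows without invokedBy are dropped by the regex.
fields eventName, userIdentity.invokedBy
| filter userIdentity.type = "AssumedRole" and userIdentity.invokedBy =~ /^\w/
| stats count(*) as eventCount by eventName, userIdentity.invokedBy
| sort eventCount desc
| limit 2000

# Calls that name an IAM user in their parameters, grouped with the role
# (sessionIssuer.userName) whose session made the call.
fields eventName, userIdentity.sessionContext.sessionIssuer.userName
| filter requestParameters.userName =~ /^\w/
| stats count(*) as eventCount by requestParameters.userName, eventName, userIdentity.sessionContext.sessionIssuer.userName
| sort eventCount desc

# Same as above with routine noise removed: two read-only key listings and
# any role whose name starts with "lambda" (prefix match, case-insensitive).
# These exclusions are a triage convenience; they also hide any misuse of
# the excluded calls or roles, so revisit them when investigating an incident.
fields eventName, userIdentity.sessionContext.sessionIssuer.userName
| filter requestParameters.userName =~ /^\w/
    and eventName != "ListSSHPublicKeys"
    and eventName != "ListAccessKeys"
    and not userIdentity.sessionContext.sessionIssuer.userName =~ /^(?i)lambda/
| stats count(*) as eventCount by requestParameters.userName, eventName, userIdentity.sessionContext.sessionIssuer.userName
| sort eventCount desc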
```