Sample AWS Event RQL Queries

note

The following guide walks you through sample AWS event RQL queries, all of which run against the cloud.audit_logs event source (CloudTrail audit logs).

Alert on sensitive user activities from non-automation users

event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy',
'AttachUserPolicy', 'AttachRolePolicy', 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair',
'DeleteLogGroup' ) AND json.rule = $.userIdentity.arn does not contain 'AWSCloudFormation'
and $.userIdentity.arn does not contain 'ocp_installer' and $.userIdentity.arn does not contain 'automation_user'

Alert when someone deletes a key

event from cloud.audit_logs where cloud.type = 'aws' AND operation IN ( 'DeleteAccessKey' )

Failed AWS API calls

event from cloud.audit_logs where json.rule = $.errorCode exists ADDCOLUMN $.errorCode
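The three queries above, expressed as plain detection logic over raw CloudTrail records so you can check what each one matches before deploying it. This is an added example, not Prisma Cloud code; it assumes that RQL `operation` maps to CloudTrail's `eventName`, that `$.userIdentity.arn` and `$.errorCode` are the same-named CloudTrail fields, and that `does not contain` is a case-sensitive substring test. The sample records are constructed.

```python
# Constructed sample CloudTrail records, trimmed to the fields the queries use.
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "CreateAccessKey",  # excluded: automation principal
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/automation_user/s1"}},
    {"eventName": "DeleteAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventName": "DescribeInstances",  # failed call: errorCode present
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "DeleteLogGroup",  # excluded: CloudFormation principal
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/AWSCloudFormation-exec"}},
]

# Operation list from the first query (RQL `operation` assumed == CloudTrail eventName).
SENSITIVE_OPERATIONS = {
    "AddUserToGroup", "AttachGroupPolicy", "AttachUserPolicy", "AttachRolePolicy",
    "CreateAccessKey", "CreateKeyPair", "DeleteKeyPair", "DeleteLogGroup",
}
# Substrings the first query excludes from $.userIdentity.arn.
AUTOMATION_MARKERS = ("AWSCloudFormation", "ocp_installer", "automation_user")


def _arn(event):
    return event.get("userIdentity", {}).get("arn", "")


def sensitive_non_automation(events):
    """Query 1: sensitive IAM/EC2/Logs operations by principals that are not automation."""
    return [
        e for e in events
        if e.get("eventName") in SENSITIVE_OPERATIONS
        and not any(marker in _arn(e) for marker in AUTOMATION_MARKERS)
    ]


def key_deletions(events):
    """Query 2: any DeleteAccessKey call (the cloud.type = 'aws' filter is implicit here)."""
    return [e for e in events if e.get("eventName") == "DeleteAccessKey"]


def failed_calls(events):
    """Query 3: events where $.errorCode exists; returns (eventName, errorCode) like ADDCOLUMN."""
    return [(e.get("eventName"), e["errorCode"]) for e in events if "errorCode" in e]


if __name__ == "__main__":
    for name, hits in (("sensitive", sensitive_non_automation(SAMPLE_EVENTS)),
                       ("key deletions", key_deletions(SAMPLE_EVENTS)),
                       ("failed", failed_calls(SAMPLE_EVENTS))):
        print(name, hits)
```

Run it against a real CloudTrail export (one JSON record per list entry) to compare its hits with what the RQL returns in the console and catch principals your automation exclusions miss.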