The following guide will walk you through AWS Event RQL Query Examples, based on audit logs
event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy',
'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair',
'DeleteLogGroup' ) AND json.rule = $.userIdentity.arn does not contain 'AWSCloudFormation'
and $.userIdentity.arn does not contain 'ocp_installer' and $.userIdentity.arn does not contain 'automation_user'
event from cloud.audit_logs where cloud.type = 'aws' AND operation IN ( 'DeleteAccessKey' )
event from cloud.audit_logs where json.rule = $.errorCode exists ADDCOLUMN $.errorCode