
# Sample AWS Event RQL Queries

> **Note:** This guide walks through example AWS Event RQL queries built on audit logs (`cloud.audit_logs`).

## Alert on sensitive user activities from non-automation users

```
event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy',
'AttachUserPolicy', 'AttachRolePolicy', 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair',
'DeleteLogGroup' ) AND json.rule = $.userIdentity.arn does not contain 'AWSCloudFormation'
and $.userIdentity.arn does not contain 'ocp_installer' and $.userIdentity.arn does not contain 'automation_user'
```

## Alert when someone deletes a key

```
event from cloud.audit_logs where cloud.type = 'aws' AND operation IN ( 'DeleteAccessKey' )
```

## Failed AWS API calls

```
event from cloud.audit_logs where json.rule = $.errorCode exists ADDCOLUMN $.errorCode
```
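To check what the three queries above would actually match, here they are re-expressed as plain Python filters over CloudTrail-style JSON records. This is an added example, not code from the original page or from Prisma Cloud; the sample records are constructed, the `cloud.type = 'aws'` filter of the second query is not modelled (every sample record is AWS), and the handling of a record with no `userIdentity.arn` is an assumption about this script, not a statement of how RQL evaluates a missing path.

```python
# Added example: the page's three RQL queries as Python filters over
# CloudTrail-style records. Not Prisma Cloud code.

SENSITIVE_OPERATIONS = {
    "AddUserToGroup", "AttachGroupPolicy", "AttachUserPolicy", "AttachRolePolicy",
    "CreateAccessKey", "CreateKeyPair", "DeleteKeyPair", "DeleteLogGroup",
}
# Substrings of $.userIdentity.arn that the first query treats as automation.
AUTOMATION_MARKERS = ("AWSCloudFormation", "ocp_installer", "automation_user")

# Constructed sample records (not real logs). RQL's `operation` maps to
# CloudTrail eventName; $.userIdentity.arn and $.errorCode are used as-is.
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AWSCloudFormation-deploy/s1"}},
    {"eventName": "DeleteAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "CreateKeyPair", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/automation_user"}},
    # Service-initiated event: no arn at all (edge case for the first query).
    {"eventName": "DeleteLogGroup",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
]


def _arn(event):
    # Assumption for this script: a missing arn is treated as "", so none of the
    # automation markers match and the event is NOT excluded. Verify how RQL
    # evaluates `does not contain` on a missing path before relying on that.
    return event.get("userIdentity", {}).get("arn", "")


def sensitive_non_automation(events):
    """Query 1: sensitive operations whose caller ARN carries no automation marker."""
    return [e["eventName"] for e in events
            if e.get("eventName") in SENSITIVE_OPERATIONS
            and not any(m in _arn(e) for m in AUTOMATION_MARKERS)]


def key_deletions(events):
    """Query 2: every DeleteAccessKey call, reported by caller ARN."""
    return [_arn(e) for e in events if e.get("eventName") == "DeleteAccessKey"]


def failed_calls(events):
    """Query 3: calls carrying an errorCode, returned with that code (the ADDCOLUMN)."""
    return [(e["eventName"], e["errorCode"]) for e in events if "errorCode" in e]
```

Running the three functions over `SAMPLE_EVENTS` shows that the CloudFormation and `automation_user` callers drop out of the first query while the ARN-less service event stays in, which is exactly the case to confirm against the real RQL engine before trusting the exclusion list.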
Last updated on by csestito