Created
August 4, 2023 10:29
-
-
Save huevos-y-bacon/7a994c029d1dac6718f754357b52d12b to your computer and use it in GitHub Desktop.
CloudWatch Log Insights Query - CloudTrail
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CloudTrail events: By Service / Role / principalId / etc | |
| fields | |
| eventTime | |
| ,eventName | |
| ,eventSource | |
| ,errorCode | |
| ,errorMessage | |
| ,userIdentity.principalId as principalId | |
| ,userIdentity.sessionContext.sessionIssuer.userName as SESSIONUSERID | |
| ,@message | |
| # | filter SESSIONUSERID like /(?i)elev/ | |
| # | filter SESSIONUSERID not like /Dome9/ | |
| # | filter SESSIONUSERID not like /CloudHealth/ | |
| # | filter SESSIONUSERID not like /(?i)func/ | |
| # | filter eventSource not like /config/ | |
| # | filter eventSource not like /tagging/ | |
| # | filter eventSource not like /sts/ | |
| # | filter eventSource not like /lambda/ | |
| # | filter eventSource not like /glue/ | |
| # | filter requestParameters.logGroupName not like /(?i)lambda/ | |
| # | filter Role like /developer/ | |
| # | filter principalId not like /(?i)func/ | |
| # | filter @message like /(?i)firehose/ | |
| # | filter @message like /(?i)waf/ | |
| # | filter @message like /(?i)newrelic/ | |
| | filter errorCode like /^[a-zA-Z0-9].*$/ | |
| | filter awsRegion not like /us-east-1/ | |
| | sort eventTime desc | |
| | limit 200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment