strongDM audit shell script snippets from webinar

strongDM-audit-snippets.sh

# List Infrastructure Changes
## Start with activities
## Drill in to point-in-time snapshots

sdm audit activities --from "2020-01-01" --to "2020-03-01" -e -j | jq 'select(.activity | (contains("updated")) or contains("created") or contains("deleted"))'
sdm audit activities --from "2020-01-01" --to "2020-03-01" -e -j | jq 'select(.activity == "datasource deleted")'
sdm audit datasources --at 2020-02-24T18:41:00Z|grep ES3
sdm audit datasources --at 2020-02-24T18:42:00Z|grep ES3

# List Of Production Users
## Identify resources
## Show user list

sdm admin datasources list --filter 'tag:env=production'
sdm audit permissions -j | jq 'select(.datasourceName | contains("Pricing DB"))'

# Admin Listings with Roles and Permissions
## Show user list of strongDM Admins
## Show user list for high-privilege RBAC

sdm audit users -j | jq 'select(.strongRole == "admin")'
sdm audit permissions -j | jq 'select(.datasourceName | contains("Pricing DB")) | .roleName' | sort -u
sdm audit users -j | jq 'select(.roleName != null) | select(.roleName | contains("Finance") or contains("Analytics"))'

# Recent Extract for Databases
## Pull applicable CRUD activities
## Pull sample query log

sdm audit activities -j -e | jq 'select(any(.objects[].id; . == "rs-00000000000009d9"))'
sdm audit queries --from 2021-01-19 -j -e | jq 'select(.datasourceName | contains("Pricing DB"))'