Esonhugh revised this gist
Apr 2, 2024 . 1 changed file with 0 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -59,7 +59,6 @@ condition = ".eventName == \"GetCallerIdentity\"" # condition = ".eventName == \"DescribeInstances\" and .sourceIPAddress == \"1.12.13.14\"" # condition = '.sourceIPAddress == "1.12.13.14" and .errorCode == "AccessDenied" or .errorCode == "UnauthorizedOperation" ' output_format = [ ".eventTime", -
Esonhugh renamed this gist
Apr 2, 2024 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. -
Esonhugh created this gist
Apr 2, 2024 .There are no files selected for viewing
@@ -0,0 +1,83 @@ import os SOURCE_FILE="merged_cloudtrail_logs.json" ''' Sample Event { "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "107513503799", "arn": "arn:aws:iam::107513503799:root", "accountId": "107513503799", "accessKeyId": "ASIARSCCN4A3W2FLR6FE", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-08-26T18:45:20Z", "mfaAuthenticated": "false" } }, "invokedBy": "health.amazonaws.com" }, "eventTime": "2023-08-26T20:52:05Z", "eventSource": "health.amazonaws.com", "eventName": "DescribeEventAggregates", "awsRegion": "us-east-1", "sourceIPAddress": "health.amazonaws.com", "userAgent": "AWS Internal", "requestParameters": { "filter": { "startTimes": [ { "from": "Aug 19, 2023, 8:52:05 PM" } ], "eventStatusCodes": [ "open", "upcoming" ] }, "aggregateField": "eventTypeCategory" }, "responseElements": null, "requestID": "4ad97058-6edd-40a6-b5f9-cb7fd0cd44e1", "eventID": "f6dad1c1-c787-476c-a200-d74fde8a5a8e", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "107513503799", "eventCategory": "Management", "sessionCredentialFromConsole": "true" }, ''' condition = ".eventName == \"GetCallerIdentity\"" # condition = ".eventName == \"DescribeInstances\" and .sourceIPAddress == \"1.12.13.14\"" # condition = '.sourceIPAddress == "1.12.13.14" and .errorCode == "AccessDenied" or .errorCode == "UnauthorizedOperation" ' // # condition = "" output_format = [ ".eventTime", ".userIdentity.arn", ".sourceIPAddress", ".eventName", ".requestID", ] jq_command_template = '''cat {sourcefile} | jq -cr '.[] | select( {condition} ) | [{output_format}] | @csv ' | sort ''' cmd = jq_command_template.format( sourcefile=SOURCE_FILE, condition=condition, output_format=", ".join(output_format), ) # print("command: ", cmd) print("output: ") print(", ".join(output_format)) print(os.popen(cmd).read())
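Review bot: The command built from `jq_command_template` is executed through the shell by `os.popen(cmd)`, and its exit status is discarded, so a jq syntax error in `condition`, a missing `merged_cloudtrail_logs.json`, or a malformed log file prints nothing and the script still exits 0 — a hunt that silently returns an empty result is worse than one that fails loudly. Because `{condition}` is interpolated inside the single-quoted jq program, any condition value containing a single quote (or `|`, `;`) would also escape the jq program and be interpreted by the shell; the values here are hard-coded, but the pattern breaks the moment a condition is taken from an argument or config. I would run jq directly without a shell, check its exit status, and do the sort in Python, with `subprocess` imported next to `os` at the top of the file. The sample event in the module docstring embeds an account ID and an access key ID; consider redacting those with placeholder values before publishing.
```python
# … unchanged: SOURCE_FILE, condition and output_format definitions …
jq_program_template = ".[] | select( {condition} ) | [{output_format}] | @csv"

jq_program = jq_program_template.format(
    condition=condition,
    output_format=", ".join(output_format),
)
# No shell: jq receives the program and the file path as separate argv entries,
# and check=True raises CalledProcessError (with jq's stderr) on any failure.
result = subprocess.run(
    ["jq", "-cr", jq_program, SOURCE_FILE],
    capture_output=True,
    text=True,
    check=True,
)
print("output: ")
print(", ".join(output_format))
print("\n".join(sorted(result.stdout.splitlines())))
```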