https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559892#M1056 <P>We have a specific S3 bucket that we'd like to watch for events and alert on them.&nbsp; I've used this query:</P> <P>&nbsp;</P> <P>event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy', 'AttachGroupPolicy', 'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair', 'DeleteLogGroup' )</P> <P>&nbsp;</P> <P>but need to modify it to only query if events happen on a specific S3 bucket (not on all buckets).&nbsp; Anyone know how I can add to this RQL query to only query against the specific S3 bucket?</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 28 Sep 2023 16:18:30 GMT RDunsirn23 2023-09-28T16:18:30Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559892#M1056 <P>We have a specific S3 bucket that we'd like to watch for events and alert on them.&nbsp; I've used this query:</P> <P>&nbsp;</P> <P>event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy', 'AttachGroupPolicy', 'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair', 'DeleteLogGroup' )</P> <P>&nbsp;</P> <P>but need to modify it to only query if events happen on a specific S3 bucket (not on all buckets).&nbsp; Anyone know how I can add to this RQL query to only query against the specific S3 bucket?</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 28 Sep 2023 16:18:30 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559892#M1056 RDunsirn23 2023-09-28T16:18:30Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559919#M1057 <P>Hello&nbsp;<SPAN>RDunsirn23,&nbsp;</SPAN></P> <P><SPAN>Can you check if the below RQL query works for your use case<BR /><BR /></SPAN></P> <P><SPAN>event from cloud.audit_logs where cloud.service = 's3.amazonaws.com' AND json.rule = $.requestParameters.bucketName = "&lt;bucket_name&gt;"<BR /><BR />Here, replace the bucket name with the S3 bucket name and this should generate an alert anytime any event is performed on the bucket. You can filter this further such that alerts are generated only for specific events by using operation IN ( '&lt;API name&gt;')&nbsp;<BR />Refer <A href="https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/config-query" target="_self">Event Query attributes</A> doc to learn about the different attributes for event query.</SPAN></P> Thu, 28 Sep 2023 18:43:41 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559919#M1057 srnair 2023-09-28T18:43:41Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559922#M1058 <P>Thank you!&nbsp; I will try this out.</P> Thu, 28 Sep 2023 19:00:42 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-to-search-for-suspicious-activity-on-specific-s3/m-p/559922#M1058 RDunsirn23 2023-09-28T19:00:42Z