https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/280483#M185 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118903">@APaul</a>&nbsp;</P><P>&nbsp;</P><P>Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword" :</P><P><A href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html#cloudtrail-event-reference-user-identity-fields" target="_blank">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html#cloudtrail-event-reference-user-identity-fields</A></P><P>&nbsp;</P><P>All types though do not differentiate consoel vs. API operation, just where did it come from, i.e. other account, AD, IAM, assumed role etc.</P><P>&nbsp;</P><P>I think using JSON rule for eventtype might be more beneficial. More info on AWS page, look for eventType:</P><P><A href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html" target="_blank">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html</A></P><P><STRONG>AwsApiCall</STRONG> – An API was called.</P><P>AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.</P><P><STRONG>AwsConsoleSignin</STRONG> – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.</P><P>&nbsp;</P><P>So consider doing:</P><PRE>event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall"</PRE><P>In addition, you can add a filter to include specific email addresses with MATCHES or excluding specific known users from the output.</P><P>&nbsp;</P><P>Did that help?</P><P>&nbsp;</P> Thu, 01 Aug 2019 08:47:34 GMT SRohatyn 2019-08-01T08:47:34Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/280462#M184 <P>I need to write a query to check for events of a snapshot taken using programmatic access :</P><P>&nbsp;</P><PRE>event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.userIdentity.type = "Consolepassword"</PRE><P>Till now I have tried to do this, and I am pretty sure "<STRONG>json.rule = $.userIdentity.type = "Consolepassword</STRONG>" is 100% incorrect.</P><P>&nbsp;</P><P>I need help on the second part to check if the user is using programmatic access or console access to take a snapshot.</P> Wed, 02 Sep 2020 17:17:58 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/280462#M184 APaul 2020-09-02T17:17:58Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/280483#M185 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118903">@APaul</a>&nbsp;</P><P>&nbsp;</P><P>Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword" :</P><P><A href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html#cloudtrail-event-reference-user-identity-fields" target="_blank">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html#cloudtrail-event-reference-user-identity-fields</A></P><P>&nbsp;</P><P>All types though do not differentiate consoel vs. API operation, just where did it come from, i.e. other account, AD, IAM, assumed role etc.</P><P>&nbsp;</P><P>I think using JSON rule for eventtype might be more beneficial. More info on AWS page, look for eventType:</P><P><A href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html" target="_blank">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html</A></P><P><STRONG>AwsApiCall</STRONG> – An API was called.</P><P>AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.</P><P><STRONG>AwsConsoleSignin</STRONG> – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.</P><P>&nbsp;</P><P>So consider doing:</P><PRE>event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall"</PRE><P>In addition, you can add a filter to include specific email addresses with MATCHES or excluding specific known users from the output.</P><P>&nbsp;</P><P>Did that help?</P><P>&nbsp;</P> Thu, 01 Aug 2019 08:47:34 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/280483#M185 SRohatyn 2019-08-01T08:47:34Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/281053#M186 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/117130">@SRohatyn</a>&nbsp;,</P><P>&nbsp;</P><P>Thanks a lot for your valuable inputs and related reference links. I am able to get the result with little modification.</P><PRE>event where cloud.type = 'aws' AND operation = 'CreateSnapshot' AND json.rule != (( $.userAgent = 'signin.amazonaws.com' ) OR ($.userAgent = 'console.amazonaws.com' ))</PRE><P>This is giving me the desired results. A big thanks for your help.</P> Mon, 05 Aug 2019 07:34:29 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/281053#M186 APaul 2019-08-05T07:34:29Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/281054#M187 <P>You're very welcome. Thanks for the update with what works for you.</P> Mon, 05 Aug 2019 07:37:17 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/check-for-snapshot-taken-using-programmatic-access/m-p/281054#M187 SRohatyn 2019-08-05T07:37:17Z