topic Re: Redlock Query to get unauthorized operation details in Prisma Cloud Discussions

Redlock Query to get unauthorized operation details

APaul — Wed, 02 Sep 2020 17:20:06 GMT

I am trying to write a custom query to get the unauthorized access details or Access denied details captured and after a certain number of attempts is there it will alert.

I am referring to the mentioned article : ( Example: Authorization Failures )

I need to capture this in cloudtrail logs:

{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

I used this Custom Redlock Query:

event where cloud.type = 'aws' AND json.rule = (( $.errorCode = "*UnauthorizedOperation") )

However, I am not getting the desired result.

Re: Redlock Query to get unauthorized operation details

ebeuerlein — Fri, 13 Sep 2019 14:45:40 GMT

I think this should work for you:

event where cloud.type = 'aws' AND json.rule = errorCode contains UnauthorizedOperation or errorCode contains AccessDenied

Re: Redlock Query to get unauthorized operation details

APaul — Mon, 16 Sep 2019 05:57:14 GMT

It seems :

event where cloud.type = 'aws' AND json.rule = errorCode

"errorCode" option I am not getting in my RQL Builder . Hence not able to execute the query.

Further help is really appreciated.

Re: Redlock Query to get unauthorized operation details

ebeuerlein — Mon, 16 Sep 2019 16:15:14 GMT

Are you looking generically for errorCode? Otherwise, specifying a specific operation would help the auto help to determine what you are looking for. Also, you will need to specify a operator for errorCode such as contains/does not contain, etc.

Thanks,

Eddie