Redlock Query to get unauthorized operation details

Reply
L0 Member

Redlock Query to get unauthorized operation details

I am trying to write a custom query to get the unauthorized access details or Access denied details captured and after a certain number of attempts is there it will alert.

 

I am referring to the mentioned article : ( Example: Authorization Failures )

I need to capture this in cloudtrail logs:

{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

I used this Custom Redlock Query:

event where cloud.type = 'aws' AND json.rule = (( $.errorCode = "*UnauthorizedOperation") )

However, I am not getting the desired result.

 

L2 Linker

Re: Redlock Query to get unauthorized operation details

I think this should work for you:

 

event where cloud.type = 'aws' AND json.rule = errorCode contains UnauthorizedOperation or errorCode contains AccessDenied
L0 Member

Re: Redlock Query to get unauthorized operation details

It seems :

event where cloud.type = 'aws' AND json.rule = errorCode

 

"errorCode" option I am not getting in my RQL Builder . Hence not able to execute the query.

 

Further help is really appreciated.

L2 Linker

Re: Redlock Query to get unauthorized operation details

Are you looking generically for errorCode?   Otherwise, specifying a specific operation would help the auto help to determine what you are looking for.  Also, you will need to specify a operator for errorCode such as contains/does not contain, etc.

 

Thanks,

Eddie

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!