09-08-2020 07:42 PM
If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes? I would have to imagine it starts with an event query based on something similar I pulled up for AWS:
event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
or maybe RQL: config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group'
But what would be the best practice for getting a list of a set of assets you want to monitor closely for changes? Maybe leveraging tags?
09-18-2020 12:51 AM
Hi @ramyfrahman
You can maybe use a date range like _DateTime.ageInDays(user_creation_time)<7 and _DateTime.ageInDays(user_creation_time) > 1
This is only an idea and I have to do more investigation on that, but event policies should be the right way to do that.
You can also pull in labels per project so you can use that as well.
The example below finds EC2 instances whose launch time is more than 30 days ago.
config where api.name = 'aws-ec2-describe-instances' AND json.rule = '_DateTime.ageInDays($.launchTime) > 30'
Regards,
Torsten
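The approach discussed above (an event query for the change operations, a date range applied alongside it, and labels used to narrow the set of assets), worked through as an added example that is not code from this thread or from Prisma Cloud. Assumptions, labelled in the code: the `event from cloud.audit_logs where ...` query form and the `timeRange` object shape of the search API, the GCP audit-log method names used as `operation` values, and the sample project rows and events, which are constructed rather than captured. The script builds the query, then applies the same watch-list, operation and date-range filter offline to the constructed events to show what the resulting audit trail looks like.

```python
from datetime import datetime, timedelta, timezone

# GCP Cloud Audit Log method names that roughly mirror the AWS operations in the
# original post. Assumption: Prisma Cloud exposes these as `operation` for GCP events.
WATCHED_OPERATIONS = (
    "v1.compute.networks.insert",
    "v1.compute.networks.delete",
    "v1.compute.networks.patch",
    "v1.compute.subnetworks.insert",
    "v1.compute.subnetworks.delete",
    "v1.compute.firewalls.insert",
    "v1.compute.firewalls.patch",
    "v1.compute.firewalls.delete",
)

# Constructed reference time so the example is deterministic.
NOW = datetime(2020, 9, 18, 0, 0, tzinfo=timezone.utc)

# Constructed rows, standing in for the output of a config query over projects
# with their labels ("pull in labels per project" in the reply above).
PROJECT_ROWS = [
    {"project": "acme-prod", "labels": {"monitor": "high", "env": "prod"}},
    {"project": "acme-dev", "labels": {"monitor": "low", "env": "dev"}},
]

# Constructed events, standing in for event-query results. Field names are an
# assumption; real results carry more fields than shown here.
EVENTS = [
    {"time": "2020-09-16T10:00:00+00:00", "project": "acme-prod",
     "operation": "v1.compute.firewalls.insert", "user": "alice@acme.example"},
    {"time": "2020-09-17T08:30:00+00:00", "project": "acme-prod",
     "operation": "v1.compute.networks.patch", "user": "bob@acme.example"},
    {"time": "2020-09-17T09:00:00+00:00", "project": "acme-dev",
     "operation": "v1.compute.networks.delete", "user": "carol@acme.example"},
    {"time": "2020-09-05T12:00:00+00:00", "project": "acme-prod",
     "operation": "v1.compute.networks.insert", "user": "alice@acme.example"},
    {"time": "2020-09-17T11:00:00+00:00", "project": "acme-prod",
     "operation": "v1.compute.instances.insert", "user": "dave@acme.example"},
]


def build_event_rql(cloud_type, operations):
    """Build the RQL event query for the watched change operations.
    Assumption: the `event from cloud.audit_logs where ...` form."""
    ops = ", ".join(f"'{op}'" for op in sorted(operations))
    return (f"event from cloud.audit_logs where cloud.type = '{cloud_type}' "
            f"AND operation IN ({ops})")


def relative_time_range(days):
    """The date range is not part of the RQL string; it is sent next to the query.
    Assumption: this is the shape of the search API's timeRange object."""
    return {"type": "relative", "value": {"unit": "day", "amount": days}}


def select_watched_projects(project_rows, label_key, label_value):
    """Turn config-query rows into the set of projects whose label matches."""
    return {row["project"] for row in project_rows
            if row.get("labels", {}).get(label_key) == label_value}


def audit_trail(events, watched_projects, operations, since, until):
    """Keep events on watched projects, for watched operations, inside [since, until)."""
    ops = set(operations)
    trail = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])  # offset-aware timestamp
        if ev["project"] not in watched_projects or ev["operation"] not in ops:
            continue
        if not (since <= ts < until):
            continue
        trail.append(ev)
    return sorted(trail, key=lambda e: e["time"])


def run_example(days=7):
    """Select high-monitoring projects by label and return their change trail."""
    watched = select_watched_projects(PROJECT_ROWS, "monitor", "high")
    return audit_trail(EVENTS, watched, WATCHED_OPERATIONS,
                       NOW - timedelta(days=days), NOW)


if __name__ == "__main__":
    print(build_event_rql("gcp", WATCHED_OPERATIONS))
    print(relative_time_range(7))
    for ev in run_example():
        print(ev["time"], ev["project"], ev["operation"], ev["user"])
```

The label-based selection runs on config-query output rather than inside the event query, because the event query filters on the operation and the date range while the set of assets to watch comes from the labels; intersecting the two locally is what gives the audit trail for just the high-monitoring projects.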
09-22-2020 03:38 PM
OK, so I think we are getting closer. This was helpful, but maybe I can ask this a different way.
If I wanted to get a list of all the alerts that were in a config query like below that have a finding severity of HIGH, is that possible?
config where api.name = 'gcloud-compute-instances-list' and json.rule = status contains RUNNING
08-16-2022 01:29 PM
Greetings Ramyfrahman,
I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.
Kind Regards,
J. Avery King