RQL Query to search for suspicious activity on specific S3 Bucket

L0 Member

We have a specific S3 bucket that we'd like to watch for events and alert on them.  I've used this query:


event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy', 'AttachUserPolicy', 'AttachRolePolicy', 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair', 'DeleteLogGroup' )


but need to modify it to only query if events happen on a specific S3 bucket (not on all buckets).  Anyone know how I can add to this RQL query to only query against the specific S3 bucket?


Thanks!

2 REPLIES

L0 Member

Hello RDunsirn23, 

Can you check if the below RQL query works for your use case

event from cloud.audit_logs where cloud.service = 's3.amazonaws.com' AND json.rule = $.requestParameters.bucketName = "<bucket_name>"

Here, replace <bucket_name> with your S3 bucket name, and this should generate an alert any time an event is performed on the bucket. You can filter this further so that alerts are generated only for specific events by using operation IN ( '<API name>' ).
Refer to the Event Query attributes doc to learn about the different attributes for event queries.
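To make the two-stage filter in the reply concrete, here is an added example that is not from this thread, from Prisma Cloud, or from AWS. It applies the same logic the RQL expresses (restrict to the S3 service, match requestParameters.bucketName, then optionally restrict to an allow-list of operations) directly to CloudTrail records, which is the data behind cloud.audit_logs. The field names (eventSource, eventName, requestParameters.bucketName) are CloudTrail's; the log lines, bucket names and the WATCHED_OPERATIONS set are constructed for the example, and the helper function names are assumptions of this example only.

```python
import json

# Constructed sample CloudTrail records, one JSON document per line. Only the
# fields the filter needs are included; real records carry many more.
SAMPLE_LOG_LINES = """
{"eventTime": "2024-01-10T12:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "example-finance-reports"}}
{"eventTime": "2024-01-10T12:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "example-public-site"}}
{"eventTime": "2024-01-10T12:00:09Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "requestParameters": {"bucketName": "example-finance-reports", "key": "q4.xlsx"}}
{"eventTime": "2024-01-10T12:00:12Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "requestParameters": null}
{"eventTime": "2024-01-10T12:00:20Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime": "2024-01-10T12:00:31Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "requestParameters": {"bucketName": "example-finance-reports"}}
""".strip()

# Constructed bucket name; substitute the bucket you want to watch.
WATCHED_BUCKET = "example-finance-reports"

# Bucket-configuration changes worth alerting on. This mirrors the reply's
# "operation IN (...)" refinement; the set itself is an example, not a recommendation.
WATCHED_OPERATIONS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
    "PutBucketPublicAccessBlock", "DeleteBucket",
}


def parse_events(text):
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def bucket_of(event):
    """Return requestParameters.bucketName, or None when absent.

    requestParameters is null for calls such as ListBuckets, so guard before
    indexing instead of assuming a dict is always present.
    """
    params = event.get("requestParameters") or {}
    return params.get("bucketName")


def matches(event, bucket, operations=None):
    """True when the record is an S3 event on `bucket` (and, if given, in `operations`).

    Stage 1 corresponds to  cloud.service = 's3.amazonaws.com'
    Stage 2 corresponds to  json.rule = $.requestParameters.bucketName = "<bucket_name>"
    Stage 3 corresponds to  operation IN ( ... )   (only applied when operations is given)
    """
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if bucket_of(event) != bucket:
        return False
    if operations is not None and event.get("eventName") not in operations:
        return False
    return True


def find_alerts(events, bucket, operations=None):
    """Return the records that would raise an alert, in log order."""
    return [e for e in events if matches(e, bucket, operations)]


def summarize(event):
    return f'{event["eventTime"]} {event["eventName"]} on {bucket_of(event)}'


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG_LINES)
    print("Any S3 event on the bucket (service + bucket filter):")
    for e in find_alerts(events, WATCHED_BUCKET):
        print("  ", summarize(e))
    print("Only the watched operations (adds the operation allow-list):")
    for e in find_alerts(events, WATCHED_BUCKET, WATCHED_OPERATIONS):
        print("  ", summarize(e))
```

Two things the sample data is chosen to show: the ListBuckets record has no requestParameters at all, so a bucket filter has to tolerate a missing field rather than assume it; and the GetObject record is an S3 data event, which CloudTrail only records when data events are enabled for the trail, so object-level activity will not appear in cloud.audit_logs unless that logging is turned on, no matter how the RQL is written.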

L0 Member

Thank you!  I will try this out.
