[aws-data-model-acceleration]
definition = summariesonly=f

[aws-accountid-to-name]
definition = lookup account_name LinkedAccountId OUTPUT LinkedAccountName | eval LinkedAccountName = if(match(LinkedAccountName, ".*?"), " (".LinkedAccountName.")","") | eval Account=LinkedAccountId.LinkedAccountName

[aws-billing-details(1)]
args = accountId
definition = `aws-billing-sourcetype` eventtype=aws_billing_detail_report $accountId$

[aws-billing-datamodel-tags]
definition = datamodel Detailed_Billing | spath output=fieldName path=objects{}.calculations{}.outputFields{}.fieldName | spath output=displayName path=objects{}.calculations{}.outputFields{}.displayName | table fieldName displayName | eval names=mvzip(fieldName,displayName) | mvexpand names| eval names=split(names,",") | eval fieldName=mvindex(names,0) | eval displayName=mvindex(names,1) | rename displayName as title, fieldName as key | table key, title | search key!="LinkedAccountId"

[aws-billing-index]
definition = (index="main")

[aws-billing-sourcetype]
definition = `aws-billing-index` sourcetype="aws:billing"

[aws-billing-monthly-accounts]
definition = `aws-billing-sourcetype` eventtype=aws_billing_monthly_report (RecordType=AccountTotal OR RecordType=StatementTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | stats count by LinkedAccountId CurrencyCode

[aws-billing-monthly-total(3)]
args = accountId, currency, monthSpl
definition = `aws-billing-sourcetype` $monthSpl$ eventtype=aws_billing_monthly_report CurrencyCode=$currency$ (RecordType=AccountTotal OR RecordType=StatementTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | search $accountId$ | billingtype

[aws-billing-monthly-item(3)]
args = accountId, currency, monthSpl
definition = `aws-billing-sourcetype` $monthSpl$ eventtype=aws_billing_monthly_report CurrencyCode=$currency$ InvoiceID!="Estimated" (RecordType=PayerLineItem OR RecordType=LinkedLineItem) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | search $accountId$

[aws-account-summary]
definition = search `cp-aws-dashboards-summary-index` sourcetype="aws:addon:account" | dedup host, account_id, name

[aws-cloudwatch-billing(2)]
args = accountId, currency
definition = `aws-cloudwatch-sourcetype` source="*:AWS/Billing" metric_dimensions="*Currency=[$currency$]*" metric_dimensions="*],*" \
             | dedup _time metric_dimensions aws_account_id | `aws-cloudwatch-dimension-rex("LinkedAccount", "LinkedAccountId")` \
             | search $accountId$ \
             | eval zone=strftime(time(),"%z") | eval rel_time=replace(zone, "^([-+]?)0?((?<=0)\d|\d\d)0?((?<=0)\d|\d\d).*$", "\1\2h\1\3m") \
             | eval utctime= _time + 86400 - relative_time(86400, rel_time) | eval currentmonth = strftime(_time,"%m") \
             | eval utcmonth = strftime(utctime,"%m") | where utcmonth=currentmonth

[aws-sourcetype-index-summary]
definition = search `cp-aws-dashboards-summary-index` sourcetype="aws:addon:input" earliest=-1d | dedup input_sourcetype, input_index | table input_sourcetype, input_index

[aws-cloudwatch-dimension-rex(2)]
args = dimension, key
definition = rex field=metric_dimensions "([ ,]|^)$dimension$=\[(?<$key$>.*?)\]"

[aws-cloudwatch-sourcetype]
definition = `aws-cloudwatch-index` sourcetype="aws:cloudwatch"

[aws-cloudwatch-index]
definition = (index="main")

[aws-metadata-index]
definition = (index="main")

[aws-metadata-sourcetype]
definition = `aws-metadata-index` sourcetype="aws:metadata"

[aws-metadata-field-extraction]
definition = eval AccountId=if(isnum(AccountId),AccountId, user_id) , aws_account_id = AccountId, account_id = AccountId

[aws-metadata(4)]
args = accountId, region, resource, dedupfield
definition = `aws-metadata-sourcetype` source="*:$resource$" | `aws-metadata-field-extraction` | search $accountId$ $region$  | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | where _time > latest_time | dedup $dedupfield$ sortby -_time

[aws-metadata-resource(3)]
args = accountId, region, resource
definition = `aws-metadata-sourcetype` source="*:$resource$" | `aws-metadata-field-extraction` | search $accountId$ $region$  | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | where _time > latest_time | dedup id sortby -start_time

[aws-unused-eip(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_addresses", "PublicIp")` | rename InstanceId as instance_id ,NetworkInterfaceId as network_interface_id, PublicIp as public_ip,AccountId as account_id | eval instance_id = if(isnull(instance_id),"null",instance_id)| eval network_interface_id = if(isnull(network_interface_id),"null",network_interface_id)| join type=left instance_id [search earliest=-1d `aws-metadata(($accountId$), ($region$), "ec2_instances", "InstanceId")` | spath output=tagsname path=Tags{} | rex field=tagsname "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\"" | rename InstanceId as instance_id, tagname as name ,State.Name as state | fields instance_id name state] | eval insight = case(instance_id=="null" AND network_interface_id=="null","No attached instance", state!="running", "Inactive attached instance")

[aws-unused-elb(2)]
args = accountId, region
definition = `aws-metadata-recommend-elb(($accountId$), ($region$))` | where total_instance_count >= 0 AND healthy_instance_count = 0 | eval insight="No healthy instance"

[aws-not-autoscaling-elb(2)]
args = accountId, region
definition = `aws-metadata-recommend-elb(($accountId$), ($region$))` | where healthy_instance_count = 1 | mvexpand instances | rex field=instances "(?<instance_id>[^,]+),(?<instance_elb_state>[^,]+)" | search (instance_elb_state="InService" OR instance_elb_state="healthy") | join type=left instance_id [search earliest=-1d `aws-metadata-recommend-autoscaling-instance(($accountId$), ($region$))`] | where isnull(autoscaling_group) | eval insight="One healthy instance without autoscaling"

[aws-not-enough-request-elb(2)]
args = accountId, region
definition = `aws-metadata-recommend-elb(($accountId$), ($region$))` | join type=left account_id, region, name [search earliest=-7d `aws-cloudwatch-recommend-elb(($accountId$), ($region$))`] | where isnotnull(request_count) AND request_count<200 | eval insight="Not enough requests"

[aws-insecure-listener-elb(2)]
args = accountId, region
definition = `aws-metadata-elb(($accountId$), ($region$))` | eval listener_protocols=if(isnotnull('ListenerDescriptions{}.Listener.Protocol'), mvjoin('ListenerDescriptions{}.Listener.Protocol',","), mvjoin('Listeners{}.Protocol', ",")), contain_secure_protocol=if(like(listener_protocols, "%HTTPS%") OR like(listener_protocols, "%SSL%"), 1, 0), insight="Insecure listener protocol" | where contain_secure_protocol = 0 | eval availability_zones=if(isnotnull('AvailabilityZones{}'), mvjoin('AvailabilityZones{}', ","), mvjoin('AvailabilityZones{}.ZoneName', ",")) | fields account_id, region, name, insight, availability_zones, Type

[aws-not-cross-zone-elb(2)]
args = accountId, region
definition = `aws-metadata-recommend-elb(($accountId$), ($region$))` | where healthy_instance_count>=1 | mvexpand instances | rex field=instances "(?<instance_id>[^,]+),(?<instance_elb_state>[^,]+)" | search (instance_elb_state="InService" OR instance_elb_state="healthy") | join type=left instance_id [search earliest=-1d `aws-metadata-recommend-instance(($accountId$),($region$))`] | stats count(placement) as healthy_AZ_count, values(Type) as Type, values(placement) as placement by account_id, region, name, availability_zones | search healthy_AZ_count = 1 | eval insight="Healthy instances are not cross-zone"

[aws-metadata-recommend-elb(2)]
args = accountId, region
definition =`aws-metadata-elb(($accountId$), ($region$))` | eval availability_zones=if(isnotnull('AvailabilityZones{}'), mvjoin('AvailabilityZones{}', ","),  mvjoin('AvailabilityZones{}.ZoneName', ",")), instances=if(isnotnull('instances{}.State'), mvzip('instances{}.InstanceId', 'instances{}.State'), mvzip('TargetGroups{}.TargetHealthDescriptions{}.Target.Id','TargetGroups{}.TargetHealthDescriptions{}.TargetHealth.State')),  healthy_instance_state = mvfilter(match(instances,"\w+,InService$") OR match(instances, "\w+,healthy$")) , healthy_instance_count=if(isnull(healthy_instance_state),0, mvcount(healthy_instance_state)), total_instance_count=if(isnull(instances), 0, mvcount(instances) ) | fields account_id, region, name, instances, availability_zones, healthy_instance_count, total_instance_count, Type

[aws-metadata-recommend-autoscaling-instance(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$),"ec2_instances", "InstanceId")` | spath output=tagsname path=Tags{} | rex field=tagsname "\"Key\": \"aws:autoscaling:groupName\", \"Value\": \"(?<autoscale>.+)\""  | rename autoscale as autoscaling_group, InstanceId as instance_id,State.Name as state,Placement.AvailabilityZone as placement | where isnotnull(autoscaling_group) | fields instance_id, state, placement, autoscaling_group

[aws-cloudwatch-recommend-elb(2)]
args = accountId, region
definition = `aws-cloudwatch-elb(($accountId$), ($region$))` metric_name="RequestCount" \
             | `aws-cloudwatch-dimension-rex("LoadBalancerName", "name")` \
             | rex field=metric_dimensions "([ ,]|^)LoadBalancer=\[\w*/(?<name>.*?)/" \
             | bucket _time span=1d | stats sum(Sum) as request_count by _time, account_id, region, name \
             | stats max(request_count) as request_count by account_id, region, name


[aws-metadata-elb(2)]
args = accountId, region
definition = `aws-metadata-sourcetype` source="*_load_balancers" | `aws-metadata-field-extraction` | search $accountId$ $region$  \
             | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m")  \
             | where _time > latest_time \
             | eval name=if(isnull(name), LoadBalancerName, name), vpc_id=if(isnull(VpcId), VPCId, VpcId), dns_name=if(isnull(dns_name), DNSName, dns_name) \
             | `aws-resource-uniqId` | dedup uniq_id sortby -_time

[aws-metadata-lambda(2)]
args = accountId, region
definition = `aws-metadata-sourcetype`  source="*:lambda_functions" | `aws-metadata-field-extraction`\
             | search $accountId$ $region$ \
             | eventstats latest(_time) as latest_time \
             | eval latest_time=relative_time(latest_time,"-55m") | where _time > latest_time \
             | rename FunctionName AS name\
             | `aws-resource-uniqId` \
             | dedup uniq_id sortby -_time

[aws-resource-uniqId]
definition = eval uniq_id = name."#".aws_account_id."#".region

[aws-sqs-sourcetype]
definition = `aws-sqs-index` sourcetype="aws:sqs"

[aws-sqs-index]
definition = (index="main")

[aws-config-rule(3)]
args = accountId, region, source
definition = `aws-config-rule-sourcetype` source="*configRule$source$" $accountId$ $region$

[aws-config-rule-sourcetype]
definition = `aws-config-rule-index` sourcetype="aws:config:rule"

[aws-config-rule-index]
definition = (index="main")

[aws-cloudwatch-ec2(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_ec2_events" metric_dimensions!="*],*" metric_dimensions="InstanceId=*"

[volume_size(1)]
args = field
definition = eval $field$=case($field$>1024, tostring(round($field$/1024, 1))+" TB", true(), tostring(round($field$, 0))+" GB")

[aws-metadata-clb(2)]
args = accountId, region
definition = `aws-metadata-elb(($accountId$), ($region$))` | search (source="*:classic_load_balancers" OR source="*:elastic_load_balancers")

[aws-metadata-alb(2)]
args = accountId, region
definition = `aws-metadata-elb(($accountId$), ($region$))` | search source="*:application_load_balancers"

[aws-config-rules-insights(2)]
args = accountId, region
definition = `aws-config-rule(($accountId$) ,($region$) , ":complianceDetail")` EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName=* ComplianceType="NON_COMPLIANT" | bucket _time span=1d | stats distinct_count(EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId) as count by account_id, region, _time

[aws-inspector-insights(2)]
args = accountId, region
definition = `aws-inspector-findings` `aws-inspector-rex-arn` | search $accountId$ $region$ | bucket _time span=1d | stats distinct_count(arn) as count by account_id, region, _time

[aws-personal-health-insights(2)]
args = accountId, region
definition = `aws-sqs-sourcetype` AND BodyJson.source="aws.health" AND BodyJson.detail.eventTypeCategory="issue" | rename  BodyJson.time as time, BodyJson.account as account_id, BodyJson.region as region | search $accountId$ $region$ | eval _time = strptime(time, "%Y-%m-%dT%H:%M:%S")| bucket _time span=1d | stats count by account_id, region, _time

[aws-insights-combination(3)]
args = accountId, region, earliest
definition = `cp-aws-dashboards-summary-index` insights=* $accountId$ | eval region=if(insights="iam", "Global", region), insights=case(insights="iam", "IAM", insights="eip", "Elastic IP", insights="sg", "Security Group", insights="elb", "ELB", insights="ec2", "EC2", insights="ebs", "EBS")\
            | search $region$ | bucket _time span=1d | stats sum(count) as count by account_id, region, insights, _time \
            | append [search earliest=$earliest$ `aws-config-rules-insights(($accountId$) ,($region$))` | eval insights="Config Rules" ] \
            | append [search earliest=$earliest$ `aws-inspector-insights(($accountId$) ,($region$))` | eval insights="Amazon Inspector" ] \
            | append [search earliest=$earliest$ `aws-personal-health-insights(($accountId$) ,($region$))` | eval insights="AWS Personal Health"]

[aws-inspector-findings]
definition = `aws-inspector-sourcetype` source="*:inspector:finding"

[aws-inspector-rex-arn]
definition = | rex field=arn "^arn:.+?:inspector:(?<region>[^:]+):(?<accountId>[^:]+):target/(?<target>[^/]+)/template/(?<template>[^/]+)(/|$)"

[aws-config-notification(2)]
args = accountId, region
definition = `aws-config-notification-sourcetype` $accountId$ $region$

[aws-cloudtrail(2)]
args = accountId, region
definition = `aws-cloudtrail-sourcetype` $accountId$ $region$

[aws-s3-index]
definition = (index="main")

[aws-cloudtrail-index]
definition = (index="main" OR `aws-s3-index`)

[aws-cloudtrail-sourcetype]
definition = `aws-cloudtrail-index` sourcetype="aws:cloudtrail"

[cloudtrail_service(2)]
args = service, notable
definition = lookup all_eventName eventName OUTPUT function | fillnull value="N/A" function | search function="$service$" | eval notable=if(match(eventName, "(^Get*|^List*|^Describe*)"), 0, 1) | search notable=$notable$

[aws-cloudwatch-s3(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_s3_events" metric_dimensions="*BucketName=*" metric_dimensions!="*FilterId*"

[aws-ec2-metadata]
definition = where 'State.Name'="running" | eval SpotInstanceRequestId = if(isnull(SpotInstanceRequestId),"null",SpotInstanceRequestId) | eval Platform = if(isnull(Platform),"null",Platform) | rename Placement.AvailabilityZone as availability_zone, Placement.Tenancy as tenancy, Image.Attributes.ImageLocation as location | fields _time, aws_account_id, InstanceId, SpotInstanceRequestId, region, availability_zone, location, Platform, tenancy, InstanceType | extractplatform | bucket _time span=1h  | stats dc(InstanceId) as count dc(SpotInstanceRequestId) as spot by _time, aws_account_id, region, Platform, tenancy, InstanceType, availability_zone | eval spot=spot-1, count=count-spot

[aws-ec2-info]
definition = eval family=split(InstanceType,"."), family=mvindex(family,0), run_instance_info=_time.",".availability_zone.",".InstanceType.",".count

[aws-ri-info]
definition = search state=active | rename InstanceTenancy as tenancy, description as platform | eval availability_zone = if(isnull(availability_zone),"null",availability_zone) | stats sum(instance_count) as RI_count by aws_account_id, region, availability_zone, platform, tenancy, InstanceType | eval family=split(InstanceType,"."), family=mvindex(family,0), RI_info = availability_zone.",".InstanceType.",".RI_count | stats values(RI_info) as RI_info by aws_account_id, region, platform, tenancy, family

[aws-ri-utilization]
definition =  rename instance_tenancy as tenancy, description as platform | stats sum(instance_count) as RI_count by aws_account_id, region, availability_zone, platform, tenancy, instance_type, state | eval family=split(instance_type,"."), family=mvindex(family,0), RI_info = availability_zone.",".instance_type.",".RI_count | stats values(RI_info) as RI_info by aws_account_id, region, platform, tenancy, family, state

[aws-config-notification-sourcetype]
definition = `aws-config-index` sourcetype="aws:config:notification"

[aws-config-index]
definition = (index="main" OR `aws-s3-index`)

[aws-config-sourcetype]
definition = `aws-config-index` sourcetype="aws:config"

[aws-inspector-runs]
definition = `aws-inspector-sourcetype` source="*:inspector:assessmentRun"

[ensure_single_value(1)]
args = field
definition = | stats max($field$) as $field$, c($field$) as field_size | eval $field$=if(field_size > 0, $field$, 0) | fields $field$

[aws-accesslog-sourcetype(1)]
args = resource
definition = `aws-s3-index` sourcetype="aws:$resource$:accesslogs"

[aws-cloudwatch-ebs(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_ebs_events" metric_dimensions!="*],*" metric_dimensions="VolumeId=*"

[aws-cloudwatch-elb(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_elb_events" metric_dimensions!="*],*" metric_dimensions="LoadBalancer*"

[aws-inspector-index]
definition = (index="main")

[aws-inspector-sourcetype]
definition = `aws-inspector-index` sourcetype="aws:inspector"

[aws-metadata-recommend-instance(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$),"ec2_instances", "InstanceId")` | spath output=tagsname path=Tags{} | rex field=tagsname "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\""  | rename InstanceId as instance_id, tagname as instance_name ,State.Name as state, Placement.AvailabilityZone as placement | fields instance_id, instance_name, state, placement

[aws-resource-uniqLabel]
definition = lookup regions region | eval uniq_label = name." (".account_id.", ".location.")"

[aws-billing-index-cur]
definition = (index="main")

[aws-billing-details-cur(1)]
args = accountId
definition = `aws-billing-sourcetype-cur` $accountId$

[aws-billing-sourcetype-cur]
definition = `aws-billing-index-cur` sourcetype="aws:billing:cur"

[aws-billing-datamodel-tags-cur]
definition = datamodel Detailed_Billing_CUR | spath output=fieldName path=objects{}.calculations{}.outputFields{}.fieldName | spath output=displayName path=objects{}.calculations{}.outputFields{}.displayName | table fieldName displayName | eval names=mvzip(fieldName,displayName) | mvexpand names| eval names=split(names,",") | eval fieldName=mvindex(names,0) | eval displayName=mvindex(names,1) | rename displayName as title, fieldName as key | table key, title | search NOT key IN ("LinkedAccountId", "AssemblyId")

[aws-billing-sourcetype-cur-digest]
definition = `aws-billing-index-cur` sourcetype="aws:billing:cur:digest"

[aws-billing-monthly-accounts-cur]
definition = tstats `aws-data-model-acceleration`  count  FROM datamodel=Detailed_Billing_CUR where detailed_billing_cur.InvoiceId=*   by detailed_billing_cur.LinkedAccountId , detailed_billing_cur.CurrencyCode   | rename detailed_billing_cur.CurrencyCode as CurrencyCode, detailed_billing_cur.LinkedAccountId as LinkedAccountId | table LinkedAccountId, CurrencyCode, count

[aws-billing-monthly-item-cur(3)]
args = accountId, currency, monthSpl
definition = `aws-billing-sourcetype-cur` $monthSpl$ CurrencyCode=$currency$ InvoiceId="*" | eval LinkedAccountId=if(isnull(UsageAccountId),PayerAccountId,UsageAccountId) | search $accountId$

[aws-billing-cur-tag-value(1)]
args = key
definition = append [ | tstats values(detailed_billing_cur.$key$) as value from datamodel=Detailed_Billing_CUR.detailed_billing_cur | mvexpand value| dedup value | table value] 

[aws-billing-tag-value(1)]
args = key
definition =  append [ | tstats values(detailed_billing.$key$) as value from datamodel=Detailed_Billing.detailed_billing | mvexpand value| dedup value | table value] 

[topology-daily-snapshot-index]
definition = index="aws_topology_daily_snapshot"

[topology-history-index]
definition = index="aws_topology_history"

[aws-password-policy-iam(1)]
args = accountId
definition = `aws-metadata(($accountId$), ("*"), "iam_users", "Arn")` | dedup account_id | rename PasswordPolicy.AllowUsersToChangePassword as policy, PasswordPolicy.PasswordReusePrevention as reuse  | where isnull(policy) OR isnull(reuse) | eval insight=if(isnull(policy), "No password policy", "Password reuse is not prevented"), UserName="Root Account"

[aws-specific-ports-unrestricted-sg(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_security_groups", "GroupId")` | spath output=inbound path=IpPermissions{} | mvexpand inbound | regex inbound=".*CidrIp\": \"0.0.0.0/0.*" | rex field=inbound ".*ToPort\": [\"]*(?<to_port>[^\",}]*).*" |rex field=inbound ".*FromPort\": [\"]*(?<from_port>[^\",}]*).*" | rename GroupId as id | fields account_id, region, id, vpc_id, to_port, from_port | where [| inputlookup sg_ports | search risk="high" | eval searchstr="from_port<=".port." AND to_port>=".port | return 100 $searchstr]  | eval insight="Unrestricted access on specific ports", port=if(from_port=to_port, from_port, from_port." - ".to_port) | fields - to_port, from_port | mvcombine port

[aws-unrestricted-access-sg(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_security_groups", "GroupId")` | spath output=inbound path=IpPermissions{} | mvexpand inbound | regex inbound=".*CidrIp\": \"0.0.0.0/0.*" | rex field=inbound ".*ToPort\": [\"]*(?<to_port>[^\",}]*).*" |rex field=inbound ".*FromPort\": [\"]*(?<from_port>[^\",}]*).*" | rename GroupId as id | fields account_id, region, id, vpc_id, to_port, from_port | where NOT ( [| inputlookup sg_ports | eval searchstr="from_port=".port." AND to_port=".port | return 100 $searchstr] ) | eval insight="Unrestricted access", port=if(from_port=to_port, from_port, from_port." ~ ".to_port) | fields - to_port, from_port | mvcombine port

[aws-unused-sg(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_security_groups", "GroupId")` | eval insight="Unused security group" | rename GroupId as id,GroupName as name,VpcId as vpc_id | fields account_id, region, name, id, vpc_id, insight

[aws-redundant-sg-helper]
definition = mvexpand rules | rex field=rules ".*\[{(?<grants>[^\]]+).*" | eval grants_len=len(grants), grants=substr(grants,1,grants_len-2), grants=split(grants, "}, {"), grants=mvsort(grants), grants=mvjoin(grants, ","), temp=replace(rules, ", \"IpRanges\".*}],", ""), temp=replace(temp,", \"IpRanges\": \[]",""), temp=replace(temp,", \"UserIdGroupPairs.*}]",""), parameter = replace(temp,", \"UserIdGroupPairs\": \[]","") + grants

[aws-redundant-sg(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_security_groups", "GroupId")` | spath output=inbound path=IpPermissions{} | spath output=outbound path=IpPermissionsEgress{} | rename inbound as rules | `aws-redundant-sg-helper` | stats values(parameter) as inbound, values(outbound) as rules by account_id, GroupId, region, VpcId | `aws-redundant-sg-helper` | stats values(parameter) as outbound, values(inbound) as inbound by account_id, GroupId, region, VpcId | eval inbound=mvsort(inbound), outbound=mvsort(outbound) | rename GroupId as id,VpcId as vpc_id| fields account_id, id, region, inbound, outbound, vpc_id | mvcombine id | eval id_count=mvcount(id), same_ids=id, id=mvindex(id,0)  | where id_count > 1 | eval insight="Redundant security groups"

[aws-large-number-rules-sg(2)]
args = accountId, region
definition = `aws-metadata(($accountId$), ($region$), "ec2_security_groups", "GroupId")` | spath output=inboundipranges path=IpPermissions{}.IpRanges{}| spath output=outboundipranges path=IpPermissionsEgress{}.IpRanges{} | spath output=inbounduserid path=IpPermissions{}.UserIdGroupPairs{}| spath output=outbounduserid path=IpPermissionsEgress{}.UserIdGroupPairs{} | eval inbound_count_ipranges=if(isnull(inboundipranges),0,mvcount(inboundipranges)), outbound_count_ipranges=if(isnull(outboundipranges),0,mvcount(outboundipranges)), inbound_count_userid = if(isnull(inbounduserid),0,mvcount(inbounduserid)), outbound_count_userid = if(isnull(outbounduserid),0,mvcount(outbounduserid)),total_count = inbound_count_ipranges+outbound_count_ipranges +inbound_count_userid+outbound_count_userid | where (isnotnull(VpcId) AND total_count > 50) OR (isnull(VpcId) AND total_count > 100) | eval insight="Large number of rules"

[aws-cloudwatch-logs-index]
definition = (index="main")

[aws-vpc-flow-log-index]
definition = index="aws_vpc_flow_logs"

[aws-vpc-flow-sourcetype]
definition = `aws-cloudwatch-logs-index` sourcetype="aws:cloudwatchlogs:vpcflow"

[aws-key-rotation-iam(1)]
args = accountId
definition = `aws-metadata(($accountId$), ("*"), "iam_users", "Arn")` | spath output=AccessKeys path=AccessKeys{} | eval AccessKeys=mvfilter(match(AccessKeys,".*\"Status\": \"Active\",*")) | fields account_id UserName AccessKeys | mvexpand AccessKeys | rex field=AccessKeys ".*CreateDate\": \"(?<CreateDate>[^\"]*)" | eval CreateDay=strptime(CreateDate, "%FT%T"), diff_days=(now()-CreateDay)/86400 | where diff_days > 90 |fields account_id UserName CreateDate | mvcombine CreateDate | eval insight="IAM access key rotation"

[aws-long-unused-iam(1)]
args = accountId
definition = `aws-metadata(($accountId$), ("*"), "iam_users", "Arn")` | spath output=AccessKeys path=AccessKeys{} | eval AccessKeys=mvfilter(match(AccessKeys,".*\"Status\": \"Active\",*")) | fields account_id UserName AccessKeys PasswordLastUsed | mvexpand AccessKeys | rex field=AccessKeys ".*LastUsedDate\": \"(?<LastUsedDate>[^\"]*)" | eval ak_used_day=strptime(LastUsedDate, "%FT%T"), ps_used_day=strptime(PasswordLastUsed, "%FT%T"), recent_used_day=max(ak_used_day,ps_used_day), diff_days=(now()-recent_used_day)/86400 | stats min(diff_days) as no_used_days by UserName, account_id | where no_used_days > 30 | eval insight="User is unused for long time"

[aws-cloudwatch-lambda(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_lambda_events" metric_dimensions!="*],*" metric_dimensions="FunctionName=*"

#API GATEWAY
[aws-cloudwatch-apigateway(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_apigateway_events" metric_dimensions!="*],*" metric_dimensions="ApiName=*"

#RDS
[aws-cloudwatch-rds(2)]
args = accountId, region
definition = `aws-cloudwatch-sourcetype` $accountId$ $region$ eventtype="aws_cloudwatch_rds_events" metric_dimensions!="*],*" metric_dimensions="DBInstanceIdentifier=*"

#ANOMALY
[aws-anomaly-index]
definition = index="summary" sourcetype="aws:anomaly"

[aws-anomaly-data]
definition = `aws-anomaly-index`| dedup _time, job_id | eval total = 0 |foreach outlier_* [eval outlier_count_<<MATCHSTR>> = if(<<FIELD>>=="True", 1, 0) ,total = total + outlier_count_<<MATCHSTR>>] | where total > 0

[aws-anomaly-config]
definition = rest servicesNS/nobody/DA-ITSI-CP-aws-dashboards/configs/conf-anomalyconfigs fillcontents=1 splunk_server=local | rename title as job_id | fillnull value=""

### AWS Topology ###

[topology-monthly-snapshot-index]
definition = index="aws_topology_monthly_snapshot"

[topology-playback-index]
definition = index="aws_topology_playback"

[cp-aws-dashboards-internal-index]
definition = index="_internal"

[cp-aws-dashboards-audit-index]
definition = index="_audit"

[cp-aws-dashboards-summary-index]
definition = index="summary"

[cp-aws-dashboards-awsanomalydetection-index]
definition = index="aws_anomaly_detection"