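# Saved searches for an AWS app (the keys match Splunk savedsearches.conf):
# lookup generators, summary-index feeds, topology collectors and ITSI entity
# imports. Every stanza ships with disabled = 1; enable per deployment in a
# local override rather than editing this file.
# Conf conventions used here: "#" comments are full-line only; a trailing "\"
# continues a value onto the next line; whitespace around "=" is ignored.
#
# Review notes on this revision:
# - Several rex commands read "(?[^,]+)" etc., which is not a valid regex:
#   the capture-group names had been lost. They are restored below from the
#   field each search consumes immediately afterwards (key, value, type,
#   timestr, assemblyId, tagname).
# - [Insights: EBS] joined Attachments{}.VolumeId (the volume's own id) to
#   ec2_instances on InstanceId, so "Non-Optimized" could never match; it now
#   uses Attachments{}.InstanceId, the field the EBS ITSI import also uses.
# - [Config: Topology Playback Appender] seeded its checkpoint row with
#   "search * | head 1" over all time; it now uses "| makeresults count=1"
#   like the two topology history searches.

# One-off rebuild (no cron_schedule) of the account_name lookup over all time.
# "sortby -_time" has no effect after stats (only the by-fields survive).
# The "placeholder" row presumably keeps the lookup non-empty; callers that
# read account_name should expect it.
[AWS Billing - Account Name Generator]
alert.suppress = 0
alert.track = 0
description = Extract account id - account name lookup from monthly billing report
disabled = 1
schedule_window = 30
dispatch.earliest_time = 0
dispatch.latest_time = now
search = `aws-billing-sourcetype` eventtype=aws_billing_monthly_report (RecordType=InvoiceTotal OR RecordType=AccountTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | eval LinkedAccountName=if(isnull(LinkedAccountName),PayerAccountName,LinkedAccountName) | stats count by LinkedAccountId LinkedAccountName | dedup LinkedAccountId sortby -_time | append [makeresults | eval LinkedAccountId="placeholder" | eval LinkedAccountName="placeholder"] | table LinkedAccountId LinkedAccountName | outputlookup account_name

# Daily (01:00) incremental merge of the last day's accounts into account_name.
# Existing rows are re-read with inputlookup and deduped, so the lookup only
# ever grows; rename an account and both names are kept.
[AWS Billing - Account Name Appender]
alert.suppress = 0
alert.track = 0
description = Append account id to account_name lookup
cron_schedule = 0 1 * * *
disabled = 1
schedule_window = 30
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = `aws-billing-sourcetype` eventtype=aws_billing_monthly_report (RecordType=InvoiceTotal OR RecordType=AccountTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | eval LinkedAccountName=if(isnull(LinkedAccountName),PayerAccountName,LinkedAccountName) | stats count by LinkedAccountId LinkedAccountName | dedup LinkedAccountId sortby -_time | append [ makeresults | eval LinkedAccountId="placeholder" | eval LinkedAccountName="placeholder"] | table LinkedAccountId LinkedAccountName | append [|inputlookup account_name]| dedup LinkedAccountId LinkedAccountName| outputlookup account_name

# Hourly (:50) rebuild of the cloudfront_edges lookup from the last day of
# metadata. Note the macro is called with "" for account and region here,
# while the S3 buckets search below passes "*" — confirm both are intended.
[AWS Metadata - CloudFront Edges]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 50 * * * *
disabled = 1
enableSched = 0
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = `aws-metadata("", "", "cloudfront_distributions", "Id")` | rename Id as id,DomainName as domain_name| dedup id | table id, domain_name, account_id | outputlookup cloudfront_edges

# One-off rebuild of tags_config from AWS Config events (earliest=1 is
# effectively all time). Tags are parsed out of the JSON with a regex, so:
# max_match=20 caps each resource at 20 tags (the rest are silently dropped)
# and "[^,]+" splits a tag key or value that itself contains a comma.
[AWS Config - Tags Generator]
description = Extract tags lookup from AWS Config
disabled = 1
schedule_window = 30
dispatch.earliest_time = 1
dispatch.latest_time = now
search = `aws-config-sourcetype` | spath output=tags path=tags | stats count by tags resourceType aws_account_id | fields - count | rex max_match=20 field=tags "\"(?<key>[^,]+)\": \"(?<value>[^,]+)\"" | eval keyvalue=mvzip('key', 'value',"=") | mvexpand keyvalue | fields keyvalue resourceType aws_account_id | rex field=keyvalue "(?<key>[^,]+)=(?<value>[^,]+)" | stats count by key value resourceType aws_account_id | fields key value resourceType aws_account_id | rename resourceType as type | outputlookup tags_config

# Daily (01:05) incremental merge into tags_config; same parsing limits as the
# generator above. Old tag values are never removed, only new ones added.
[AWS Config - Tags Appender]
alert.suppress = 0
alert.track = 0
description = Append output to tags_config lookup
cron_schedule = 5 1 * * *
disabled = 1
schedule_window = 30
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = `aws-config-sourcetype` | spath output=tags path=tags | stats count by tags resourceType aws_account_id | fields - count | rex max_match=20 field=tags "\"(?<key>[^,]+)\": \"(?<value>[^,]+)\"" | eval keyvalue=mvzip('key', 'value',"=") | mvexpand keyvalue | fields keyvalue resourceType aws_account_id | rex field=keyvalue "(?<key>[^,]+)=(?<value>[^,]+)" | stats count by key value resourceType aws_account_id | fields key value resourceType aws_account_id | rename resourceType as type| append [ inputlookup tags_config ]| dedup key aws_account_id type value | outputlookup tags_config

# Daily (01:10) rebuild of tags_metadata from the last 7 days of metadata
# events; "type" is whatever follows the first ":" in source. Same 20-tag and
# comma caveats as the Config tag searches.
[AWS Metadata - Tags]
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
cron_schedule = 10 1 * * *
disabled = 1
schedule_window = 30
dispatch.latest_time = now
search = `aws-metadata-sourcetype` | spath output=tags path=Tags{} | stats count by tags source aws_account_id | rex max_match=20 field=tags "\"Key\": \"(?<key>[^,]+)\", \"Value\": \"(?<value>[^,]+)\"" | where isnotnull(key) AND isnotnull(value)| rex field=source ".*?:(?<type>.*)" | fields key value type aws_account_id | outputlookup tags_metadata

# One-off: for each billing source, keep only the rows whose
# S3KeyLastModified is the newest, i.e. the latest copy of each report.
[Billing: Billing Reports S3Key Generator]
description = Generate the lookup that stores the S3KeyLastModified for the latest report each month.
disabled = 1
dispatch.earliest_time = -1y
dispatch.latest_time = now
search = `aws-billing-sourcetype` (RecordType=AccountTotal OR RecordType=StatementTotal) | stats count by aws_account_id S3KeyLastModified source eventtype | eventstats max(S3KeyLastModified) as max_s3 by source | where S3KeyLastModified=max_s3 and (eventtype="aws_billing_monthly_report" or eventtype="aws_billing_detail_report") | table S3KeyLastModified source eventtype | outputlookup billing_report_s3key
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
enableSched = 0

# Daily (01:50) incremental version of the generator above. The dedup is on
# all three columns, so an older S3KeyLastModified for the same source is
# retained alongside the new one rather than replaced.
[Billing: Billing Reports S3Key Appender]
cron_schedule = 50 1 * * *
description = Append the lookup that stores the S3KeyLastModified for the latest report each month.
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = `aws-billing-sourcetype` (RecordType=AccountTotal OR RecordType=StatementTotal) | stats count by aws_account_id S3KeyLastModified source eventtype | eventstats max(S3KeyLastModified) as max_s3 by source | where S3KeyLastModified=max_s3 and (eventtype="aws_billing_monthly_report" or eventtype="aws_billing_detail_report") | table S3KeyLastModified source eventtype | append [|inputlookup billing_report_s3key] | dedup S3KeyLastModified source eventtype | outputlookup billing_report_s3key
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
enableSched = 0

# ELB posture insights (unused, not auto-scaled, low request count, not
# cross-zone, insecure listener), counted per account/region and written to
# the summary index under insights=elb.
[Insights: ELB]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.insights = elb
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 25 1 * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
realtime_schedule = 0
enableSched = 0
search = `aws-unused-elb(("*"), ("*"))` | append [search earliest=-1d `aws-not-autoscaling-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-not-enough-request-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-not-cross-zone-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-insecure-listener-elb(("*"), ("*"))`] | stats count by account_id region

# Unused Elastic IP insight, summarised per account/region (insights=eip).
[Insights: EIP]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.insights = eip
alert.suppress = 0
alert.track = 0
cron_schedule = 30 1 * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
realtime_schedule = 0
search = `aws-unused-eip("*", "*")` | search insight="*" | stats count by account_id region

# EBS insights: Unused, Non-Optimized (io1 volume on a non-EBS-optimized
# instance), No Recent Snapshot, Small IOPS and Large IOPS (CloudWatch ops
# over 7 days vs provisioned Iops), summarised per account/region.
# NOTE(review): diff=round(days,0) is 0 for a snapshot under ~12h old, and
# "NOT (diff>0 AND diff<30)" flags that volume as having no recent snapshot —
# confirm whether diff>=0 was intended. A volume with no snapshot at all has
# a null diff and is also flagged, which looks intended.
[Insights: EBS]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.insights = ebs
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 35 1 * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
realtime_schedule = 0
search = earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
| where State!="in-use"\
| eval abnormaltype="Unused", Severity=1| append[search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
| where VolumeType="io1"\
| where State="in-use"\
| rename Attachments{}.InstanceId as instanceId\
| join instanceId type="inner" [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_instances", "InstanceId")`\
| where EbsOptimized="false" | rename InstanceId as instanceId]\
| eval abnormaltype="Non-Optimized", Severity=1]| append[search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
| join VolumeId type="outer" [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ebs_snapshots", "SnapshotId")` \
| rename SnapshotId as snapshotId, StartTime as start_time] \
| eval snapTime=strptime(start_time, "%Y-%m-%dT%T") \
| eval diff=round((now()-snapTime)/86400,0) \
| where NOT (diff>0 AND diff<30)\
| eval abnormaltype="No Recent Snapshot", Severity=2]| append[search earliest=-7d@h `aws-cloudwatch-ebs("*", "*")` (metric_name="VolumeWriteOps" OR metric_name="VolumeReadOps")\
| eval Average = Average / period\
| stats avg(Average) as iops by metric_dimensions \
| eval iops = round(iops*2, 2)\
| sort +iops\
| `aws-cloudwatch-dimension-rex("VolumeId", "id")` \
| join type=inner id [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
| rename Iops as piops,VolumeType as type,VolumeId as id]\
| where piops != "null"\
| where type="io1"\
| where iops/piops < 0.1\
| eval abnormaltype="Small IOPS", Severity=3]| append[search earliest=-7d@h `aws-cloudwatch-ebs("*", "*")` (metric_name="VolumeWriteOps" OR metric_name="VolumeReadOps")\
| eval Average = Average / period\
| stats avg(Average) as iops by metric_dimensions \
| eval iops = round(iops*2, 2)\
| sort -iops\
| `aws-cloudwatch-dimension-rex("VolumeId", "id")` \
| join type=inner id [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
| rename Iops as piops,VolumeId as id]\
| where piops != "null"\
| where iops/piops > 0.9\
| eval abnormaltype="Large IOPS", Severity=3] | stats count by account_id region

# Hourly generating command; what syncaddon synchronises is defined by the
# app's custom command, not here.
[Addon Synchronization]
search = | syncaddon
disabled = 1
enableSched = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
cron_schedule = 0 * * * *

# Daily (02:20): latest assemblyId per CUR digest source over the past year.
# timestr is the first 8 digits of the report period taken from the source
# path (e.g. YYYYMMDD-); the CUR billing metric search matches on it.
[Billing CUR: Billing Reports AssemblyId Generator]
cron_schedule = 20 2 * * *
description = Generate the lookup that stores the AssemblyId for the latest CUR report for each month.
disabled = 1
dispatch.earliest_time = -1y
dispatch.latest_time = now
search = `aws-billing-sourcetype-cur-digest` \
| stats latest(assemblyId) as assemblyId, latest(lastModified) as lastModifiedDate by source \
| rex field=source ".*/(?<timestr>\\d{8}-)\\d{8}.*" \
| outputlookup billing_report_assemblyid_cur
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
enableSched = 0

# Nightly (21:00) generating command; the search is the custom "recommend"
# command, so dispatch times are only a formality.
[Machine Learning: Recommendation]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 21 * * *
disabled = 1
enableSched = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
search = | recommend

# Hourly (:05) incremental topology collector. The earliest index time comes
# from topology_history_checkpoint and the checkpoint is advanced to the
# current hour at the end of the run via the trailing append.
# Collected rows include IAM inline policy documents (userPolicies,
# groupPolicies) and public/private IPs, so the index behind
# `topology-history-index` should carry the same role restrictions as the raw
# Config data it is copied from.
[Config: Topology History Appender]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 5 * * * *
disabled = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
search = `aws-config-sourcetype` (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-* OR resourceType=AWS::ElasticLoadBalancingV2::LoadBalancer OR resourceType=AWS::IAM::*) [| inputlookup topology_history_checkpoint | rename earliestTimestamp as _index_earliest | return _index_earliest] | dedup resourceId | eval resourceName=if((isnull(resourceName) or resourceName==""), 'tags.Name', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), 'configuration.groupName', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), resourceId, resourceName) | eval _time=_indextime, relationships=mvzip('relationships{}.resourceId', 'relationships{}.name'), tags=mvzip('configuration.tags{}.key', 'configuration.tags{}.value'), attachedPolicies=mvzip('configuration.attachedManagedPolicies{}.policyArn', 'configuration.attachedManagedPolicies{}.policyName'), userPolicies=mvzip('configuration.userPolicyList{}.policyName', 'configuration.userPolicyList{}.policyDocument'), groupPolicies=mvzip('configuration.groupPolicyList{}.policyName', 'configuration.groupPolicyList{}.policyDocument') | eval relationships=mvfilter(match(relationships, ",Is*") AND NOT match(relationships, ",Is attached to Volume")) | rename configurationItemStatus as resourceStatus, configuration.state.name as instanceStatus, configuration.instanceType as instanceType, configuration.vpcId as vpcId, ARN as resourceArn, configuration.privateIpAddress as privateIp, configuration.publicIpAddress as publicIp | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, configurationItemCaptureTime, _time | collect `topology-history-index` source=aws_topology_summary | append [| makeresults count=1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_history_checkpoint]

# Daily (01:00) snapshot: latest state per resource from the history index
# (from all time if yesterday's snapshot is missing, else since yesterday),
# merged with yesterday's snapshot, deleted resources dropped, stamped @d.
[Config: Topology Daily Snapshot Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
disabled = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
search = `topology-history-index` [search `topology-daily-snapshot-index` earliest=-1d@d | stats count | eval earliest=if(count==0, 0, "-1d@d") | return earliest] latest=@d | append [search `topology-daily-snapshot-index` earliest=-1d@d] | dedup resourceId | search resourceStatus!="ResourceDeleted" | eval _time=relative_time(now(),"@d") | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, _time | collect `topology-daily-snapshot-index` source=aws_topology_summary

# One-off (no cron_schedule) full build of the topology history index from all
# Config data; drops deleted resources and seeds topology_history_checkpoint.
# Same IAM policy document / IP exposure note as the appender above.
[Config: Topology History Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
disabled = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
search = `aws-config-sourcetype` (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-* OR resourceType=AWS::ElasticLoadBalancingV2::LoadBalancer OR resourceType=AWS::IAM::*) | dedup resourceId | search configurationItemStatus!="ResourceDeleted" | eval resourceName=if((isnull(resourceName) or resourceName==""), 'tags.Name', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), 'configuration.groupName', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), resourceId, resourceName) | eval _time=_indextime, relationships=mvzip('relationships{}.resourceId', 'relationships{}.name'), tags=mvzip('configuration.tags{}.key', 'configuration.tags{}.value'), attachedPolicies=mvzip('configuration.attachedManagedPolicies{}.policyArn', 'configuration.attachedManagedPolicies{}.policyName'), userPolicies=mvzip('configuration.userPolicyList{}.policyName', 'configuration.userPolicyList{}.policyDocument'), groupPolicies=mvzip('configuration.groupPolicyList{}.policyName', 'configuration.groupPolicyList{}.policyDocument') | eval relationships=mvfilter(match(relationships, ",Is*") AND NOT match(relationships, ",Is attached to Volume")) | rename configurationItemStatus as resourceStatus, configuration.state.name as instanceStatus, configuration.instanceType as instanceType, configuration.vpcId as vpcId, ARN as resourceArn, configuration.privateIpAddress as privateIp, configuration.publicIpAddress as publicIp | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, configurationItemCaptureTime, _time | collect `topology-history-index` source=aws_topology_summary | append [| makeresults count=1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_history_checkpoint]

# Hourly (:55) rebuild of the s3_buckets lookup (name, account, region).
[AWS Metadata - S3 Buckets]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 55 * * * *
disabled = 1
enableSched = 0
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = `aws-metadata("*", "*", "s3_buckets", "Name")` | rename Name as bucket_name, LocationConstraint as region | table bucket_name, account_id, region | outputlookup s3_buckets

# Daily (00:20) per-sourcetype throughput for yesterday from splunkd
# metrics.log, filtered to AWS sourcetypes by the custom filterawssourcetype
# command and summary-indexed as report=aws_indexed_data_volume.
[AWS: calculate data volume indexed]
cron_schedule = 20 0 * * *
description = Calculate the amount of data indexed in Splunk
disabled = 1
enableSched = 1
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = | search `cp-aws-dashboards-internal-index` sourcetype=splunkd source=*metrics.log splunk_server="*" group="per_sourcetype_thruput" \
| stats sum(kb) as sum_kb by series | eval sum_mb=sum_kb/1024 \
| filterawssourcetype
action.summary_index = 1
action.summary_index.report = aws_indexed_data_volume
alert.digest_mode = True
realtime_schedule = 0

# Hourly (:35): latest Inspector finding per (rules package, agent) over the
# last 3 months, keyed by agent_id for the topology overlay.
[Amazon Inspector: Topology Amazon Inspector Recommendation Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 35 * * * *
description = Generate Amazon Inspector data
disabled = 1
dispatch.earliest_time = -3mon@mon
dispatch.latest_time = now
enableSched = 0
search = `aws-inspector-findings` assetAttributes.agentId=* assetType=ec2-instance | fields assetAttributes.agentId,serviceAttributes.rulesPackageArn,severity,title | rename assetAttributes.agentId as agent_id, serviceAttributes.rulesPackageArn as rule_arn | stats latest(severity) as severity, latest(title) as finding by rule_arn, agent_id | table agent_id, severity, finding | outputlookup topology_inspector_recommendations

# Hourly (:05) generating command; dispatch.max_time (seconds) bounds the run.
[Anomaly Detection: Jobs Service]
cron_schedule = 5 * * * *
disabled = 1
enableSched = 0
dispatch.max_time = 198000
search = | anomalyjob

# Hourly (:00): records the time range of every search job seen in the audit
# index during the previous hour into anomaly_schedule_checker. Rows lacking
# a parsable earliest/latest time are dropped before the dedup on job_id.
[Anomaly Detection: Schedule Time Checker]
cron_schedule = 0 * * * *
disabled = 1
enableSched = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
search = `cp-aws-dashboards-audit-index` action="search" search=* | regex search="job_id=\"\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\"" | eval is_alert=if(savedsearch_name="", 0, 1) , earliest_time = strptime(apiStartTime,"'%a %b %d %T %Y'"), latest_time=strptime(apiEndTime,"'%a %b %d %T %Y'"), day=strftime(_time, "%Y-%m-%d") | table _time, job_id, is_alert, earliest_time,latest_time, day | append [ | inputlookup anomaly_schedule_checker ] | where isnotnull(earliest_time) AND isnotnull(latest_time) | dedup job_id, is_alert | outputlookup anomaly_schedule_checker

# Daily (02:30): previous month's BlendedCost per instance/volume from the
# CUR. The assemblyId is pulled out of the source path and restricted to the
# assembly recorded for that month in billing_report_assemblyid_cur.
[Billing CUR: Topology Billing Metric Generator]
alert.suppress = 0
alert.track = 0
cron_schedule = 30 2 * * *
description = Generate Billing overlay for Topology
disabled = 1
dispatch.earliest_time = -mon@mon
dispatch.latest_time = @mon
enableSched = 0
search = `aws-billing-details-cur(*)` InvoiceId=* ResourceId="i-*" OR ResourceId="vol-*" \
| rex field=source "(?<assemblyId>(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1})" \
| search \
[| inputlookup billing_report_assemblyid_cur | eval timestr1 = strftime(relative_time(now(),"-mon"), "%Y%m") + "01-" | where timestr = timestr1 | table assemblyId | format] \
| stats sum(BlendedCost) as billing by ResourceId \
| rename ResourceId as name \
| table billing, name \
| outputlookup topology_billing_metrics_cur

# Daily (01:15): same overlay from the detailed (non-CUR) billing report.
[Billing: Topology Billing Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
description = Generate Billing overlay for Topology
cron_schedule = 15 1 * * *
disabled = 1
dispatch.earliest_time = -mon@mon
dispatch.latest_time = @mon
enableSched = 0
search = `aws-billing-details(*)` ResourceId="i-*" OR ResourceId="vol-*" | stats sum(BlendedCost) as billing by ResourceId | rename ResourceId as name | table billing, name | outputlookup topology_billing_metrics

# Accelerated (auto_summarize) base search: per eventName/region/account/user
# counts, with errors (errorCode != success) and Unauthorized (classified by
# the unauthorized_errorCode lookup) broken out.
[CloudTrail Base Search]
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1mon@d
disabled = 1
dispatch.earliest_time = -1mon
dispatch.latest_time = now
search = `aws-cloudtrail((aws_account_id="*"), (region="**") )` | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | stats count count(eval(errorCode!="success")) as errors count(Unauthorized) as Unauthorized by eventName region aws_account_id userName

# Every 20 min: appends previously unseen eventName values to all_eventName.
# NOTE(review): the S3 Data Event search below reads a "function" column from
# this lookup; rows appended here carry eventName only, so that column is
# presumably maintained elsewhere — confirm.
[CloudTrail EventName Generator]
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
alert.expires = 2h
cron_schedule = */20 * * * *
disabled = 1
dispatch.earliest_time = -22m@m
dispatch.latest_time = -2m@m
enableSched = 0
search = `aws-cloudtrail-sourcetype` | stats count by eventName | lookup all_eventName eventName OUTPUTNEW eventName as existing | fillnull | search existing=0 | fields eventName | outputlookup all_eventName append=true

# Accelerated base search for S3 data-plane events (bucket, object, user,
# source IP, user agent), with error and Unauthorized flags.
# NOTE(review): error=if(errorCode=="success",0,1) yields null, not 1, when
# errorCode is absent — fine only if the add-on always populates errorCode.
[CloudTrail S3 Data Event Search]
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1mon@d
disabled = 1
dispatch.earliest_time = -1mon
dispatch.latest_time = now
search = `aws-cloudtrail-sourcetype`| lookup all_eventName eventName OUTPUTNEW function| search function="S3 Data Event" | spath output=bucketName path="requestParameters.bucketName" | spath output=objectName path=requestParameters.key | spath output=userName path=userIdentity.userName | eval error=if(errorCode=="success",0, 1) | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval Unauthorized=if(Unauthorized=="true", 1, 0) | stats count by region, aws_account_id, bucketName, objectName, userName, eventName, userAgent, sourceIPAddress,Unauthorized, error, readOnly,_time

# Accelerated base search: daily counts per eventName/region/account with the
# response classified as success / error / unauthorized.
[CloudTrail Timechart Search]
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1mon@d
disabled = 1
dispatch.earliest_time = -1mon
dispatch.latest_time = now
search = `aws-cloudtrail((aws_account_id="*"), (region="**") )` | eval day=strftime(_time, "%Y-%m-%d %z") | stats count by eventName region aws_account_id day errorCode | eval _time=strptime(day, "%Y-%m-%d %z") | eval response=if(errorCode=="success","success", "error") | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval response=if(Unauthorized=="true", "unauthorized", response) | fields - day errorCode Unauthorized

# Hourly topology overlays from CloudWatch over the last day; each writes a
# (metric, name) lookup keyed by the InstanceId/VolumeId dimension.
[CloudWatch: Topology CPU Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 10 * * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="CPUUtilization" \
| stats avg(Average) as cpu by metric_dimensions | `aws-cloudwatch-dimension-rex("InstanceId", "name")` \
| table cpu, name | outputlookup topology_cpu_metrics

[CloudWatch: Topology Disk IO Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 15 * * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="Disk*Ops" \
| stats sum(Sum) as io_count by metric_dimensions, metric_name | stats sum(io_count) as disk by metric_dimensions \
| `aws-cloudwatch-dimension-rex("InstanceId", "name")` | table disk, name | outputlookup topology_diskio_metrics

[CloudWatch: Topology Network Traffic Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 20 * * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="Network*" \
| stats sum(Sum) as network by metric_dimensions, metric_name | stats sum(network) as network_traffic by metric_dimensions \
| `aws-cloudwatch-dimension-rex("InstanceId", "name")` | table network_traffic, name | outputlookup topology_network_traffic_metrics

[CloudWatch: Topology Volume IO Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 25 * * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
search = `aws-cloudwatch-ebs("*", "*")` metric_dimensions="*VolumeId=[*]*" (metric_name="VolumeReadOps" OR metric_name="VolumeWriteOps") \
| stats sum(Sum) as io_count by metric_dimensions, metric_name | stats sum(io_count) as volume_io by metric_dimensions \
| `aws-cloudwatch-dimension-rex("VolumeId", "name")` | table volume_io, name | outputlookup topology_volumeio_metrics

[CloudWatch: Topology Volume Traffic Metric Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 30 * * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 0
search = `aws-cloudwatch-ebs("*", "*")` metric_dimensions="*VolumeId=[*]*" metric_name="Volume*Bytes" \
| stats sum(Sum) as network by metric_dimensions, metric_name | stats sum(network) as network_traffic by metric_dimensions \
| `aws-cloudwatch-dimension-rex("VolumeId", "name")` | table network_traffic, name | outputlookup topology_volume_traffic_metrics

# Hourly (:40): latest ComplianceType per (resource, Config rule) over the
# last 3 months, for the topology compliance overlay.
[Config Rules: Topology Config Rules Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 40 * * * *
disabled = 1
dispatch.earliest_time = -3mon@mon
dispatch.latest_time = now
enableSched = 0
search = `aws-config-rule-sourcetype` source="*:configRule:complianceDetail" | fields EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId,EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName,ComplianceType | rename EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId as resource_id, EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName as rule_name | stats latest(ComplianceType) as compliance_type by resource_id, rule_name | table resource_id, rule_name, compliance_type | outputlookup topology_config_rules

# First of each month (00:00): copies yesterday's daily snapshot into the
# monthly snapshot index.
[Config: Topology Monthly Snapshot Generator]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 0 0 1 * *
disabled = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
search = `topology-daily-snapshot-index` earliest=-1d@d | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, _time | collect `topology-monthly-snapshot-index` source=aws_topology_summary

# Daily (01:00) playback feed: re-times history rows to their
# configurationItemCaptureTime (minute-rounded into "timestamp") and flags
# canMiss when the row was indexed more than a day after capture. Reads its
# start time from topology_playback_checkpoint and advances it at the end.
[Config: Topology Playback Appender]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
disabled = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
search = `topology-history-index` configurationItemCaptureTime=* (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-*) [| inputlookup topology_playback_checkpoint | rename earliestTimestamp as earliest | return earliest]| eval indexTimestamp=floor(_time), _time=strptime(configurationItemCaptureTime, "%Y-%m-%dT%H:%M:%S.%3NZ"), timestamp=floor(_time/60)*60, canMiss=if((indexTimestamp - timestamp) > 86400, 1, 0) | table relationships, resourceStatus, instanceStatus, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, canMiss, timestamp, _time | collect `topology-playback-index` source=aws_topology_summary | append [| makeresults count=1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_playback_checkpoint]

# IAM posture insights (password policy, access-key rotation, long-unused
# credentials) per account, summary-indexed under insights=iam.
[Insights: IAM]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.insights = iam
auto_summarize.dispatch.earliest_time = -1d@h
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 45 1 * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
realtime_schedule = 0
enableSched = 0
search = `aws-password-policy-iam(("*"))` | append [search earliest=-1d `aws-key-rotation-iam(("*"))`] | append [search earliest=-1d `aws-long-unused-iam(("*"))`] | stats count by account_id

# Security-group posture insights (unrestricted specific ports, unrestricted
# access, unused, redundant, large rule count) per account/region.
[Insights: SG]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.insights = sg
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = 40 1 * * *
disabled = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
realtime_schedule = 0
enableSched = 0
search = `aws-specific-ports-unrestricted-sg(("*"), ("*"))` | append [search earliest=-1d `aws-unrestricted-access-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-unused-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-redundant-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-large-number-rules-sg(("*"), ("*"))`] | stats count by account_id region

# VPC Flow Log roll-ups every 15 min (lagged 1 min) into
# `aws-vpc-flow-log-index`. Each keeps only the top 10000 rows by packets
# ("sort 10000"), so low-volume flows are absent from the summary; anything
# relying on the summary for detection should be aware of that cut-off.
[VPC Flow Logs Summary Generator - Dest IP]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 0
cron_schedule = */15 * * * *
disabled = 1
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m
enableSched = 0
realtime_schedule = 0
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id dest_ip interface_id protocol vpcflow_action | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id dest_ip interface_id protocol vpcflow_action | sort 10000 -packets | collect `aws-vpc-flow-log-index` source="dest_ip"

# Dest-port roll-up: ports <= 1024 are kept as-is, higher ports are mapped
# through well_known_ports, and anything unmapped becomes "Others".
[VPC Flow Logs Summary Generator - Dest Port]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = */15 * * * *
disabled = 1
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m
enableSched = 0
realtime_schedule = 0
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id dest_port interface_id protocol vpcflow_action | lookup well_known_ports port as dest_port protocol OUTPUT port as port | eval port=if(dest_port<=1024,dest_port,port) | rename port as dest_port | fillnull value="Others" dest_port | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id dest_port interface_id protocol vpcflow_action | eventstats sum(packets) as total_packets sum(bytes) as total_bytes by interface_id aws_account_id protocol vpcflow_action | sort 10000 -packets | collect `aws-vpc-flow-log-index` source="dest_port"

# Src-IP roll-up every 30 min (lagged 2 min), geo-enriched with iplocation.
[VPC Flow Logs Summary Generator - Src IP]
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = */30 * * * *
disabled = 1
dispatch.earliest_time = -32m@m
dispatch.latest_time = -2m@m
enableSched = 0
realtime_schedule = 0
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id src_ip interface_id protocol vpcflow_action | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id src_ip interface_id protocol vpcflow_action | sort 10000 -packets | iplocation src_ip | collect `aws-vpc-flow-log-index` source="src_ip"

# ITSI entity imports (upsert into default_itsi_security_group). Note that
# "*/50 * * * *" fires at :00 and :50 of every hour, not every 50 minutes,
# while the window is the last 60 minutes.
# Entity name comes from the Name tag; missing values are filled with "N/A".
[ITSI Import Objects - Import EC2 Instance Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = InstanceId
action.itsi_import_objects.param.entity_informational_fields = InstanceName,InstanceType,AccountId,region,entity_type_info
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */50 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 1
search = `aws-metadata(*, *, "ec2_instances","InstanceId")`\
| fillnull value="N/A"\
| spath output=tags path=Tags{}\
| rex field=tags "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\""\
| rename tagname AS InstanceName\
| eval entity_title=InstanceId\
| eval entity_type="EC2 Instance"\
| eval entity_type_info=entity_type\
| table entity_title InstanceId InstanceName InstanceType AccountId region entity_type_info entity_type

[ITSI Import Objects - Import Lambda Function Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_description_fields = Description
action.itsi_import_objects.param.entity_identifier_fields = uniq_id
action.itsi_import_objects.param.entity_informational_fields = FunctionName,Runtime,Handler,AccountId,region,entity_type_info
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */50 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 1
search = `aws-metadata-lambda(*, *)`\
| fillnull value="N/A" \
| rename name AS FunctionName\
| eval entity_title=uniq_id\
| eval entity_type="Lambda Function"\
| eval entity_type_info=entity_type\
| table entity_title uniq_id Description FunctionName Runtime Handler AccountId region entity_type_info entity_type

# VpcId is reconciled from either VPCId or VpcId. Any Type other than
# "application" is labelled "Classic Load Balancer".
[ITSI Import Objects - Import ELB Instance Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = uniq_id
action.itsi_import_objects.param.entity_informational_fields = ELBName,ELBType,DNSName,VpcId,AccountId,region,entity_type_info
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */50 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 1
search = `aws-metadata-elb(*, *)`\
| eval VpcId=if(isnull(VPCId), VpcId, VPCId)\
| fillnull value="N/A" \
| rename name AS ELBName\
| eval entity_title=uniq_id\
| eval entity_type="ELB Instance"\
| eval entity_type_info=entity_type\
| eval ELBType=if(Type="application", "Application Load Balancer", "Classic Load Balancer") \
| table entity_title uniq_id ELBName ELBType DNSName VpcId AccountId region entity_type_info entity_type

# Volumes are deduped on VolumeId; the attached instance is taken from
# Attachments{}.InstanceId.
[ITSI Import Objects - Import EBS Volume Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = VolumeId
action.itsi_import_objects.param.entity_informational_fields = VolumeName,VolumeType,Size(GB),InstanceId,AccountId,region,entity_type_info
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */50 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 1
search = `aws-metadata(*, *, "ec2_volumes","VolumeId")`\
| fillnull value="N/A" \
| spath output=tags path=Tags{}\
| rex field=tags "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\"" \
| rename tagname AS VolumeName, Size AS Size(GB), Attachments{}.InstanceId AS InstanceId\
| eval entity_title=VolumeId\
| dedup entity_title\
| eval entity_type="EBS Volume"\
| eval entity_type_info=entity_type\
| table entity_title VolumeId VolumeName VolumeType Size(GB) InstanceId AccountId region entity_type_info entity_type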