You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
636 lines
35 KiB
636 lines
35 KiB
[AWS Billing - Account Name Generator]
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
description = Extract account id - account name lookup from monthly billing report
|
|
disabled = 1
|
|
schedule_window = 30
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
search = `aws-billing-sourcetype` eventtype=aws_billing_monthly_report (RecordType=InvoiceTotal OR RecordType=AccountTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | eval LinkedAccountName=if(isnull(LinkedAccountName),PayerAccountName,LinkedAccountName) | stats count by LinkedAccountId LinkedAccountName | dedup LinkedAccountId sortby -_time | append [makeresults | eval LinkedAccountId="placeholder" | eval LinkedAccountName="placeholder"] | table LinkedAccountId LinkedAccountName | outputlookup account_name
|
|
|
|
[AWS Billing - Account Name Appender]
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
description = Append account id to account_name lookup
|
|
cron_schedule = 0 1 * * *
|
|
disabled = 1
|
|
schedule_window = 30
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
search = `aws-billing-sourcetype` eventtype=aws_billing_monthly_report (RecordType=InvoiceTotal OR RecordType=AccountTotal) | eval LinkedAccountId=if(isnull(LinkedAccountId),PayerAccountId,LinkedAccountId) | eval LinkedAccountName=if(isnull(LinkedAccountName),PayerAccountName,LinkedAccountName) | stats count by LinkedAccountId LinkedAccountName | dedup LinkedAccountId sortby -_time | append [ makeresults | eval LinkedAccountId="placeholder" | eval LinkedAccountName="placeholder"] | table LinkedAccountId LinkedAccountName | append [|inputlookup account_name]| dedup LinkedAccountId LinkedAccountName| outputlookup account_name
|
|
|
|
[AWS Metadata - CloudFront Edges]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 50 * * * *
|
|
disabled = 1
|
|
enableSched = 0
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
search = `aws-metadata("", "", "cloudfront_distributions", "Id")` | rename Id as id,DomainName as domain_name| dedup id | table id, domain_name, account_id | outputlookup cloudfront_edges
|
|
|
|
[AWS Config - Tags Generator]
|
|
description = Extract tags lookup from AWS Config
|
|
disabled = 1
|
|
schedule_window = 30
|
|
dispatch.earliest_time = 1
|
|
dispatch.latest_time = now
|
|
search = `aws-config-sourcetype` | spath output=tags path=tags | stats count by tags resourceType aws_account_id | fields - count | rex max_match=20 field=tags "\"(?<key>[^,]+)\": \"(?<value>[^,]+)\"" | eval keyvalue=mvzip('key', 'value',"=") | mvexpand keyvalue | fields keyvalue resourceType aws_account_id | rex field=keyvalue "(?<key>[^,]+)=(?<value>[^,]+)" | stats count by key value resourceType aws_account_id | fields key value resourceType aws_account_id | rename resourceType as type | outputlookup tags_config
|
|
|
|
[AWS Config - Tags Appender]
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
description = Append output to tags_config lookup
|
|
cron_schedule = 5 1 * * *
|
|
disabled = 1
|
|
schedule_window = 30
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
search = `aws-config-sourcetype` | spath output=tags path=tags | stats count by tags resourceType aws_account_id | fields - count | rex max_match=20 field=tags "\"(?<key>[^,]+)\": \"(?<value>[^,]+)\"" | eval keyvalue=mvzip('key', 'value',"=") | mvexpand keyvalue | fields keyvalue resourceType aws_account_id | rex field=keyvalue "(?<key>[^,]+)=(?<value>[^,]+)" | stats count by key value resourceType aws_account_id | fields key value resourceType aws_account_id | rename resourceType as type| append [ inputlookup tags_config ]| dedup key aws_account_id type value | outputlookup tags_config
|
|
|
|
[AWS Metadata - Tags]
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
dispatch.earliest_time = -7d@d
|
|
cron_schedule = 10 1 * * *
|
|
disabled = 1
|
|
schedule_window = 30
|
|
dispatch.latest_time = now
|
|
search = `aws-metadata-sourcetype` | spath output=tags path=Tags{} | stats count by tags source aws_account_id | rex max_match=20 field=tags "\"Key\": \"(?<key>[^,]+)\", \"Value\": \"(?<value>[^,]+)\"" | where isnotnull(key) AND isnotnull(value)| rex field=source ".*?:(?<type>.*)" | fields key value type aws_account_id | outputlookup tags_metadata
|
|
|
|
[Billing: Billing Reports S3Key Generator]
|
|
description = Generate the lookup that stores the S3KeyLastModified for the latest report each month.
|
|
disabled = 1
|
|
dispatch.earliest_time = -1y
|
|
dispatch.latest_time = now
|
|
search = `aws-billing-sourcetype` (RecordType=AccountTotal OR RecordType=StatementTotal) | stats count by aws_account_id S3KeyLastModified source eventtype | eventstats max(S3KeyLastModified) as max_s3 by source | where S3KeyLastModified=max_s3 and (eventtype="aws_billing_monthly_report" or eventtype="aws_billing_detail_report") | table S3KeyLastModified source eventtype | outputlookup billing_report_s3key
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
enableSched = 0
|
|
|
|
[Billing: Billing Reports S3Key Appender]
|
|
cron_schedule = 50 1 * * *
|
|
description = Append the lookup that stores the S3KeyLastModified for the latest report each month.
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
search = `aws-billing-sourcetype` (RecordType=AccountTotal OR RecordType=StatementTotal) | stats count by aws_account_id S3KeyLastModified source eventtype | eventstats max(S3KeyLastModified) as max_s3 by source | where S3KeyLastModified=max_s3 and (eventtype="aws_billing_monthly_report" or eventtype="aws_billing_detail_report") | table S3KeyLastModified source eventtype | append [|inputlookup billing_report_s3key] | dedup S3KeyLastModified source eventtype | outputlookup billing_report_s3key
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
enableSched = 0
|
|
|
|
[Insights: ELB]
|
|
action.email.useNSSubject = 1
|
|
action.summary_index = 1
|
|
action.summary_index.insights = elb
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 25 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
realtime_schedule = 0
|
|
enableSched = 0
|
|
search = `aws-unused-elb(("*"), ("*"))` | append [search earliest=-1d `aws-not-autoscaling-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-not-enough-request-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-not-cross-zone-elb(("*"), ("*"))`] | append [search earliest=-1d `aws-insecure-listener-elb(("*"), ("*"))`] | stats count by account_id region
|
|
|
|
[Insights: EIP]
|
|
action.email.useNSSubject = 1
|
|
action.summary_index = 1
|
|
action.summary_index.insights = eip
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 30 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
realtime_schedule = 0
|
|
search = `aws-unused-eip("*", "*")` | search insight="*" | stats count by account_id region
|
|
|
|
[Insights: EBS]
|
|
action.email.useNSSubject = 1
|
|
action.summary_index = 1
|
|
action.summary_index.insights = ebs
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 35 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
realtime_schedule = 0
|
|
search = earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
|
|
| where State!="in-use"\
|
|
| eval abnormaltype="Unused", Severity=1| append[search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
|
|
| where VolumeType="io1"\
|
|
| where State="in-use"\
|
|
| rename Attachments{}.VolumeId as instanceId\
|
|
| join instanceId type="inner" [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_instances", "InstanceId")`\
|
|
| where EbsOptimized="false" | rename InstanceId as instanceId]\
|
|
| eval abnormaltype="Non-Optimized", Severity=1]| append[search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
|
|
| join VolumeId type="outer" [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ebs_snapshots", "SnapshotId")` \
|
|
| rename SnapshotId as snapshotId, StartTime as start_time] \
|
|
| eval snapTime=strptime(start_time, "%Y-%m-%dT%T") \
|
|
| eval diff=round((now()-snapTime)/86400,0) \
|
|
| where NOT (diff>0 AND diff<30)\
|
|
| eval abnormaltype="No Recent Snapshot", Severity=2]| append[search earliest=-7d@h `aws-cloudwatch-ebs("*", "*")` (metric_name="VolumeWriteOps" OR metric_name="VolumeReadOps")\
|
|
| eval Average = Average / period\
|
|
| stats avg(Average) as iops by metric_dimensions \
|
|
| eval iops = round(iops*2, 2)\
|
|
| sort +iops\
|
|
| `aws-cloudwatch-dimension-rex("VolumeId", "id")` \
|
|
| join type=inner id [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
|
|
| rename Iops as piops,VolumeType as type,VolumeId as id]\
|
|
| where piops != "null"\
|
|
| where type="io1"\
|
|
| where iops/piops < 0.1\
|
|
| eval abnormaltype="Small IOPS", Severity=3]| append[search earliest=-7d@h `aws-cloudwatch-ebs("*", "*")` (metric_name="VolumeWriteOps" OR metric_name="VolumeReadOps")\
|
|
| eval Average = Average / period\
|
|
| stats avg(Average) as iops by metric_dimensions \
|
|
| eval iops = round(iops*2, 2)\
|
|
| sort -iops\
|
|
| `aws-cloudwatch-dimension-rex("VolumeId", "id")` \
|
|
| join type=inner id [search earliest=-1d `aws-metadata((aws_account_id="*"), (region="**") , "ec2_volumes", "VolumeId")` \
|
|
| rename Iops as piops,VolumeId as id]\
|
|
| where piops != "null"\
|
|
| where iops/piops > 0.9\
|
|
| eval abnormaltype="Large IOPS", Severity=3] | stats count by account_id region
|
|
|
|
[Addon Synchronization]
|
|
search = | syncaddon
|
|
disabled = 1
|
|
enableSched = 0
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
cron_schedule = 0 * * * *
|
|
|
|
[Billing CUR: Billing Reports AssemblyId Generator]
|
|
cron_schedule = 20 2 * * *
|
|
description = Generate the lookup that stores the AssemblyId for the latest CUR report for each month.
|
|
disabled = 1
|
|
dispatch.earliest_time = -1y
|
|
dispatch.latest_time = now
|
|
search = `aws-billing-sourcetype-cur-digest` \
|
|
| stats latest(assemblyId) as assemblyId, latest(lastModified) as lastModifiedDate by source \
|
|
| rex field=source ".*/(?<timestr>\\d{8}-)\\d{8}.*" \
|
|
| outputlookup billing_report_assemblyid_cur
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
enableSched = 0
|
|
|
|
[Machine Learning: Recommendation]
|
|
action.email.useNSSubject = 1
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 0 21 * * *
|
|
disabled = 1
|
|
enableSched = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
search = | recommend
|
|
|
|
[Config: Topology History Appender]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 5 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search=`aws-config-sourcetype` (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-* OR resourceType=AWS::ElasticLoadBalancingV2::LoadBalancer OR resourceType=AWS::IAM::*) [| inputlookup topology_history_checkpoint | rename earliestTimestamp as _index_earliest | return _index_earliest] | dedup resourceId | eval resourceName=if((isnull(resourceName) or resourceName==""), 'tags.Name', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), 'configuration.groupName', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), resourceId, resourceName) | eval _time=_indextime, relationships=mvzip('relationships{}.resourceId', 'relationships{}.name'), tags=mvzip('configuration.tags{}.key', 'configuration.tags{}.value'), attachedPolicies=mvzip('configuration.attachedManagedPolicies{}.policyArn', 'configuration.attachedManagedPolicies{}.policyName'), userPolicies=mvzip('configuration.userPolicyList{}.policyName', 'configuration.userPolicyList{}.policyDocument'), groupPolicies=mvzip('configuration.groupPolicyList{}.policyName', 'configuration.groupPolicyList{}.policyDocument') | eval relationships=mvfilter(match(relationships, ",Is*") AND NOT match(relationships, ",Is attached to Volume")) | rename configurationItemStatus as resourceStatus, configuration.state.name as instanceStatus, configuration.instanceType as instanceType, configuration.vpcId as vpcId, ARN as resourceArn, configuration.privateIpAddress as privateIp, configuration.publicIpAddress as publicIp | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, configurationItemCaptureTime, _time | collect `topology-history-index` source=aws_topology_summary | append [| makeresults count=1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_history_checkpoint]
|
|
|
|
[Config: Topology Daily Snapshot Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 0 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `topology-history-index` [search `topology-daily-snapshot-index` earliest=-1d@d | stats count | eval earliest=if(count==0, 0, "-1d@d") | return earliest] latest=@d | append [search `topology-daily-snapshot-index` earliest=-1d@d] | dedup resourceId | search resourceStatus!="ResourceDeleted" | eval _time=relative_time(now(),"@d") | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, _time | collect `topology-daily-snapshot-index` source=aws_topology_summary
|
|
|
|
[Config: Topology History Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
disabled = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
search=`aws-config-sourcetype` (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-* OR resourceType=AWS::ElasticLoadBalancingV2::LoadBalancer OR resourceType=AWS::IAM::*) | dedup resourceId | search configurationItemStatus!="ResourceDeleted" | eval resourceName=if((isnull(resourceName) or resourceName==""), 'tags.Name', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), 'configuration.groupName', resourceName), resourceName=if((isnull(resourceName) or resourceName==""), resourceId, resourceName) | eval _time=_indextime, relationships=mvzip('relationships{}.resourceId', 'relationships{}.name'), tags=mvzip('configuration.tags{}.key', 'configuration.tags{}.value'), attachedPolicies=mvzip('configuration.attachedManagedPolicies{}.policyArn', 'configuration.attachedManagedPolicies{}.policyName'), userPolicies=mvzip('configuration.userPolicyList{}.policyName', 'configuration.userPolicyList{}.policyDocument'), groupPolicies=mvzip('configuration.groupPolicyList{}.policyName', 'configuration.groupPolicyList{}.policyDocument') | eval relationships=mvfilter(match(relationships, ",Is*") AND NOT match(relationships, ",Is attached to Volume")) | rename configurationItemStatus as resourceStatus, configuration.state.name as instanceStatus, configuration.instanceType as instanceType, configuration.vpcId as vpcId, ARN as resourceArn, configuration.privateIpAddress as privateIp, configuration.publicIpAddress as publicIp | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, configurationItemCaptureTime, _time | collect `topology-history-index` source=aws_topology_summary | append [| makeresults count=1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_history_checkpoint]
|
|
|
|
[AWS Metadata - S3 Buckets]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 55 * * * *
|
|
disabled = 1
|
|
enableSched = 0
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
search = `aws-metadata("*", "*", "s3_buckets", "Name")` | rename Name as bucket_name, LocationConstraint as region | table bucket_name, account_id, region | outputlookup s3_buckets
|
|
|
|
[AWS: calculate data volume indexed]
|
|
cron_schedule = 20 0 * * *
|
|
description = Calculate the amount of data indexed in Splunk
|
|
disabled = 1
|
|
enableSched = 1
|
|
dispatch.earliest_time = -1d@d
|
|
dispatch.latest_time = @d
|
|
search = | search `cp-aws-dashboards-internal-index` sourcetype=splunkd source=*metrics.log splunk_server="*" group="per_sourcetype_thruput" \
|
|
| stats sum(kb) as sum_kb by series | eval sum_mb=sum_kb/1024 \
|
|
| filterawssourcetype
|
|
action.summary_index = 1
|
|
action.summary_index.report = aws_indexed_data_volume
|
|
alert.digest_mode = True
|
|
realtime_schedule = 0
|
|
|
|
[Amazon Inspector: Topology Amazon Inspector Recommendation Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 35 * * * *
|
|
description = Generate Amazon Inspector data
|
|
disabled = 1
|
|
dispatch.earliest_time = -3mon@mon
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-inspector-findings` assetAttributes.agentId=* assetType=ec2-instance | fields assetAttributes.agentId,serviceAttributes.rulesPackageArn,severity,title | rename assetAttributes.agentId as agent_id, serviceAttributes.rulesPackageArn as rule_arn | stats latest(severity) as severity, latest(title) as finding by rule_arn, agent_id | table agent_id, severity, finding | outputlookup topology_inspector_recommendations
|
|
|
|
[Anomaly Detection: Jobs Service]
|
|
cron_schedule = 5 * * * *
|
|
disabled = 1
|
|
enableSched = 0
|
|
dispatch.max_time = 198000
|
|
search = | anomalyjob
|
|
|
|
[Anomaly Detection: Schedule Time Checker]
|
|
cron_schedule = 0 * * * *
|
|
disabled = 1
|
|
enableSched = 0
|
|
dispatch.earliest_time = -1h@h
|
|
dispatch.latest_time = @h
|
|
search = `cp-aws-dashboards-audit-index` action="search" search=* | regex search="job_id=\"\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\"" | eval is_alert=if(savedsearch_name="", 0, 1) , earliest_time = strptime(apiStartTime,"'%a %b %d %T %Y'"), latest_time=strptime(apiEndTime,"'%a %b %d %T %Y'"), day=strftime(_time, "%Y-%m-%d") | table _time, job_id, is_alert, earliest_time,latest_time, day | append [ | inputlookup anomaly_schedule_checker ] | where isnotnull(earliest_time) AND isnotnull(latest_time) | dedup job_id, is_alert | outputlookup anomaly_schedule_checker
|
|
|
|
[Billing CUR: Topology Billing Metric Generator]
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 30 2 * * *
|
|
description = Generate Billing overlay for Topology
|
|
disabled = 1
|
|
dispatch.earliest_time = -mon@mon
|
|
dispatch.latest_time = @mon
|
|
enableSched = 0
|
|
search = `aws-billing-details-cur(*)` InvoiceId=* ResourceId="i-*" OR ResourceId="vol-*" \
|
|
| rex field=source "(?<assemblyId>(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1})" \
|
|
| search \
|
|
[| inputlookup billing_report_assemblyid_cur | eval timestr1 = strftime(relative_time(now(),"-mon"), "%Y%m") + "01-" | where timestr = timestr1 | table assemblyId | format] \
|
|
| stats sum(BlendedCost) as billing by ResourceId \
|
|
| rename ResourceId as name \
|
|
| table billing, name \
|
|
| outputlookup topology_billing_metrics_cur
|
|
|
|
[Billing: Topology Billing Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
description = Generate Billing overlay for Topology
|
|
cron_schedule = 15 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -mon@mon
|
|
dispatch.latest_time = @mon
|
|
enableSched = 0
|
|
search = `aws-billing-details(*)` ResourceId="i-*" OR ResourceId="vol-*" | stats sum(BlendedCost) as billing by ResourceId | rename ResourceId as name | table billing, name | outputlookup topology_billing_metrics
|
|
|
|
[CloudTrail Base Search]
|
|
action.email.useNSSubject = 1
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
auto_summarize = 1
|
|
auto_summarize.dispatch.earliest_time = -1mon@d
|
|
disabled = 1
|
|
dispatch.earliest_time = -1mon
|
|
dispatch.latest_time = now
|
|
search = `aws-cloudtrail((aws_account_id="*"), (region="**") )` | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | stats count count(eval(errorCode!="success")) as errors count(Unauthorized) as Unauthorized by eventName region aws_account_id userName
|
|
|
|
[CloudTrail EventName Generator]
|
|
action.email.inline = 1
|
|
alert.digest_mode = True
|
|
alert.severity = 1
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
alert.expires = 2h
|
|
cron_schedule = */20 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -22m@m
|
|
dispatch.latest_time = -2m@m
|
|
enableSched = 0
|
|
search = `aws-cloudtrail-sourcetype` | stats count by eventName | lookup all_eventName eventName OUTPUTNEW eventName as existing | fillnull | search existing=0 | fields eventName | outputlookup all_eventName append=true
|
|
|
|
[CloudTrail S3 Data Event Search]
|
|
action.email.useNSSubject = 1
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
auto_summarize = 1
|
|
auto_summarize.dispatch.earliest_time = -1mon@d
|
|
disabled = 1
|
|
dispatch.earliest_time = -1mon
|
|
dispatch.latest_time = now
|
|
search = `aws-cloudtrail-sourcetype`| lookup all_eventName eventName OUTPUTNEW function| search function="S3 Data Event" | spath output=bucketName path="requestParameters.bucketName" | spath output=objectName path=requestParameters.key | spath output=userName path=userIdentity.userName | eval error=if(errorCode=="success",0, 1) | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval Unauthorized=if(Unauthorized=="true", 1, 0) | stats count by region, aws_account_id, bucketName, objectName, userName, eventName, userAgent, sourceIPAddress,Unauthorized, error, readOnly,_time
|
|
|
|
[CloudTrail Timechart Search]
|
|
action.email.useNSSubject = 1
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
auto_summarize = 1
|
|
auto_summarize.dispatch.earliest_time = -1mon@d
|
|
disabled = 1
|
|
dispatch.earliest_time = -1mon
|
|
dispatch.latest_time = now
|
|
search = `aws-cloudtrail((aws_account_id="*"), (region="**") )` | eval day=strftime(_time, "%Y-%m-%d %z") | stats count by eventName region aws_account_id day errorCode | eval _time=strptime(day, "%Y-%m-%d %z") | eval response=if(errorCode=="success","success", "error") | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval response=if(Unauthorized=="true", "unauthorized", response) | fields - day errorCode Unauthorized
|
|
|
|
[CloudWatch: Topology CPU Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 10 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="CPUUtilization" \
|
|
| stats avg(Average) as cpu by metric_dimensions | `aws-cloudwatch-dimension-rex("InstanceId", "name")` \
|
|
| table cpu, name | outputlookup topology_cpu_metrics
|
|
|
|
[CloudWatch: Topology Disk IO Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 15 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="Disk*Ops" \
|
|
| stats sum(Sum) as io_count by metric_dimensions, metric_name | stats sum(io_count) as disk by metric_dimensions \
|
|
| `aws-cloudwatch-dimension-rex("InstanceId", "name")` | table disk, name | outputlookup topology_diskio_metrics
|
|
|
|
[CloudWatch: Topology Network Traffic Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 20 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-cloudwatch-ec2("*", "*")` metric_dimensions="*InstanceId=[*]*" metric_name="Network*" \
|
|
| stats sum(Sum) as network by metric_dimensions, metric_name | stats sum(network) as network_traffic by metric_dimensions \
|
|
| `aws-cloudwatch-dimension-rex("InstanceId", "name")` | table network_traffic, name | outputlookup topology_network_traffic_metrics
|
|
|
|
[CloudWatch: Topology Volume IO Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 25 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-cloudwatch-ebs("*", "*")` metric_dimensions="*VolumeId=[*]*" (metric_name="VolumeReadOps" OR metric_name="VolumeWriteOps") \
|
|
| stats sum(Sum) as io_count by metric_dimensions, metric_name | stats sum(io_count) as volume_io by metric_dimensions \
|
|
| `aws-cloudwatch-dimension-rex("VolumeId", "name")` | table volume_io, name | outputlookup topology_volumeio_metrics
|
|
|
|
[CloudWatch: Topology Volume Traffic Metric Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 30 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-cloudwatch-ebs("*", "*")` metric_dimensions="*VolumeId=[*]*" metric_name="Volume*Bytes" \
|
|
| stats sum(Sum) as network by metric_dimensions, metric_name | stats sum(network) as network_traffic by metric_dimensions \
|
|
| `aws-cloudwatch-dimension-rex("VolumeId", "name")` | table network_traffic, name | outputlookup topology_volume_traffic_metrics
|
|
|
|
|
|
[Config Rules: Topology Config Rules Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 40 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -3mon@mon
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search = `aws-config-rule-sourcetype` source="*:configRule:complianceDetail" | fields EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId,EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName,ComplianceType | rename EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId as resource_id, EvaluationResultIdentifier.EvaluationResultQualifier.ConfigRuleName as rule_name | stats latest(ComplianceType) as compliance_type by resource_id, rule_name | table resource_id, rule_name, compliance_type | outputlookup topology_config_rules
|
|
|
|
[Config: Topology Monthly Snapshot Generator]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 0 0 1 * *
|
|
disabled = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search=`topology-daily-snapshot-index` earliest=-1d@d | table resourceArn, relationships, tags, resourceStatus, instanceStatus, instanceType, publicIp, privateIp, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, attachedPolicies, userPolicies, groupPolicies, _time | collect `topology-monthly-snapshot-index` source=aws_topology_summary
|
|
|
|
[Config: Topology Playback Appender]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 0 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = 0
|
|
dispatch.latest_time = now
|
|
enableSched = 0
|
|
search=`topology-history-index` configurationItemCaptureTime=* (resourceId=igw-* OR resourceId=vpc-* OR resourceId=i-* OR resourceId=subnet-* OR resourceId=vol-* OR resourceId=sg-* OR resourceId=eni-* OR resourceId=acl-* OR resourceId=rtb-*) [| inputlookup topology_playback_checkpoint | rename earliestTimestamp as earliest | return earliest]| eval indexTimestamp=floor(_time), _time=strptime(configurationItemCaptureTime, "%Y-%m-%dT%H:%M:%S.%3NZ"), timestamp=floor(_time/60)*60, canMiss=if((indexTimestamp - timestamp) > 86400, 1, 0) | table relationships, resourceStatus, instanceStatus, vpcId , resourceId, resourceName, awsAccountId, awsRegion, resourceType, canMiss, timestamp, _time | collect `topology-playback-index` source=aws_topology_summary | append [search * | head 1 | eval earliestTimestamp=floor(now()/3600)*3600 | table earliestTimestamp | outputlookup topology_playback_checkpoint]
|
|
|
|
[Insights: IAM]
|
|
action.email.useNSSubject = 1
|
|
action.summary_index = 1
|
|
action.summary_index.insights = iam
|
|
auto_summarize.dispatch.earliest_time = -1d@h
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 45 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
realtime_schedule = 0
|
|
enableSched = 0
|
|
search = `aws-password-policy-iam(("*"))` | append [search earliest=-1d `aws-key-rotation-iam(("*"))`] | append [search earliest=-1d `aws-long-unused-iam(("*"))`] | stats count by account_id
|
|
|
|
[Insights: SG]
|
|
action.email.useNSSubject = 1
|
|
action.summary_index = 1
|
|
action.summary_index.insights = sg
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = 40 1 * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -1d
|
|
dispatch.latest_time = now
|
|
realtime_schedule = 0
|
|
enableSched = 0
|
|
search = `aws-specific-ports-unrestricted-sg(("*"), ("*"))` | append [search earliest=-1d `aws-unrestricted-access-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-unused-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-redundant-sg(("*"), ("*"))`] | append [search earliest=-1d `aws-large-number-rules-sg(("*"), ("*"))`] | stats count by account_id region
|
|
|
|
[VPC Flow Logs Summary Generator - Dest IP]
|
|
action.email.useNSSubject = 1
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = */15 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -16m@m
|
|
dispatch.latest_time = -1m@m
|
|
enableSched = 0
|
|
realtime_schedule = 0
|
|
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id dest_ip interface_id protocol vpcflow_action | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id dest_ip interface_id protocol vpcflow_action | sort 10000 -packets | collect `aws-vpc-flow-log-index` source="dest_ip"
|
|
|
|
[VPC Flow Logs Summary Generator - Dest Port]
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = */15 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -16m@m
|
|
dispatch.latest_time = -1m@m
|
|
enableSched = 0
|
|
realtime_schedule = 0
|
|
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id dest_port interface_id protocol vpcflow_action | lookup well_known_ports port as dest_port protocol OUTPUT port as port | eval port=if(dest_port<=1024,dest_port,port) | rename port as dest_port | fillnull value="Others" dest_port | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id dest_port interface_id protocol vpcflow_action | eventstats sum(packets) as total_packets sum(bytes) as total_bytes by interface_id aws_account_id protocol vpcflow_action | sort 10000 -packets | collect `aws-vpc-flow-log-index` source="dest_port"
|
|
|
|
[VPC Flow Logs Summary Generator - Src IP]
|
|
action.email.useNSSubject = 1
|
|
alert.digest_mode = True
|
|
alert.suppress = 0
|
|
alert.track = 0
|
|
cron_schedule = */30 * * * *
|
|
disabled = 1
|
|
dispatch.earliest_time = -32m@m
|
|
dispatch.latest_time = -2m@m
|
|
enableSched = 0
|
|
realtime_schedule = 0
|
|
search = `aws-vpc-flow-sourcetype` bytes!="-" | fields bytes packets aws_account_id src_ip interface_id protocol vpcflow_action | stats sum(bytes) as bytes sum(packets) as packets by aws_account_id src_ip interface_id protocol vpcflow_action | sort 10000 -packets | iplocation src_ip | collect `aws-vpc-flow-log-index` source="src_ip"
|
|
|
|
[ITSI Import Objects - Import EC2 Instance Entity]
|
|
action.itsi_import_objects = 1
|
|
action.itsi_import_objects.param.backfill_enabled = 0
|
|
action.itsi_import_objects.param.entity_identifier_fields = InstanceId
|
|
action.itsi_import_objects.param.entity_informational_fields = InstanceName,InstanceType,AccountId,region,entity_type_info
|
|
action.itsi_import_objects.param.entity_merge_field = entity_title
|
|
action.itsi_import_objects.param.entity_title_field = entity_title
|
|
action.itsi_import_objects.param.entity_type_field = entity_type
|
|
action.itsi_import_objects.param.service_enabled = 1
|
|
action.itsi_import_objects.param.service_team = default_itsi_security_group
|
|
action.itsi_import_objects.param.service_templates_config = {}
|
|
action.itsi_import_objects.param.update_type = upsert
|
|
cron_schedule = */50 * * * *
|
|
dispatch.earliest_time = -60m
|
|
dispatch.latest_time = now
|
|
enableSched = 1
|
|
disabled = 1
|
|
search = `aws-metadata(*, *, "ec2_instances","InstanceId")`\
|
|
| fillnull value="N/A"\
|
|
| spath output=tags path=Tags{}\
|
|
| rex field=tags "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\""\
|
|
| rename tagname AS InstanceName\
|
|
| eval entity_title=InstanceId\
|
|
| eval entity_type="EC2 Instance"\
|
|
| eval entity_type_info=entity_type\
|
|
| table entity_title InstanceId InstanceName InstanceType AccountId region entity_type_info entity_type
|
|
|
|
[ITSI Import Objects - Import Lambda Function Entity]
|
|
action.itsi_import_objects = 1
|
|
action.itsi_import_objects.param.backfill_enabled = 0
|
|
action.itsi_import_objects.param.entity_description_fields = Description
|
|
action.itsi_import_objects.param.entity_identifier_fields = uniq_id
|
|
action.itsi_import_objects.param.entity_informational_fields = FunctionName,Runtime,Handler,AccountId,region,entity_type_info
|
|
action.itsi_import_objects.param.entity_merge_field = entity_title
|
|
action.itsi_import_objects.param.entity_title_field = entity_title
|
|
action.itsi_import_objects.param.entity_type_field = entity_type
|
|
action.itsi_import_objects.param.service_enabled = 1
|
|
action.itsi_import_objects.param.service_team = default_itsi_security_group
|
|
action.itsi_import_objects.param.service_templates_config = {}
|
|
action.itsi_import_objects.param.update_type = upsert
|
|
cron_schedule = */50 * * * *
|
|
dispatch.earliest_time = -60m
|
|
dispatch.latest_time = now
|
|
enableSched = 1
|
|
disabled = 1
|
|
search = `aws-metadata-lambda(*, *)`\
|
|
| fillnull value="N/A" \
|
|
| rename name AS FunctionName\
|
|
| eval entity_title=uniq_id\
|
|
| eval entity_type="Lambda Function"\
|
|
| eval entity_type_info=entity_type\
|
|
| table entity_title uniq_id Description FunctionName Runtime Handler AccountId region entity_type_info entity_type
|
|
|
|
[ITSI Import Objects - Import ELB Instance Entity]
|
|
action.itsi_import_objects = 1
|
|
action.itsi_import_objects.param.backfill_enabled = 0
|
|
action.itsi_import_objects.param.entity_identifier_fields = uniq_id
|
|
action.itsi_import_objects.param.entity_informational_fields = ELBName,ELBType,DNSName,VpcId,AccountId,region,entity_type_info
|
|
action.itsi_import_objects.param.entity_merge_field = entity_title
|
|
action.itsi_import_objects.param.entity_title_field = entity_title
|
|
action.itsi_import_objects.param.entity_type_field = entity_type
|
|
action.itsi_import_objects.param.service_enabled = 1
|
|
action.itsi_import_objects.param.service_team = default_itsi_security_group
|
|
action.itsi_import_objects.param.service_templates_config = {}
|
|
action.itsi_import_objects.param.update_type = upsert
|
|
cron_schedule = */50 * * * *
|
|
dispatch.earliest_time = -60m
|
|
dispatch.latest_time = now
|
|
enableSched = 1
|
|
disabled = 1
|
|
search = `aws-metadata-elb(*, *)`\
|
|
| eval VpcId=if(isnull(VPCId), VpcId, VPCId)\
|
|
| fillnull value="N/A" \
|
|
| rename name AS ELBName\
|
|
| eval entity_title=uniq_id\
|
|
| eval entity_type="ELB Instance"\
|
|
| eval entity_type_info=entity_type\
|
|
| eval ELBType=if(Type="application", "Application Load Balancer", "Classic Load Balancer") \
|
|
| table entity_title uniq_id ELBName ELBType DNSName VpcId AccountId region entity_type_info entity_type
|
|
|
|
[ITSI Import Objects - Import EBS Volume Entity]
|
|
action.itsi_import_objects = 1
|
|
action.itsi_import_objects.param.backfill_enabled = 0
|
|
action.itsi_import_objects.param.entity_identifier_fields = VolumeId
|
|
action.itsi_import_objects.param.entity_informational_fields = VolumeName,VolumeType,Size(GB),InstanceId,AccountId,region,entity_type_info
|
|
action.itsi_import_objects.param.entity_merge_field = entity_title
|
|
action.itsi_import_objects.param.entity_title_field = entity_title
|
|
action.itsi_import_objects.param.entity_type_field = entity_type
|
|
action.itsi_import_objects.param.service_enabled = 1
|
|
action.itsi_import_objects.param.service_team = default_itsi_security_group
|
|
action.itsi_import_objects.param.service_templates_config = {}
|
|
action.itsi_import_objects.param.update_type = upsert
|
|
cron_schedule = */50 * * * *
|
|
dispatch.earliest_time = -60m
|
|
dispatch.latest_time = now
|
|
enableSched = 1
|
|
disabled = 1
|
|
search = `aws-metadata(*, *, "ec2_volumes","VolumeId")`\
|
|
| fillnull value="N/A" \
|
|
| spath output=tags path=Tags{}\
|
|
| rex field=tags "\"Key\": \"Name\", \"Value\": \"(?<tagname>.+)\"" \
|
|
| rename tagname AS VolumeName, Size AS Size(GB), Attachments{}.InstanceId AS InstanceId\
|
|
| eval entity_title=VolumeId\
|
|
| dedup entity_title\
|
|
| eval entity_type="EBS Volume"\
|
|
| eval entity_type_info=entity_type\
|
|
| table entity_title VolumeId VolumeName VolumeType Size(GB) InstanceId AccountId region entity_type_info entity_type
|