Removed where clause with type=ip_address

akhil-sumologic · akhil-sumologic · commit 8143ba3f72a8 · 2025-03-28T12:50:09.000+05:30
diff --git a/aws-observability/json/Classic-lb-App.json b/aws-observability/json/Classic-lb-App.json
@@ -3188,7 +3188,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * \\\"*\\\" \\\"*\\\" * *\" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n| where tolowercase(loadbalancername) matches tolowercase(\"{{loadbalancername}}\")\n| parse field=request \"* *://*:*/* HTTP\" as Method, Protocol, Domain, ServerPort, URI nodrop\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, URI\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| where type=\"ip_address\" // and MaliciousConfidence=\"high\"\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| count(ip_count) as UniqueThreatIPs by URI\n| top 20 URI by UniqueThreatIPs, URI asc",
+                            "queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * \\\"*\\\" \\\"*\\\" * *\" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n| where tolowercase(loadbalancername) matches tolowercase(\"{{loadbalancername}}\")\n| parse field=request \"* *://*:*/* HTTP\" as Method, Protocol, Domain, ServerPort, URI nodrop\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, URI\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| count(ip_count) as UniqueThreatIPs by URI\n| top 20 URI by UniqueThreatIPs, URI asc",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
diff --git a/aws-observability/json/DynamoDb-App.json b/aws-observability/json/DynamoDb-App.json
@@ -1805,7 +1805,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "region={{region}} account={{account}} namespace={{namespace}} \"\\\"eventSource\\\":\\\"dynamodb.amazonaws.com\\\"\"\n| json \"eventName\", \"awsRegion\", \"requestParameters.tableName\", \"sourceIPAddress\", \"userIdentity.userName\", \"userIdentity.sessionContext.sessionIssuer.userName\" as EventName, Region, tablename, SourceIp, UserName, ContextUserName nodrop\n| if (isEmpty(UserName), ContextUserName, UserName) as UserName\n| where (tolowercase(tablename) matches tolowercase(\"{{tablename}}\")) or isBlank(tablename)\n| where SourceIp != \"0.0.0.0\" and SourceIp != \"127.0.0.1\" and !(SourceIp matches \"*.amazonaws.com\")\n| count as ip_count by SourceIp\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=SourceIp\n| where type=\"ip_address\"\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum(ip_count) as ThreatCount by malicious_confidence\n| sort by ThreatCount, malicious_confidence asc",
+                            "queryString": "region={{region}} account={{account}} namespace={{namespace}} \"\\\"eventSource\\\":\\\"dynamodb.amazonaws.com\\\"\"\n| json \"eventName\", \"awsRegion\", \"requestParameters.tableName\", \"sourceIPAddress\", \"userIdentity.userName\", \"userIdentity.sessionContext.sessionIssuer.userName\" as EventName, Region, tablename, SourceIp, UserName, ContextUserName nodrop\n| if (isEmpty(UserName), ContextUserName, UserName) as UserName\n| where (tolowercase(tablename) matches tolowercase(\"{{tablename}}\")) or isBlank(tablename)\n| where SourceIp != \"0.0.0.0\" and SourceIp != \"127.0.0.1\" and !(SourceIp matches \"*.amazonaws.com\")\n| count as ip_count by SourceIp\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=SourceIp\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum(ip_count) as ThreatCount by malicious_confidence\n| sort by ThreatCount, malicious_confidence asc",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
diff --git a/aws-observability/json/Rds-App.json b/aws-observability/json/Rds-App.json
@@ -10653,7 +10653,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "account={{account}} region={{region}} namespace=aws/rds _sourceHost=/aws/rds/*postgresql dbidentifier={{dbidentifier}} connection\n| json \"message\" nodrop | if (_raw matches \"{*\", message, _raw) as message\n| parse field=message \"* * *:*(*):*@*:[*]:*:*\" as date,time,time_zone,host,thread_id,user,database,processid,severity,msg\n| where user matches \"{{user}}\" and database matches \"{{database}}\" and host matches \"{{host}}\" \n| parse field=msg \"connection received: host=* port=*\" as ip,port \n| count by ip\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip\n| where type=\"ip_address\" \n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| count by type, actor, ip, malicious_confidence, label_name",
+                            "queryString": "account={{account}} region={{region}} namespace=aws/rds _sourceHost=/aws/rds/*postgresql dbidentifier={{dbidentifier}} connection\n| json \"message\" nodrop | if (_raw matches \"{*\", message, _raw) as message\n| parse field=message \"* * *:*(*):*@*:[*]:*:*\" as date,time,time_zone,host,thread_id,user,database,processid,severity,msg\n| where user matches \"{{user}}\" and database matches \"{{database}}\" and host matches \"{{host}}\" \n| parse field=msg \"connection received: host=* port=*\" as ip,port \n| count by ip\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| count by type, actor, ip, malicious_confidence, label_name",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,

Original file line number	Diff line number	Diff line change
`@@ -3188,7 +3188,7 @@`
`3188`	`3188`	`"queries": [`
`3189`	`3189`	`{`
`3190`	`3190`	`"transient": false,`
`3191`		- "queryString": "account={{account}} region={{region}} namespace={{namespace}}\n\| parse \"* * * * * * * * * * * \\\"\\\" \\\"\\\" * \" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n\| where tolowercase(loadbalancername) matches tolowercase(\"{{loadbalancername}}\")\n\| parse field=request \" ://:/ HTTP\" as Method, Protocol, Domain, ServerPort, URI nodrop\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, URI\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[*].name\" as LabelName nodrop\n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| where type=\"ip_address\" // and MaliciousConfidence=\"high\"\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| count(ip_count) as UniqueThreatIPs by URI\n\| top 20 URI by UniqueThreatIPs, URI asc",
	`3191`	+ "queryString": "account={{account}} region={{region}} namespace={{namespace}}\n\| parse \"* * * * * * * * * * * \\\"\\\" \\\"\\\" * \" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n\| where tolowercase(loadbalancername) matches tolowercase(\"{{loadbalancername}}\")\n\| parse field=request \" ://:/ HTTP\" as Method, Protocol, Domain, ServerPort, URI nodrop\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, URI\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[*].name\" as LabelName nodrop\n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| count(ip_count) as UniqueThreatIPs by URI\n\| top 20 URI by UniqueThreatIPs, URI asc",
`3192`	`3192`	`"queryType": "Logs",`
`3193`	`3193`	`"queryKey": "A",`
`3194`	`3194`	`"metricsQueryMode": null,`
Original file line number	Diff line number	Diff line change
`@@ -1805,7 +1805,7 @@`
`1805`	`1805`	`"queries": [`
`1806`	`1806`	`{`
`1807`	`1807`	`"transient": false,`
`1808`		- "queryString": "region={{region}} account={{account}} namespace={{namespace}} \"\\\"eventSource\\\":\\\"dynamodb.amazonaws.com\\\"\"\n\| json \"eventName\", \"awsRegion\", \"requestParameters.tableName\", \"sourceIPAddress\", \"userIdentity.userName\", \"userIdentity.sessionContext.sessionIssuer.userName\" as EventName, Region, tablename, SourceIp, UserName, ContextUserName nodrop\n\| if (isEmpty(UserName), ContextUserName, UserName) as UserName\n\| where (tolowercase(tablename) matches tolowercase(\"{{tablename}}\")) or isBlank(tablename)\n\| where SourceIp != \"0.0.0.0\" and SourceIp != \"127.0.0.1\" and !(SourceIp matches \".amazonaws.com\")\n\| count as ip_count by SourceIp\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=SourceIp\n\| where type=\"ip_address\"\n\| json field=raw \"labels[].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum(ip_count) as ThreatCount by malicious_confidence\n\| sort by ThreatCount, malicious_confidence asc",
	`1808`	+ "queryString": "region={{region}} account={{account}} namespace={{namespace}} \"\\\"eventSource\\\":\\\"dynamodb.amazonaws.com\\\"\"\n\| json \"eventName\", \"awsRegion\", \"requestParameters.tableName\", \"sourceIPAddress\", \"userIdentity.userName\", \"userIdentity.sessionContext.sessionIssuer.userName\" as EventName, Region, tablename, SourceIp, UserName, ContextUserName nodrop\n\| if (isEmpty(UserName), ContextUserName, UserName) as UserName\n\| where (tolowercase(tablename) matches tolowercase(\"{{tablename}}\")) or isBlank(tablename)\n\| where SourceIp != \"0.0.0.0\" and SourceIp != \"127.0.0.1\" and !(SourceIp matches \".amazonaws.com\")\n\| count as ip_count by SourceIp\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=SourceIp\n\| json field=raw \"labels[].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum(ip_count) as ThreatCount by malicious_confidence\n\| sort by ThreatCount, malicious_confidence asc",
`1809`	`1809`	`"queryType": "Logs",`
`1810`	`1810`	`"queryKey": "A",`
`1811`	`1811`	`"metricsQueryMode": null,`
Original file line number	Diff line number	Diff line change
`@@ -10653,7 +10653,7 @@`
`10653`	`10653`	`"queries": [`
`10654`	`10654`	`{`
`10655`	`10655`	`"transient": false,`
`10656`		- "queryString": "account={{account}} region={{region}} namespace=aws/rds _sourceHost=/aws/rds/postgresql dbidentifier={{dbidentifier}} connection\n\| json \"message\" nodrop \| if (_raw matches \"{\", message, _raw) as message\n\| parse field=message \"* * :():@:[]::\" as date,time,time_zone,host,thread_id,user,database,processid,severity,msg\n\| where user matches \"{{user}}\" and database matches \"{{database}}\" and host matches \"{{host}}\" \n\| parse field=msg \"connection received: host=* port=\" as ip,port \n\| count by ip\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip\n\| where type=\"ip_address\" \n\| json field=raw \"labels[].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| count by type, actor, ip, malicious_confidence, label_name",
	`10656`	+ "queryString": "account={{account}} region={{region}} namespace=aws/rds _sourceHost=/aws/rds/postgresql dbidentifier={{dbidentifier}} connection\n\| json \"message\" nodrop \| if (_raw matches \"{\", message, _raw) as message\n\| parse field=message \"* * :():@:[]::\" as date,time,time_zone,host,thread_id,user,database,processid,severity,msg\n\| where user matches \"{{user}}\" and database matches \"{{database}}\" and host matches \"{{host}}\" \n\| parse field=msg \"connection received: host=* port=\" as ip,port \n\| count by ip\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip\n\| json field=raw \"labels[].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| count by type, actor, ip, malicious_confidence, label_name",
`10657`	`10657`	`"queryType": "Logs",`
`10658`	`10658`	`"queryKey": "A",`
`10659`	`10659`	`"metricsQueryMode": null,`