
Commit b6a7d5b

Removed space from where clause
1 parent 3fd3877 commit b6a7d5b


4 files changed

+5
-5
lines changed


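--- a/aws-observability/json/Alb-App.json
+++ b/aws-observability/json/Alb-App.json
@@ -3048,7 +3048,7 @@
 "queries": [
 {
 "transient": false,
-"queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| where tolowercase(loadbalancer) matches tolowercase(\"{{loadbalancer}}\")\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp\n| where !isNull(MaliciousConfidence) \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as threat_count",
+"queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| where tolowercase(loadbalancer) matches tolowercase(\"{{loadbalancer}}\")\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp\n| where !isNull(MaliciousConfidence) \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as threat_count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -3156,7 +3156,7 @@
 "queries": [
 {
 "transient": false,
-"queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| where tolowercase(loadbalancer) matches tolowercase(\"{{loadbalancer}}\")\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as Count by ClientIp\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp\n| where !isNull(MaliciousConfidence) \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| count by ClientIp\n| lookup latitude, longitude from geo://location on ip = ClientIp\n| count by latitude, longitude\n| where !isnull(latitude)",
+"queryString": "account={{account}} region={{region}} namespace={{namespace}}\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| where tolowercase(loadbalancer) matches tolowercase(\"{{loadbalancer}}\")\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as Count by ClientIp\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp\n| where !isNull(MaliciousConfidence) \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| count by ClientIp\n| lookup latitude, longitude from geo://location on ip = ClientIp\n| count by latitude, longitude\n| where !isnull(latitude)",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,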
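Review bot: The `parse regex ... multi` on the new-side `queryString` at L37 runs over the whole message, so it extracts every dotted quad on the ALB record — including the backend address this same line parses into `Target` — and feeds those to the threat lookup and the `ip_count` sum as if they were client addresses; the second hunk of this file (L54) has the identical step. Scoping the extraction to the client field and bounding the last octet avoids that: `| parse regex field=Client \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\b\"` (JSON-escaped as in the file). Without `nodrop`, a record whose `Client` is not an IPv4 literal is presumably dropped from the panel entirely — confirm that is acceptable for dual-stack listeners. As rendered here the removed and added lines are byte-identical, so the space the commit title refers to is not visible; the enclosing query object starts and ends outside the hunk.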

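--- a/aws-observability/json/Api-Gateway-App.json
+++ b/aws-observability/json/Api-Gateway-App.json
@@ -6379,7 +6379,7 @@
 "queries": [
 {
 "transient": false,
-"queryString": "\"\\\"eventSource\\\":\\\"apigateway.amazonaws.com\\\"\" account={{account}} Namespace={{namespace}} region={{region}}\n| json \"eventName\", \"eventSource\", \"awsRegion\", \"userAgent\", \"recipientAccountId\", \"userIdentity\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\", \"errorCode\", \"errorMessage\", \"requestID\" as event_name, event_source, Region, user_agent, accountId1, userIdentity, requestParameters, responseElements, src_ip, error_code, error_message, requestID nodrop\n| where event_source = \"apigateway.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| json field=userIdentity \"accountId\", \"arn\", \"userName\", \"type\" as accountId2, arn, username, type nodrop | parse field=arn \":assumed-role/*\" as user nodrop | parse field=arn \"arn:aws:iam::*:*\" as accountId, user nodrop\n| json field=requestParameters \"basePath\", \"domainName\" as basePath, domainName nodrop | json field=responseElements \"name\" as ApiName nodrop // CreateRestApi, CreateApiKey, CreateUsagePlan, CreateUsagePlanKey, CreateUsagePlanKey, ImportApi, ImportRestApi, UpdateRestApi, UpdateUsagePlan provides ApiName\n| where (tolowercase(ApiName) matches tolowercase(\"{{apiname}}\")) or isBlank(apiname)\n| if (!isEmpty(accountId1), accountId1, accountId2) as accountId\n| if (isEmpty(userName), user, userName) as user\n| count by src_ip, event_name // , user, user_agent, apiname\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n| where malicious_confidence = \"high\"\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sort by _count\n| fields src_ip, event_name, type, actor, malicious_confidence // , user, user_agent, apiname",
+"queryString": "\"\\\"eventSource\\\":\\\"apigateway.amazonaws.com\\\"\" account={{account}} Namespace={{namespace}} region={{region}}\n| json \"eventName\", \"eventSource\", \"awsRegion\", \"userAgent\", \"recipientAccountId\", \"userIdentity\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\", \"errorCode\", \"errorMessage\", \"requestID\" as event_name, event_source, Region, user_agent, accountId1, userIdentity, requestParameters, responseElements, src_ip, error_code, error_message, requestID nodrop\n| where event_source = \"apigateway.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| json field=userIdentity \"accountId\", \"arn\", \"userName\", \"type\" as accountId2, arn, username, type nodrop | parse field=arn \":assumed-role/*\" as user nodrop | parse field=arn \"arn:aws:iam::*:*\" as accountId, user nodrop\n| json field=requestParameters \"basePath\", \"domainName\" as basePath, domainName nodrop | json field=responseElements \"name\" as ApiName nodrop // CreateRestApi, CreateApiKey, CreateUsagePlan, CreateUsagePlanKey, CreateUsagePlanKey, ImportApi, ImportRestApi, UpdateRestApi, UpdateUsagePlan provides ApiName\n| where (tolowercase(ApiName) matches tolowercase(\"{{apiname}}\")) or isBlank(apiname)\n| if (!isEmpty(accountId1), accountId1, accountId2) as accountId\n| if (isEmpty(userName), user, userName) as user\n| count by src_ip, event_name // , user, user_agent, apiname\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n| where malicious_confidence = \"high\"\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sort by _count\n| fields src_ip, event_name, type, actor, malicious_confidence // , user, user_agent, apiname",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,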
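Review bot: The closing `| fields src_ip, event_name, type, actor, malicious_confidence` on the new-side line at L76 never emits `label_name`, so the `json field=raw \"labels[*].name\"` extraction and the two `replace` calls right before it are computed and then discarded; the `Actor` fallback only reaches the panel if `actor`/`Actor` resolve to the same field, which I cannot confirm from the page. Either drop those steps or widen the projection: `| fields src_ip, event_name, type, Actor, malicious_confidence, label_name`. The EC2-CW-Metrics-App.json hunk below ends with the same projection and has the same issue. On this same line `username` is assigned but `userName` is read, and `ApiName` is assigned but `isBlank(apiname)` is read; if field names are case-sensitive in this query language, those checks operate on an unset field. As rendered, the removed and added lines are identical, so the whitespace change is not visible; the enclosing query object continues outside the hunk.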

aws-observability/json/EC2-CW-Metrics-App.json

Lines changed: 1 addition & 1 deletion
@@ -2628,7 +2628,7 @@
26282628
"queries": [
26292629
{
26302630
"transient": false,
2631-
"queryString": "account={{account}} region={{region}} namespace={{namespace}} eventname eventsource \"ec2.amazonaws.com\" sourceIPAddress\n| json \"eventSource\", \"awsRegion\", \"requestParameters\", \"responseElements\", \"recipientAccountId\" as event_source, region, requestParameters, responseElements, accountid nodrop\n| json \"userIdentity\", \"eventName\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"requestID\", \"errorCode\", \"errorMessage\", \"eventCategory\", \"managementEvent\" as userIdentity, event_name, src_ip, user_agent, event_type, request_id, error_code, error_message, event_category, management_event nodrop\n| where event_source = \"ec2.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| \"aws/ec2\" as namespace\n| json field=userIdentity \"type\", \"principalId\", \"arn\", \"userName\", \"accountId\" nodrop\n| json field=userIdentity \"sessionContext.attributes.mfaAuthenticated\" as mfaAuthenticated nodrop\n| parse field=arn \":assumed-role/*\" as user nodrop \n| parse field=arn \"arn:aws:iam::*:*\" as accountId, user nodrop\n| json field=requestParameters \"instanceType\", \"instancesSet\", \"instanceId\", \"DescribeInstanceCreditSpecificationsRequest.InstanceId.content\" as req_instancetype, req_instancesSet, req_instanceid_1, req_instanceid_2 nodrop\n| json field=req_instancesSet \"item\", \"items\" as req_instancesSet_item, req_instancesSet_items nodrop\n| parse regex field=req_instancesSet_item \"\\\"instanceId\\\":\\s*\\\"(?<req_instanceid_3>.*?)\\\"\" nodrop\n| parse regex field=req_instancesSet_items \"\\\"instanceId\\\":\\s*\\\"(?<req_instanceid_4>.*?)\\\"\" nodrop\n| json field=responseElements \"instancesSet.items\" as res_responseElements_items nodrop\n| parse regex field=res_responseElements_items \"\\\"instanceType\\\":\\s*\\\"(?<res_instanceType>.*?)\\\"\" nodrop\n| parse regex field=res_responseElements_items \"\\\"instanceId\\\":\\s*\\\"(?<res_instanceid>.*?)\\\"\" nodrop\n| if (!isBlank(req_instanceid_1), 
req_instanceid_1, if (!isBlank(req_instanceid_2), req_instanceid_2, if (!isBlank(req_instanceid_3), req_instanceid_3, if (!isBlank(req_instanceid_4), req_instanceid_4, \"\")))) as req_instanceid\n| if (!isBlank(req_instanceid), req_instanceid, res_instanceid) as instanceid\n| if (!isBlank(req_instancetype), req_instancetype, res_instancetype) as instanceType \n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status\n| if (isEmpty(userName), user, userName) as user\n| tolowercase(instanceid) as instanceid\n| where instanceid matches \"{{instanceid}}\" OR isBlank(instanceid)\n| count by src_ip, event_name // , user, user_agent, instanceid\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n| where malicious_confidence = \"high\"\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sort by _count\n| fields src_ip, event_name, type, actor, malicious_confidence // , user, user_agent, instanceid",
2631+
"queryString": "account={{account}} region={{region}} namespace={{namespace}} eventname eventsource \"ec2.amazonaws.com\" sourceIPAddress\n| json \"eventSource\", \"awsRegion\", \"requestParameters\", \"responseElements\", \"recipientAccountId\" as event_source, region, requestParameters, responseElements, accountid nodrop\n| json \"userIdentity\", \"eventName\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"requestID\", \"errorCode\", \"errorMessage\", \"eventCategory\", \"managementEvent\" as userIdentity, event_name, src_ip, user_agent, event_type, request_id, error_code, error_message, event_category, management_event nodrop\n| where event_source = \"ec2.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| \"aws/ec2\" as namespace\n| json field=userIdentity \"type\", \"principalId\", \"arn\", \"userName\", \"accountId\" nodrop\n| json field=userIdentity \"sessionContext.attributes.mfaAuthenticated\" as mfaAuthenticated nodrop\n| parse field=arn \":assumed-role/*\" as user nodrop \n| parse field=arn \"arn:aws:iam::*:*\" as accountId, user nodrop\n| json field=requestParameters \"instanceType\", \"instancesSet\", \"instanceId\", \"DescribeInstanceCreditSpecificationsRequest.InstanceId.content\" as req_instancetype, req_instancesSet, req_instanceid_1, req_instanceid_2 nodrop\n| json field=req_instancesSet \"item\", \"items\" as req_instancesSet_item, req_instancesSet_items nodrop\n| parse regex field=req_instancesSet_item \"\\\"instanceId\\\":\\s*\\\"(?<req_instanceid_3>.*?)\\\"\" nodrop\n| parse regex field=req_instancesSet_items \"\\\"instanceId\\\":\\s*\\\"(?<req_instanceid_4>.*?)\\\"\" nodrop\n| json field=responseElements \"instancesSet.items\" as res_responseElements_items nodrop\n| parse regex field=res_responseElements_items \"\\\"instanceType\\\":\\s*\\\"(?<res_instanceType>.*?)\\\"\" nodrop\n| parse regex field=res_responseElements_items \"\\\"instanceId\\\":\\s*\\\"(?<res_instanceid>.*?)\\\"\" nodrop\n| if (!isBlank(req_instanceid_1), 
req_instanceid_1, if (!isBlank(req_instanceid_2), req_instanceid_2, if (!isBlank(req_instanceid_3), req_instanceid_3, if (!isBlank(req_instanceid_4), req_instanceid_4, \"\")))) as req_instanceid\n| if (!isBlank(req_instanceid), req_instanceid, res_instanceid) as instanceid\n| if (!isBlank(req_instancetype), req_instancetype, res_instancetype) as instanceType \n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status\n| if (isEmpty(userName), user, userName) as user\n| tolowercase(instanceid) as instanceid\n| where instanceid matches \"{{instanceid}}\" OR isBlank(instanceid)\n| count by src_ip, event_name // , user, user_agent, instanceid\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n| where malicious_confidence = \"high\"\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sort by _count\n| fields src_ip, event_name, type, actor, malicious_confidence // , user, user_agent, instanceid",
26322632
"queryType": "Logs",
26332633
"queryKey": "A",
26342634
"metricsQueryMode": null,
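Review bot: `event_status` (Success/Failure derived from `error_code`) and `mfaAuthenticated` are extracted on the new-side line at L99–L100 and then collapsed by `| count by src_ip, event_name`, so a flagged source whose EC2 calls were all denied is indistinguishable in this panel from one whose calls succeeded. Carrying the status through — `| count by src_ip, event_name, event_status` and `| fields src_ip, event_name, event_status, type, actor, malicious_confidence` — lets a responder triage successful calls first; `mfaAuthenticated` is otherwise unused here and could be dropped. In this rendering the changed line is split across two physical lines (L96/L97 and L99/L100) and old and new read identically, so the removed space is not visible. The enclosing query object starts and ends outside the hunk.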
