SumoLogic
diff --git a/‎aws-observability-terraform/app-modules/alb/app.tf‎
Lines changed: 1 addition & 1 deletion b/‎aws-observability-terraform/app-modules/alb/app.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aws-observability-terraform/app-modules/elb/app.tf‎
Lines changed: 1 addition & 1 deletion b/‎aws-observability-terraform/app-modules/elb/app.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aws-observability-terraform/app-modules/sns/app.tf‎
Lines changed: 1 addition & 1 deletion b/‎aws-observability-terraform/app-modules/sns/app.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aws-observability-terraform/app-modules/sqs/app.tf‎
Lines changed: 1 addition & 1 deletion b/‎aws-observability-terraform/app-modules/sqs/app.tf‎
Lines changed: 1 addition & 1 deletion
@@ -29,7 +29,7 @@ module "alb_module" {
       monitor_is_disabled  = var.monitors_disabled
       monitor_evaluation_delay = "0m"
       queries = {
-        A = "account=* region=* namespace=aws/applicationelb\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, loadbalancer, account, region, namespace\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName \n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| where type=\"ip_address\" and MaliciousConfidence=\"high\"\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as ThreatCount by ClientIp, loadbalancer, account, region, namespace, MaliciousConfidence, Actor, LabelName"
+        A = "account=* region=* namespace=aws/applicationelb\n| parse \"* * * * * * * * * * * * \\\"*\\\" \\\"*\\\" * * * \\\"*\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, loadbalancer, account, region, namespace\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| where MaliciousConfidence=\"high\"\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as ThreatCount by ClientIp, loadbalancer, account, region, namespace, MaliciousConfidence, Actor, LabelName"
       }
       triggers = [
         {
 
@@ -27,7 +27,7 @@ module "classic_elb_module" {
       monitor_is_disabled  = var.monitors_disabled
       monitor_evaluation_delay = "0m"
       queries = {
-        A = "account=* region=* namespace=aws/elb\n| parse \"* * * * * * * * * * * \\\"*\\\" \\\"*\\\" * *\" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, loadbalancername, account, region, namespace\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName \n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| where type=\"ip_address\" and MaliciousConfidence=\"high\"\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as ThreatCount by ClientIp, loadbalancername, account, region, namespace, MaliciousConfidence, Actor, LabelName"
+        A = "account=* region=* namespace=aws/elb\n| parse \"* * * * * * * * * * * \\\"*\\\" \\\"*\\\" * *\" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n| count as ip_count by ClientIp, loadbalancername, account, region, namespace\n| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n| json field=raw \"labels[*].name\" as LabelName nodrop\n| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n| replace(LabelName, \"\\\"\",\" \") as LabelName\n| where MaliciousConfidence=\"high\"\n| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n| sum (ip_count) as ThreatCount by ClientIp, loadbalancername, account, region, namespace, MaliciousConfidence, Actor, LabelName"
       }
       triggers = [
         {
 
@@ -99,7 +99,7 @@ module "sns_module" {
       monitor_is_disabled  = var.monitors_disabled
       monitor_evaluation_delay = "0m"
       queries = {   
-        A = "account=* region=* namespace=aws/sns \"\\\"eventsource\\\":\\\"sns.amazonaws.com\\\"\" sourceIPAddress \n| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"requestID\", \"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, src_ip, user_agent, event_type, recipient_account_id, requestParameters, responseElements, request_id, error_code, error_message nodrop \n| where event_source = \"sns.amazonaws.com\" \n| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\"  as accountid, user_type, arn, username nodrop \n| parse field=arn \":assumed-role/*\" as user nodrop \n| parse field=arn \"arn:aws:iam::*:*\" as accountid, user nodrop \n| json field=requestParameters \"topicArn\", \"name\", \"resourceArn\", \"subscriptionArn\" as req_topic_arn, req_topic_name, resource_arn, subscription_arn  nodrop \n| json field=responseElements \"topicArn\" as res_topic_arn nodrop \n| if (isBlank(req_topic_arn), res_topic_arn, req_topic_arn) as topic_arn \n| if (isBlank(topic_arn), resource_arn, topic_arn) as topic_arn \n| parse field=topic_arn \"arn:aws:sns:*:*:*\" as region_temp, accountid_temp, topic_arn_name_temp nodrop \n| parse field=subscription_arn \"arn:aws:sns:*:*:*:*\" as region_temp, accountid_temp, topic_arn_name_temp, arn_value_temp nodrop \n| if (isBlank(req_topic_name), topic_arn_name_temp, req_topic_name) as topicname \n| if (isBlank(accountid), recipient_account_id, accountid) as accountid \n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n| if (isEmpty(username), user_type, username) as user_type \n| count as ip_count by src_ip, event_name, region, accountid,user_type \n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n| where type=\"ip_address\" and malicious_confidence = \"high\" \n| json field=raw \"labels[*].name\" as label_name \n| replace(label_name, \"\\\\/\",\"->\") as label_name \n| replace(label_name, \"\\\"\",\" \") as label_name \n| if (isEmpty(actor), \"Unassigned\", actor) as actor \n| sum(ip_count) as threat_count by src_ip, event_name, region, accountid, malicious_confidence, actor, label_name"
+        A = "account=* region=* namespace=aws/sns \"\\\"eventsource\\\":\\\"sns.amazonaws.com\\\"\" sourceIPAddress \n| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"requestID\", \"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, src_ip, user_agent, event_type, recipient_account_id, requestParameters, responseElements, request_id, error_code, error_message nodrop \n| where event_source = \"sns.amazonaws.com\" \n| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\"  as accountid, user_type, arn, username nodrop \n| parse field=arn \":assumed-role/*\" as user nodrop \n| parse field=arn \"arn:aws:iam::*:*\" as accountid, user nodrop \n| json field=requestParameters \"topicArn\", \"name\", \"resourceArn\", \"subscriptionArn\" as req_topic_arn, req_topic_name, resource_arn, subscription_arn  nodrop \n| json field=responseElements \"topicArn\" as res_topic_arn nodrop \n| if (isBlank(req_topic_arn), res_topic_arn, req_topic_arn) as topic_arn \n| if (isBlank(topic_arn), resource_arn, topic_arn) as topic_arn \n| parse field=topic_arn \"arn:aws:sns:*:*:*\" as region_temp, accountid_temp, topic_arn_name_temp nodrop \n| parse field=subscription_arn \"arn:aws:sns:*:*:*:*\" as region_temp, accountid_temp, topic_arn_name_temp, arn_value_temp nodrop \n| if (isBlank(req_topic_name), topic_arn_name_temp, req_topic_name) as topicname \n| if (isBlank(accountid), recipient_account_id, accountid) as accountid \n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n| if (isEmpty(username), user_type, username) as user_type \n| count as ip_count by src_ip, event_name, region, accountid,user_type \n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n| where malicious_confidence = \"high\" \n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name \n| replace(label_name, \"\\\"\",\" \") as label_name \n| if (isEmpty(actor), \"Unassigned\", actor) as actor \n| sum(ip_count) as threat_count by src_ip, event_name, region, accountid, malicious_confidence, actor, label_name"
 
       }
       triggers = [
 
@@ -99,7 +99,7 @@ module "sqs_module" {
       monitor_is_disabled  = var.monitors_disabled
       monitor_evaluation_delay = "0m"
       queries = {
-        A = "account=* region=* namespace=\"aws/sqs\" eventname eventsource \"sqs.amazonaws.com\" sourceIPAddress\n| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\",\"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements, src_ip, error_code, error_message nodrop\n| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, type, arn, username nodrop\n| json field=requestParameters \"queueUrl\" as queueUrlReq nodrop \n| json field=responseElements \"queueUrl\" as queueUrlRes nodrop\n| where event_source=\"sqs.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| if(event_name=\"CreateQueue\", queueUrlRes, queueUrlReq) as queueUrl \n| parse regex field=queueUrl \"(?<queueName>[^\\/]*$)\"\n| if (isBlank(recipient_account_id), accountid, recipient_account_id) as accountid\n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n| count as ip_count by src_ip\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n| json field=raw \"labels[*].name\" as label_name \n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as actor\n| where type=\"ip_address\" and malicious_confidence = \"high\"\n| sort by ip_count, src_ip\n| fields src_ip, malicious_confidence, actor, label_name"
+        A = "account=* region=* namespace=\"aws/sqs\" eventname eventsource \"sqs.amazonaws.com\" sourceIPAddress\n| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\",\"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements, src_ip, error_code, error_message nodrop\n| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, type, arn, username nodrop\n| json field=requestParameters \"queueUrl\" as queueUrlReq nodrop \n| json field=responseElements \"queueUrl\" as queueUrlRes nodrop\n| where event_source=\"sqs.amazonaws.com\" and !(src_ip matches \"*.amazonaws.com\")\n| if(event_name=\"CreateQueue\", queueUrlRes, queueUrlReq) as queueUrl \n| parse regex field=queueUrl \"(?<queueName>[^\\/]*$)\"\n| if (isBlank(recipient_account_id), accountid, recipient_account_id) as accountid\n| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n| count as ip_count by src_ip\n| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n| json field=raw \"labels[*].name\" as label_name nodrop\n| replace(label_name, \"\\\\/\",\"->\") as label_name\n| replace(label_name, \"\\\"\",\" \") as label_name\n| if (isEmpty(actor), \"Unassigned\", actor) as actor\n| where malicious_confidence = \"high\"\n| sort by ip_count, src_ip\n| fields src_ip, malicious_confidence, actor, label_name"
       }
       triggers = [
         {
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ module "alb_module" {`
`29`	`29`	`monitor_is_disabled = var.monitors_disabled`
`30`	`30`	`monitor_evaluation_delay = "0m"`
`31`	`31`	`queries = {`
`32`		- A = "account=* region=* namespace=aws/applicationelb\n\| parse \"* * * * * * * * * * * * \\\"\\\" \\\"\\\" * * * \\\"\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, loadbalancer, account, region, namespace\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[].name\" as LabelName \n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| where type=\"ip_address\" and MaliciousConfidence=\"high\"\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum (ip_count) as ThreatCount by ClientIp, loadbalancer, account, region, namespace, MaliciousConfidence, Actor, LabelName"
	`32`	+ A = "account=* region=* namespace=aws/applicationelb\n\| parse \"* * * * * * * * * * * * \\\"\\\" \\\"\\\" * * * \\\"\\\"\" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, loadbalancer, account, region, namespace\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[].name\" as LabelName nodrop\n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| where MaliciousConfidence=\"high\"\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum (ip_count) as ThreatCount by ClientIp, loadbalancer, account, region, namespace, MaliciousConfidence, Actor, LabelName"
`33`	`33`	`}`
`34`	`34`	`triggers = [`
`35`	`35`	`{`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ module "classic_elb_module" {`
`27`	`27`	`monitor_is_disabled = var.monitors_disabled`
`28`	`28`	`monitor_evaluation_delay = "0m"`
`29`	`29`	`queries = {`
`30`		- A = "account=* region=* namespace=aws/elb\n\| parse \"* * * * * * * * * * * \\\"\\\" \\\"\\\" * \" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, loadbalancername, account, region, namespace\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[].name\" as LabelName \n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| where type=\"ip_address\" and MaliciousConfidence=\"high\"\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum (ip_count) as ThreatCount by ClientIp, loadbalancername, account, region, namespace, MaliciousConfidence, Actor, LabelName"
	`30`	+ A = "account=* region=* namespace=aws/elb\n\| parse \"* * * * * * * * * * * \\\"\\\" \\\"\\\" * \" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol\n\| parse regex \"(?<ClientIp>\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" multi\n\| where ClientIp != \"0.0.0.0\" and ClientIp != \"127.0.0.1\"\n\| count as ip_count by ClientIp, loadbalancername, account, region, namespace\n\| lookup type, actor, raw, threatlevel as MaliciousConfidence from sumo://threat/cs on threat=ClientIp \n\| json field=raw \"labels[].name\" as LabelName nodrop\n\| replace(LabelName, \"\\\\/\",\"->\") as LabelName\n\| replace(LabelName, \"\\\"\",\" \") as LabelName\n\| where MaliciousConfidence=\"high\"\n\| if (isEmpty(actor), \"Unassigned\", actor) as Actor\n\| sum (ip_count) as ThreatCount by ClientIp, loadbalancername, account, region, namespace, MaliciousConfidence, Actor, LabelName"
`31`	`31`	`}`
`32`	`32`	`triggers = [`
`33`	`33`	`{`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ module "sns_module" {`
`99`	`99`	`monitor_is_disabled = var.monitors_disabled`
`100`	`100`	`monitor_evaluation_delay = "0m"`
`101`	`101`	`queries = {`
`102`		- A = "account=* region=* namespace=aws/sns \"\\\"eventsource\\\":\\\"sns.amazonaws.com\\\"\" sourceIPAddress \n\| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"requestID\", \"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, src_ip, user_agent, event_type, recipient_account_id, requestParameters, responseElements, request_id, error_code, error_message nodrop \n\| where event_source = \"sns.amazonaws.com\" \n\| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, user_type, arn, username nodrop \n\| parse field=arn \":assumed-role/\" as user nodrop \n\| parse field=arn \"arn:aws:iam:::\" as accountid, user nodrop \n\| json field=requestParameters \"topicArn\", \"name\", \"resourceArn\", \"subscriptionArn\" as req_topic_arn, req_topic_name, resource_arn, subscription_arn nodrop \n\| json field=responseElements \"topicArn\" as res_topic_arn nodrop \n\| if (isBlank(req_topic_arn), res_topic_arn, req_topic_arn) as topic_arn \n\| if (isBlank(topic_arn), resource_arn, topic_arn) as topic_arn \n\| parse field=topic_arn \"arn:aws:sns:::\" as region_temp, accountid_temp, topic_arn_name_temp nodrop \n\| parse field=subscription_arn \"arn:aws:sns::::\" as region_temp, accountid_temp, topic_arn_name_temp, arn_value_temp nodrop \n\| if (isBlank(req_topic_name), topic_arn_name_temp, req_topic_name) as topicname \n\| if (isBlank(accountid), recipient_account_id, accountid) as accountid \n\| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n\| if (isEmpty(username), user_type, username) as user_type \n\| count as ip_count by src_ip, event_name, region, accountid,user_type \n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n\| where type=\"ip_address\" and malicious_confidence = \"high\" \n\| json field=raw \"labels[*].name\" as label_name \n\| replace(label_name, \"\\\\/\",\"->\") as label_name \n\| replace(label_name, \"\\\"\",\" \") as label_name \n\| if (isEmpty(actor), \"Unassigned\", actor) as actor \n\| sum(ip_count) as threat_count by src_ip, event_name, region, accountid, malicious_confidence, actor, label_name"
	`102`	+ A = "account=* region=* namespace=aws/sns \"\\\"eventsource\\\":\\\"sns.amazonaws.com\\\"\" sourceIPAddress \n\| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"sourceIPAddress\", \"userAgent\", \"eventType\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"requestID\", \"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, src_ip, user_agent, event_type, recipient_account_id, requestParameters, responseElements, request_id, error_code, error_message nodrop \n\| where event_source = \"sns.amazonaws.com\" \n\| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, user_type, arn, username nodrop \n\| parse field=arn \":assumed-role/\" as user nodrop \n\| parse field=arn \"arn:aws:iam:::\" as accountid, user nodrop \n\| json field=requestParameters \"topicArn\", \"name\", \"resourceArn\", \"subscriptionArn\" as req_topic_arn, req_topic_name, resource_arn, subscription_arn nodrop \n\| json field=responseElements \"topicArn\" as res_topic_arn nodrop \n\| if (isBlank(req_topic_arn), res_topic_arn, req_topic_arn) as topic_arn \n\| if (isBlank(topic_arn), resource_arn, topic_arn) as topic_arn \n\| parse field=topic_arn \"arn:aws:sns:::\" as region_temp, accountid_temp, topic_arn_name_temp nodrop \n\| parse field=subscription_arn \"arn:aws:sns::::\" as region_temp, accountid_temp, topic_arn_name_temp, arn_value_temp nodrop \n\| if (isBlank(req_topic_name), topic_arn_name_temp, req_topic_name) as topicname \n\| if (isBlank(accountid), recipient_account_id, accountid) as accountid \n\| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n\| if (isEmpty(username), user_type, username) as user_type \n\| count as ip_count by src_ip, event_name, region, accountid,user_type \n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip \n\| where malicious_confidence = \"high\" \n\| json field=raw \"labels[*].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name \n\| replace(label_name, \"\\\"\",\" \") as label_name \n\| if (isEmpty(actor), \"Unassigned\", actor) as actor \n\| sum(ip_count) as threat_count by src_ip, event_name, region, accountid, malicious_confidence, actor, label_name"
`103`	`103`
`104`	`104`	`}`
`105`	`105`	`triggers = [`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ module "sqs_module" {`
`99`	`99`	`monitor_is_disabled = var.monitors_disabled`
`100`	`100`	`monitor_evaluation_delay = "0m"`
`101`	`101`	`queries = {`
`102`		- A = "account=* region=* namespace=\"aws/sqs\" eventname eventsource \"sqs.amazonaws.com\" sourceIPAddress\n\| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\",\"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements, src_ip, error_code, error_message nodrop\n\| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, type, arn, username nodrop\n\| json field=requestParameters \"queueUrl\" as queueUrlReq nodrop \n\| json field=responseElements \"queueUrl\" as queueUrlRes nodrop\n\| where event_source=\"sqs.amazonaws.com\" and !(src_ip matches \".amazonaws.com\")\n\| if(event_name=\"CreateQueue\", queueUrlRes, queueUrlReq) as queueUrl \n\| parse regex field=queueUrl \"(?<queueName>[^\\/]$)\"\n\| if (isBlank(recipient_account_id), accountid, recipient_account_id) as accountid\n\| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n\| count as ip_count by src_ip\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n\| json field=raw \"labels[*].name\" as label_name \n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| if (isEmpty(actor), \"Unassigned\", actor) as actor\n\| where type=\"ip_address\" and malicious_confidence = \"high\"\n\| sort by ip_count, src_ip\n\| fields src_ip, malicious_confidence, actor, label_name"
	`102`	+ A = "account=* region=* namespace=\"aws/sqs\" eventname eventsource \"sqs.amazonaws.com\" sourceIPAddress\n\| json \"userIdentity\", \"eventSource\", \"eventName\", \"awsRegion\", \"recipientAccountId\", \"requestParameters\", \"responseElements\", \"sourceIPAddress\",\"errorCode\", \"errorMessage\" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements, src_ip, error_code, error_message nodrop\n\| json field=userIdentity \"accountId\", \"type\", \"arn\", \"userName\" as accountid, type, arn, username nodrop\n\| json field=requestParameters \"queueUrl\" as queueUrlReq nodrop \n\| json field=responseElements \"queueUrl\" as queueUrlRes nodrop\n\| where event_source=\"sqs.amazonaws.com\" and !(src_ip matches \".amazonaws.com\")\n\| if(event_name=\"CreateQueue\", queueUrlRes, queueUrlReq) as queueUrl \n\| parse regex field=queueUrl \"(?<queueName>[^\\/]$)\"\n\| if (isBlank(recipient_account_id), accountid, recipient_account_id) as accountid\n\| if (isEmpty(error_code), \"Success\", \"Failure\") as event_status \n\| count as ip_count by src_ip\n\| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip\n\| json field=raw \"labels[*].name\" as label_name nodrop\n\| replace(label_name, \"\\\\/\",\"->\") as label_name\n\| replace(label_name, \"\\\"\",\" \") as label_name\n\| if (isEmpty(actor), \"Unassigned\", actor) as actor\n\| where malicious_confidence = \"high\"\n\| sort by ip_count, src_ip\n\| fields src_ip, malicious_confidence, actor, label_name"
`103`	`103`	`}`
`104`	`104`	`triggers = [`
`105`	`105`	`{`