-
Notifications
You must be signed in to change notification settings - Fork 11
/
list-all-events-in-a-flatten-table-format.sql
75 lines (70 loc) · 2.63 KB
/
list-all-events-in-a-flatten-table-format.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/*
This query displays the CloudTrail Lake logs in a flatten table format. This query expands the following objecs:
userIdentity, userIdentity.sessionContext, userIdentity.sessionContext.attributes, userIdentity.sessionContext.sessionIssuer,
userIdentity.sessionContext.webidfederationData, and tlsDetails. This query is useful when you are trying to display all
attributes in an object. This query is helpful to see what colums you can use to pull from the objects available in CloudTrail.
Limitation: This query does not expand Array object. If you are going to attempt to flatten an array, use element_at function.
Eg: element_at(requestParameters, 'ipPermissions')
Note: Add filter Criteria in the where clause to filter the result set. Without a filter criteria, this query will scann all
the data and will result to very slow query.
*/
SELECT
eventVersion,
userIdentity.principalID,
userIdentity.arn,
userIdentity.accountID,
userIdentity.accessKeyID,
userIdentity.username,
userIdentity.sessionContext.attributes.creationDate,
userIdentity.sessionContext.attributes.mfaAuthenticated,
userIdentity.sessionContext.sessionIssuer.type,
userIdentity.sessionContext.sessionIssuer.principalID,
userIdentity.sessionContext.sessionIssuer.arn,
userIdentity.sessionContext.sessionIssuer.accountID,
userIdentity.sessionContext.sessionIssuer.username,
userIdentity.sessionContext.webidfederationData.federatedProvider,
userIdentity.sessionContext.webidfederationData.attributes,
userIdentity.sessionContext.sourceIdentity,
userIdentity.sessionContext.ec2RoleDelivery,
userIdentity.sessionContext.ec2IssuedInVPC,
userIdentity.invokedBy,
userIdentity.identityProvider,
eventTime,
eventSource,
eventName,
awsRegion,
sourceIpAddress,
userAgent,
errorCode,
errorMessage,
requestParameters,
responseElements,
additionalEventData,
requestID,
eventID,
readOnly,
resources,
eventType,
apiVersion,
managementEvent,
recipientAccountID,
sharedEventID,
annotation,
vpcEndPointID,
serviceEventDetails,
addendum,
edgeDeviceDetails,
insightDetails,
eventCategory,
tlsDetails.tlsVersion,
tlsDetails.cipherSuite,
tlsDetails.clientProvidedHostHeader,
sessionCredentialFromConsole,
eventJson,
eventJsonChecksum
FROM
<event_data_store_id>
WHERE eventTime >= '${date_filter}'
AND eventTime <= '${date_filter}'
-- Add filter Criteria in the where clause to filter the result set.
-- Without a filter criteria, this query will scann all the data and will result to very slow query.