Event Query Examples

Some examples for Event Queries for all cloud types.
Use this section to review examples that show you how to use Event Query Attributes in RQL for investigating issues on each cloud platform:

AWS—Event Query Examples

DESCRIPTION
RQL
Detect activities from non-automated events and from specific IP addresses.
event from cloud.audit_logs where ip EXISTS AND ip IN ( 152.1.1.1)
Detect potentially sensitive or suspicious changes to the network configuration that impact your Security posture.
event from cloud.audit_logs where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
Detect potentially sensitive or suspicious changes to configuration settings.
event from cloud.audit_logs where operation IN ('DeleteBucket', 'DeleteConfigRule', 'DeleteTrail', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')
Sensitive Activities by Userevent from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy', 'AttachGroupPolicy', 'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair', 'DeleteLogGroup' )
Detect risky changes executed by a root user.
event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
Exclude results that match a specific string within an array in the event details.
To exclude results that include a specific string within an array, use the matches or does not match operator instead of contains/does not contain or exists/does not exist.
event from cloud.audit_logs where operation IN ('AttachGroupPolicy', 'AttachRolePolicy', 'DeleteGroupPolicy', 'DeleteKeyPair', 'DeleteLogGroup') AND json.rule = $.userIdentity.arn does not match "AWSCloudFormationStackSetExecutionRole" or $.userIdentity.arn does not match "INST-SR-EC2-GRAAS-ROLE"

Azure—Event Query Examples

DESCRIPTION
RQL
List specific operations performed on a specific Microsoft Azure account.
event from cloud.audit_logs where cloud.account = 'RedLock - Azure Subscription' AND operation IN ( 'AttachRolePolicy', 'AttachLoadBalancers')
List Classic compute register operations performed by a specific user on a specifid Microsoft Azure account.
event from cloud.audit_logs where cloud.account in ( 'RedLock - Azure Subscription' ) and user = 'abc@redlock.io' and operation IN ('Microsoft.ClassicCompute/register/action (BeginRequest)')

GCP—Event Query Examples

DESCRIPTION
RQL
View sensitive network configuration updates on GCP
event from cloud.audit_logs where operation IN ('v1.compute.networks.delete','beta.compute.networks.insert','v1.compute.routes.delete','v1.compute.firewalls.insert','v1.compute.firewalls.delete')
View sensitive SQL instance updates in GCP.
event from cloud.audit_logs where operation IN ('cloudsql.instances.update', 'cloudsql.sslCerts.create',' cloudsql.instances.create', 'cloudsql.instances.delete')
List all events with sensitive user actions on GCP.
event from cloud.audit_logs where operation IN ('CreateCryptoKey','DestroyCryptoKeyVersion','v1.compute.disks.createSnapshot')

Recommended For You