AWS Event Queries | Develop with Palo Alto Networks

Skip to main content

Sample AWS Event RQL Queries

note

The following guide will walk you through AWS Event RQL Query Examples, based on audit logs

Alert on sensitive user activities from non-automation users

event from cloud.audit_logs where operation IN ( 'AddUserToGroup', 'AttachGroupPolicy',
'AttachUserPolicy' , 'AttachRolePolicy' , 'CreateAccessKey', 'CreateKeyPair', 'DeleteKeyPair',
'DeleteLogGroup' ) AND json.rule = $.userIdentity.arn does not contain 'AWSCloudFormation'
and $.userIdentity.arn does not contain 'ocp_installer' and $.userIdentity.arn does not contain 'automation_user'

Alert when someone deletes a key

event from cloud.audit_logs where cloud.type = 'aws' AND operation IN ( 'DeleteAccessKey' )

Failed AWS API calls

event from cloud.audit_logs where json.rule = $.errorCode exists ADDCOLUMN $.errorCode

Sample AWS Event RQL Queries