I have reviewed a number of already answered questions related to case statements but none that seem to address the issue I am having. I am trying to create a table to show AWS CloudTrail events associated with creating, deleting, modifying IAM groups in AWS.
I have no problem with basic details but I am attempting to use a case statement so I can display additional detail for events associated with attaching or detaching a policy to a group, namely the policy that is being attached or detached.
Here is my search string, and the results:
sourcetype="aws:cloudtrail" eventName= *Group*
| eval Detail=case(eventName == DetachGroupPolicy, requestParameters.policyArn, eventName == AttachGroupPolicy, requestParameters.policyArn, 1=1, "N/A" )
| rename requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| table _time, eventName, Group, Detail, requestParameters.policyArn
RESULTS:
| _time | eventName | Group | Detail | requestParameters.policyArn |
|--------------------------------------------|-----------------------------|------------------|----------|-----------------------------------------------------------|
| 2017-11-14T13:01:30.000-0700 | DeleteGroup | TestGroup | N/A | |
| 2017-11-14T13:01:30.000-0700 | DetachGroupPolicy | TestGroup | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:01:19.000-0700 | UpdateGroup | tst_grp | N/A | |
| 2017-11-14T13:00:40.000-0700 | AttachGroupPolicy | tst_grp | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:00:40.000-0700 | CreateGroup | tst_grp | N/A | |
It seems that none of my case comparisons are evaluating to true. I've included the policyArn field to ensure it is actually populated and there are no typos.
Hi
Can you please try this?
sourcetype="aws:cloudtrail" eventName= *Group*
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn
Thanks
Hi
Can you please try this?
sourcetype="aws:cloudtrail" eventName= *Group*
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn
Thanks
Renaming requestParameters.policyArn worked. Thank you.
Please post this as an answer so I can mark it as the accepted answer.
@tgrogan_stack, please accept @kamlesh_vaghela's answer to mark this question as answered.
Try this!
| eval Detail=case(eventName == "DetachGroupPolicy", requestParameters.policyArn, eventName == "AttachGroupPolicy", requestParameters.policyArn, 1=1, "N/A" )
This did address the issue of the comparison, but renaming the requestParameters.policyArn field, as suggested by kamlish provided the results I was seeking.