Can someone help me build a search query for the use case below?
My use case is to detect if any S3 buckets have been set for public access via a PutBucketPolicy event. So far, thanks to help from folks (@ITWhisperer and @isoutamo) on this Community, I have got my search to check the fields Effect and Principal, which should have the values "Allow" and "* or {AWS:*}" respectively for the same SID. Basically, the following 2 conditions must be met for a particular SID:
Effect: Allow
Principal: * OR {AWS:*}
-----------------------
Next, I want to filter further based on the field "Condition". How do I filter on whether "Condition" exists or not?
Below is a snippet of raw event data:
"eventName": "PutBucketPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "N.N.N.N",
"userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.129-72.229.amzn2int.x86_64]",
"requestParameters": {
  "bucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::abc-logs/*",
      "Condition": {"StringEquals": {"aws:sourceVpce": "XXX"}}
    }],
    "Id": "Policy14151152"
  },
  "bucketName": "Bucket-name",
  "Host": "host.xyz.com",
  "policy": ""
}
=============
"eventName": "PutBucketPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "N.N.N.N",
"userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/Oracle_Corporation cfg/retry-mode/legacy]",
"requestParameters": {
  "bucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:List*", "s3:Get*"],
      "Resource": "arn:aws:s3::/*",
      "Condition": {"IpAddress": {"aws:SourceIp": ["N.N.N.N", "N.N.N.N"]}}
    }]
  },
  "bucketName": "bucket-name",
  "Host": "abc.xyz.com",
  "policy": ""
}
I have tried the 3 options below to check for the presence of the field Condition, but none are working. These end up showing events where the raw data contains a Condition defined. I want my search to not exclude those events which contain Condition.
| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| where Effect="Allow"
| where Principal="*" OR 'Principal.AWS'="*"
| where isnull(Condition)
OR
| where Condition=""
OR
| search Condition=""
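The detection the question describes, as an added example that is not part of the original post: a Python check over constructed CloudTrail PutBucketPolicy events (the bucket names, Sids and vpce value are assumed) that flags only statements with Effect "Allow", Principal "*" or {"AWS": "*"}, and no Condition, which is the filter the SPL above is trying to express.

```python
import json

# Constructed CloudTrail PutBucketPolicy events (not the thread's real data); the
# requestParameters.bucketPolicy shape follows the snippets in the question above.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "vpce-only",'
    ' "bucketPolicy": {"Version": "2012-10-17", "Statement": [{"Sid": "Access-to-specific-VPCE-only",'
    ' "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::vpce-only/*",'
    ' "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-EXAMPLE"}}}]}}}',
    '{"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "wide-open",'
    ' "bucketPolicy": {"Version": "2012-10-17", "Statement": ['
    ' {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},'
    '  "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::wide-open/*"},'
    ' {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",'
    '  "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::wide-open/*"}]}}}',
)]

def is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS value may also be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_unconditional_sids(event):
    """Sids of statements that Allow an anonymous principal with no Condition at all."""
    policy = event.get("requestParameters", {}).get("bucketPolicy", {})
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written without the list
        stmts = [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and is_anonymous_principal(s.get("Principal"))
            and not s.get("Condition")]  # absent or empty Condition -> unconditional

def scan(events):
    """Map bucket name -> offending Sids for each PutBucketPolicy event that should alert."""
    hits = {}
    for ev in events:
        if ev.get("eventName") != "PutBucketPolicy":
            continue
        sids = public_unconditional_sids(ev)
        if sids:
            hits[ev["requestParameters"].get("bucketName", "?")] = sids
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # {'wide-open': ['PublicRead']}
```

The first sample event (Allow to "*" but restricted by a Condition, like both events in the question) is not flagged; only the unconditional Allow statement in the second event is.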

| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| spath input=Statement Condition output=Condition
| where Effect="Allow"
| where Principal="*" OR 'Principal.AWS'="*"
| where isnull(Condition)

Please can you check the raw data you have shared, as it seems to have mismatched brackets, curly brackets and missing commas.
Kindly ignore the brackets or syntax errors if possible. I have manually copy-pasted different values of Conditions from multiple events into this one common snippet here.
Can you help me with how to exclude events which have Condition defined?

Without the correct JSON, it is more difficult to determine what the correct spath etc. should be.
@ITWhisperer I have now fixed the syntax of the raw events in my original question. I have provided 2 samples of such events where Condition exists. Please let me know.

| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| spath input=Statement Condition output=Condition
| where Effect="Allow"
| where Principal="*" OR 'Principal.AWS'="*"
| where isnull(Condition)
Never mind. It was my oversight that I didn't see the option "Exclude from Search" when you click on that field in the Splunk UI itself. I used that and the filter below worked. Any idea why isnull() didn't work here but this one did? Thank you for your help as always.
| search NOT Condition

It is hard to say without access to the real data - it works in my test environment based on the doctored events that you posted.
Can I send you the full raw event offline via DM? Apparently I came across one event that had multiple conditions within it, and it is confusing the hell out of me.

OK - I will delete it as soon as we are finished with it.
I have already tried "where isnull(Condition)" and "where isnull('Condition')" in single quotes, as I mentioned in my post; surprisingly, it still shows events that have Condition in them.
