
I want to parse the nested JSON from CloudTrail logs to get the username, date and time. How can I do it? Is there code I can use in Lambda, or is there some tool? For example, the JSON file looks like this:

{"version":"0","id":"5bd0a964-0969-4b1a-badd-3b4f7e9e077f","detail-type":"AWS API Call via CloudTrail","source":"aws.ec2","account":"111111111","time":"2017-04-25T16:07:33Z","region":"us-west-2","resources":[],"detail":{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"1111111","arn":"arn:aws:iam::137247507067:root","accountId":"111111111","accessKeyId":"AAAAAAAA","userName":"roger","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2017-04-25T05:44:56Z"}}},"eventTime":"2017-04-25T16:07:33Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","awsRegion":"us-west-2","sourceIPAddress":"X.X.X.X","userAgent":"console.ec2.amazonaws.com","requestParameters":{"imageId":"ami-36e85556","launchPermission":{"add":{"items":[{"userId":"879125893843"}]}},"attributeType":"launchPermission"},"responseElements":{"_return":true},"requestID":"06ae4745-2d29-4a3b-b526-c5d8c4b4a7fc","eventID":"fc57b805-ae30-4ec7-bf4f-7a9c971ae0c7","eventType":"AwsApiCall"}}

1 Answer

You can use AWS Athena.

It basically loads the CloudTrail logs into a table, so we can easily query all the things.

It has more options for analyzing the CloudTrail logs. For example, if you want to know who launched an EC2 instance, query like this:

-- Who launched EC2 instances since 2017-04-25 02:00 UTC. The instance ID is nested
-- inside responseElements.instancesSet.items, so the JSON array is unnested first.
SELECT date_format(from_iso8601_timestamp(eventtime), '%Y-%m-%d') AS EventDate,
       useridentity.arn AS UserARN,
       awsregion AS Region,
       json_extract_scalar(item, '$.instanceId') AS InstanceId
FROM cloudtrail_logs
CROSS JOIN UNNEST(cast(json_extract(responseelements, '$.instancesSet.items') AS array(json))) AS i (item)
WHERE eventsource = 'ec2.amazonaws.com'
  AND eventname = 'RunInstances'
  AND eventtime >= '2017-04-25T02:00:00.000'
ORDER BY eventtime DESC
LIMIT 2;

The result is shown in a screenshot in the original answer (not reproduced here).

https://aws.amazon.com/blogs/big-data/aws-cloudtrail-and-amazon-athena-dive-deep-to-analyze-security-compliance-and-operational-activity/

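Athena is the right tool for querying months of CloudTrail history in bulk, but the question also asked for something that runs in Lambda. The following is an added example, not code from the question or the answer, of a Lambda handler that pulls the principal name, date and time out of the nested CloudTrail record. It accepts either the EventBridge envelope shown in the question (the record sits under "detail") or a CloudTrail log file as delivered to S3 (records sit in a "Records" list). The sample events below are constructed for the example: the first is the question's own record, the second is an invented assumed-role record used to show that "userName" is not always present and the code has to fall back to the role name from sessionContext.sessionIssuer or the ARN.

```python
import json
from datetime import datetime, timezone

# Constructed sample 1: the EventBridge-wrapped CloudTrail event from the question
# (account ID and IP were already redacted there).
SAMPLE_EVENTBRIDGE = json.loads(r'''{"version":"0","id":"5bd0a964-0969-4b1a-badd-3b4f7e9e077f",
"detail-type":"AWS API Call via CloudTrail","source":"aws.ec2","account":"111111111",
"time":"2017-04-25T16:07:33Z","region":"us-west-2","resources":[],
"detail":{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"1111111",
"arn":"arn:aws:iam::137247507067:root","accountId":"111111111","accessKeyId":"AAAAAAAA",
"userName":"roger","sessionContext":{"attributes":{"mfaAuthenticated":"true",
"creationDate":"2017-04-25T05:44:56Z"}}},"eventTime":"2017-04-25T16:07:33Z",
"eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","awsRegion":"us-west-2",
"sourceIPAddress":"X.X.X.X","userAgent":"console.ec2.amazonaws.com",
"requestParameters":{"imageId":"ami-36e85556","launchPermission":{"add":{"items":[{"userId":"879125893843"}]}},
"attributeType":"launchPermission"},"responseElements":{"_return":true},
"requestID":"06ae4745-2d29-4a3b-b526-c5d8c4b4a7fc","eventID":"fc57b805-ae30-4ec7-bf4f-7a9c971ae0c7",
"eventType":"AwsApiCall"}}''')

# Constructed sample 2 (invented for this example): a CloudTrail log file with one
# assumed-role record. Assumed-role identities carry no top-level "userName".
SAMPLE_LOGFILE = {"Records": [{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:deploy-session",
        "arn": "arn:aws:sts::111111111:assumed-role/DeployRole/deploy-session",
        "accountId": "111111111",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": "DeployRole",
                              "arn": "arn:aws:iam::111111111:role/DeployRole"},
            "attributes": {"mfaAuthenticated": "false", "creationDate": "2017-04-25T16:00:00Z"}}},
    "eventTime": "2017-04-25T16:10:02Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateAccessKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "X.X.X.X"}]}


def iter_records(event):
    """Yield CloudTrail records from an EventBridge envelope ("detail"),
    a CloudTrail log file ("Records"), or a bare record."""
    if "Records" in event:
        yield from event["Records"]
    elif "detail" in event:
        yield event["detail"]
    else:
        yield event


def principal_name(user_identity):
    """Human-readable principal. 'userName' exists for IAM users (and the root
    record above); for assumed roles fall back to the issuing role, then the ARN."""
    if user_identity.get("userName"):
        return user_identity["userName"]
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("userName"):
        return issuer["userName"]
    if user_identity.get("type") == "Root":
        return "root"
    return user_identity.get("arn", "unknown")


def summarize(record):
    """Flatten the fields the question asked for (who, date, time) plus the
    context a responder wants next to them."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ui = record.get("userIdentity", {})
    attrs = ui.get("sessionContext", {}).get("attributes", {})
    return {
        "user": principal_name(ui),
        "identity_type": ui.get("type"),
        "date": ts.date().isoformat(),
        "time": ts.time().isoformat(),
        "event": record.get("eventName"),
        "source_ip": record.get("sourceIPAddress"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
    }


def lambda_handler(event, context=None):
    """Lambda entry point: one summary dict per CloudTrail record in the event."""
    results = [summarize(r) for r in iter_records(event)]
    for r in results:
        print(json.dumps(r))  # lands in CloudWatch Logs when run in Lambda
    return results


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENTBRIDGE)
    lambda_handler(SAMPLE_LOGFILE)
```

When wired to an EventBridge rule on "AWS API Call via CloudTrail", the handler sees one record per invocation; when triggered from S3 it would first need to download and gunzip the object before passing the parsed dict in. The "mfa" flag and identity type are worth keeping next to the user name: a root call with "mfaAuthenticated":"false", or a role session where you expected an IAM user, is exactly the kind of thing a per-event Lambda should alert on.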