I have reviewed a number of already answered questions related to case statements, but none that seem to address the issue I am having. I am trying to create a table to show AWS CloudTrail events associated with creating, deleting, or modifying IAM groups in AWS.
I have no problem with the basic details, but I am attempting to use a case statement so I can display additional detail for events associated with attaching or detaching a policy to a group, namely the policy that is being attached or detached.
Here is my search string, and the results:
```spl
sourcetype="aws:cloudtrail" eventName= *Group*
| eval Detail=case(eventName == DetachGroupPolicy, requestParameters.policyArn, eventName == AttachGroupPolicy, requestParameters.policyArn, 1=1, "N/A" )
| rename requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| table _time, eventName, Group, Detail, requestParameters.policyArn
```
RESULTS:
| _time | eventName | Group | Detail | requestParameters.policyArn |
|--------------------------------------------|-----------------------------|------------------|----------|-----------------------------------------------------------|
| 2017-11-14T13:01:30.000-0700 | DeleteGroup | TestGroup | N/A | |
| 2017-11-14T13:01:30.000-0700 | DetachGroupPolicy | TestGroup | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:01:19.000-0700 | UpdateGroup | tst_grp | N/A | |
| 2017-11-14T13:00:40.000-0700 | AttachGroupPolicy | tst_grp | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:00:40.000-0700 | CreateGroup | tst_grp | N/A | |
It seems that none of my case comparisons are evaluating to true. I've included the policyArn field to ensure it is actually populated and there are no typos.
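The comparisons in the posted eval never match because, inside `eval`, a bare token such as `DetachGroupPolicy` is parsed as a field name, not a string literal. No field by that name exists on the event, so each comparison is against null, evaluates false, and `case` falls through to the `1=1` default. Two fixes are needed: string literals must be double-quoted (`"DetachGroupPolicy"`), and field names that contain a dot (`requestParameters.policyArn`) must be wrapped in single quotes, otherwise `eval` does not resolve them either. The search below is an added example, not part of the original question. Beyond the two quoting fixes it also (a) restricts the base search to `eventSource="iam.amazonaws.com"`, because `eventName=*Group*` on its own also matches non-IAM events such as `CreateLogGroup` and `CreateSecurityGroup`; (b) extends `Detail` to the inline-policy events (`PutGroupPolicy`, `DeleteGroupPolicy`, which carry `requestParameters.policyName`) and the membership events (`AddUserToGroup`, `RemoveUserFromGroup`, which carry `requestParameters.userName`), all of which are real CloudTrail IAM event names that were not in the original search; and (c) derives an `actor` column with `coalesce`, an assumption added here so that actions taken under an assumed role, where `userIdentity.userName` is absent, still show who acted via `userIdentity.arn`.

```spl
sourcetype="aws:cloudtrail" eventSource="iam.amazonaws.com" eventName="*Group*"
| eval Detail=case(
    eventName=="AttachGroupPolicy" OR eventName=="DetachGroupPolicy", 'requestParameters.policyArn',
    eventName=="PutGroupPolicy"    OR eventName=="DeleteGroupPolicy", 'requestParameters.policyName',
    eventName=="AddUserToGroup"    OR eventName=="RemoveUserFromGroup", 'requestParameters.userName',
    true(), "N/A")
| eval actor=coalesce('userIdentity.userName', 'userIdentity.arn')
| rename requestParameters.groupName AS Group, actor AS "Performed by"
| table _time, eventName, Group, Detail, "Performed by"
```

`true()` is the idiomatic catch-all for the last `case` branch; `1=1` also works, as the all-`N/A` output in the question shows. With the quoting corrected, the `DetachGroupPolicy` and `AttachGroupPolicy` rows in the sample output would show `arn:aws:iam::aws:policy/ReadOnlyAccess` under `Detail` instead of `N/A`. Dotted field names only need the single quotes inside `eval`, `where` and similar expression contexts; in `rename` and `table` the bare name is fine, which is why those parts of the original search already worked.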