检索某账号AKSK在指定时间范围内做了什么

如果不是使用us-east-1的日志，注意替换"amazon_security_lake_table_us_east_1_cloud_trail_mgmt_1_0"

需要替换里面的<your account id>，比如123456789012；

替换里面的<your credential uid>，比如AKIAY625JPUY55PBUEWT

替换eventday为你想要查询的时间范围：

SELECT api.operation, api.service.name, src_endpoint.ip, severity, status
FROM "amazon_security_lake_table_us_east_1_cloud_trail_mgmt_1_0" 
WHERE accountid = <your account id>
AND actor.user.credential_uid = <your credential uid>
AND eventday >= '20231008'
AND eventday <= '20231008'
GROUP BY api.operation, api.service.name, src_endpoint.ip, severity, status
ORDER BY src_endpoint.ip

上一页调查可疑用户下一页调查GuardDuty的发现

最后更新于6个月前