Unable to perform a Regex Search for Asterisk

[Edit: Elastic parsed out the Asterisk, the proper log is now visible]

I am trying to perform a search against an AWS CloudTrail log identifying different instances of the asterisk (or escaped wildcard).

To do this I am attempting to use Lucene Queries (because KQL does not treat the * as a string, instead as a wildcard).

The log in question is:
{\"Records\":[{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"95c655dc-ec80\",\"eventName\":\"CreatePolicy\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2021-11-30T15:27:55Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"managementEvent\":true,\"readOnly\":false,\"recipientAccountId\":\"\",\"requestID\":\"3921499e\",\"requestParameters\":{\"path\":\"/service-role/\",\"policyDocument\":\"{\\n \\\"Version\\\": \\\"2012-10-17\\\",\\n \\\"Statement\\\": [\\n {\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Action\\\": \\\"logs:CreateLogGroup\\\",\\n \\\"Resource\\\": \\\"arn:aws:logs:eu-west-2:082:*\\\"\\n },\\n {\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Action\\\": [\\n \\\"logs:CreateLogStream\\\",\\n \\\"logs:PutLogEvents\\\"\\n ],\\n \\\"Resource\\\": [\\n \\\"arn:aws:logs:eu-west-2:082:log-group:/aws/lambda:*\\\"\\n ]\\n }\\n ]\\n}\",\"policyName\":\"AWSLambda-c3a8\"},\"responseElements\":{\"policy\":{\"arn\":\"arn:aws:iam::082:policy/service-role/AWSLambda-c3a8\",\"attachmentCount\":0,\"createDate\":\"\",\"defaultVersionId\":\"v1\",\"isAttachable\":true,\"path\":\"/service-role/\",\"policyId\":\"WEP\",\"policyName\":\"AWSLambda-c3a8\",\"updateDate\":\"\"}},\"sourceIPAddress\":\"\",\"userAgent\":\"aws-internal/1.1\",\"userIdentity\":{\"accessKeyId\":\"33W\",\"accountId\":\"082\",\"arn\":\"arn:aws:sts::082:assumed-role/access-role/roleSessionName\",\"principalId\":\"RVR:roleSessionName\",\"sessionContext\":{\"attributes\":{\"creationDate\":\"\",\"mfaAuthenticated\":\"true\"},\"sessionIssuer\":{\"accountId\":\"082\",\"arn\":\"arn:aws:iam::082:role/\",\"principalId\":\"RVR\",\"type\":\"Role\",\"userName\":\"access-role\"},\"webIdFederationData\":{}},\"type\":\"AssumedRole\"}}]}

Please excuse the redundant backspaces but I am trying to focus on the instance of :*.

Previous attempts, such as /.:*./, do not return any results.

Hey @GreenBlueSkys,

Thanks for bringing this here.

First of all, I would like to assure you that KQL does support the asterisk in wildcard matching:
You can match your sample record with something like this:

Resource: *\:\*

or:

Resource: arn\:aws\:logs\:eu-west-2\:082\:\*

You just need to escape : and *.

Concerning Lucene, you can achieve that by escaping the asterisk symbol only:

Resource: /.*:\*/

Please let us know if that works.

Best regards,
Mike
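To make the two points in the answer above concrete (this is an added example, not code from the original thread or from Elastic): the Lucene regex `/.*:\*/` is anchored to the whole term, so it is equivalent to a Python `re.fullmatch` with the same pattern, and a KQL term only matches literally once `:` and `*` are backslash-escaped. The script below builds a constructed CloudTrail `CreatePolicy` record modelled on the one in the question, pulls every `Resource` out of the embedded `policyDocument` string, flags the ones ending in a literal `:*`, and generates the escaped KQL query for a given value. The record contents, the `KQL_SPECIAL` set and the helper names are assumptions made for the example.

```python
import json
import re

# Constructed sample: a trimmed-down CloudTrail CreatePolicy record modelled on the
# one in the question. CloudTrail stores the policy document as a JSON *string*
# inside the JSON event, which is why the original log shows doubled escaping.
SAMPLE_RECORD = {
    "eventName": "CreatePolicy",
    "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "path": "/service-role/",
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "logs:CreateLogGroup",
                 "Resource": "arn:aws:logs:eu-west-2:082:*"},
                {"Effect": "Allow",
                 "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                 "Resource": ["arn:aws:logs:eu-west-2:082:log-group:/aws/lambda:*"]},
            ],
        }),
        "policyName": "AWSLambda-c3a8",
    },
}

# Lucene regex syntax anchors the pattern to the whole term, so /.*:\*/ means
# "anything, then a literal colon, then a literal asterisk at the end".
# Python's re.fullmatch applies the same anchoring to the same pattern.
LUCENE_REGEX = r".*:\*"


def resources_in_policy(policy_document: str) -> list[str]:
    """Flatten every Resource entry of a policy document that arrived as a JSON string."""
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be an object, not a list
        statements = [statements]
    found: list[str] = []
    for stmt in statements:
        res = stmt.get("Resource", [])
        found.extend([res] if isinstance(res, str) else res)
    return found


def wildcard_resources(record: dict) -> list[str]:
    """Return the Resource values of a CreatePolicy record that end in a literal ':*'."""
    policy = record.get("requestParameters", {}).get("policyDocument")
    if not policy:
        return []
    return [r for r in resources_in_policy(policy) if re.fullmatch(LUCENE_REGEX, r)]


# Characters KQL treats as query syntax; each must be backslash-escaped to match literally.
KQL_SPECIAL = set('\\():<>"*')


def kql_escape(value: str) -> str:
    """Backslash-escape KQL syntax characters so the term is matched literally."""
    return "".join("\\" + ch if ch in KQL_SPECIAL else ch for ch in value)


def kql_query(field: str, value: str) -> str:
    """Build a 'field: value' KQL clause with the value escaped."""
    return f"{field}: {kql_escape(value)}"


if __name__ == "__main__":
    for r in wildcard_resources(SAMPLE_RECORD):
        print("wildcard resource:", r)
        print("  KQL:", kql_query("Resource", r))
```

Running it lists both resources from the sample policy and prints the escaped KQL clause for each, which for the first one is exactly the `Resource: arn\:aws\:logs\:eu-west-2\:082\:\*` query from the answer. The query from the original post, `/.:*./`, fails for a different reason than escaping: inside a Lucene regex `:*` means "zero or more colons" and each `.` matches a single character, so it can never match a full ARN.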
