Fix filter query for log_metric_filter_unauthorized_api (#294)

turbot · Oct 11, 2021 · 1cdff16 · 1cdff16
1 parent 64ca29f
commit 1cdff16
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/query/cloudwatch/log_metric_filter_unauthorized_api.sql b/query/cloudwatch/log_metric_filter_unauthorized_api.sql
@@ -24,7 +24,7 @@ with filter_data as (
     and filter.log_group_name = split_part(trail.log_group_arn, ':', 7)
     -- As per cis recommended exact pattern order
     -- {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") || ($.sourceIPAddress!="delivery.logs.amazonaws.com") || ($.eventName!="HeadBucket") }
-    and filter.filter_pattern ~ '\$\.errorCode\s*=\s*"*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"'
+    and filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"'
     and alarm.metric_name = filter.metric_transformation_name
     and subscription.topic_arn = action_arn
 )