I'm trying to setup an AWS EventBridge rule that will filter all Okta user events with rawUserAgent as "anything-but" with the "prefix" libwww-perl. My question is that is there a way to chain AWS rule syntax on the same field in the event? I tried something like this, but it didn't work -
{
"detail": {
"eventType": [{
"prefix": "user.session.start"
}],
"outcome": {
"result": [{
"prefix": "FAILURE"
}]
},
"client": {
"userAgent": {
"rawUserAgent": [{
"anything-but": [{"prefix": "libwww-perl"}]
}]
}
}
}
}
Any suggestions on how I can achieve this?
Here's a sample event:
{
"version": "0",
"id": "123",
"detail-type": "SystemLog",
"source": "okta",
"account": "123",
"time": "2022-06-24T13:07:02Z",
"region": "us-east-1",
"resources": [],
"detail": {
"uuid": "123",
"published": "2022-06-24T13:07:02.586Z",
"eventType": "user.session.start",
"version": "0",
"displayMessage": "User login to Okta",
"severity": "INFO",
"client": {
"userAgent": {
"rawUserAgent": "libwww-perl/6.15",
"os": "Unknown",
"browser": "UNKNOWN"
},
"zone": "null",
"device": "Unknown",
"id": null,
"ipAddress": "192.168.1.1",
"geographicalContext": {
"city": null,
"state": null,
"country": "United States",
"postalCode": null,
"geolocation": {
"lat": 37.751,
"lon": -97.822
}
},
"ipChain": [
{
"ip": "192.168.1.1.",
"geographicalContext": {
"city": null,
"state": null
"country": "Canada",
"postalCode": null,
"geolocation": {
"lat": 37.751,
"lon": -97.822
}
},
"version": "V4",
"source": null
}
]
},
"device": null,
"actor": {
"id": "unknown",
"type": "User",
"alternateId": "[email protected]",
"displayName": "unknown",
"detailEntry": null
},
"outcome": {
"result": "FAILURE",
"reason": "VERIFICATION_ERROR"
},
"target": null,
"transaction": {
"type": "WEB",
"id": "YrW29nCfOE-MgiNf6-1UkQAAA8I",
"detail": {}
},
"debugContext": {
"debugData": {
"loginResult": "VERIFICATION_ERROR",
"requestId": "abcd",
"threatSuspected": "true",
"requestUri": "",
"url": ""
}
},
"legacyEventType": "core.user_auth.login_failed",
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"authenticationStep": 0,
"externalSessionId": "unknown",
"interface": null
},
"securityContext": {
"asNumber": 11174,
"asOrg": "qwerty",
"isp": "qwerty",
"domain": "qwerty.com",
"isProxy": false
},
"insertionTimestamp": null
}
}
CodePudding user response:
You can use this pattern:
{
"detail": {
"eventType": [{
"prefix": "user.session.start"
}],
"client": {
"userAgent": {
"rawUserAgent": [{
"anything-but": {
"prefix": "libwww-perl"
}
}]
}
},
"outcome": {
"result": [{
"prefix": "FAILURE"
}]
}
}
}