我正在尝试设置一个 AWS EventBridge 规则,用于过滤所有 Okta 用户事件,条件是 rawUserAgent 使用 anything-but(排除)并结合 prefix(前缀)为 libwww-perl。我的问题是:在 AWS 事件模式语法中,是否有办法对事件里的同一个字段组合(链式使用)多个匹配条件?我试过下面这种写法,但没有成功:
{
"detail": {
"eventType": [{
"prefix": "user.session.start"
}],
"outcome": {
"result": [{
"prefix": "FAILURE"
}]
},
"client": {
"userAgent": {
"rawUserAgent": [{
"anything-but": [{"prefix": "libwww-perl"}]
}]
}
}
}
}

关于如何做到这一点,有什么建议吗?
下面是一个示例事件(注意:示例中 ipChain[0].geographicalContext 里的 "state": null 之后缺少逗号,照原样粘贴会导致 JSON 解析失败,测试前需补上):
{
"version": "0",
"id": "123",
"detail-type": "SystemLog",
"source": "okta",
"account": "123",
"time": "2022-06-24T13:07:02Z",
"region": "us-east-1",
"resources": [],
"detail": {
"uuid": "123",
"published": "2022-06-24T13:07:02.586Z",
"eventType": "user.session.start",
"version": "0",
"displayMessage": "User login to Okta",
"severity": "INFO",
"client": {
"userAgent": {
"rawUserAgent": "libwww-perl/6.15",
"os": "Unknown",
"browser": "UNKNOWN"
},
"zone": "null",
"device": "Unknown",
"id": null,
"ipAddress": "192.168.1.1",
"geographicalContext": {
"city": null,
"state": null,
"country": "United States",
"postalCode": null,
"geolocation": {
"lat": 37.751,
"lon": -97.822
}
},
"ipChain": [
{
"ip": "192.168.1.1.",
"geographicalContext": {
"city": null,
"state": null
"country": "Canada",
"postalCode": null,
"geolocation": {
"lat": 37.751,
"lon": -97.822
}
},
"version": "V4",
"source": null
}
]
},
"device": null,
"actor": {
"id": "unknown",
"type": "User",
"alternateId": "abc@gmail.com",
"displayName": "unknown",
"detailEntry": null
},
"outcome": {
"result": "FAILURE",
"reason": "VERIFICATION_ERROR"
},
"target": null,
"transaction": {
"type": "WEB",
"id": "YrW29nCfOE-MgiNf6-1UkQAAA8I",
"detail": {}
},
"debugContext": {
"debugData": {
"loginResult": "VERIFICATION_ERROR",
"requestId": "abcd",
"threatSuspected": "true",
"requestUri": "",
"url": ""
}
},
"legacyEventType": "core.user_auth.login_failed",
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"authenticationStep": 0,
"externalSessionId": "unknown",
"interface": null
},
"securityContext": {
"asNumber": 11174,
"asOrg": "qwerty",
"isp": "qwerty",
"domain": "qwerty.com",
"isProxy": false
},
"insertionTimestamp": null
}
}

发布于 2022-07-13 19:36:11
您可以使用以下模式。关键区别在于:`anything-but` 的值应当直接是一个 `{"prefix": "libwww-perl"}` 对象,而不是再包一层数组——外层的 `[ ... ]` 只应包在 `rawUserAgent` 这一层。另外有几点值得注意:EventBridge 的 `prefix` 匹配区分大小写;事件模式中列出的字段通常都必须出现在事件里,因此缺少 `rawUserAgent` 的事件不会被该规则匹配,需要结合 `exists` 匹配另行处理;User-Agent 完全由客户端自行声明、可以随意伪造,按前缀排除 `libwww-perl` 只能过滤掉该工具的默认噪声,不能当作安全判断依据。
{
"detail": {
"eventType": [{
"prefix": "user.session.start"
}],
"client": {
"userAgent": {
"rawUserAgent": [{
"anything-but": {
"prefix": "libwww-perl"
}
}]
}
},
"outcome": {
"result": [{
"prefix": "FAILURE"
}]
}
}
}

来源:https://stackoverflow.com/questions/72971333