i ran the command to get the lookup-events for ConsoleLogin activities in AWS Account.I want to extract the key values for mfaAuthenticated , eventSource and eventType from this given json output
The output i got from the above command
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXXXXXXXXXXX:dkboss",
"arn": "XXXXXXXXXXXXXXXXXXXXXXXXX/dkboss",
"accountId": "XXXXXXXXXXXXXXXX",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
"arn": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"accountId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"userName": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-11-27T15:24:28Z",
"mfaAuthenticated": "false" ---------> i want this key value
}
}
},
"eventTime": "2022-11-27T15:24:29Z",
"eventSource": "signin.amazonaws.com", ---------> i want this key value
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"requestParameters": null,
"responseElements": {
"ConsoleLogin": "Success"
},
"additionalEventData": {
"MobileVersion": "No",
"MFAUsed": "No"
},
"eventID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"readOnly": false,
"eventType": "AwsConsoleSignIn", ---------> i want this key value
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXXXXXXXXXXXXX",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"clientProvidedHostHeader": "signin.aws.amazon.com"
}
}
I ran this command to get the above json output :
aws cloudtrail --region us-east-1 lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --start-time $(date -d "-60 minutes" +%s) --query 'Events[].CloudTrailEvent.attributes' --output text | jq
You didn't give any conditions how to select the nodes, or how to format your output. So, how about just traversing to their locations. With the --raw-output
(or -r
) option, jq will output their decoded values. Making it a stream in the filter (by separating them with commas ,
) will make it a newline-separated list in the output.
jq --raw-output '
.userIdentity.sessionContext.attributes.mfaAuthenticated,
.eventSource,
.eventType
'
false
signin.amazonaws.com
AwsConsoleSignIn