Researching Through Data Monitored by Amazon Macie
You can use the Research tab in the Macie console to construct and run queries in the query parser and conduct in-depth investigative research of your data and activity that Macie monitors. You can navigate to the Research tab at any time and construct queries in the empty parser. For more information, see Constructing Queries in Macie. You can be redirected to the Research tab from various places throughout the Macie console: for example, any of the Dashboard views (see Using the Amazon Macie Dashboard) or the Basic alerts list (see Amazon Macie Alerts). When redirected to the Research tab from other places in the console, your data selection is translated into an automatically generated query that appears in the query parser.
Topics
Constructing Queries in Macie
Macie enables you to construct queries in the query parser in the Research tab. The query parser is a lexer that interprets a string into a Lucene Query using JavaCC. For more information about query syntax, see Apache Lucene - Query Parser Syntax.
The following are example queries for common searches:
-
To search for any console login not that didn't originate from IP addresses owned by Amazon:
eventNameIsp.compound:/ConsoleLogin:~(Amazon.*)/ -
To search for PII artifacts inside a public S3 bucket:
filesystem_metadata.bucket:"my-public-bucket" AND (pii_impact:"moderate" OR pii_impact:"high")
The following tables contains example queries for the Macie date, integer, and string field types.
Example Queries: Date Field Type
|
Example Query |
Description |
Data Repository |
|---|---|---|
|
|
Search for S3 objects read in the fourth quarter of 2017. |
CloudTrail data |
|
|
Search for anonymous accesses to your Macie-monitored data from Tor exit notes over the last month. |
CloudTrail data |
|
|
Search for AWS activities of an assumed role named "malicious_user" in the AWS account ID 085924634393, starting from January 18, 2018. |
CloudTrail data |
Example Queries: Integer Field Type
|
Example Query |
Description |
Data Repository |
|---|---|---|
|
|
Search for S3 objects with a |
S3 objects |
|
|
Search for S3 objects between the sizes of 10 MB to 1 GB that contain potential PII data. |
S3 objects |
Example Queries: String Field Type
|
Example Query |
Description |
Data Repository |
|---|---|---|
|
|
Search for S3 object keys (names) that contain the keywords "contract," "agreement,"
or
"terms," with a Note Some regex queries might result in long search times. We recommend conducting searches for limited time frames. |
S3 objects |
|
|
Search for S3 objects containing PDF data but in files with file extensions other than PDF/pdf. Note This query also returns archived objects (zip,7z, etc.) containing PDF documents. |
S3 objects |
|
|
Search for S3 buckets with ACL grantee display names set to "admin." |
S3 bucket properties |
|
|
Search for S3 buckets with ACL grantee display names set to "admi(?)" (wildcard), including "admin." |
S3 bucket properties |
|
|
Search for S3 buckets with keywords "test." |
S3 bucket properties |
Research Filters
In the Macie Research tab, you can apply the following filters to your searches.
Data Index
The first Research tab filter (dropdown) with the preselected default value of CloudTrail data, enables you to specifying the index (or the data repository) that you want Macie to search through. This filter includes the following options:
-
CloudTrail data – A collection of 5-minute aggregates of raw CloudTrail data
-
S3 bucket properties – A collection of metadata about the S3 buckets that Macie is monitoring
-
S3 objects – A collection of metadata about the S3 objects that are stored in the buckets that Macie is monitoring
Number of Results to Display
The next Research tab filter with the preselected default value of Top 10 enables you to control the number of results to display when you do your initial search and the number of additional results to display if more results are available. This filter includes the following options:
-
Top 10
-
Top 50
-
Top 100
-
Top 500
Time Range
The third Research tab filter with the preselected default value of Past 30 days enables you to define a time range that you want to display your search results for. This filter includes the following options:
-
Past 7 days
-
Past 30 days
-
Past 90 days
-
Past 365 days
-
All
-
Custom time range
Saving a Query as an Alert
You can use the following procedure to save a query that appears in the query parser as a basic alert. For more information about basic alerts, see Amazon Macie Alerts.
-
In the Macie console's Research tab, either autogenerate or construct a query in the query parser.
-
Choose the Save query as alert icon.
-
Fill out the Basic alert definition form and choose Save. For more information, see Adding New and Editing Existing Custom Basic Alerts.
Favorite Queries
You can mark queries that you frequently run as favorites and view a list of your favorite queries.
-
In the Macie console's Research tab, either autogenerate or construct a query in the query parser.
-
Choose the Mark query as favorite icon.
-
Fill out the Favorite query definition form by specifying the name and the description for the favorite query and choose Save.
-
To view the list of your favorite queries, in the Macie console's Research tab, choose the Favorite queries icon.
