athena_query_events
Query AWS CloudTrail logs using Athena to filter and retrieve specific event data based on parameters like event names, user details, and IP addresses. Requires a pre-configured Athena table for the region.
Instructions
Query Athena for granular granular searches on CloudTrail logs.
<IMPORTANT>
Before calling this tool, you must call the athena_create_cloudtrail_table tool to create the table.
If the user asks for a different region, you must call the athena_create_cloudtrail_table tool to create the table in that region.
</IMPORTANT>
Parameters:
aws_region: The AWS region - use 'us-east-1' if not specified.
start_time: ISO string of the start time
end_time: ISO string of the end time
database: Athena database name to be used - use 'default' if not specified.
output_bucket: S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket.
event_names: List of event names to filter on (e.g. ["GetObject", "DeleteObject"])
principal_id: Optional principal ID to filter on. Use the percent sign (%) as a wildcard character.
user_arn: Optional user ARN to filter on. Use the percent sign (%) as a wildcard character. This is the ARN of the user performing the action.
user_name: Optional user name to filter on. This is the name of the user performing the action.
role_name: Optional role name to filter on. This is the name of the role assumed by the user performing the action.
ip_address: Optional IP address to filter on. Use the percent sign (%) as a wildcard character. This is the IP address of the user performing the action.
bucket_name: Optional bucket name to filter on. Use the percent sign (%) as a wildcard character.
limit: Maximum number of results to return (default is 50).
Returns:
str: JSON-formatted result of the Athena query.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| aws_region | Yes | ||
| bucket_name | No | ||
| database | Yes | ||
| end_time | Yes | ||
| event_names | Yes | ||
| ip_address | No | ||
| limit | No | ||
| output_bucket | Yes | ||
| principal_id | No | ||
| role_name | No | ||
| start_time | Yes | ||
| user_arn | No | ||
| user_name | No |
Input Schema (JSON Schema)
{
"properties": {
"aws_region": {
"title": "Aws Region",
"type": "string"
},
"bucket_name": {
"default": null,
"title": "Bucket Name",
"type": "string"
},
"database": {
"title": "Database",
"type": "string"
},
"end_time": {
"title": "End Time",
"type": "string"
},
"event_names": {
"items": {},
"title": "Event Names",
"type": "array"
},
"ip_address": {
"default": null,
"title": "Ip Address",
"type": "string"
},
"limit": {
"default": 50,
"title": "Limit",
"type": "integer"
},
"output_bucket": {
"title": "Output Bucket",
"type": "string"
},
"principal_id": {
"default": null,
"title": "Principal Id",
"type": "string"
},
"role_name": {
"default": null,
"title": "Role Name",
"type": "string"
},
"start_time": {
"title": "Start Time",
"type": "string"
},
"user_arn": {
"default": null,
"title": "User Arn",
"type": "string"
},
"user_name": {
"default": null,
"title": "User Name",
"type": "string"
}
},
"required": [
"aws_region",
"start_time",
"end_time",
"database",
"output_bucket",
"event_names"
],
"title": "athena_query_eventsArguments",
"type": "object"
}