Advanced inventory search allows you to query your entire cloud inventory (perform asset lookups) based on custom criteria. The queries you build here can be used to create Custom Alerts, and you can model queries for use with Alert Automations.
Note: This article describes the current inventory advanced search capabilities. Due to ongoing development, future releases may change the existing functionality and introduce additional features.
Getting started with advanced inventory search
- Navigate to Inventory from the main menu on the left.
- Click into the Search field in the upper-left corner of the page and then click the Advanced search link.
- Your inventory query filter (rules).
- Several options for working with query rules:
  - Negate query - nullifies the query and query results without deleting the query.
  - Copy rule - a convenient shortcut for copying the entire query.
  - Clear rule - clears the query canvas and resets the search results.
  - Change the edit mode:
    - Raw mode - disables auto-complete suggestions and turns the query canvas into a free-form query editor.
    - Assisted mode - enables auto-complete suggestions in response to your input.
- Create Alert - navigate to the Custom Alerts page. Make sure to first copy your query before leaving the inventory advanced search page.
- The Search button executes your query against data in your Orca account.
- Predefined queries you can execute instantly by clicking on them.
Example CloudTrail event queries to get you started
| Rule Name | AWS Service | Primary Query |
|---|---|---|
| CloudTrail Service Changes | CloudTrail | AwsCloudTrailEvent with EventSource = "cloudtrail.amazonaws.com" |
| CloudTrail Deletes Only | CloudTrail | AwsCloudTrailEvent with EventName = "DeleteTrail" |
| Creating Instances in Non-Approved Regions | EC2 | AwsCloudTrailEvent with EventName = "RunInstances" and AwsRegion != "your_whitelisted_regions" |
| Access Key Changes | IAM | AwsCloudTrailEvent with EventName = "CreateAccessKey" or EventName = "DeleteAccessKey" or EventName = "UpdateAccessKey" |
| Non-Approved Console Logins | IAM | AwsCloudTrailEvent with EventName = "ConsoleLogin" and SourceIpAddress != "your_expected_ips" |
| Access Key Updates | IAM | AwsCloudTrailEvent with EventSource = "iam.amazonaws.com" and EventName like "Access" |
| Console MFA Changes | IAM | AwsCloudTrailEvent with EventSource = "iam.amazonaws.com" and EventName like "MFA" |
| Root User Actions | User Actions | AwsCloudTrailEvent with UserIdentity.type = "Root" |
| All Non-Read Actions in the Account | All | AwsCloudTrailEvent without ReadOnly |
| User Initiated EC2 Modification | EC2 | AwsCloudTrailEvent with EventName like "Instances" and SourceIpAddress != "autoscaling.amazonaws.com" |
| New IAM Assets Created | IAM | AwsCloudTrailEvent with EventSource = "iam.amazonaws.com" and EventName like "Create" |
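
The matching logic of several rules in the table above, modeled in Python as an added example (not Orca's code or query engine) so the conditions can be tried against CloudTrail records offline. It assumes `like` is a substring match and `without ReadOnly` means `readOnly` is false or absent; the expected network, the `record` helper and the sample records are constructed for illustration.

```python
import ipaddress

# Assumed allow-list (placeholder, RFC 5737 documentation range).
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ACCESS_KEY_EVENTS = {"CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey"}

def from_expected_ip(source):
    """sourceIPAddress can hold a service name instead of an IP; treat that as no match."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)

# Rule name -> predicate over one CloudTrail record (CloudTrail JSON field names).
# Assumptions: `like` is a substring match; `without ReadOnly` means false or absent.
RULES = {
    "CloudTrail Deletes Only": lambda e: e.get("eventName") == "DeleteTrail",
    "Access Key Changes": lambda e: e.get("eventName") in ACCESS_KEY_EVENTS,
    "Non-Approved Console Logins": lambda e: e.get("eventName") == "ConsoleLogin"
        and not from_expected_ip(e.get("sourceIPAddress", "")),
    "Console MFA Changes": lambda e: e.get("eventSource") == "iam.amazonaws.com"
        and "MFA" in e.get("eventName", ""),
    "Root User Actions": lambda e: e.get("userIdentity", {}).get("type") == "Root",
    "All Non-Read Actions in the Account": lambda e: not e.get("readOnly", False),
    "User Initiated EC2 Modification": lambda e: "Instances" in e.get("eventName", "")
        and e.get("sourceIPAddress") != "autoscaling.amazonaws.com",
}

def matching_rules(event):
    """Return the sorted names of every rule whose predicate matches the record."""
    return sorted(name for name, pred in RULES.items() if pred(event))

def record(source, name, ip, identity_type, read_only):
    """Build a constructed CloudTrail-shaped record with only the fields the rules read."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": identity_type}, "readOnly": read_only}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    record("signin.amazonaws.com", "ConsoleLogin", "198.51.100.7", "Root", False),
    record("ec2.amazonaws.com", "RunInstances", "autoscaling.amazonaws.com", "AssumedRole", False),
    record("iam.amazonaws.com", "DeactivateMFADevice", "203.0.113.10", "IAMUser", False),
    record("ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "IAMUser", True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", matching_rules(ev))
```

Under these assumptions the last sample shows that the substring match on "Instances" also fires on the read-only DescribeInstances call, so combining it with the non-read condition narrows the rule to actual modifications.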