Matching events on event field values
You can use all of the JSON data types and values to match events. The following examples show events and the event patterns that match them.
Field matching
You can match on the value of a field. Consider the following Amazon EC2 Auto Scaling event.
{
"version": "0",
"id": "3e3c153a-8339-4e30-8c35-687ebef853fe",
"detail-type": "EC2 Instance Launch Successful",
"source": "aws.autoscaling",
"account": "123456789012",
"time": "2015-11-11T21:31:47Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "",
"responseElements": null
}
}For the preceding event, you can use the "responseElements" field to
match.
{
"source": ["aws.autoscaling"],
"detail-type": ["EC2 Instance Launch Successful"],
"detail": {
"responseElements": [null]
}
}Value matching
Consider the following Amazon Macie event, which is truncated.
{
"version": "0",
"id": "0948ba87-d3b8-c6d4-f2da-732a1example",
"detail-type": "Macie Finding",
"source": "aws.macie",
"account": "123456789012",
"time": "2021-04-29T23:12:15Z",
"region":"us-east-1",
"resources": [
],
"detail": {
"schemaVersion": "1.0",
"id": "64b917aa-3843-014c-91d8-937ffexample",
"accountId": "123456789012",
"partition": "aws",
"region": "us-east-1",
"type": "Policy:IAMUser/S3BucketEncryptionDisabled",
"title": "Encryption is disabled for the S3 bucket",
"description": "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn’t encrypted
using server-side encryption.",
"severity": {
"score": 1,
"description": "Low"
},
"createdAt": "2021-04-29T15:46:02Z",
"updatedAt": "2021-04-29T23:12:15Z",
"count": 2,
.
.
.The following event pattern matches any event that has a severity score of 1 and a count of 2.
{
"source": ["aws.macie"],
"detail-type": ["Macie Finding"],
"detail": {
"severity": {
"score": [1]
},
"count":[2]
}
}