Hal Pomeranz · Apr 15, 2021 · 10:03 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

15 Apr 2021

Complex query run over 4.5T of CloudTrail data-- jq + xargs (for parallelism) banged it out in under 4hrs #CommandLineSkillz

J P · Apr 15, 2021 · 10:11 PM UTC

J P @JPoForenso

15 Apr 2021

Highly recommend checking out Athena to query CT logs from S3. Exponential time savings and relatively cheap (as compared to using other services/methods). Even better time & cost savings w/ partition mgmt. docs.aws.amazon.com/athena/l… workshop.aws-management.tool… wellarchitectedlabs.com/secu…

Hal Pomeranz · Apr 15, 2021 · 10:14 PM UTC

Hal Pomeranz · Apr 15, 2021 · 10:14 PM UTC

Hal Pomeranz @hal_pomeranz

15 Apr 2021

Replying to @JPoForenso

Well hello, Mr Fancypants! :-) For reason's that don't bear discussing, I'm dealing with logs exported as JSON on disk.

Apr 15, 2021 · 10:14 PM UTC

J P · Apr 15, 2021 · 10:18 PM UTC

J P @JPoForenso

15 Apr 2021

Replying to @hal_pomeranz

Ha, yeah right... Oh, I absolutely get it. Cut my teeth doing it the exact same way. Just throwing it out there as a "for possible future use" type thing. Cross-account Bucket/data sharing has been made a lot easier to facilitate direct access to stuff now (if/when able). 👍