JQ

jq is similar to command-line tools like sed, awk and grep. It is a lightweight and flexible command-line processor for JSON-formatted data: it transforms and filters JSON into meaningful output that can be read and understood to gain security insights.

#display all the elements contained in the json file
root@dco:~$ jq '.[]' filename.json
 * jq takes two inputs: the filter to apply and the JSON file to read
    - the . refers to the current input (here, the whole document)
    - the [] iterates over the top-level array, so .[] emits each element stored in filename.json as a separate output

#once the keys are identified, the values can be extracted separately
root@dco:~$ jq '.[] | .book_title' filename.json
 * | .book_title pipes each element into the filter .book_title, which extracts the value stored under that key

#display all fields
root@thm:~$ jq '.[]' cloudtrail_log.json

#extract only pertinent information
root@thm:~$ jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"], (.Records[] | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .userAgent // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

#query specific user
root@thm:~$ jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"], (.Records[] | select(.userIdentity.userName=="glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .userAgent // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
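As an added example (not part of the original notes), the two CloudTrail queries above wrapped in a POSIX shell function that takes the log file and an optional user name, run against a small constructed Records array. The sample file, the helper names and the event values are assumptions for illustration; note how records with no userIdentity.userName (the AssumedRole record here) show "N/A" and are never matched by the user filter.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a constructed
# CloudTrail-style file and runs the same extraction as the queries above.

make_sample() {
  # Constructed records; only the keys the jq filters read are populated.
  cat > "$1" <<'EOF'
{"Records":[
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",
  "userIdentity":{"type":"IAMUser","userName":"glitch"},"userAgent":"aws-cli/2.0","sourceIPAddress":"203.0.113.5"},
 {"eventTime":"2024-01-01T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "userIdentity":{"type":"AssumedRole"},"sourceIPAddress":"198.51.100.7"},
 {"eventTime":"2024-01-01T10:10:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity",
  "userIdentity":{"type":"IAMUser","userName":"alice"},"userAgent":"Boto3/1.0","sourceIPAddress":"203.0.113.9"}
]}
EOF
}

# cloudtrail_rows FILE [USERNAME]
# Prints a TSV header plus one row per record; missing fields become "N/A".
# With USERNAME, only records whose userIdentity.userName matches are kept.
cloudtrail_rows() {
  file=$1; user=${2:-}
  if [ -n "$user" ]; then
    sel="select(.userIdentity.userName == \$u) |"   # $u is bound with --arg below
  else
    sel=""
  fi
  jq -r --arg u "$user" \
    '["Event_Time","Event_Source","Event_Name","User_Name","User_Agent","Source_IP"],
     (.Records[] | '"$sel"' [.eventTime, .eventSource, .eventName,
        .userIdentity.userName // "N/A", .userAgent // "N/A", .sourceIPAddress // "N/A"])
     | @tsv' "$file"
}

# Number of data rows (header excluded), handy for a quick sanity check.
row_count() { cloudtrail_rows "$@" | tail -n +2 | wc -l | tr -d ' '; }

SAMPLE=$(mktemp)
make_sample "$SAMPLE"
cloudtrail_rows "$SAMPLE"            # all records
cloudtrail_rows "$SAMPLE" glitch     # only the user "glitch"
rm -f "$SAMPLE"
```

Pipe the output through `column -t -s "$(printf '\t')"` to get the aligned table shown above; the bash-only `$'\t'` form on the page is written portably here.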
