turbot
diff --git a/‎CHANGELOG.md
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 9 additions & 0 deletions
diff --git a/‎dashboards/activity_dashboard.pp
Lines changed: 42 additions & 9 deletions b/‎dashboards/activity_dashboard.pp
Lines changed: 42 additions & 9 deletions
diff --git a/‎dashboards/root_user_activity_report.pp
Lines changed: 9 additions & 3 deletions b/‎dashboards/root_user_activity_report.pp
Lines changed: 9 additions & 3 deletions
diff --git a/‎detections/cloudfront.pp
Lines changed: 5 additions & 0 deletions b/‎detections/cloudfront.pp
Lines changed: 5 additions & 0 deletions
diff --git a/‎detections/cloudtrail.pp
Lines changed: 9 additions & 4 deletions b/‎detections/cloudtrail.pp
Lines changed: 9 additions & 4 deletions
diff --git a/‎detections/cloudwatch.pp
Lines changed: 3 additions & 0 deletions b/‎detections/cloudwatch.pp
Lines changed: 3 additions & 0 deletions
diff --git a/‎detections/codebuild.pp
Lines changed: 9 additions & 0 deletions b/‎detections/codebuild.pp
Lines changed: 9 additions & 0 deletions
diff --git a/‎detections/config.pp
Lines changed: 5 additions & 0 deletions b/‎detections/config.pp
Lines changed: 5 additions & 0 deletions
diff --git a/‎detections/ebs.pp
Lines changed: 10 additions & 3 deletions b/‎detections/ebs.pp
Lines changed: 10 additions & 3 deletions
@@ -1,3 +1,12 @@
+## v0.3.0 [2025-03-03]
+
+_Enhancements_
+
+- Added `title`, `description`, and `folder = "Account"` tag to `Activity Dashboard` queries for improved organization and clarity. https://github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections/pull/11
+- Removed `title` and added `folder = "Hidden"` tag to `Root User Activity Report` queries to streamline visibility. https://github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections/pull/11
+- Added `folder = "<service>"` tag to `service common tag locals` for better query categorization. https://github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections/pull/11
+- Standardized all queries to use `service common tags`, ensuring consistency across detection queries. https://github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections/pull/11
+
 ## v0.2.0 [2025-02-06]
 
 _Enhancements_
 
@@ -69,18 +69,24 @@
 # Query definitions
 
 query "activity_dashboard_total_logs" {
-  title = "Log Count"
+  title       = "Log Count"
+  description = "Count the total log entries."
 
   sql = <<-EOQ
     select
       count(*) as "Total Logs"
     from
       aws_cloudtrail_log;
   EOQ
+
+  tags = {
+    folder = "Account"
+  }
 }
 
 query "activity_dashboard_logs_by_source_ip" {
-  title = "Top 10 Source IPs (Non-AWS)"
+  title       = "Top 10 Source IPs (Excluding AWS Services and Internal)"
+  description = "List the top 10 source IPs by frequency, excluding events from AWS services and internal."
 
   sql = <<-EOQ
     select
@@ -97,10 +103,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Account"
+  }
 }
 
 query "activity_dashboard_logs_by_actor" {
-  title = "Top 10 Actors (Non-AWS)"
+  title       = "Top 10 Actors (Excluding AWS Services)"
+  description = "List the top 10 actors by frequency, excluding AWS services and service roles."
 
   sql = <<-EOQ
     select
@@ -117,11 +128,15 @@
       count(*) desc
     limit 10;
   EOQ
-}
 
+  tags = {
+    folder = "Account"
+  }
+}
 
 query "activity_dashboard_logs_by_service" {
-  title = "Top 10 Services"
+  title       = "Top 10 Services (Excluding Read-Only)"
+  description = "List the top 10 services by frequency, excluding read-only events."
 
   sql = <<-EOQ
     select
@@ -137,10 +152,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Account"
+  }
 }
 
 query "activity_dashboard_logs_by_event" {
-  title = "Top 10 Events"
+  title       = "Top 10 Events (Excluding Read-Only)"
+  description = "List the 10 most frequently called events, excluding read-only events."
 
   sql = <<-EOQ
     select
@@ -156,11 +176,15 @@
       count(*) desc
     limit 10;
   EOQ
-}
 
+  tags = {
+    folder = "Account"
+  }
+}
 
 query "activity_dashboard_logs_by_account" {
-  title = "Activity by Account"
+  title       = "Logs by Account"
+  description = "Count log entries grouped by account ID."
 
   sql = <<-EOQ
     select
@@ -173,10 +197,15 @@
     order by
       count(*) desc;
   EOQ
+
+  tags = {
+    folder = "Account"
+  }
 }
 
 query "activity_dashboard_logs_by_region" {
-  title = "Activity by Region"
+  title       = "Logs by Region"
+  description = "Count log entries grouped by region."
 
   sql = <<-EOQ
     select
@@ -189,4 +218,8 @@
     order by
       count(*) desc;
   EOQ
+
+  tags = {
+    folder = "Account"
+  }
 }
@@ -65,6 +65,10 @@
       and recipient_account_id in $2
       and user_identity.type = 'Root'
   EOQ
+
+  tags = {
+    folder = "Hidden"
+  }
 }
 
 query "root_user_activity_report_table" {
@@ -88,13 +92,15 @@
       timestamp desc
     limit 10000;
   EOQ
+
+  tags = {
+    folder = "Hidden"
+  }
 }
 
 # Input queries
 
 query "root_user_activity_report_aws_accounts_input" {
-  title = "Root User Activity Report AWS Accounts Input"
-
   sql = <<-EOQ
     with aws_account_ids as (
       select
@@ -112,6 +118,6 @@
   EOQ
 
   tags = {
-    folder = "Internal"
+    folder = "Hidden"
   }
 }
@@ -1,5 +1,6 @@
 locals {
   cloudfront_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "CloudFront"
     service = "AWS/CloudFront"
   })
 
@@ -45,6 +46,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudfront_common_tags
 }
 
 detection "cloudfront_distribution_logging_disabled" {
@@ -73,4 +76,6 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudfront_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   cloudtrail_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "CloudTrail"
     service = "AWS/CloudTrail"
   })
 
@@ -48,9 +49,7 @@
       event_time desc;
   EOQ
 
-  tags = {
-    recommended = "true"
-  }
+  tags = local.cloudtrail_common_tags
 }
 
 detection "cloudtrail_trail_kms_key_updated" {
@@ -83,6 +82,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudtrail_common_tags
 }
 
 detection "cloudtrail_trail_s3_logging_bucket_updated" {
@@ -115,6 +116,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudtrail_common_tags
 }
 
 detection "cloudtrail_trail_global_service_logging_disabled" {
@@ -139,11 +142,13 @@
     where
       event_source = 'cloudtrail.amazonaws.com'
       and event_name = 'UpdateTrail'
-      and (request_parameters -> 'includeGlobalServiceEvents') = 'false'
+      and (request_parameters -> 'includeGlobalServiceEvents') = false
       -- here we exclude console-based events by requiring 'session_credential_from_console' to be null, because console requests show all fields while CLI only shows updated fields.
       and session_credential_from_console is null
       ${local.detection_sql_where_conditions}
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudtrail_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   cloudwatch_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "CloudWatch"
     service = "AWS/CloudWatch"
   })
 }
@@ -44,4 +45,6 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.cloudwatch_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   codebuild_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "CodeBuild"
     service = "AWS/CodeBuild"
   })
 
@@ -48,6 +49,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.codebuild_common_tags
 }
 
 detection "codebuild_project_service_role_updated" {
@@ -77,6 +80,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.codebuild_common_tags
 }
 
 detection "codebuild_project_source_repository_updated" {
@@ -106,6 +111,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.codebuild_common_tags
 }
 
 detection "codebuild_project_environment_variable_updated" {
@@ -135,4 +142,6 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.codebuild_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   config_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "Config"
     service = "AWS/Config"
   })
 
@@ -45,6 +46,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.config_common_tags
 }
 
 detection "config_configuration_recorder_stopped" {
@@ -73,4 +76,6 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.config_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   ebs_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {
+    folder  = "EBS"
     service = "AWS/EBS"
   })
 }
@@ -47,6 +48,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.ebs_common_tags
 }
 
 detection "ebs_volume_detached" {
@@ -75,6 +78,8 @@
     order by
       event_time desc;
   EOQ
+
+  tags = local.ebs_common_tags
 }
 
 detection "ebs_snapshot_shared_publicly" {
@@ -108,9 +113,7 @@
       event_time desc;
   EOQ
 
-  tags = {
-    recommended  = "true"
-  }
+  tags = local.ebs_common_tags
 }
 
 detection "ebs_snapshot_created_with_encryption_disabled" {
@@ -140,6 +143,8 @@
     order by
       tp_timestamp desc;
   EOQ
+
+  tags = local.ebs_common_tags
 }
 
 detection "ebs_snapshot_unlocked" {
@@ -168,4 +173,6 @@
     order by
       tp_timestamp desc;
   EOQ
+
+  tags = local.ebs_common_tags
 }
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`locals {`
`2`	`2`	`cloudwatch_common_tags = merge(local.aws_cloudtrail_log_detections_common_tags, {`
	`3`	`+ folder = "CloudWatch"`
`3`	`4`	`service = "AWS/CloudWatch"`
`4`	`5`	`})`
`5`	`6`	`}`
`@@ -44,4 +45,6 @@`
`44`	`45`	`order by`
`45`	`46`	`event_time desc;`
`46`	`47`	`EOQ`
	`48`	`+`
	`49`	`+ tags = local.cloudwatch_common_tags`
`47`	`50`	`}`