# Log Type Definition
```sql
-- Column layout for CloudTrail records. The nested STRUCTs follow the nesting
-- of the JSON record: sessioncontext is a member of useridentity, and
-- resources is an array of structs.
-- Every scalar, including eventtime and readonly, is declared STRING, so
-- filters on those columns compare text.
-- NOTE(review): the statement names no SerDe and no LOCATION; treat it as the
-- column definition only.
CREATE EXTERNAL TABLE cloudtrail_logs (
    eventversion STRING,
    useridentity STRUCT<
        type:STRING,
        principalid:STRING,
        arn:STRING,
        accountid:STRING,
        invokedby:STRING,
        accesskeyid:STRING,
        userName:STRING,
        sessioncontext:STRUCT<
            attributes:STRUCT<
                mfaauthenticated:STRING,
                creationdate:STRING>,
            sessionissuer:STRUCT<
                type:STRING,
                principalId:STRING,
                arn:STRING,
                accountId:STRING,
                userName:STRING>>>,
    eventtime STRING,
    eventsource STRING,
    eventname STRING,
    awsregion STRING,
    sourceipaddress STRING,
    useragent STRING,
    errorcode STRING,
    errormessage STRING,
    requestparameters STRING,
    responseelements STRING,
    additionaleventdata STRING,
    requestid STRING,
    eventid STRING,
    resources ARRAY<STRUCT<
        ARN:STRING,
        accountId:STRING,
        type:STRING>>,
    eventtype STRING,
    apiversion STRING,
    readonly STRING,
    recipientaccountid STRING,
    serviceeventdetails STRING,
    sharedeventid STRING,
    vpcendpointid STRING
);
```

In [1]:
from dataclasses import dataclass

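@dataclass
class userIdentity:
    """Identity that made the request: the ``useridentity`` struct of the table definition.

    The table definition nests ``sessioncontext`` inside ``useridentity``, so
    the session details are carried here as an optional trailing field. It
    defaults to ``None``, which keeps construction with the first seven fields
    working unchanged.
    """
    type: str
    principalid: str
    arn: str
    accountid: str
    invokedby: str
    accesskeyid: str
    userName: str
    # Quoted annotation: the sessioncontext class is defined further down, and
    # an unquoted name would be shadowed by this field's own default value.
    sessioncontext: "sessioncontext | None" = None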

@dataclass
class attributes:
    """Session attributes: the ``attributes`` struct inside ``sessioncontext``."""
    # Both members are kept as text, matching the STRING members in the table definition.
    mfaauthenticated: str
    creationdate: str

@dataclass
class sessionissuer:
    """Issuer of the session: the ``sessionissuer`` struct inside ``sessioncontext``."""
    # Field names keep the mixed casing used in the table definition.
    type: str
    principalId: str
    arn: str
    accountId: str
    userName: str


@dataclass
class sessioncontext:
    """Session details: pairs the session ``attributes`` with its ``sessionissuer``."""
    # The table definition declares this struct as a member of useridentity.
    attributes: attributes
    sessionissuer: sessionissuer

@dataclass
class resources:
    """One element of the ``resources`` array in the table definition."""
    # ARN is upper-case here, as in the table definition.
    ARN: str
    accountId: str
    type: str

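@dataclass
class CloudtrailLog:
    """One CloudTrail record, field for field with the table definition.

    Every scalar is typed ``str``, mirroring the STRING columns of the table
    definition. Field order is unchanged, so positional construction keeps
    working.
    """
    eventversion: str
    useridentity: userIdentity
    # NOTE(review): the table definition nests sessioncontext inside
    # useridentity; it is declared here as a top-level field and is left in
    # place so the constructor signature does not change.
    sessioncontext: sessioncontext
    eventtime: str
    eventsource: str
    eventname: str
    awsregion: str
    sourceipaddress: str
    useragent: str
    errorcode: str
    errormessage: str
    requestparameters: str
    responseelements: str
    additionaleventdata: str
    requestid: str
    eventid: str
    # A list of resources entries. The original annotation ``[resources]`` was
    # a list literal, not a type.
    resources: list[resources]
    eventtype: str
    apiversion: str
    readonly: str
    recipientaccountid: str
    serviceeventdetails: str
    sharedeventid: str
    vpcendpointid: str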

In [1]:
import polars as pl

In [5]:
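# Dtypes-Schema for polars.
# Keys are matched against the JSON record by exact, case-sensitive name. A
# declared key that no record carries is filled with nulls instead of raising,
# so a misspelled or misplaced key silently loses that field. The names below
# follow the CloudTrail record: "accessKeyId", "ARN" inside resources, and
# sessionContext nested inside userIdentity (as in the table definition).
# These are the fields that tie an event to a credential, a session and a
# resource, so they must not come back empty.
cloudtrails_log_schema = {
    "eventVersion": pl.Utf8,
    "userIdentity": pl.Struct({
        "type": pl.Utf8,
        "principalId": pl.Utf8,
        "arn": pl.Utf8,
        "accountId": pl.Utf8,
        "invokedBy": pl.Utf8,
        "accessKeyId": pl.Utf8,
        "userName": pl.Utf8,
        # The record has no top-level "sessionContext" key; declared there it
        # parses as an all-null struct.
        "sessionContext": pl.Struct({
            "attributes": pl.Struct({
                "mfaAuthenticated": pl.Utf8,
                "creationDate": pl.Utf8,
            }),
            "sessionIssuer": pl.Struct({
                "type": pl.Utf8,
                "principalId": pl.Utf8,
                "arn": pl.Utf8,
                "accountId": pl.Utf8,
                "userName": pl.Utf8,
            }),
        }),
    }),
    "eventTime": pl.Utf8,
    "eventSource": pl.Utf8,
    "eventName": pl.Utf8,
    "awsRegion": pl.Utf8,
    "sourceIPAddress": pl.Utf8,
    "userAgent": pl.Utf8,
    "errorCode": pl.Utf8,
    "errorMessage": pl.Utf8,
    "requestParameters": pl.Utf8,
    "responseElements": pl.Utf8,
    "additionalEventData": pl.Utf8,
    "requestID": pl.Utf8,
    "eventID": pl.Utf8,
    "resources": pl.List(pl.Struct({
        "ARN": pl.Utf8,
        "accountId": pl.Utf8,
        "type": pl.Utf8,
    })),
    "eventType": pl.Utf8,
    "apiVersion": pl.Utf8,
    "readOnly": pl.Utf8,
    "recipientAccountId": pl.Utf8,
    "serviceEventDetails": pl.Utf8,
    "sharedEventId": pl.Utf8,
    "vpcEndpointId": pl.Utf8,
}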

In [11]:
# Load the newline-delimited export with the explicit dtypes from
# cloudtrails_log_schema instead of leaving them to inference.
dlp = pl.read_ndjson(
    "../data/raw/flaws_cloudtrail00.ndjson",
    schema=cloudtrails_log_schema,
)

In [12]:
# Display the parsed frame. A struct whose members are null on every row
# suggests a schema key that did not match the records.
dlp

eventVersion,userIdentity,sessionContext,eventTime,eventSource,eventName,awsRegion,sourceIPAddress,userAgent,errorCode,errorMessage,requestParameters,responseElements,additionalEventData,requestID,eventID,resources,eventType,apiVersion,readOnly,recipientAccountId,serviceEventDetails,sharedEventId,vpcEndpointId
str,struct[7],struct[2],str,str,str,str,str,str,str,str,str,str,str,str,str,list[null],str,str,str,str,str,str,str
"""1.04""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""s3.amazonaws.c…","""ListBuckets""","""us-east-1""","""255.253.125.11…","""[S3Console/0.4…",,,,,,"""83A6C73FE87F51…","""3038ebd2-c98a-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""GetAccountPass…","""us-east-1""","""255.253.125.11…","""console.amazon…","""NoSuchEntityEx…","""The Password P…",,,,"""b833be53-f15d-…","""22a0d9b1-deea-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""GetAccountSumm…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b110697b2-f15d…","""9facf7ca-cb76-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""ListAccountAli…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b8382b24-f15d-…","""6596d3b4-7c98-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""ListMFADevices…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b567111c6-f15d…","""9f9d038c-e5a5-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""ListAccessKeys…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b83d3435-f15d-…","""4babc3a3-77b1-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""ListAccessKeys…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b80f4627-f15d-…","""c2f959326-973c…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""GetAccountPass…","""us-east-1""","""255.253.125.11…","""console.amazon…","""NoSuchEntityEx…","""The Password P…",,,,"""b8077df5-f15d-…","""eec27e8a-b750-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""GetAccountSumm…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b7faacb4-f15d-…","""30f077e5-6c11-…",,"""AwsApiCall""",,,"""811596193553""",,,
"""1.02""","{""Root"",""811596193553"",""arn:aws:iam::811596193553:root"",""811596193553"",null,null,null}","{{null,null},{null,null,null,null,null}}","""2017-02-12T19:…","""iam.amazonaws.…","""ListAccountAli…","""us-east-1""","""255.253.125.11…","""console.amazon…",,,,,,"""b80b0066-f15d-…","""dc97bcac-91e6-…",,"""AwsApiCall""",,,"""811596193553""",,,
