turbot/tailpipe-mod-apache-access-log-detections

Query: hidden_file_access

Usage

powerpipe query apache_access_log_detections.query.hidden_file_access

Tailpipe Tables

SQL

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Common hidden files and directories
    request_uri ilike '%/.git/%'
    or request_uri ilike '%/.svn/%'
    or request_uri ilike '%/.DS_Store%'
    or request_uri ilike '%/.htpasswd%'
    or request_uri ilike '%/.npmrc%'
    or request_uri ilike '%/.env%'
    or request_uri ilike '%/.aws/%'
    or request_uri ilike '%/.ssh/%'
    or request_uri ilike '%/.bash_history%'
    or request_uri ilike '%/.htaccess%'
    or request_uri ilike '%/.config/%'
    or request_uri ilike '%/.vscode/%'
    or request_uri ilike '%/.idea/%'
    -- Docker/Kubernetes files
    or request_uri ilike '%/docker-compose%'
    or request_uri ilike '%/Dockerfile%'
    or request_uri ilike '%/kubernetes/%'
    or request_uri ilike '%/kubeconfig%'
  )
order by
  tp_timestamp desc;

Detections

The query is being used by the following detections: