Query Details

AWS CloudTrail AWS GuardDuty Configuration Modified

Query

// GuardDuty API calls that change or weaken detection configuration
// (detector, filters, IP / threat-intel sets, publishing destination, member and organization settings)
let event_list = dynamic([
    "CreateIPSet",
    "UpdateIPSet",
    "UpdatePublishingDestination",
    "DeletePublishingDestination",
    "UpdateThreatIntelSet",
    "DeleteThreatIntelSet",
    "UpdateDetector",
    "DeleteDetector",
    "UpdateFilter",
    "DeleteFilter",
    "StopMonitoringMembers",
    "UpdateMemberDetectors",
    "DisassociateMembers",
    "DeleteMembers",
    "UpdateOrganizationConfiguration",
    "DisableOrganizationAdminAccount",
    "UpdateMalwareScanSettings"
]);
AWSCloudTrail
| where EventName in (event_list)
// Note: CreateIPSet / UpdateIPSet are also AWS WAF API names; add
// '| where EventSource == "guardduty.amazonaws.com"' to restrict matches to GuardDuty
// Enrich each event with role attribution columns (ActorRole, TargetRole, TargetRoleSessionName)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query selects AWS CloudTrail events whose EventName is in a predefined list of GuardDuty configuration-changing API calls (detector, filter, IP set, threat intel set, publishing destination, member and organization settings). It then invokes the AWSIdentityRole() function to enrich each event with role attribution columns (ActorRole, TargetRole, TargetRoleSessionName) and projects the fields needed for triage: the calling identity, source IP address, MFA status, error code, and request and response parameters. Because these API calls can disable or blind GuardDuty detection, every match warrants review, including failed attempts that carry an ErrorCode.
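The same filter-enrich-project pipeline, re-implemented offline in Python over constructed CloudTrail-shaped records (an added example, not code from the query's author or from Microsoft Sentinel). It goes one step beyond the KQL by also pinning eventSource to guardduty.amazonaws.com, since AWS WAF shares the CreateIPSet / UpdateIPSet names; the assumed-role ARN parsing stands in for the AWSIdentityRole() enrichment and assumes the standard ARN shape.

```python
# Same GuardDuty configuration-changing API calls as the query's event_list.
GUARDDUTY_CONFIG_EVENTS = {
    "CreateIPSet", "UpdateIPSet", "UpdatePublishingDestination", "DeletePublishingDestination",
    "UpdateThreatIntelSet", "DeleteThreatIntelSet", "UpdateDetector", "DeleteDetector",
    "UpdateFilter", "DeleteFilter", "StopMonitoringMembers", "UpdateMemberDetectors",
    "DisassociateMembers", "DeleteMembers", "UpdateOrganizationConfiguration",
    "DisableOrganizationAdminAccount", "UpdateMalwareScanSettings",
}
GUARDDUTY_SOURCE = "guardduty.amazonaws.com"

def _record(source, name, arn, mfa="true", error=None, params=None):
    # Builds a constructed CloudTrail-shaped record (sample data, not real logs).
    return {"eventSource": source, "eventName": name, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole", "arn": arn, "accountId": "111111111111",
                             "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
            "errorCode": error, "requestParameters": params or {}}

# Constructed samples: GuardDuty change without MFA, WAF look-alike name, read-only call, denied change.
SAMPLE_RECORDS = [
    _record(GUARDDUTY_SOURCE, "UpdateDetector", "arn:aws:sts::111111111111:assumed-role/SecOpsAdmin/alice",
            mfa="false", params={"detectorId": "EXAMPLE-DETECTOR-ID", "enable": False}),
    _record("wafv2.amazonaws.com", "UpdateIPSet", "arn:aws:sts::111111111111:assumed-role/WafOps/bob"),
    _record(GUARDDUTY_SOURCE, "ListDetectors", "arn:aws:sts::111111111111:assumed-role/Auditor/carol"),
    _record(GUARDDUTY_SOURCE, "DeleteMembers", "arn:aws:sts::111111111111:assumed-role/DevRole/dave",
            error="AccessDenied"),
]

def actor_role(user_identity):
    # (role, session) from an assumed-role ARN, standing in for the query's AWSIdentityRole()
    # enrichment; assumed ARN shape: arn:aws:sts::<account>:assumed-role/<Role>/<Session>
    if user_identity.get("type") != "AssumedRole":
        return None, None
    parts = user_identity.get("arn", "").split("/")
    return (parts[1], parts[2]) if len(parts) >= 3 else (None, None)

def find_guardduty_changes(records):
    """Keep GuardDuty configuration changes and project the fields an analyst triages."""
    findings = []
    for rec in records:
        # Beyond the KQL: WAF also has CreateIPSet/UpdateIPSet, so pin the event source too.
        if rec.get("eventSource") != GUARDDUTY_SOURCE or rec.get("eventName") not in GUARDDUTY_CONFIG_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        role, session = actor_role(identity)
        attrs = identity.get("sessionContext", {}).get("attributes", {})
        findings.append({
            "EventName": rec["eventName"], "ActorRole": role, "TargetRoleSessionName": session,
            "SourceIpAddress": rec.get("sourceIPAddress"), "SessionMfaAuthenticated": attrs.get("mfaAuthenticated") == "true",
            "ErrorCode": rec.get("errorCode"), "RequestParameters": rec.get("requestParameters", {}),
        })  # denied attempts are kept, as in the query: they still warrant triage
    return findings
```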

Details


Jose Sebastián Canós

Released: October 25, 2023

Tables

AWSCloudTrail

Keywords

EventName,AWSCloudTrail,TimeGenerated,UserIdentityType,Identity,ActorRole,TargetRole,TargetRoleSessionName,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, in, invoke, project
