Query Details

AWS Cloud Trail AWS IAM User Password Modified

Query

AWSCloudTrail
| where EventName in ("CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile")
| extend UserName = tostring(todynamic(RequestParameters)["userName"])
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query is designed to analyze AWS CloudTrail logs specifically for events related to managing login profiles. Here's a simplified breakdown of what it does:

  1. Filter Events: It looks for events where the action is either creating, updating, or deleting a login profile. These actions are identified by the event names "CreateLoginProfile", "UpdateLoginProfile", and "DeleteLoginProfile".

  2. Extract UserName: It extracts the userName from the RequestParameters field and assigns it to a new column called UserName.

  3. Invoke AWSIdentityRole: This part of the query likely enriches the data with additional identity-related information, although the exact details depend on the implementation of AWSIdentityRole().

  4. Select Specific Columns: Finally, it selects a variety of columns to be included in the output. These columns provide detailed information about each event, such as the time it was generated, the identity of the user who initiated the event, the AWS region, the source IP address, and other relevant details.

Overall, this query helps in auditing and monitoring changes to login profiles in AWS by providing detailed insights into who made the changes, when, and from where.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventNameUserNameUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

AWSCloudTrailwhereinextendtostringtodynamicinvokeAWSIdentityRoleproject

Actions

GitHub