Query Details

AWS Cloud Trail AWS IAM User Password Modified

Query

AWSCloudTrail
// Console password (login profile) created, changed, or removed for an IAM user
| where EventName in ("CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile")
// RequestParameters is a JSON string; the affected IAM user is its userName value
| extend UserName = tostring(todynamic(RequestParameters)["userName"])
// Enrich with identity columns such as ActorRole via the AWSIdentityRole function (defined outside this query)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves IAM login-profile events from the AWSCloudTrail table and projects a set of columns for analysis. The events of interest are "CreateLoginProfile", "UpdateLoginProfile", and "DeleteLoginProfile", which CloudTrail records when an IAM user's console password is created, changed, or deleted. The query also adds a UserName column by parsing the JSON in the RequestParameters field and reading its userName value, so the IAM user whose password was modified appears alongside the identity that made the call. Additionally, it invokes the AWSIdentityRole function. The projected columns include TimeGenerated, UserIdentityType, Identity, ActorRole, UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName, SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress, EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly, ErrorCode, ErrorMessage, UserName, RequestParameters, ResponseElements, Resources, SessionMfaAuthenticated, UserAgent, and AwsEventId.
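The same detection logic applied outside Sentinel, as an added example that is not part of the original query page: it runs over constructed CloudTrail records in their raw JSON shape (account IDs, ARNs, IPs and names are placeholders), filters the three login-profile events, parses requestParameters the way todynamic() does in KQL, and tags each hit with the triage signals a reviewer would look at first: a failed call (ErrorCode present), a call that targets a different IAM user than the caller, and a session without MFA. The function and field names are this example's own, not the site's or AWS's.

```python
import json
from typing import Any, Iterable

# CloudTrail event names that create, change, or remove an IAM user's console
# password (the "login profile"); the same set the KQL query filters on.
LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile"}


def _parse_params(raw: Any) -> dict:
    """Mirror KQL todynamic(): requestParameters may be a JSON string or an object."""
    if raw is None:
        return {}
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return {}
    return raw


def _actor(user_identity: dict) -> str:
    """Best-effort name of the principal that made the call."""
    return (user_identity.get("userName") or user_identity.get("arn")
            or user_identity.get("type", "unknown"))


def _mfa_authenticated(user_identity: dict) -> bool:
    """CloudTrail stores mfaAuthenticated as the string "true"/"false"; absent means no MFA."""
    attrs = user_identity.get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def login_profile_changes(events: Iterable[dict]) -> list[dict]:
    """Return one finding per login-profile event, with triage flags."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in LOGIN_PROFILE_EVENTS:
            continue
        identity = ev.get("userIdentity", {})
        params = _parse_params(ev.get("requestParameters"))
        actor = _actor(identity)
        target = params.get("userName")
        error = ev.get("errorCode")
        flags = []
        if error:
            flags.append("failed")          # denied/failed attempt is still worth seeing
        if target and target != actor:
            flags.append("other-user")      # caller changed someone else's password
        if not _mfa_authenticated(identity):
            flags.append("no-mfa")
        findings.append({
            "event_id": ev.get("eventID"),
            "time": ev.get("eventTime"),
            "event_name": ev["eventName"],
            "actor": actor,
            "target_user": target,
            "source_ip": ev.get("sourceIPAddress"),
            "error_code": error,
            "flags": flags,
        })
    return findings


# Constructed sample records (not real CloudTrail data); all values are placeholders.
SAMPLE_EVENTS = [
    {"eventID": "evt-001", "eventTime": "2024-02-12T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "alice", "passwordResetRequired": False}},
    {"eventID": "evt-002", "eventTime": "2024-02-12T09:20:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "requestParameters": {"userName": "svc-deploy", "passwordResetRequired": True}},
    {"eventID": "evt-003", "eventTime": "2024-02-12T09:31:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteLoginProfile", "sourceIPAddress": "192.0.2.55", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "dave"}},
    {"eventID": "evt-004", "eventTime": "2024-02-12T09:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"userName": "frank"}},
    # requestParameters as a JSON string, as the Sentinel RequestParameters column carries it
    {"eventID": "evt-005", "eventTime": "2024-02-12T09:45:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "IAMUser", "userName": "eve"},
     "requestParameters": '{"userName": "eve"}'},
]

if __name__ == "__main__":
    for f in login_profile_changes(SAMPLE_EVENTS):
        print(f["time"], f["event_name"], f["actor"], "->", f["target_user"], f["flags"])
```

The flags are a triage aid, not verdicts: a CreateLoginProfile on another user by an administrator is routine onboarding, but the same call without MFA from an unfamiliar source IP, or a burst of failed DeleteLoginProfile attempts, is what the ErrorCode, SessionMfaAuthenticated and SourceIpAddress columns in the query are there to surface.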

Details

Jose Sebastián Canós

Released: February 12, 2024

Tables

AWSCloudTrail

Keywords

Devices, User

Operators

where, in, extend, tostring, invoke, project