Query Details

AWS Cloud Trail AWS Admin Emergency Access Token

Query

AWSCloudTrail
| where EventName contains "EmergencyAccessToken" //EventName == "AdminGetEmergencyAccessToken"
| project
    TimeGenerated,
    UserIdentityAccountId,
    UserIdentityUserName,
    UserIdentityArn,
    SourceIpAddress,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    SessionCreationDate,
    SessionMfaAuthenticated,
    UserAgent,
    RequestParameters,
    AwsEventId,
    AwsRequestId_

Explanation

This query searches AWS CloudTrail logs for events whose event name contains "EmergencyAccessToken" (the commented-out alternative in the query matches the exact event name "AdminGetEmergencyAccessToken"). For each matching event it projects the following fields: the time the event was generated; the account ID and username of the caller; the caller's Amazon Resource Name (ARN); the source IP address; the event type and event name; whether it was a management event; whether it was read-only; any error code; the session creation date; whether the session was authenticated with multi-factor authentication (MFA); the user agent; the request parameters; the AWS event ID; and the AWS request ID.
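To test the detection offline, here is an added Python example (not part of the original query page) that replays the same filter over constructed raw CloudTrail JSON records and maps the raw CloudTrail field names to the AWSCloudTrail column names the query projects. The sample events, account ID, user names and IDs are all constructed; the event name "AdminGetEmergencyAccessToken" is taken from the query's own comment.

```python
# Constructed sample events, not real CloudTrail data. The eventName value
# "AdminGetEmergencyAccessToken" is the one the query's comment mentions.
SAMPLE_RECORDS = [
    {"eventTime": "2023-08-04T10:15:00Z", "eventName": "AdminGetEmergencyAccessToken",
     "eventType": "AwsApiCall", "managementEvent": True, "readOnly": False,
     "userIdentity": {"accountId": "111111111111", "userName": "breakglass-admin",
                      "arn": "arn:aws:iam::111111111111:user/breakglass-admin",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                                        "creationDate": "2023-08-04T10:14:00Z"}}},
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.13.0",
     "requestParameters": {"durationSeconds": 3600}, "eventID": "evt-0001", "requestID": "req-0001"},
    {"eventTime": "2023-08-04T11:02:00Z", "eventName": "AdminGetEmergencyAccessToken",
     "eventType": "AwsApiCall", "managementEvent": True, "readOnly": False, "errorCode": "AccessDenied",
     "userIdentity": {"accountId": "111111111111", "userName": "dev-user",
                      "arn": "arn:aws:iam::111111111111:user/dev-user",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                        "creationDate": "2023-08-04T09:00:00Z"}}},
     "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com",
     "requestParameters": None, "eventID": "evt-0002", "requestID": "req-0002"},
    {"eventTime": "2023-08-04T11:05:00Z", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "managementEvent": True, "readOnly": True, "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accountId": "111111111111", "userName": "dev-user",
                      "arn": "arn:aws:iam::111111111111:user/dev-user"},
     "userAgent": "console.amazonaws.com", "eventID": "evt-0003", "requestID": "req-0003"},
]


def to_sentinel_row(rec):
    """Project one raw CloudTrail record onto the columns the KQL query selects."""
    ident = rec.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "TimeGenerated": rec.get("eventTime"), "UserIdentityAccountId": ident.get("accountId"),
        "UserIdentityUserName": ident.get("userName"), "UserIdentityArn": ident.get("arn"),
        "SourceIpAddress": rec.get("sourceIPAddress"), "EventTypeName": rec.get("eventType"),
        "EventName": rec.get("eventName"), "ManagementEvent": rec.get("managementEvent"),
        "ReadOnly": rec.get("readOnly"), "ErrorCode": rec.get("errorCode"),  # absent on success
        "SessionCreationDate": attrs.get("creationDate"),
        # CloudTrail stores mfaAuthenticated as the string "true"/"false"
        "SessionMfaAuthenticated": attrs.get("mfaAuthenticated") == "true",
        "UserAgent": rec.get("userAgent"), "RequestParameters": rec.get("requestParameters"),
        "AwsEventId": rec.get("eventID"), "AwsRequestId_": rec.get("requestID"),
    }


def find_emergency_access_events(records, needle="EmergencyAccessToken"):
    """Same test as `where EventName contains ...`; KQL contains is case-insensitive."""
    return [to_sentinel_row(r) for r in records
            if needle.lower() in (r.get("eventName") or "").lower()]
```

Running it over the three constructed records returns the two emergency-access calls (one without MFA, one denied) and drops the unrelated ListBuckets call.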

Details

Jose Sebastián Canós

Released: August 4, 2023

Tables

AWSCloudTrail

Keywords

AWSCloudTrail, EventName, EmergencyAccessToken, TimeGenerated, UserIdentityAccountId, UserIdentityUserName, UserIdentityArn, SourceIpAddress, EventTypeName, ManagementEvent, ReadOnly, ErrorCode, SessionCreationDate, SessionMfaAuthenticated, UserAgent, RequestParameters, AwsEventId, AwsRequestId
