Query Details

AWS Cloud Trail AWS Logging Modified

Query

let event_list = dynamic([
    "DeleteFlowLogs",
    "UpdateTrail",
    "DeleteTrail",
    "StopLogging",
    "StopEventDataStoreIngestion",
    "UpdateEventDataStore",
    "DeleteEventDataStore",
    "PutEventSelectors",
    "PutInsightSelectors",
    "DeleteEventBus",
    "DeactivateEventSource",
    "DeleteArchive",
    "DeleteLogStream",
    "DeleteLogGroup",
    "DeleteLoggingConfiguration"
]);
AWSCloudTrail
| where EventName in (event_list)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs for specific security-related events. Here's a simple breakdown of what the query does:

  1. Define a List of Events: It starts by creating a list of specific AWS CloudTrail event names that are of interest. These events are related to actions that could potentially impact security, such as deleting logs, stopping logging, or modifying event data stores.

  2. Filter CloudTrail Logs: The query then filters the AWSCloudTrail logs to only include entries where the event name matches one of the events in the predefined list.

  3. Invoke Role Information: It uses the invoke AWSIdentityRole() function to enrich the data with information about the AWS Identity and Access Management (IAM) role associated with each event.

  4. Select Specific Fields: Finally, it projects (selects) a set of fields from the filtered and enriched log data. These fields include details about the event, such as the time it was generated, user identity information, account details, the AWS region, source IP address, event source, event type, whether the event was read-only, any error codes or messages, request parameters, response elements, resources involved, and user agent information.

In summary, this query is used to monitor and investigate specific security-related actions within AWS by analyzing CloudTrail logs for potentially sensitive operations.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

letdynamicininvokeprojectwhere

Actions

GitHub