Query Details

AWS CloudTrail AWS Logging Modified

Query

// API calls that disable, reconfigure or delete logging: CloudTrail trails and
// event data stores, VPC Flow Logs, EventBridge buses/sources, and CloudWatch
// Logs groups/streams.
let event_list = dynamic([
    "DeleteFlowLogs",
    "UpdateTrail",
    "DeleteTrail",
    "StopLogging",
    "StopEventDataStoreIngestion",
    "UpdateEventDataStore",
    "DeleteEventDataStore",
    "PutEventSelectors",
    "PutInsightSelectors",
    "DeleteEventBus",
    "DeactivateEventSource",
    "DeleteLogStream",
    "DeleteLogGroup"
]);
AWSCloudTrail
// Keep only the logging-related API calls listed above.
| where EventName in (event_list)
// Enrich each record with role context (ActorRole, TargetRole,
// TargetRoleSessionName, SessionCreationDate).
| invoke AWSIdentityRole()
// Identity, source, request and error attributes for each matching event.
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves from the AWSCloudTrail table the API calls that disable, reconfigure or delete logging in an AWS account: CloudTrail trails and event data stores (for example StopLogging, DeleteTrail, PutEventSelectors), VPC Flow Logs (DeleteFlowLogs), EventBridge (DeleteEventBus, DeactivateEventSource) and CloudWatch Logs (DeleteLogGroup, DeleteLogStream). The event names are held in the "event_list" variable; the query keeps the CloudTrail records whose EventName is in that list, invokes the AWSIdentityRole() function to add role context (ActorRole, TargetRole, TargetRoleSessionName, SessionCreationDate), and then projects the identity, source, request and error attributes for each matching event. Because ErrorCode and ErrorMessage are projected rather than filtered on, both successful changes and denied attempts appear in the results.
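The same filter applied outside Sentinel to raw CloudTrail log records, as an added example that is not part of the original page: it keeps records whose eventName is in the query's event_list and flattens the fields the KQL projects. The sample log file is constructed, not real data. The AWSIdentityRole() function is not shown on the page, so parse_assumed_role() is an assumption that stands in for its TargetRole / TargetRoleSessionName output by splitting an STS assumed-role ARN.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# The same API names as the query's event_list.
EVENT_LIST = frozenset([
    "DeleteFlowLogs", "UpdateTrail", "DeleteTrail", "StopLogging",
    "StopEventDataStoreIngestion", "UpdateEventDataStore",
    "DeleteEventDataStore", "PutEventSelectors", "PutInsightSelectors",
    "DeleteEventBus", "DeactivateEventSource", "DeleteLogStream",
    "DeleteLogGroup",
])

# Constructed sample CloudTrail log file (not real data): a successful
# StopLogging by an assumed role, a denied DeleteTrail by an IAM user, and a
# read-only call that the filter must ignore.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2023-10-25T09:12:01Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userAgent": "aws-cli/2.13.0", "eventID": "11111111-aaaa-4bbb-8ccc-000000000001",
  "recipientAccountId": "123456789012", "readOnly": false,
  "requestParameters": {"name": "org-trail"},
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ops-session",
   "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/ops-session",
   "accountId": "123456789012",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventTime": "2023-10-25T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.20",
  "userAgent": "console.amazonaws.com", "eventID": "11111111-aaaa-4bbb-8ccc-000000000002",
  "recipientAccountId": "123456789012", "readOnly": false,
  "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
  "requestParameters": {"name": "org-trail"},
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
   "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"}},
 {"eventTime": "2023-10-25T09:16:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.20",
  "userAgent": "console.amazonaws.com", "eventID": "11111111-aaaa-4bbb-8ccc-000000000003",
  "recipientAccountId": "123456789012", "readOnly": true,
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
   "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"}}
]}"""


def parse_assumed_role(arn: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (role name, session name) from an STS assumed-role ARN.

    Assumption: this stands in for what the page's AWSIdentityRole() function
    supplies as TargetRole / TargetRoleSessionName; the real function is not
    shown on the page. Any other ARN shape yields (None, None).
    """
    if not arn:
        return None, None
    # Layout: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None, None
    segs = parts[5].split("/", 2)
    if len(segs) != 3 or segs[0] != "assumed-role":
        return None, None
    return segs[1], segs[2]


def load_records(log_text: str) -> List[Dict[str, Any]]:
    """Parse a CloudTrail log file; its top-level object holds a Records array."""
    return json.loads(log_text)["Records"]


def logging_modified_events(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Mirror the query: keep eventName in EVENT_LIST, then flatten the
    identity, role, source and error fields the KQL projects."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in EVENT_LIST:
            continue
        ident = rec.get("userIdentity", {})
        role, session = parse_assumed_role(ident.get("arn"))
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        hits.append({
            "TimeGenerated": rec.get("eventTime"),
            "UserIdentityType": ident.get("type"),
            "TargetRole": role,
            "TargetRoleSessionName": session,
            "UserIdentityAccountId": ident.get("accountId"),
            "RecipientAccountId": rec.get("recipientAccountId"),
            "UserIdentityPrincipalid": ident.get("principalId"),
            "UserIdentityArn": ident.get("arn"),
            "SourceIpAddress": rec.get("sourceIPAddress"),
            "EventSource": rec.get("eventSource"),
            "EventName": rec.get("eventName"),
            # Absent on success; set (e.g. AccessDenied) on a refused attempt.
            "ErrorCode": rec.get("errorCode"),
            "ErrorMessage": rec.get("errorMessage"),
            "RequestParameters": rec.get("requestParameters"),
            "SessionMfaAuthenticated": mfa,
            "UserAgent": rec.get("userAgent"),
            "AwsEventId": rec.get("eventID"),
        })
    return hits


if __name__ == "__main__":
    for hit in logging_modified_events(load_records(SAMPLE_LOG)):
        print(hit["TimeGenerated"], hit["EventName"], hit["UserIdentityArn"],
              hit["ErrorCode"] or "Success")
```

Like the KQL, the filter does not drop records that carry an errorCode, so a denied DeleteTrail surfaces next to a successful StopLogging; triage can then split the two on the ErrorCode field and weigh the SessionMfaAuthenticated value for the session that made the change.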

Details


Jose Sebastián Canós

Released: October 25, 2023

Tables

AWSCloudTrail

Keywords

Devices, Intune, User

Operators

where, in, invoke, project
