Query Details

AWS Cloud Trail AWS User MFA Modified

Query

AWSCloudTrail
| where EventName in ("CreateVirtualMFADevice", "EnableMFADevice", "DeleteVirtualMFADevice", "DeactivateMFADevice")
| extend
    UserName = tostring(todynamic(RequestParameters)["userName"]),
    Device = tostring(todynamic(RequestParameters)["serialNumber"])
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    Device,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves MFA-related events from the AWSCloudTrail table. It filters for the events that create or delete a virtual MFA device (CreateVirtualMFADevice, DeleteVirtualMFADevice) and those that enable or deactivate an MFA device for an IAM user (EnableMFADevice, DeactivateMFADevice). It then parses the RequestParameters JSON with todynamic to extract the target user name (userName) and the device serial number (serialNumber). The query also invokes the AWSIdentityRole function, which supplies the ActorRole column, and projects the relevant fields from the logs, including the time generated, user identity information, event details, error codes, and the extracted user name and device. Because ErrorCode is projected rather than filtered on, denied attempts to change a user's MFA remain visible alongside successful changes.
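The query's filter and field extraction, applied to CloudTrail records in Python as an added example (not code from the original page) over constructed sample rows; it goes beyond the query by marking failed calls (ErrorCode set) and the two events that weaken MFA, and it leaves out the AWSIdentityRole() enrichment, whose definition is not on this page.

```python
import json

# Same EventName set the KQL query filters on.
MFA_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice",
              "DeleteVirtualMFADevice", "DeactivateMFADevice"}
# The two events that remove or disable a second factor.
MFA_WEAKENING = {"DeleteVirtualMFADevice", "DeactivateMFADevice"}

def mfa_changes(records):
    """Apply the query's where/extend/project steps to AWSCloudTrail-shaped rows.
    RequestParameters is a JSON string, so json.loads stands in for todynamic();
    missing or unparseable parameters yield empty UserName/Device."""
    out = []
    for r in records:
        if r.get("EventName") not in MFA_EVENTS:
            continue
        try:
            params = json.loads(r.get("RequestParameters") or "{}")
        except json.JSONDecodeError:
            params = {}
        out.append({
            "TimeGenerated": r.get("TimeGenerated"),
            "EventName": r["EventName"],
            "UserName": str(params.get("userName", "")),
            "Device": str(params.get("serialNumber", "")),
            "UserIdentityArn": r.get("UserIdentityArn"),
            "SourceIpAddress": r.get("SourceIpAddress"),
            "ErrorCode": r.get("ErrorCode") or "",
            # Added beyond the query: failed calls and MFA-weakening events stand out.
            "Succeeded": not r.get("ErrorCode"),
            "Severity": "high" if r["EventName"] in MFA_WEAKENING else "info",
        })
    return out

# Constructed sample rows (not real log data); 111111111111 is a placeholder account id.
SAMPLE = [
    {"TimeGenerated": "2024-02-15T10:00:00Z", "EventName": "EnableMFADevice",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/alice", "SourceIpAddress": "203.0.113.10",
     "RequestParameters": '{"userName": "alice", "serialNumber": "arn:aws:iam::111111111111:mfa/alice"}',
     "ErrorCode": ""},
    {"TimeGenerated": "2024-02-15T11:30:00Z", "EventName": "DeactivateMFADevice",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/bob", "SourceIpAddress": "198.51.100.7",
     "RequestParameters": '{"userName": "alice", "serialNumber": "arn:aws:iam::111111111111:mfa/alice"}',
     "ErrorCode": "AccessDenied"},
    {"TimeGenerated": "2024-02-15T12:00:00Z", "EventName": "ConsoleLogin",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/alice", "SourceIpAddress": "203.0.113.10",
     "RequestParameters": None, "ErrorCode": ""},
]
```

Calling mfa_changes(SAMPLE) returns two rows: the successful EnableMFADevice for alice and bob's denied DeactivateMFADevice against alice's device, while the ConsoleLogin row is dropped by the event filter.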

Details


Jose Sebastián Canós

Released: February 15, 2024

Tables

AWSCloudTrail

Keywords

Devices, User

Operators

AWSCloudTrail, where, in, extend, tostring, invoke, project
