Query Details

AWS Cloud Trail AWS SAML Update Identity

Query

AWSCloudTrail
| where EventName in ("CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider") and isempty(ErrorCode) and isempty(ErrorMessage)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs for specific events related to SAML providers. Here's a simple summary of what the query does:

  1. Filter Events: It looks for events where a SAML provider is created, updated, or deleted. Specifically, it checks for the event names "CreateSAMLProvider," "UpdateSAMLProvider," and "DeleteSAMLProvider."

  2. Error Check: It ensures that these events do not have any associated errors by checking that both the ErrorCode and ErrorMessage fields are empty.

  3. Invoke Function: The query uses the invoke AWSIdentityRole() function, which likely enriches the data with additional identity-related information.

  4. Select Fields: It selects a wide range of fields to display from the filtered events, including details about the time of the event, user identity, roles, account information, AWS region, event source and type, network details, and more.

Overall, this query is used to monitor and review successful SAML provider management activities in AWS, providing detailed context about each event without any errors.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameErrorCodeErrorMessageTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

whereinisemptyandinvokeproject

Actions

GitHub