Query Details

AWS Cloud Trail AWS SAML Update Identity

Query

AWSCloudTrail
| where EventName in ("CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider") and isempty(ErrorCode) and isempty(ErrorMessage)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query filters events from the AWSCloudTrail table where the event name is "CreateSAMLProvider", "UpdateSAMLProvider", or "DeleteSAMLProvider". It excludes events that have an error code or error message, so only calls that completed without error remain. The query then invokes the AWSIdentityRole function and projects specific fields, such as the time generated, user identity information, session details, event source, error code and message, request and response parameters, and other relevant information.
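To check the filter logic without live data, the following added example (not part of the original query) labels each row of a constructed sample table with the reason the filter keeps or drops it. The rows, ARNs, IP addresses, and the `FilterResult` column are assumptions made for illustration, and the `AWSIdentityRole()` step is left out because its definition is not shown on this page.

```kql
// Constructed sample rows (not real telemetry), using a few AWSCloudTrail column names.
let SampleCloudTrail = datatable(
    TimeGenerated: datetime,
    EventName: string,
    ErrorCode: string,
    ErrorMessage: string,
    UserIdentityArn: string,
    SourceIpAddress: string
)
[
    // Successful change: the page's filter keeps this row.
    datetime(2023-12-07 10:00:00), "UpdateSAMLProvider", "", "",
        "arn:aws:iam::111111111111:user/example-admin", "198.51.100.10",
    // Denied attempt: ErrorCode is populated, so the filter drops it.
    datetime(2023-12-07 10:05:00), "CreateSAMLProvider", "AccessDenied", "Constructed error text",
        "arn:aws:iam::111111111111:user/example-dev", "198.51.100.20",
    // Successful delete: kept.
    datetime(2023-12-07 10:10:00), "DeleteSAMLProvider", "", "",
        "arn:aws:iam::111111111111:user/example-admin", "198.51.100.10",
    // Read-only listing: not one of the three event names, so dropped.
    datetime(2023-12-07 10:15:00), "ListSAMLProviders", "", "",
        "arn:aws:iam::111111111111:user/example-dev", "198.51.100.20"
];
let SamlChangeEvents = dynamic(["CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider"]);
SampleCloudTrail
// Same two conditions as the where clause above, expressed as a label per row.
| extend FilterResult = case(
    EventName !in (SamlChangeEvents), "dropped: not a SAML provider change",
    isnotempty(ErrorCode) or isnotempty(ErrorMessage), "dropped: call returned an error",
    "kept")
| project TimeGenerated, EventName, ErrorCode, UserIdentityArn, SourceIpAddress, FilterResult
| order by TimeGenerated asc
```

Rows labelled as dropped because the call returned an error are failed attempts to change a SAML provider, which the query above does not surface.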

Details

Jose Sebastián Canós

Released: December 7, 2023

Tables

AWSCloudTrail

Keywords

Devices,Intune,User

Operators

where, in, and, isempty, invoke, project