AWS Cloud Trail AWS SAML Update Identity
Query
AWSCloudTrail
| where EventName in ("CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider") and isempty(ErrorCode) and isempty(ErrorMessage)
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs for specific events related to SAML providers. Here's a simple summary of what the query does:
-
Filter Events: It looks for events where a SAML provider is created, updated, or deleted. Specifically, it checks for the event names "CreateSAMLProvider," "UpdateSAMLProvider," and "DeleteSAMLProvider."
-
Error Check: It ensures that these events do not have any associated errors by checking that both the
ErrorCodeandErrorMessagefields are empty. -
Invoke Function: The query uses the
invoke AWSIdentityRole()function, which likely enriches the data with additional identity-related information. -
Select Fields: It selects a wide range of fields to display from the filtered events, including details about the time of the event, user identity, roles, account information, AWS region, event source and type, network details, and more.
Overall, this query is used to monitor and review successful SAML provider management activities in AWS, providing detailed context about each event without any errors.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators