Query Details

AWS CloudTrail AWS Suspicious Command EC2

Query

// SSM calls are taken from the last day; the PutObject lookback (and the intended run cadence) is one hour.
let query_period = 1d;
let query_frequency = 1h;
AWSCloudTrail
| where TimeGenerated > ago(query_period)
// SSM Run Command and State Manager association calls that can direct command output to an S3 bucket.
| where EventName in ("SendCommand", "CreateAssociation", "UpdateAssociation", "CreateAssociationBatch")
| extend DynamicRequestParameters = todynamic(RequestParameters)
// CreateAssociationBatch carries one request per element of Entries. For the other calls the property bag
// itself is expanded, one row per top-level key; only the row holding the output location survives the
// isnotempty filter below.
| mv-expand DynamicRequestParameter = iff(EventName == "CreateAssociationBatch", DynamicRequestParameters["Entries"], DynamicRequestParameters)
// SendCommand names the bucket directly; the association calls nest it under OutputLocation.S3Location.
| extend OutputS3BucketName = case(
    EventName == "SendCommand", tostring(DynamicRequestParameter["OutputS3BucketName"]),
    EventName in ("CreateAssociation", "UpdateAssociation", "CreateAssociationBatch"), tostring(DynamicRequestParameter["OutputLocation"]["S3Location"]["OutputS3BucketName"]),
    "")
| where isnotempty(OutputS3BucketName)
// Recent S3 PutObject data events into the same bucket; their Resources list carries the bucket owner's account.
| join kind=leftouter (
    AWSCloudTrail
    | where TimeGenerated > ago(query_frequency)
    | where EventName == "PutObject"
    | project
        BucketName = tostring(todynamic(RequestParameters)["bucketName"]),
        PutObject_TimeGenerated = TimeGenerated,
        PutObject_Resources = Resources
    ) on $left.OutputS3BucketName == $right.BucketName
| mv-expand Resource = todynamic(PutObject_Resources)
// Keeping only AWS::S3::Bucket resources also discards the unmatched (null) rows of the left outer join.
| where tostring(Resource["type"]) == "AWS::S3::Bucket"
| extend BucketAccountId = tostring(Resource["accountId"])
// Output landed in a bucket owned by an account other than the one the SSM call was logged in.
| where RecipientAccountId != BucketAccountId
// Workspace-defined enrichment function (not shown on this page) that supplies the identity/role columns.
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    OutputS3BucketName,
    PutObject_TimeGenerated,
    PutObject_Resources,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

The query looks for AWS Systems Manager (SSM) activity whose command output is sent to an S3 bucket owned by a different AWS account. SendCommand (Run Command) and the State Manager association calls CreateAssociation, UpdateAssociation and CreateAssociationBatch all accept an output location, so an actor with SSM permissions can have the SSM agent on EC2 instances write command stdout and stderr (and anything a script collects) into a bucket in an account they control; the data leaves through the instances rather than through the actor's own credentials.

From AWSCloudTrail it takes those four event names within query_period (1d) and extracts the output bucket name: RequestParameters.OutputS3BucketName for SendCommand, and OutputLocation.S3Location.OutputS3BucketName for the association calls, once per element of Entries for the batch call. Because mv-expand over a property bag yields one row per top-level key, the non-batch calls are split into several rows, and the isnotempty filter keeps only the row that holds the bucket name. Those rows are joined, on the bucket name, to S3 PutObject data events from the same table within query_frequency (1h). The bucket owner's account is read from the AWS::S3::Bucket entry in the PutObject event's Resources and compared with RecipientAccountId, the account in which the SSM call was logged; a mismatch is the alert condition. AWSIdentityRole() then enriches the rows before the final projection.

Points to check before deploying it: PutObject is an S3 data event, so CloudTrail must log S3 data events for the relevant buckets and they must be ingested into AWSCloudTrail, otherwise the join never matches. The join is declared leftouter but the subsequent filter on Resource type drops unmatched rows, so it behaves as an inner join, and only PutObject events from the last hour are considered even though SSM calls from the last day are; this fits an hourly schedule but will miss output written more than an hour after the previous run. AWSIdentityRole() is a user-defined function that is not shown on this page, and columns such as Identity, ActorRole, UserIdentityAccountName and RecipientAccountName are not part of the AWSCloudTrail schema and are presumably produced by it; the query fails if the function is not defined in the workspace. Finally, a bucket in another account is not necessarily malicious (central logging accounts are common), so expected bucket or account pairs should be allow-listed.
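The same detection logic, as an added example that is not part of the original page or of the author's query, applied in Python to a handful of constructed CloudTrail records. Field names follow raw CloudTrail JSON (eventName, requestParameters, resources, recipientAccountId); the requestParameters keys are spelled as the KQL query expects them, the account IDs and bucket names are placeholders, and `find_cross_account_output` mirrors the query's two time windows and its bucket-owner comparison. It goes slightly beyond the query by also reporting which PutObject produced each match.

```python
import json
from datetime import datetime, timedelta, timezone

# Event names the query watches: SSM Run Command and State Manager association calls,
# all of which can direct command output to an S3 bucket.
SSM_EVENTS = ("SendCommand", "CreateAssociation", "UpdateAssociation", "CreateAssociationBatch")


def output_buckets(event):
    """Bucket names referenced by one SSM call, following the same paths as the KQL `case`."""
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "SendCommand":
        bucket = params.get("OutputS3BucketName")
        return [bucket] if bucket else []
    if name in ("CreateAssociation", "UpdateAssociation"):
        entries = [params]
    elif name == "CreateAssociationBatch":
        entries = params.get("Entries") or []  # the batch call nests one request per entry
    else:
        return []
    buckets = []
    for entry in entries:
        s3 = (entry.get("OutputLocation") or {}).get("S3Location") or {}
        if s3.get("OutputS3BucketName"):
            buckets.append(s3["OutputS3BucketName"])
    return buckets


def bucket_owner(put_event):
    """Owning account of the written bucket, from the AWS::S3::Bucket entry in resources."""
    for res in put_event.get("resources") or []:
        if res.get("type") == "AWS::S3::Bucket":
            return res.get("accountId")
    return None


def _event_time(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def find_cross_account_output(events, now, query_period=timedelta(days=1),
                              query_frequency=timedelta(hours=1)):
    """SSM calls within query_period whose output bucket received a PutObject within
    query_frequency and is owned by an account other than recipientAccountId."""
    # Right side of the KQL join: recent PutObject data events keyed by bucket name.
    puts = {}
    for e in events:
        if e.get("eventName") != "PutObject" or now - _event_time(e) > query_frequency:
            continue
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        owner = bucket_owner(e)
        if bucket and owner:
            puts.setdefault(bucket, []).append((e["eventTime"], owner))
    # Left side: SSM calls that name an output bucket. Buckets with no recent PutObject
    # yield nothing, which is what the query's AWS::S3::Bucket filter does to its join.
    findings = []
    for e in events:
        if e.get("eventName") not in SSM_EVENTS or now - _event_time(e) > query_period:
            continue
        for bucket in output_buckets(e):
            for put_time, owner in puts.get(bucket, []):
                if owner != e.get("recipientAccountId"):
                    findings.append({"event_name": e["eventName"], "bucket": bucket,
                                     "recipient_account": e.get("recipientAccountId"),
                                     "bucket_account": owner, "put_object_time": put_time})
    return findings


# Constructed sample records (not real CloudTrail data); account IDs are placeholders.
NOW = datetime(2023, 12, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"eventTime": "2023-12-07T09:30:00Z", "eventName": "SendCommand",
     "recipientAccountId": "111111111111",
     "requestParameters": {"DocumentName": "AWS-RunShellScript", "InstanceIds": ["i-0abc"],
                           "OutputS3BucketName": "exfil-drop"}},
    {"eventTime": "2023-12-07T11:40:00Z", "eventName": "PutObject",
     "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "exfil-drop", "key": "i-0abc/stdout"},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::exfil-drop",
                    "accountId": "999999999999"}]},  # bucket owned by another account
    {"eventTime": "2023-12-07T10:00:00Z", "eventName": "CreateAssociationBatch",
     "recipientAccountId": "111111111111",
     "requestParameters": {"Entries": [{"Name": "AWS-GatherSoftwareInventory",
                                        "OutputLocation": {"S3Location": {"OutputS3BucketName": "ops-logs"}}}]}},
    {"eventTime": "2023-12-07T11:50:00Z", "eventName": "PutObject",
     "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "ops-logs", "key": "inventory/i-0abc.json"},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::ops-logs",
                    "accountId": "111111111111"}]},  # same account: not reported
    {"eventTime": "2023-12-07T08:00:00Z", "eventName": "PutObject",
     "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "exfil-drop", "key": "old/stdout"},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::exfil-drop",
                    "accountId": "999999999999"}]},  # older than query_frequency: ignored
]

FINDINGS = find_cross_account_output(SAMPLE_EVENTS, NOW)

if __name__ == "__main__":
    print(json.dumps(FINDINGS, indent=2))
```

Run as a script it prints one finding: the SendCommand whose output bucket exfil-drop received a PutObject twenty minutes before NOW from a bucket owned by 999999999999. The PutObject four hours earlier is outside query_frequency and is ignored, exactly as in the query; widen that window if the rule is scheduled less often than hourly.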

Details


Jose Sebastián Canós

Released: December 7, 2023

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,SendCommand,CreateAssociation,UpdateAssociation,CreateAssociationBatch,DynamicRequestParameters,Entries,OutputS3BucketName,OutputLocation,S3Location,PutObject,BucketName,PutObject_TimeGenerated,PutObject_Resources,Resource,AWS::S3::Bucket,BucketAccountId,RecipientAccountId,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, extend, mv-expand, case, isnotempty, join, on, project, invoke, tostring
