AWS Cloud Trail Activity With AWS Break Glass User
Query
let _BreakGlassUserId = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "AWSBreakGlass"
| summarize make_list(ActorId)
);
AWSCloudTrail
| where UserIdentityPrincipalid in (_BreakGlassUserId)
| summarize arg_min(TimeGenerated, *) by EventTypeName, EventName, UserIdentityType, SessionCreationDate, SourceIpAddress, ErrorCode
| invoke AWSIdentityRole()
| sort by TimeGenerated asc
| project
SessionCreationDate,
TimeGenerated,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
UserIdentityType,
UserIdentityInvokedBy,
UserIdentityPrincipalid,
UserIdentityArn,
UserIdentityUserName,
SourceIpAddress,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
EventSource,
EventTypeName,
EventName,
ErrorCode,
ErrorMessage,
TargetRole,
TargetRoleSessionName,
RequestParameters,
ResponseElements,
Resources,
AdditionalEventData,
ReadOnly,
ManagementEvent,
UserAgentExplanation
This KQL query is designed to analyze AWS CloudTrail logs for specific user activities related to "break glass" scenarios. Here's a simplified breakdown of what the query does:
-
Identify Break Glass Users:
- It retrieves a list of user IDs from a watchlist named "Activity-ExpectedSignificantActivity" where the activity type is "AWSBreakGlass". These users are considered to have performed significant or emergency actions.
-
Filter CloudTrail Logs:
- It filters the AWS CloudTrail logs to include only the events where the user identity matches one of the identified "break glass" user IDs.
-
Summarize Events:
- It summarizes the filtered events to find the earliest occurrence (
arg_min) of each unique combination of event type, event name, user identity type, session creation date, source IP address, and error code.
- It summarizes the filtered events to find the earliest occurrence (
-
Invoke Additional Role Information:
- It uses the
AWSIdentityRole()function to enrich the data with additional identity role information.
- It uses the
-
Sort and Select Data:
- The results are sorted by the time the event was generated in ascending order.
-
Project Relevant Fields:
- Finally, it selects and displays a wide range of fields related to the event, including session details, user identity information, source IP, event specifics, error details, and additional context.
In essence, this query helps to monitor and analyze critical actions performed by specific users in AWS, focusing on those who have been flagged for significant activities, often in emergency or high-privilege scenarios.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
AWSCloudTrail
Keywords
AWSCloudTrailEventTypeNameEventNameUserIdentityTypeSessionCreationDateSourceIpAddressErrorCodeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameUserIdentityInvokedByUserIdentityPrincipalidUserIdentityArnUserIdentityUserNameRecipientAccountIdRecipientAccountNameAWSRegionEventSourceErrorMessageTargetRoleTargetRoleSessionNameRequestParametersResponseElementsResourcesAdditionalEventDataReadOnlyManagementEventUserAgent
Operators
lettoscalar_GetWatchlistwheresummarizemake_listinarg_minbyinvokesortproject