Query Details

AWS Cloud Trail Activity With AWS Break Glass User

Query

let _BreakGlassUserId = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSBreakGlass"
    | summarize make_list(ActorId)
);
AWSCloudTrail
| where UserIdentityPrincipalid in (_BreakGlassUserId)
| summarize arg_min(TimeGenerated, *) by EventTypeName, EventName, UserIdentityType, SessionCreationDate, SourceIpAddress, ErrorCode
| invoke AWSIdentityRole()
| sort by TimeGenerated asc
| project
    SessionCreationDate,
    TimeGenerated,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    UserIdentityType,
    UserIdentityInvokedBy,
    UserIdentityPrincipalid,
    UserIdentityArn,
    UserIdentityUserName,
    SourceIpAddress,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    EventSource,
    EventTypeName,
    EventName,
    ErrorCode,
    ErrorMessage,
    TargetRole,
    TargetRoleSessionName,
    RequestParameters,
    ResponseElements,
    Resources,
    AdditionalEventData,
    ReadOnly,
    ManagementEvent,
    UserAgent

Explanation

This KQL query is designed to analyze AWS CloudTrail logs for specific user activities related to "break glass" scenarios. Here's a simplified breakdown of what the query does:

  1. Identify Break Glass Users:

    • It retrieves a list of user IDs from a watchlist named "Activity-ExpectedSignificantActivity" where the activity type is "AWSBreakGlass". These users are considered to have performed significant or emergency actions.
  2. Filter CloudTrail Logs:

    • It filters the AWS CloudTrail logs to include only the events where the user identity matches one of the identified "break glass" user IDs.
  3. Summarize Events:

    • It summarizes the filtered events to find the earliest occurrence (arg_min) of each unique combination of event type, event name, user identity type, session creation date, source IP address, and error code.
  4. Invoke Additional Role Information:

    • It uses the AWSIdentityRole() function to enrich the data with additional identity role information.
  5. Sort and Select Data:

    • The results are sorted by the time the event was generated in ascending order.
  6. Project Relevant Fields:

    • Finally, it selects and displays a wide range of fields related to the event, including session details, user identity information, source IP, event specifics, error details, and additional context.

In essence, this query helps to monitor and analyze critical actions performed by specific users in AWS, focusing on those who have been flagged for significant activities, often in emergency or high-privilege scenarios.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventTypeNameEventNameUserIdentityTypeSessionCreationDateSourceIpAddressErrorCodeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameUserIdentityInvokedByUserIdentityPrincipalidUserIdentityArnUserIdentityUserNameRecipientAccountIdRecipientAccountNameAWSRegionEventSourceErrorMessageTargetRoleTargetRoleSessionNameRequestParametersResponseElementsResourcesAdditionalEventDataReadOnlyManagementEventUserAgent

Operators

lettoscalar_GetWatchlistwheresummarizemake_listinarg_minbyinvokesortproject

Actions

GitHub