Query Details

AWS Cloud Trail Activity With AWS Break Glass User

Query

// Resolve the break-glass principal IDs from the watchlist into a single dynamic array
let _BreakGlassUserId = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSBreakGlass"
    | summarize make_list(ActorId)
);
AWSCloudTrail
// Keep only events performed by a break-glass principal
| where UserIdentityPrincipalid in (_BreakGlassUserId)
// Collapse repeated identical calls: keep the earliest record per event, session, source IP and outcome
| summarize arg_min(TimeGenerated, *) by EventTypeName, EventName, UserIdentityType, SessionCreationDate, SourceIpAddress, ErrorCode
// Enrich each row with the identity and role columns projected below (Identity, ActorRole, TargetRole, TargetRoleSessionName)
| invoke AWSIdentityRole()
| sort by TimeGenerated asc
| project
    SessionCreationDate,
    TimeGenerated,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    UserIdentityType,
    UserIdentityInvokedBy,
    UserIdentityPrincipalid,
    UserIdentityArn,
    UserIdentityUserName,
    SourceIpAddress,
    RecipientAccountId,
    RecipientAccountName,
    EventSource,
    EventTypeName,
    EventName,
    ErrorCode,
    ErrorMessage,
    TargetRole,
    TargetRoleSessionName,
    RequestParameters,
    ResponseElements,
    Resources,
    AdditionalEventData,
    ReadOnly,
    ManagementEvent,
    UserAgent

Explanation

This query surfaces every AWSCloudTrail event performed by an AWS break-glass identity. The break-glass principal IDs are read from the Activity-ExpectedSignificantActivity watchlist (the ActorId column of rows whose Activity is AWSBreakGlass) into a dynamic array, and the CloudTrail events are filtered to those whose UserIdentityPrincipalid is in that array. Repeated identical calls are then collapsed with arg_min, which keeps the earliest record for each combination of event type, event name, identity type, session creation date, source IP address and error code. The AWSIdentityRole function enriches each row with identity and role details, the results are sorted by TimeGenerated, and a fixed set of columns is projected for review. Because break-glass accounts are expected to sit unused, every row returned should be matched to an approved emergency change; activity outside such a window, or from an unfamiliar source IP address, warrants investigation.
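The following Python is an added illustration, not part of the original page or of the Sentinel query, that reproduces the query's watchlist lookup, principal filter and arg_min deduplication over constructed CloudTrail-style records so the collapsing behaviour can be seen on data. The watchlist rows, principal IDs, timestamps and IP addresses are made up for the example, only the columns the query groups on are modelled, and the AWSIdentityRole enrichment is not reproduced.

```python
from datetime import datetime, timezone

# Columns the Sentinel query groups on in `summarize arg_min(TimeGenerated, *) by ...`
DEDUP_KEY = ("EventTypeName", "EventName", "UserIdentityType",
             "SessionCreationDate", "SourceIpAddress", "ErrorCode")


def ts(value):
    """Parse an ISO-8601 timestamp (with offset) into an aware UTC datetime."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


# Constructed rows standing in for the Activity-ExpectedSignificantActivity watchlist.
# Only rows whose Activity is "AWSBreakGlass" contribute principal IDs.
WATCHLIST = [
    {"Activity": "AWSBreakGlass", "ActorId": "AIDAEXAMPLEBREAKGLASS01"},
    {"Activity": "AWSBreakGlass", "ActorId": "AIDAEXAMPLEBREAKGLASS02"},
    {"Activity": "OtherExpected", "ActorId": "AIDAEXAMPLENOTBREAKGLASS"},
]


def event(principal, time, name, session, ip, error=None, event_type="AwsApiCall"):
    """Build a minimal CloudTrail-style record with the columns the query uses."""
    return {
        "TimeGenerated": ts(time),
        "UserIdentityPrincipalid": principal,
        "EventTypeName": event_type,
        "EventName": name,
        "UserIdentityType": "IAMUser",
        "SessionCreationDate": session,
        "SourceIpAddress": ip,
        "ErrorCode": error,
    }


# Constructed sample events (not real CloudTrail data).
EVENTS = [
    event("AIDAEXAMPLEBREAKGLASS01", "2023-09-19T10:00:00+00:00", "ConsoleLogin",
          "2023-09-19T09:59:00Z", "198.51.100.7", event_type="AwsConsoleSignIn"),
    event("AIDAEXAMPLEBREAKGLASS01", "2023-09-19T10:02:00+00:00", "AssumeRole",
          "2023-09-19T09:59:00Z", "198.51.100.7"),
    # Same dedup key as the previous row but earlier: arg_min keeps this one, drops the other.
    event("AIDAEXAMPLEBREAKGLASS01", "2023-09-19T10:01:00+00:00", "AssumeRole",
          "2023-09-19T09:59:00Z", "198.51.100.7"),
    # Not a break-glass principal: removed by the `in` filter.
    event("AIDAEXAMPLENOTBREAKGLASS", "2023-09-19T10:03:00+00:00", "DescribeInstances",
          "2023-09-19T09:00:00Z", "203.0.113.5"),
    # A denied call followed by a successful one: ErrorCode differs, so both rows survive.
    event("AIDAEXAMPLEBREAKGLASS02", "2023-09-19T11:00:00+00:00", "DeleteTrail",
          "2023-09-19T10:58:00Z", "203.0.113.9", error="AccessDenied"),
    event("AIDAEXAMPLEBREAKGLASS02", "2023-09-19T11:05:00+00:00", "DeleteTrail",
          "2023-09-19T10:58:00Z", "203.0.113.9"),
]


def break_glass_principals(watchlist):
    """Equivalent of the `let _BreakGlassUserId = toscalar(...)` block."""
    return {row["ActorId"] for row in watchlist if row["Activity"] == "AWSBreakGlass"}


def break_glass_activity(watchlist, events):
    """Filter to break-glass principals, keep the earliest row per DEDUP_KEY, sort by time."""
    principals = break_glass_principals(watchlist)
    first_seen = {}
    for ev in events:
        if ev["UserIdentityPrincipalid"] not in principals:
            continue
        key = tuple(ev[column] for column in DEDUP_KEY)
        current = first_seen.get(key)
        if current is None or ev["TimeGenerated"] < current["TimeGenerated"]:
            first_seen[key] = ev
    return sorted(first_seen.values(), key=lambda ev: ev["TimeGenerated"])


if __name__ == "__main__":
    for row in break_glass_activity(WATCHLIST, EVENTS):
        print(row["TimeGenerated"].isoformat(), row["UserIdentityPrincipalid"],
              row["EventName"], row["ErrorCode"])
```

Running the block prints four rows: the console sign-in, the earlier of the two identical AssumeRole calls, and both DeleteTrail attempts because their ErrorCode values differ. The arg_min step therefore hides how many times an identical call was repeated within a session; if that volume matters to triage, add a count() alongside arg_min in the Sentinel query rather than relying on the first row alone.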

Details


Jose Sebastián Canós

Released: September 19, 2023

Tables

AWSCloudTrail

Keywords

Devices, Intune, User

Operators

where, summarize, arg_min, by, invoke, sort, project
