AWS Cloud Trail Events
Query
let event_list = dynamic([
// signin.amazonaws.com
"PasswordRecoveryRequested",
"PasswordRecoveryCompleted",
"AccountNameUpdated",
// https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html
"CreateManagedAccount",
"UpdateManagedAccount",
"EnableGuardrail",
"DisableGuardrail",
"RegisterOrganizationalUnit",
"DeregisterOrganizationalUnit",
"SetupLandingZone",
"UpdateLandingZone",
// https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html
"AddUserToGroup",
"RemoveUserFromGroup",
"AddRoleToInstanceProfile",
"RemoveRoleFromInstanceProfile",
"AttachGroupPolicy",
"DetachGroupPolicy",
"PutGroupPolicy",
"DeleteGroupPolicy",
"AttachRolePolicy",
"DetachRolePolicy",
"PutRolePolicy",
"DeleteRolePolicy",
"UpdateAssumeRolePolicy",
"AttachUserPolicy",
"DetachUserPolicy",
"PutUserPolicy",
"DeleteUserPolicy",
"CreatePolicy",
"DeletePolicy",
"CreateRole",
"UpdateRole",
"DeleteRole",
//"CreateUser",
"UpdateUser",
"DeleteUser",
"EnableMFADevice",
"ResyncMFADevice",
"DeactivateMFADevice",
"CreateVirtualMFADevice",
"DeleteVirtualMFADevice",
"CreateLoginProfile",
"UpdateLoginProfile",
"DeleteLoginProfile",
"ChangePassword",
"CreateServiceSpecificCredential",
"UpdateServiceSpecificCredential",
"ResetServiceSpecificCredential",
"DeleteServiceSpecificCredential",
"UploadSSHPublicKey",
"UpdateSSHPublicKey",
"DeleteSSHPublicKey",
"UpdateSigningCertificate",
"UploadSigningCertificate",
"DeleteSigningCertificate",
"CreateAccessKey",
"ListAccessKeys",
"UpdateAccessKey",
"DeleteAccessKey",
"CreateSAMLProvider",
"UpdateSAMLProvider",
"GetAccountAuthorizationDetails",
"UpdateAccountPasswordPolicy",
"DeleteAccountPasswordPolicy",
// https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
"AllocateAddress",
"CreateRoute",
"ReplaceRoute",
"DeleteRoute",
"CreateRouteTable",
"AssociateRouteTable",
"DisassociateRouteTable",
"DeleteRouteTable",
"CreateInternetGateway",
"AttachInternetGateway",
"DetachInternetGateway",
"DeleteInternetGateway",
"CreateCustomerGateway",
"DeleteCustomerGateway",
"CreateNatGateway",
"AssociateNatGatewayAddress",
"DisassociateNatGatewayAddress",
"AssignPrivateNatGatewayAddress",
"UnassignPrivateNatGatewayAddress",
"DeleteNatGateway",
"CreateDhcpOptions",
"AssociateDhcpOptions",
"DeleteDhcpOptions",
"CreateSecurityGroup",
"AuthorizeSecurityGroupIngress",
"AuthorizeSecurityGroupEgress",
"ModifySecurityGroupRules",
"RevokeSecurityGroupIngress",
"RevokeSecurityGroupEgress",
"DeleteSecurityGroup",
"CreateNetworkAcl",
"ReplaceNetworkAclAssociation",
"DeleteNetworkAcl",
"CreateNetworkAclEntry",
"ReplaceNetworkAclEntry",
"DeleteNetworkAclEntry",
"CreateFlowLogs",
"DeleteFlowLogs",
"RunInstances",
"StartInstances",
"StopInstances",
"UnmonitorInstances",
"TerminateInstances",
"CreateImage",
"CopyImage",
"ImportImage",
"ModifyImageAttribute",
"DeregisterImage",
"CreateFpgaImage",
"CopyFpgaImage",
"ModifyFpgaImageAttribute",
"DeleteFpgaImage",
"CreateSnapshots",
"CreateSnapshot",
"ModifySnapshotAttribute",
"CopySnapshot",
"DeleteSnapshot",
"SharedSnapshotCopyInitiated",
"SharedSnapshotVolumeCreated",
"GetPasswordData",
"CreateVpc",
"ModifyVpcAttribute",
"DeleteVpc",
"CreateVpcLink",
"DeleteVpcLink",
"CreateVpcPeeringConnection",
"AcceptVpcPeeringConnection",
"ModifyVpcPeeringConnectionOptions",
"DeleteVpcPeeringConnection",
// https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_Operations.html
"ModifyRule",
"SetRulePriorities",
"SetSecurityGroups",
"SetSubnets",
// https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
"CreateTrail",
"UpdateTrail",
"DeleteTrail",
"StartLogging",
"StopLogging",
"CreateEventDataStore",
"UpdateEventDataStore",
"DeleteEventDataStore",
"StartEventDataStoreIngestion",
"StopEventDataStoreIngestion",
"PutEventSelectors",
"PutInsightSelectors",
"ConsoleLogin",
// https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html
"CreateEventBus",
"DeleteEventBus",
"CreateConnection",
"DeactivateEventSource",
"DeleteArchive",
// https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Operations.html
//"CreateLogStream",
"DeleteLogStream",
//"CreateLogGroup",
"DeleteLogGroup",
// https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Operations.html
"DeleteAlarms",
"DisableAlarmActions",
"DeleteInsightRules",
// https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html
"SetRepositoryPolicy",
"PutRegistryScanningConfiguration",
// https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html
"CreateDBInstance",
"ModifyDBInstance",
"CreateDBProxy",
"ModifyDBProxy",
"CreateDBProxyEndpoint",
"ModifyDBProxyEndpoint",
"AuthorizeDBSecurityGroupIngress",
"RevokeDBSecurityGroupIngress",
"CreateDBSecurityGroup",
"DeleteDBSecurityGroup",
"CreateDBSnapshot",
"CopyDBSnapshot",
"ModifyDBSnapshot",
"ModifyDBSnapshotAttribute",
"DeleteDBSnapshot",
"CreateDBClusterSnapshot",
"CopyDBClusterSnapshot",
"ModifyDBClusterSnapshotAttribute",
"DeleteDBClusterSnapshot",
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
"PutAccessPointPolicy",
"PutAccessPointPolicyForObjectLambda",
"PutMultiRegionAccessPointPolicy",
"PutBucketVersioning",
"PutBucketPolicy",
"DeleteBucketPolicy",
"PutBucketAcl",
"PutObjectAcl",
"PutBucketCors",
"DeleteBucketCors",
"PutBucketLifecycle",
"DeleteBucketLifecycle",
"PutBucketReplication",
"PutPublicAccessBlock",
"GetPublicAccessBlock",
"DeletePublicAccessBlock",
// https://docs.aws.amazon.com/lambda/latest/dg/API_Operations.html
"Invoke",
// https://docs.aws.amazon.com/acm/latest/APIReference/API_Operations.html
"GetCertificate",
"RequestCertificate",
"ImportCertificate",
"RenewCertificate",
"DeleteCertificate",
"UpdateCertificateOptions",
// https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_Operations.html
"GetSecretValue",
"PutSecretValue",
"CreateSecret",
"UpdateSecret",
"RotateSecret",
"DeleteSecret",
"ReplicateSecretToRegions",
"RemoveRegionsFromReplication",
"StopReplicationToReplica",
// https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html
"PutConfigRule",
"DeleteConfigRule",
"PutOrganizationConfigRule",
"DeleteOrganizationConfigRule",
// https://docs.aws.amazon.com/organizations/latest/APIReference/API_Operations.html
"CreateAccount",
"MoveAccount",
"CloseAccount",
"InviteAccountToOrganization",
"RemoveAccountFromOrganization",
"LeaveOrganization",
// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Operations.html
"CreateIPSet",
"UpdateIPSet",
"UpdatePublishingDestination",
"DeletePublishingDestination",
"UpdateThreatIntelSet",
"DeleteThreatIntelSet",
"UpdateDetector",
"DeleteDetector",
"UpdateMemberDetectors",
"UpdateMalwareScanSettings",
"CreateMembers",
"DeleteMembers",
"InviteMembers",
"StopMonitoringMembers",
"DisassociateMembers",
"DisassociateFromMasterAccount",
// https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Operations.html
"ModifyDocumentPermission",
"SendCommand",
"CreateAssociation",
"CreateAssociationBatch",
"UpdateAssociation",
// https://docs.aws.amazon.com/workspaces/latest/api/API_Operations.html
"ModifyAccount",
"ModifyBilling",
"ModifyPaymentMethods",
// https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations_AWS_WAFV2.html
"CreateWebACL",
"UpdateWebACL",
"DeleteWebACL",
"CreateIPSet",
"UpdateIPSet",
"DeleteIPSet",
"UpdateRuleGroup",
"DeleteRuleGroup",
"DeleteLoggingConfiguration"
]);
let version_event_list = dynamic([
"CreatePolicy",
"SetDefaultPolicy",
"DeletePolicy"
]);
let _ExcludedRoles =
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "AWSAssumedRole"
| project RoleName = tostring(Auxiliar), UserIdentity = tostring(ActorPrincipalName)
;
let _ExcludedAWSAccountEventNames =
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "AWSAccountIdEventName"
| project UserIdentityAccountId = tostring(ActorId), EventName = tostring(Auxiliar)
;
AWSCloudTrail
| where EventName has_any (event_list)
or EventName matches regex strcat("^(", strcat_array(version_event_list, "|"), ")")
| extend UserIdentity = tostring(split(UserIdentityPrincipalid, ":")[1])
| join kind=leftanti _ExcludedRoles on $left.SessionIssuerUserName == $right.RoleName, UserIdentity
| join kind=leftanti _ExcludedAWSAccountEventNames on UserIdentityAccountId, EventNameExplanation
This KQL query is designed to filter and analyze AWS CloudTrail logs for specific events while excluding certain roles and account events. Here's a simplified breakdown:
-
Event Lists:
- The query defines two lists of AWS event names (
event_listandversion_event_list) that are of interest. These events cover a wide range of AWS services and actions, such as IAM operations, EC2 actions, and more.
- The query defines two lists of AWS event names (
-
Exclusion Lists:
- It retrieves two exclusion lists from a watchlist named "Activity-ExpectedSignificantActivity":
_ExcludedRoles: Contains roles that should be excluded from the analysis._ExcludedAWSAccountEventNames: Contains specific AWS account IDs and event names that should be excluded.
- It retrieves two exclusion lists from a watchlist named "Activity-ExpectedSignificantActivity":
-
Filtering CloudTrail Logs:
- The query filters the
AWSCloudTraillogs to include only those events that match the specifiedevent_listorversion_event_list. - It extracts the
UserIdentityfrom theUserIdentityPrincipalidfield for further processing.
- The query filters the
-
Excluding Specific Roles and Events:
- It performs a left anti-join with
_ExcludedRolesto remove any logs associated with the excluded roles. - It performs another left anti-join with
_ExcludedAWSAccountEventNamesto remove logs associated with the excluded account IDs and event names.
- It performs a left anti-join with
In summary, this query is used to monitor specific AWS events from CloudTrail logs while excluding certain roles and account-specific events that are deemed insignificant or expected.
Details

Jose Sebastián Canós
Released: February 26, 2025
Tables
AWSCloudTrail
Keywords
AWSIAMEC2VPCElasticLoadBalancingCloudTrailEventBridgeCloudWatchLogsCloudWatchECRRDSS3LambdaACMSecretsManagerConfigOrganizationsGuardDutySystemsManagerWorkspacesWAF
Operators
letdynamicprojectwherehas_anymatches regexstrcatstrcat_arrayextendsplitjoinonleftanti