Query Details

AWS Cloud Trail Events

Query

// CloudTrail API calls treated as significant, grouped by the AWS service
// whose API reference they come from. Matched on EventName via has_any.
let significantEvents = dynamic([
    // signin.amazonaws.com
    "PasswordRecoveryRequested",
    "PasswordRecoveryCompleted",
    "AccountNameUpdated",
    // https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html
    "CreateManagedAccount",
    "UpdateManagedAccount",
    "EnableGuardrail",
    "DisableGuardrail",
    "RegisterOrganizationalUnit",
    "DeregisterOrganizationalUnit",
    "SetupLandingZone",
    "UpdateLandingZone",
    // https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html
    "AddUserToGroup",
    "RemoveUserFromGroup",
    "AddRoleToInstanceProfile",
    "RemoveRoleFromInstanceProfile",
    "AttachGroupPolicy",
    "DetachGroupPolicy",
    "PutGroupPolicy",
    "DeleteGroupPolicy",
    "AttachRolePolicy",
    "DetachRolePolicy",
    "PutRolePolicy",
    "DeleteRolePolicy",
    "UpdateAssumeRolePolicy",
    "AttachUserPolicy",
    "PutUserPolicy",
    "DeleteUserPolicy",
    "CreatePolicy",
    "DeletePolicy",
    "CreateRole",
    "UpdateRole",
    "DeleteRole",
    //"CreateUser",
    "UpdateUser",
    "DeleteUser",
    "EnableMFADevice",
    "ResyncMFADevice",
    "DeactivateMFADevice",
    "CreateVirtualMFADevice",
    "DeleteVirtualMFADevice",
    "CreateLoginProfile",
    "UpdateLoginProfile",
    "DeleteLoginProfile",
    "ChangePassword",
    "CreateServiceSpecificCredential",
    "UpdateServiceSpecificCredential",
    "ResetServiceSpecificCredential",
    "DeleteServiceSpecificCredential",
    "UploadSSHPublicKey",
    "UpdateSSHPublicKey",
    "DeleteSSHPublicKey",
    "UpdateSigningCertificate",
    "UploadSigningCertificate",
    "DeleteSigningCertificate",
    "CreateAccessKey",
    "ListAccessKeys",
    "UpdateAccessKey",
    "DeleteAccessKey",
    "CreateSAMLProvider",
    "UpdateSAMLProvider",
    "GetAccountAuthorizationDetails",
    // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
    "AllocateAddress",
    "CreateRoute",
    "ReplaceRoute",
    "DeleteRoute",
    "CreateRouteTable",
    "AssociateRouteTable",
    "DisassociateRouteTable",
    "DeleteRouteTable",
    "CreateInternetGateway",
    "AttachInternetGateway",
    "DetachInternetGateway",
    "DeleteInternetGateway",
    "CreateCustomerGateway",
    "DeleteCustomerGateway",
    "CreateNatGateway",
    "AssociateNatGatewayAddress",
    "DisassociateNatGatewayAddress",
    "AssignPrivateNatGatewayAddress",
    "UnassignPrivateNatGatewayAddress",
    "DeleteNatGateway",
    "CreateDhcpOptions",
    "AssociateDhcpOptions",
    "DeleteDhcpOptions",
    "CreateSecurityGroup",
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "ModifySecurityGroupRules",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "DeleteSecurityGroup",
    "CreateNetworkAcl",
    "ReplaceNetworkAclAssociation",
    "DeleteNetworkAcl",
    "CreateNetworkAclEntry",
    "ReplaceNetworkAclEntry",
    "DeleteNetworkAclEntry",
    "CreateFlowLogs",
    "DeleteFlowLogs",
    "RunInstances",
    "StartInstances",
    "StopInstances",
    "UnmonitorInstances",
    "TerminateInstances",
    "CreateImage",
    "CopyImage",
    "ImportImage",
    "ModifyImageAttribute",
    "DeregisterImage",
    "CreateFpgaImage",
    "CopyFpgaImage",
    "ModifyFpgaImageAttribute",
    "DeleteFpgaImage",
    "CreateSnapshots",
    "CreateSnapshot",
    "ModifySnapshotAttribute",
    "CopySnapshot",
    "DeleteSnapshot",
    "SharedSnapshotCopyInitiated",
    "SharedSnapshotVolumeCreated",
    "GetPasswordData",
    // https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_Operations.html
    "ModifyRule",
    "SetRulePriorities",
    "SetSecurityGroups",
    "SetSubnets",
    // https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
    "CreateTrail",
    "UpdateTrail",
    "DeleteTrail",
    "StartLogging",
    "StopLogging",
    "CreateEventDataStore",
    "UpdateEventDataStore",
    "DeleteEventDataStore",
    "StartEventDataStoreIngestion",
    "StopEventDataStoreIngestion",
    "PutEventSelectors",
    "PutInsightSelectors",
    // https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html
    "CreateEventBus",
    "DeleteEventBus",
    "CreateConnection",
    "DeactivateEventSource",
    // https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Operations.html
    //"CreateLogStream",
    "DeleteLogStream",
    //"CreateLogGroup",
    "DeleteLogGroup",
    // https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html
    "SetRepositoryPolicy",
    "PutRegistryScanningConfiguration",
    // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html
    "CreateDBInstance",
    "ModifyDBInstance",
    "CreateDBProxy",
    "ModifyDBProxy",
    "CreateDBProxyEndpoint",
    "ModifyDBProxyEndpoint",
    "AuthorizeDBSecurityGroupIngress",
    "RevokeDBSecurityGroupIngress",
    "CreateDBSecurityGroup",
    "DeleteDBSecurityGroup",
    "CreateDBSnapshot",
    "CopyDBSnapshot",
    "ModifyDBSnapshot",
    "ModifyDBSnapshotAttribute",
    "DeleteDBSnapshot",
    "CreateDBClusterSnapshot",
    "CopyDBClusterSnapshot",
    "ModifyDBClusterSnapshotAttribute",
    "DeleteDBClusterSnapshot",
    // https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
    "PutAccessPointPolicy",
    "PutAccessPointPolicyForObjectLambda",
    "PutMultiRegionAccessPointPolicy",
    "PutBucketVersioning",
    "PutBucketPolicy",
    "PutBucketAcl",
    "PutObjectAcl",
    "PutPublicAccessBlock",
    "GetPublicAccessBlock",
    "DeletePublicAccessBlock",
    // https://docs.aws.amazon.com/lambda/latest/dg/API_Operations.html
    "Invoke",
    // https://docs.aws.amazon.com/acm/latest/APIReference/API_Operations.html
    "GetCertificate",
    "RequestCertificate",
    "ImportCertificate",
    "RenewCertificate",
    "DeleteCertificate",
    "UpdateCertificateOptions",
    // https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_Operations.html
    "GetSecretValue",
    "PutSecretValue",
    "CreateSecret",
    "UpdateSecret",
    "RotateSecret",
    "DeleteSecret",
    "ReplicateSecretToRegions",
    "RemoveRegionsFromReplication",
    "StopReplicationToReplica",
    // https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html
    "PutConfigRule",
    "DeleteConfigRule",
    "PutOrganizationConfigRule",
    "DeleteOrganizationConfigRule",
    // https://docs.aws.amazon.com/organizations/latest/APIReference/API_Operations.html
    "CreateAccount",
    "MoveAccount",
    "CloseAccount",
    "InviteAccountToOrganization",
    "RemoveAccountFromOrganization",
    "LeaveOrganization",
    // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Operations.html
    "CreateIPSet",
    "UpdateIPSet",
    "UpdatePublishingDestination",
    "DeletePublishingDestination",
    "UpdateThreatIntelSet",
    "DeleteThreatIntelSet",
    "UpdateDetector",
    "DeleteDetector",
    "UpdateMemberDetectors",
    "UpdateMalwareScanSettings",
    "CreateMembers",
    "DeleteMembers",
    "InviteMembers",
    "StopMonitoringMembers",
    "DisassociateMembers",
    "DisassociateFromMasterAccount",
    // https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Operations.html
    "ModifyDocumentPermission",
    "SendCommand",
    "CreateAssociation",
    "CreateAssociationBatch",
    "UpdateAssociation",
    // https://docs.aws.amazon.com/workspaces/latest/api/API_Operations.html
    "ModifyAccount",
    "ModifyBilling",
    "ModifyPaymentMethods"
    ]);
// Event-name prefixes matched with an anchored regex (^prefix), so any event
// whose name begins with one of these is included — presumably to pick up the
// *PolicyVersion variants as well as the exact names above.
let policyEventPrefixes = dynamic([
    "CreatePolicy",
    "SetDefaultPolicy",
    "DeletePolicy"
    ]);
// Both exclusion lists come from the same watchlist, split by Activity type.
let expectedActivity = _GetWatchlist("Activity-ExpectedSignificantActivity");
// Role name + session identity pairs whose activity is expected.
let excludedRoleSessions =
    expectedActivity
    | where Activity == "AWSAssumedRole"
    | project RoleName = Auxiliar, UserIdentity = ActorPrincipalName
;
// Account id + event name pairs whose activity is expected.
let excludedAccountEvents =
    expectedActivity
    | where Activity == "AWSAccountIdEventName"
    | project UserIdentityAccountId = tostring(ActorId), EventName = Auxiliar
;
AWSCloudTrail
| where EventName has_any (significantEvents)
    or EventName matches regex strcat("^(", strcat_array(policyEventPrefixes, "|"), ")")
// Portion of the principal id after the first ':' (the session part of an
// assumed-role principal id); empty string when the id contains no ':'.
| extend UserIdentity = tostring(split(UserIdentityPrincipalid, ":")[1])
| join kind=leftanti excludedRoleSessions
    on $left.SessionIssuerUserName == $right.RoleName,
       $left.UserIdentity == $right.UserIdentity
| join kind=leftanti excludedAccountEvents
    on $left.UserIdentityAccountId == $right.UserIdentityAccountId,
       $left.EventName == $right.EventName

Explanation

The query filters AWSCloudTrail events down to a list of significant event names (plus any event whose name starts with one of the policy prefixes in the second list). It then drops events that match the expected role/session pairs or account ID/event name pairs recorded in the Activity-ExpectedSignificantActivity watchlist.

Details


Jose Sebastián Canós

Released: September 1, 2023

Tables

AWSCloudTrail

Keywords

Keywords:Devices,Intune,User

Operators

wherehas_anymatches regexextendtostringsplitjoinkind=leftanti
