Query Details

AWS Cloud Trail Asl Aws Multi Factor Authentication Disabled

Query

AWSCloudTrail
// Both IAM calls that remove a second factor from a user:
// DeleteVirtualMFADevice deletes a virtual MFA device,
// DeactivateMFADevice detaches an MFA device from a user.
| where EventName in ("DeleteVirtualMFADevice", "DeactivateMFADevice")
// RequestParameters is stored as a JSON string; parse it to pull out the target user and device.
| extend
    UserName = tostring(todynamic(RequestParameters)["userName"]),
    Device = tostring(todynamic(RequestParameters)["serialNumber"])
// Enrich with the actor's identity and role details.
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    Device,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves the AWSCloudTrail events that record the deletion of a virtual MFA device or the deactivation of a user's MFA device. It then parses the RequestParameters JSON to extract the affected user name and the device serial number. The query also invokes the AWSIdentityRole function to enrich the actor's identity and role, and projects the fields an analyst needs for triage: time generated, user identity details, source IP address, event source, event type, whether the actor's own session was MFA authenticated, error code, error message, and more. Events that failed (for example with an error code) are deliberately kept, since a denied attempt to remove MFA is itself worth reviewing.
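As an added example that is not part of this page or of the Sentinel query, the same detection logic in Python over constructed CloudTrail records: it applies the event-name filter, parses requestParameters whether it arrives as a JSON string (as in the AWSCloudTrail table) or as an object (as in raw CloudTrail), and projects the fields the KQL projects. The function names and the sample records are assumptions made for this example.

```python
import json

# Event names the hunting query matches: the same list as the KQL `in (...)`.
MFA_REMOVAL_EVENTS = {"DeleteVirtualMFADevice", "DeactivateMFADevice"}

# Constructed sample records in raw CloudTrail shape (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-02-12T10:01:02Z", "eventName": "DeactivateMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": '{"userName": "bob", "serialNumber": "arn:aws:iam::111122223333:mfa/bob"}'},
    {"eventTime": "2024-02-12T10:05:00Z", "eventName": "DeleteVirtualMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "requestParameters": {"serialNumber": "arn:aws:iam::111122223333:mfa/bob"}},
    {"eventTime": "2024-02-12T10:06:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "carol"}},
]

def _params(rec: dict) -> dict:
    """requestParameters is a string in the Sentinel table (hence todynamic() in the KQL) but an object in raw CloudTrail; accept both."""
    params = rec.get("requestParameters") or {}
    if isinstance(params, str):
        try:
            params = json.loads(params)
        except json.JSONDecodeError:
            params = {}
    return params if isinstance(params, dict) else {}

def extract_mfa_removals(records) -> list:
    """Mirror the KQL: keep MFA-removal events, lift userName/serialNumber out of requestParameters, project triage fields."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in MFA_REMOVAL_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        params = _params(rec)
        hits.append({
            "time": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "actorArn": identity.get("arn"),
            "sourceIp": rec.get("sourceIPAddress"),
            "userName": params.get("userName"),
            "device": params.get("serialNumber"),
            # "true"/"false" string in CloudTrail; None when there is no session context.
            "sessionMfaAuthenticated": identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated"),
            # Kept on purpose, like the KQL: a denied attempt is still worth an analyst's eye.
            "errorCode": rec.get("errorCode"),
        })
    return hits
```

Running `extract_mfa_removals(SAMPLE_RECORDS)` returns two hits (the CreateUser record is dropped), the second carrying `errorCode` "AccessDenied" and no `userName`, because the DeleteVirtualMFADevice call only names the device.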

Details


Jose Sebastián Canós

Released: February 12, 2024

Tables

AWSCloudTrail

Keywords

Devices,User

Operators

where, in, extend, tostring, invoke, project
