Query Details

AWS Cloud Trail Asl Aws Password Policy Changes

Query

let _ExcludedEventNames = dynamic(["GetAccountPasswordPolicy"]);
let _ExcludedRoleIdentityRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExcludedEventNames)
    | summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
AWSCloudTrail
| where EventName in ("GetAccountPasswordPolicy", "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy")
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
| where not(EventName in (_ExcludedEventNames) and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExcludedRoleIdentityRegex)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

The query watches AWS CloudTrail for the three IAM password-policy API calls (GetAccountPasswordPolicy, UpdateAccountPasswordPolicy and DeleteAccountPasswordPolicy). It first builds a regular expression from the Activity-ExpectedSignificantActivity watchlist: rows whose Activity is AWSAssumedRoleIdentityEventName_Regex and whose Auxiliar column names one of the excluded events contribute their SourceResource plus ActorPrincipalName as an anchored alternative. It then derives the user name from the second segment of UserIdentityPrincipalid and drops events whose name is in _ExcludedEventNames (only the read-only GetAccountPasswordPolicy by default) when the concatenated session issuer and user name match that regex, so expected automation reading the policy is suppressed while every update or deletion, and any unexpected read, is kept. The remaining rows are enriched with AWSIdentityRole() and projected down to the identity, account, request and response attributes of the event.
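The filtering logic described above, run over a handful of sample records, as an added Python illustration that is not part of the original query or the author's code. The watchlist rows and CloudTrail events are constructed for the example; `_terms` is a rough stand-in for KQL's term-based `has_any`, and the `AWSIdentityRole()` enrichment step is not reproduced. It also exercises the case where the watchlist yields no identities, so the pattern collapses to `^()$` and matches only an empty session identity.

```python
import re

# Constructed sample data (not real CloudTrail or watchlist output), trimmed to the columns the query reads.
SAMPLE_WATCHLIST = [
    # Expected audit role reading the password policy: its identity is excluded for Get* events.
    {"Activity": "AWSAssumedRoleIdentityEventName_Regex", "Auxiliar": "GetAccountPasswordPolicy",
     "SourceResource": "SecurityAuditRole", "ActorPrincipalName": "audit-session"},
    # Same role, but listed for a different event name: contributes nothing here.
    {"Activity": "AWSAssumedRoleIdentityEventName_Regex", "Auxiliar": "DescribeInstances",
     "SourceResource": "SecurityAuditRole", "ActorPrincipalName": "audit-session"},
    # Different Activity value: ignored entirely.
    {"Activity": "SomethingElse", "Auxiliar": "GetAccountPasswordPolicy",
     "SourceResource": "OtherRole", "ActorPrincipalName": "other-session"},
]

SAMPLE_EVENTS = [
    {"EventName": "GetAccountPasswordPolicy", "UserIdentityType": "AssumedRole",
     "SessionIssuerUserName": "SecurityAuditRole",
     "UserIdentityPrincipalid": "AROAEXAMPLEID:audit-session", "SourceIpAddress": "203.0.113.10"},
    {"EventName": "GetAccountPasswordPolicy", "UserIdentityType": "IAMUser",
     "SessionIssuerUserName": "", "UserIdentityPrincipalid": "AIDAEXAMPLEID",
     "SourceIpAddress": "198.51.100.7"},
    {"EventName": "UpdateAccountPasswordPolicy", "UserIdentityType": "AssumedRole",
     "SessionIssuerUserName": "SecurityAuditRole",
     "UserIdentityPrincipalid": "AROAEXAMPLEID:audit-session", "SourceIpAddress": "203.0.113.10"},
    {"EventName": "DeleteAccountPasswordPolicy", "UserIdentityType": "IAMUser",
     "SessionIssuerUserName": "", "UserIdentityPrincipalid": "AIDAEXAMPLEID",
     "SourceIpAddress": "198.51.100.7"},
    {"EventName": "CreateUser", "UserIdentityType": "IAMUser",
     "SessionIssuerUserName": "", "UserIdentityPrincipalid": "AIDAEXAMPLEID",
     "SourceIpAddress": "198.51.100.7"},
]

PASSWORD_POLICY_EVENTS = {"GetAccountPasswordPolicy", "UpdateAccountPasswordPolicy",
                          "DeleteAccountPasswordPolicy"}
EXCLUDED_EVENT_NAMES = {"GetAccountPasswordPolicy"}  # the query's _ExcludedEventNames


def _terms(text):
    # Rough approximation of KQL term matching (has_any): compare whole alphanumeric tokens.
    return set(re.findall(r"[A-Za-z0-9_]+", text))


def build_exclusion_regex(watchlist_rows):
    """Mirror the toscalar(...) block: collect SourceResource+ActorPrincipalName for rows of the
    right Activity whose Auxiliar names an excluded event, anchored as ^(a|b|c)$.
    With no matching rows the pattern is ^()$, which matches only an empty identity string."""
    identities = set()
    for row in watchlist_rows:
        if row["Activity"] != "AWSAssumedRoleIdentityEventName_Regex":
            continue
        if not (_terms(row["Auxiliar"]) & EXCLUDED_EVENT_NAMES):
            continue
        identities.add(row["SourceResource"] + row["ActorPrincipalName"])
    # make_set has no defined order; sort so the pattern is deterministic.
    return re.compile("^(" + "|".join(sorted(identities)) + ")$")


def user_identity_user_name(principal_id):
    """KQL: tostring(split(UserIdentityPrincipalid, ":")[1]); empty when there is no ':'."""
    parts = principal_id.split(":")
    return parts[1] if len(parts) > 1 else ""


def password_policy_changes(events, exclusion_regex):
    """Apply the query's two where clauses; return the rows that would reach the project step."""
    kept = []
    for ev in events:
        if ev["EventName"] not in PASSWORD_POLICY_EVENTS:
            continue
        user_name = user_identity_user_name(ev["UserIdentityPrincipalid"])
        identity = (ev.get("SessionIssuerUserName") or "") + user_name  # strcat treats null as ""
        if ev["EventName"] in EXCLUDED_EVENT_NAMES and exclusion_regex.match(identity):
            continue  # expected identity reading the policy: suppressed
        kept.append({**ev, "UserIdentityUserName": user_name, "MatchedIdentity": identity})
    return kept


def run():
    return password_policy_changes(SAMPLE_EVENTS, build_exclusion_regex(SAMPLE_WATCHLIST))


if __name__ == "__main__":
    for row in run():
        print(row["EventName"], row["UserIdentityType"], row["MatchedIdentity"] or "<empty identity>")
```

With the sample watchlist the audit role's read is suppressed while the IAM user's read and both modifications surface. When the watchlist contributes nothing, the `^()$` pattern instead suppresses reads from principals whose session issuer and principal-id suffix are both empty (typically plain IAM users), which is worth checking against the real watchlist contents before relying on the exclusion.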

Details

Jose Sebastián Canós

Released: February 12, 2024

Tables

AWSCloudTrail

Keywords

Devices,Intune,User

Operators

where, extend, toscalar, make_set, strcat, strcat_array, in, matches, project