Query Details
// Detection window settings. query_period is kept at exactly 2 * query_frequency so that
// activity_counts_metrics below produces two bins per identity: a previous and a current one.
let query_frequency = 5m;
let query_period = 10m;
// A bin counts as "active" only when its count is strictly greater than this value.
let threshold = 1;
AWSCloudTrail
| where TimeGenerated > ago(query_period)
// Keep DescribeEventAggregates calls, but drop rows whose SourceIpAddress field carries the
// AWS Health service name (health.amazonaws.com) instead of a caller address.
| where EventName has "DescribeEventAggregates" and not(SourceIpAddress has "health.amazonaws.com")
// Project-defined function, not part of this listing; presumably it adds the Identity and
// ActorRole columns used below -- confirm against its definition.
| invoke AWSIdentityRole()
// Collapse to the earliest row per (Identity, SourceIpAddress) pair. Every count taken
// downstream therefore counts pairs by their first-seen time, not raw call volume.
| summarize arg_min(TimeGenerated, *) by Identity, SourceIpAddress
| as _Events
// leftsemi: keep the _Events rows of identities that the inner query flags, nothing else.
| join kind=leftsemi (
_Events
// query_period should be 2 * query_frequency
// Bin the rows per Identity in query_frequency-sized steps. Type is passed as the id column,
// so only the per-bin `count` output is meaningful here; the dcount outputs are not read.
| evaluate activity_counts_metrics(Type, TimeGenerated, ago(query_period), now(), query_frequency, Identity)
// Earliest bin becomes Previous*, latest bin becomes Current*.
| summarize
arg_min(PreviousTimeGenerated = TimeGenerated, PreviousCount = ["count"]),
arg_max(CurrentTimeGenerated = TimeGenerated, CurrentCount = ["count"])
by Identity
| where CurrentTimeGenerated > ago(query_period)
// Only one bin present means there was no earlier activity: treat the previous count as 0.
| extend PreviousCount = iff(PreviousTimeGenerated == CurrentTimeGenerated, 0, PreviousCount)
// Flag the identity when it newly exceeds the threshold in the current bin, or when the
// bin-over-bin increase alone exceeds the threshold.
| where (not(PreviousCount > threshold) and CurrentCount > threshold)
or ((CurrentCount - PreviousCount) > threshold)
) on Identity
// Columns kept for triage of the flagged identities.
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventId
This query analyzes AWS CloudTrail logs to identify suspicious activity related to the "DescribeEventAggregates" event. It filters out events whose source address field matches health.amazonaws.com, then counts the remaining events per identity in consecutive time windows and compares those counts against a threshold to determine whether the event counts are anomalous. The final result includes several fields related to the event, such as the user identity, source IP address, event name, and more.

Jose Sebastián Canós
Released: February 13, 2024