KQL Search

Query Details

HomeAI ToolsDevice Query

AWS Cloud Trail Aws Createaccesskey

Query

let query_frequency = 1h;
let query_period = 2h;
AWSCloudTrail
| where TimeGenerated > ago(query_frequency)
| where EventName in ("CreateAccessKey", "DeleteAccessKey")
| extend UserName = tostring(todynamic(ResponseElements)["accessKey"]["userName"])
| join kind=leftanti (
    AWSCloudTrail
    | where TimeGenerated > ago(query_period)
    | where EventName == "CreateUser" and not(EventSource == "sso-directory.amazonaws.com")// and EventSource == "iam.amazonaws.com"
    | extend CreatedUserName = tostring(todynamic(RequestParameters)["userName"])
    ) on $left.UserName == $right.CreatedUserName, RecipientAccountId
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

The query retrieves data from the AWSCloudTrail table and filters it based on certain conditions. It joins the filtered data with another table and performs additional operations. The final result includes various columns related to user identity, event details, and other information.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,CreateAccessKey,DeleteAccessKey,CreateUser,sso-directory.amazonaws.com,iam.amazonaws.com,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,UserName,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

| whereTimeGenerated>agoEventNameinextendUserNametostringtodynamicjoinkind=leftantion$left.UserName$right.CreatedUserNameRecipientAccountIdinvokeAWSIdentityRole()projectUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountNameSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameEventNameManagementEventReadOnlyErrorCodeErrorMessageUserNameRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId.

Actions