Query Details
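// Failed AWS console logins (CloudTrail ConsoleLogin events that carry an
// ErrorMessage), enriched with the Entra ID users who signed in successfully
// from the same source IP during the longer lookback, so an analyst can see
// whether a failing AWS login comes from an address already associated with a
// known identity.
//
// Inputs:
//   AWSCloudTrail      - lookback: query_frequency
//   SignInLogsTables   - lookback: query_period
//   _GetWatchlist("ResultType-SignInLogsErrorCodes")
//                      - watchlist of sign-in ResultType values; rows whose
//                        Notes contain both "[Success]" and "[Complete]" and
//                        have a ResultDescription are treated as successful
//   AWSIdentityRole()  - user-defined function; presumably supplies Identity,
//                        ActorRole and the account-name columns selected in the
//                        final project (they are not produced earlier) - confirm
let query_frequency = 1h;
let query_period = 14d;
// Dynamic array of ResultType values the watchlist marks as successful sign-ins.
let _SuccessResultTypes = toscalar(
    _GetWatchlist("ResultType-SignInLogsErrorCodes")
    | where Notes has_all ("[Success]", "[Complete]") and isnotempty(ResultDescription)
    | summarize make_list(ResultType)
);
AWSCloudTrail
| where TimeGenerated > ago(query_frequency)
| where EventName == "ConsoleLogin" and isnotempty(ErrorMessage)
// AdditionalEventData is a JSON string. The second key ("AFAUsed") is kept from
// the original query; presumably a field-name variant seen in some events -
// confirm against CloudTrail samples before changing it.
| extend MFAUsed = tostring(coalesce(todynamic(AdditionalEventData)["MFAUsed"], todynamic(AdditionalEventData)["AFAUsed"]))
// Tuning knob, intentionally disabled: enable to keep only failures in which an
// MFA factor was presented.
// | where MFAUsed == "Yes"
// One row per (identity type, account, source IP, error, MFA flag), carrying the
// remaining columns of the earliest occurrence.
| summarize arg_min(TimeGenerated, *) by UserIdentityType, UserIdentityAccountId, SourceIpAddress, ErrorMessage, MFAUsed
| extend Location = geo_info_from_ip_address(SourceIpAddress)
// leftouter: CloudTrail failures with no matching Entra ID sign-in are kept,
// with an empty IPAddressUserPrincipalNames.
| join kind=leftouter (
    SignInLogsTables
    | where TimeGenerated > ago(query_period)
    | where ResultType in (_SuccessResultTypes)
    // Sign-ins with no recorded IPAddress can otherwise match CloudTrail rows
    // whose SourceIpAddress is also empty and attribute unrelated users to them.
    | where isnotempty(IPAddress)
    | summarize IPAddressUserPrincipalNames = make_set(UserPrincipalName) by IPAddress
) on $left.SourceIpAddress == $right.IPAddress
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    Location,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    MFAUsed,
    IPAddressUserPrincipalNames,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId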
The query retrieves data from AWS CloudTrail and SignInLogsTables to analyze console login events. It filters events where the EventName is "ConsoleLogin" and there is an ErrorMessage. It then extends the data by adding a column called MFAUsed, which indicates whether multi-factor authentication was used during the login. The query then summarizes the data by grouping it based on UserIdentityType, UserIdentityAccountId, SourceIpAddress, ErrorMessage, and MFAUsed. It also adds location information based on the SourceIpAddress. The query joins the summarized data with SignInLogsTables to retrieve the user principal names associated with successful sign-ins from the same IP address. Finally, it invokes AWSIdentityRole to retrieve additional information about the user's role and projects the desired columns in the output.

Jose Sebastián Canós
Released: February 13, 2024