Query Details

AWS Cloud Trail Aws Credential Access Getpassworddata

Query

AWSCloudTrail
| where EventName == "GetPasswordData"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query filters the AWSCloudTrail table for events whose EventName is "GetPasswordData", passes the results through the AWSIdentityRole() function, and projects a fixed set of fields. The selected fields cover the time the event was generated, the user identity and actor role, account information for both the caller and the recipient, session details, source IP address, event source, event type, the management-event and read-only flags, error code and message, request parameters and response elements, the resources involved, session MFA authentication status, user agent, and AWS event ID.
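The query above returns one row per event. As a follow-on triage step, the added example below (not part of the original query or the author's code) groups GetPasswordData calls per caller and hour and keeps only groups that touch many instances or include denied calls. It assumes RequestParameters is a JSON string carrying an instanceId key; the threshold, the 1-hour bin, the SampleTrail name and every sample row are constructed for illustration.

```kql
// Added example. SampleTrail holds constructed rows, not real events;
// replace it with AWSCloudTrail to run against real data.
let instance_threshold = 3; // assumed: distinct instances per caller per hour
let SampleTrail = datatable(
    TimeGenerated: datetime, EventName: string, UserIdentityArn: string,
    SourceIpAddress: string, ErrorCode: string, RequestParameters: string)
[
    datetime(2024-02-13 10:00:00), "GetPasswordData", "arn:aws:iam::111111111111:user/example-admin",
        "198.51.100.10", "", '{"instanceId":"i-0aaa0000000000001"}',
    datetime(2024-02-13 11:02:00), "GetPasswordData", "arn:aws:sts::111111111111:assumed-role/example-role/session-a",
        "203.0.113.25", "", '{"instanceId":"i-0bbb0000000000001"}',
    datetime(2024-02-13 11:05:00), "GetPasswordData", "arn:aws:sts::111111111111:assumed-role/example-role/session-a",
        "203.0.113.25", "", '{"instanceId":"i-0bbb0000000000002"}',
    datetime(2024-02-13 11:09:00), "GetPasswordData", "arn:aws:sts::111111111111:assumed-role/example-role/session-a",
        "203.0.113.25", "Client.UnauthorizedOperation", '{"instanceId":"i-0bbb0000000000003"}',
    datetime(2024-02-13 11:10:00), "DescribeInstances", "arn:aws:sts::111111111111:assumed-role/example-role/session-a",
        "203.0.113.25", "", '{}'
];
SampleTrail
| where EventName == "GetPasswordData"
// Pull the target instance out of the JSON request parameters.
| extend InstanceId = tostring(parse_json(RequestParameters).instanceId)
| summarize
    Calls = count(),
    DeniedCalls = countif(isnotempty(ErrorCode)),
    Instances = dcount(InstanceId),
    InstanceIds = make_set(InstanceId, 20),
    SourceIps = make_set(SourceIpAddress, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserIdentityArn, Hour = bin(TimeGenerated, 1h)
// Keep only groups worth a closer look and say why.
| extend Reason = case(
    Instances >= instance_threshold, "many instances in one hour",
    DeniedCalls > 0, "denied calls",
    "")
| where isnotempty(Reason)
| order by Instances desc, DeniedCalls desc
```

On the constructed rows, the single call by example-admin is dropped and the example-role session is kept because it requested password data for three instances within the same hour.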

Details

Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

Devices,Intune,User

Operators

where, ==, invoke, project, TimeGenerated, UserIdentityType, Identity, ActorRole, UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName, SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress, EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly, ErrorCode, ErrorMessage, RequestParameters, ResponseElements, Resources, SessionMfaAuthenticated, UserAgent, AwsEventId
