Query Details

AWS Cloud Trail Aws Credential Access Rds Password Reset

Query

AWSCloudTrail
| where EventName == "ModifyDBInstance" and RequestParameters has_any ("manageMasterUserPassword", "masterUserPassword", "masterUserSecretKmsKeyId", "rotateMasterUserPassword", "tdeCredentialPassword")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

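This query returns events from the AWSCloudTrail table whose event name is "ModifyDBInstance" and whose request parameters contain any of the credential-related terms listed in the filter (manageMasterUserPassword, masterUserPassword, masterUserSecretKmsKeyId, rotateMasterUserPassword, tdeCredentialPassword). It then invokes the AWSIdentityRole function and projects a selected set of fields from the logs. The filter does not test ErrorCode, so both successful and failed calls are returned.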
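The same filter applied to constructed sample rows, as an added example that is not part of the original query page; it also records which credential parameter matched and whether the call failed. The row values, the `dBInstanceIdentifier`, `applyImmediately` and `backupRetentionPeriod` keys, and the `Params`, `MatchedParameters`, `DbInstance` and `Outcome` column names are assumptions. The AWSIdentityRole function is left out because its definition is not shown on this page.

```kql
// Constructed sample rows (not real telemetry); column names follow the query above.
// Row 1: password change that succeeded.
// Row 2: password change that was denied (ErrorCode populated).
// Row 3: switch to a managed master user secret.
// Row 4: ModifyDBInstance without any credential parameter.
// Row 5: a different event name that happens to carry masterUserPassword.
let CredentialParams = dynamic(["manageMasterUserPassword", "masterUserPassword",
    "masterUserSecretKmsKeyId", "rotateMasterUserPassword", "tdeCredentialPassword"]);
let SampleEvents = datatable(
    TimeGenerated: datetime, EventName: string, UserIdentityArn: string,
    SourceIpAddress: string, ErrorCode: string, RequestParameters: string)
[
    datetime(2024-02-13 09:00:00), "ModifyDBInstance", "arn:aws:iam::111122223333:user/example-admin",
        "198.51.100.10", "", '{"dBInstanceIdentifier":"example-db","masterUserPassword":"****","applyImmediately":true}',
    datetime(2024-02-13 09:05:00), "ModifyDBInstance", "arn:aws:iam::111122223333:user/example-dev",
        "203.0.113.20", "AccessDenied", '{"dBInstanceIdentifier":"example-db","masterUserPassword":"****"}',
    datetime(2024-02-13 09:10:00), "ModifyDBInstance", "arn:aws:iam::111122223333:user/example-admin",
        "198.51.100.10", "", '{"dBInstanceIdentifier":"example-db","manageMasterUserPassword":true}',
    datetime(2024-02-13 09:15:00), "ModifyDBInstance", "arn:aws:iam::111122223333:user/example-admin",
        "198.51.100.10", "", '{"dBInstanceIdentifier":"example-db","backupRetentionPeriod":7}',
    datetime(2024-02-13 09:20:00), "CreateDBInstance", "arn:aws:iam::111122223333:user/example-admin",
        "198.51.100.10", "", '{"dBInstanceIdentifier":"example-db-2","masterUserPassword":"****"}'
];
SampleEvents
// Same condition as the query above, with the term list held in a variable
| where EventName == "ModifyDBInstance" and RequestParameters has_any (CredentialParams)
| extend Params = parse_json(RequestParameters)
// Top-level request keys that are credential parameters
| extend MatchedParameters = set_intersect(bag_keys(Params), CredentialParams)
| extend DbInstance = tostring(Params.dBInstanceIdentifier)
// An empty ErrorCode means the API call was accepted
| extend Outcome = iff(isempty(ErrorCode), "Succeeded", "Failed")
| project TimeGenerated, UserIdentityArn, SourceIpAddress, DbInstance, MatchedParameters, Outcome, ErrorCode
| order by TimeGenerated asc
```

Rows 4 and 5 are dropped by the filter, and the denied call in row 2 is kept and labelled as failed, which separates attempted password changes from completed ones during triage.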

Details


Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,EventName,RequestParameters,manageMasterUserPassword,masterUserPassword,masterUserSecretKmsKeyId,rotateMasterUserPassword,tdeCredentialPassword,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, ==, has_any, invoke, project, TimeGenerated, UserIdentityType, Identity, ActorRole, UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName, SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress, EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly, ErrorCode, ErrorMessage, RequestParameters, ResponseElements, Resources, SessionMfaAuthenticated, UserAgent, AwsEventId
