Query Details

AWS Cloud Trail Aws Detect Sts Get Session Token Abuse

Query

AWSCloudTrail
| where EventName in ("GetSessionToken")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs specifically for events where the "GetSessionToken" action was performed. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail data, which contains logs of AWS API calls.

  2. Filter: It filters the logs to only include events where the EventName is "GetSessionToken". This event typically involves requests for temporary security credentials.

  3. Invoke Function: The query uses the invoke AWSIdentityRole() function to enrich the data with additional identity-related information.

  4. Select Columns: It projects (selects) a specific set of columns to include in the output. These columns provide detailed information about each "GetSessionToken" event, such as:

    • TimeGenerated: When the event occurred.
    • UserIdentityType, Identity, ActorRole: Information about the user or role that initiated the event.
    • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
    • RecipientAccountId, RecipientAccountName: Account details of the recipient.
    • AWSRegion: The AWS region where the event took place.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Principal identifiers.
    • SourceIpAddress: IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event type and source.
    • ManagementEvent, ReadOnly: Flags indicating the nature of the event.
    • ErrorCode, ErrorMessage: Information about any errors that occurred.
    • RequestParameters, ResponseElements: Details of the request and response.
    • Resources: Resources involved in the event.
    • SessionMfaAuthenticated: Indicates if MFA was used.
    • UserAgent: Information about the client making the request.
    • AwsEventId: Unique identifier for the event.

In summary, this query is used to extract and display detailed information about "GetSessionToken" events from AWS CloudTrail logs, providing insights into who requested session tokens, when, and from where, along with other relevant details.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventNameAWSIdentityRoleTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

whereininvokeproject

Actions

GitHub