Query Details

AWS CloudTrail: Detect STS GetSessionToken Abuse

Query

AWSCloudTrail
| where EventName in ("GetSessionToken")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query filters AWS CloudTrail logs for the "GetSessionToken" event and projects the details of each matching event: time generated, user identity information, session creation date, event details, error codes, request and response parameters, and more. It returns every matching event as-is, so the output is a listing for review rather than a scored alert. The AWSIdentityRole() function it invokes is not defined on this page and must be available in the workspace for the query to run.
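A triage variant that rolls the same events up per identity and hour, added here as an example and not part of the original query. It runs over a constructed `datatable` that reuses the column names from the query above (the rows, the one-hour window and the sort order are assumptions), so it needs neither the AWSCloudTrail table nor AWSIdentityRole().

```kusto
// Constructed sample rows: column names follow the query above, all values are made up.
let SampleCloudTrail = datatable(
    TimeGenerated: datetime,
    EventName: string,
    UserIdentityArn: string,
    SourceIpAddress: string,
    ErrorCode: string,
    UserAgent: string
) [
    datetime(2024-03-05 09:02:00), "GetSessionToken", "arn:aws:iam::111122223333:user/alice", "198.51.100.10", "",             "aws-cli/2.15.0",
    datetime(2024-03-05 09:05:00), "GetSessionToken", "arn:aws:iam::111122223333:user/bob",   "203.0.113.7",   "AccessDenied", "Boto3/1.34.0",
    datetime(2024-03-05 09:06:00), "GetSessionToken", "arn:aws:iam::111122223333:user/bob",   "203.0.113.8",   "",             "Boto3/1.34.0",
    datetime(2024-03-05 09:09:00), "GetSessionToken", "arn:aws:iam::111122223333:user/bob",   "192.0.2.44",    "",             "curl/8.4.0",
    datetime(2024-03-05 09:15:00), "AssumeRole",      "arn:aws:iam::111122223333:user/alice", "198.51.100.10", "",             "aws-cli/2.15.0"
];
SampleCloudTrail
// Same event filter as the original query.
| where EventName == "GetSessionToken"
// One row per identity and hour instead of one row per event.
| summarize
    Calls             = count(),
    FailedCalls       = countif(isnotempty(ErrorCode)),
    DistinctSourceIps = dcount(SourceIpAddress),
    SourceIps         = make_set(SourceIpAddress, 10),
    UserAgents        = make_set(UserAgent, 10),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
    by UserIdentityArn, Window = bin(TimeGenerated, 1h)
// Review order only: identities calling from many addresses or failing often come first.
| sort by DistinctSourceIps desc, FailedCalls desc, Calls desc
```

To run it against live data, replace `SampleCloudTrail` with `AWSCloudTrail` and drop the `let` statement.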

Details

Jose Sebastián Canós

Released: March 5, 2024

Tables

AWSCloudTrail

Keywords

Devices,User,Intune

Operators

where, in, invoke, project
