AWS Cloud Trail Aws Detect Sts Get Session Token Abuse
Query
AWSCloudTrail
| where EventName in ("GetSessionToken")
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs specifically for events where the "GetSessionToken" action was performed. Here's a simple breakdown of what the query does:
-
Data Source: It starts by accessing the
AWSCloudTraildata, which contains logs of AWS API calls. -
Filter: It filters the logs to only include events where the
EventNameis "GetSessionToken". This event typically involves requests for temporary security credentials. -
Invoke Function: The query uses the
invoke AWSIdentityRole()function to enrich the data with additional identity-related information. -
Select Columns: It projects (selects) a specific set of columns to include in the output. These columns provide detailed information about each "GetSessionToken" event, such as:
TimeGenerated: When the event occurred.UserIdentityType,Identity,ActorRole: Information about the user or role that initiated the event.UserIdentityAccountId,UserIdentityAccountName: Account details of the user.RecipientAccountId,RecipientAccountName: Account details of the recipient.AWSRegion: The AWS region where the event took place.SessionCreationDate: When the session was created.UserIdentityPrincipalid,UserIdentityArn: Principal identifiers.SourceIpAddress: IP address from which the request was made.EventSource,EventTypeName,EventName: Details about the event type and source.ManagementEvent,ReadOnly: Flags indicating the nature of the event.ErrorCode,ErrorMessage: Information about any errors that occurred.RequestParameters,ResponseElements: Details of the request and response.Resources: Resources involved in the event.SessionMfaAuthenticated: Indicates if MFA was used.UserAgent: Information about the client making the request.AwsEventId: Unique identifier for the event.
In summary, this query is used to extract and display detailed information about "GetSessionToken" events from AWS CloudTrail logs, providing insights into who requested session tokens, when, and from where, along with other relevant details.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators