Query Details

AWS Cloud Trail Aws Disable Bucket Versioning

Query

AWSCloudTrail
| where EventName has "PutBucketVersioning"
| where tostring(todynamic(RequestParameters)["VersioningConfiguration"]["Status"]) == "Suspended"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query searches the AWSCloudTrail table for "PutBucketVersioning" events whose request sets the versioning configuration status to "Suspended", that is, requests to suspend versioning on an S3 bucket. It then invokes the AWSIdentityRole function and projects the identity, account, session, source IP, request and response fields listed in the query.
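The filter described above can be checked without live AWS data by running it over a constructed datatable. This is an added example, not part of the original query: the rows, account ID, ARNs and bucket names are constructed, the BucketName and Outcome columns are added for triage, and the AWSIdentityRole() call is left out because that function is not defined on this page.

```kusto
// Constructed sample rows (not real events), limited to the columns the filter needs.
// Row 1: versioning suspended, request succeeded.
// Row 2: versioning enabled, same event name.
// Row 3: suspend attempt that was denied (ErrorCode is set).
// Row 4: unrelated S3 event with no VersioningConfiguration key.
let SampleCloudTrail = datatable(
    TimeGenerated: datetime, EventName: string, UserIdentityArn: string,
    ErrorCode: string, RequestParameters: string)
[
    datetime(2024-02-13 10:00:00), "PutBucketVersioning",
        "arn:aws:iam::111122223333:user/example-admin", "",
        '{"bucketName":"example-bucket-a","VersioningConfiguration":{"Status":"Suspended"}}',
    datetime(2024-02-13 10:05:00), "PutBucketVersioning",
        "arn:aws:iam::111122223333:user/example-admin", "",
        '{"bucketName":"example-bucket-b","VersioningConfiguration":{"Status":"Enabled"}}',
    datetime(2024-02-13 10:10:00), "PutBucketVersioning",
        "arn:aws:iam::111122223333:user/example-readonly", "AccessDenied",
        '{"bucketName":"example-bucket-c","VersioningConfiguration":{"Status":"Suspended"}}',
    datetime(2024-02-13 10:15:00), "PutBucketPolicy",
        "arn:aws:iam::111122223333:user/example-admin", "",
        '{"bucketName":"example-bucket-d"}'
];
SampleCloudTrail
// Same two filters as the query on this page.
| where EventName has "PutBucketVersioning"
| extend VersioningStatus = tostring(todynamic(RequestParameters)["VersioningConfiguration"]["Status"])
| where VersioningStatus == "Suspended"
// Triage columns added for this example only.
| extend
    BucketName = tostring(todynamic(RequestParameters)["bucketName"]),
    Outcome = iff(isempty(ErrorCode), "succeeded", strcat("failed: ", ErrorCode))
| project TimeGenerated, UserIdentityArn, BucketName, VersioningStatus, Outcome
```

The query does not filter on ErrorCode, so the denied attempt in row 3 is returned alongside the successful change in row 1; ErrorCode is the field that separates attempted from completed changes.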

Details

Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

Devices, User

Operators

where, has, tostring, ==, invoke, project
