Query Details

AWS Cloud Trail Aws Exfiltration Via Bucket Replication

Query

// Optional allow-list: AWS account IDs approved as replication destinations, taken from the
// AccountId-AuditAWSAccounts watchlist entries whose Notes are tagged [BucketReplication].
// let _ReplicationAWSAccounts = toscalar(
//     _GetWatchlist("AccountId-AuditAWSAccounts")
//     | where Notes has "[BucketReplication]"
//     | summarize make_list(AccountId)
// );
AWSCloudTrail
| where EventName == "PutBucketReplication"
// Optional enrichment: parse the replication configuration carried in the request.
// | extend RequestParameters = todynamic(RequestParameters)
// CloudTrail serialises a single rule as an object and several rules as an array; wrap the
// object in an array so mv-expand yields one row per rule in both cases.
// | mv-expand Rule = iff(isempty(array_length(RequestParameters["ReplicationConfiguration"]["Rule"])), pack_array(RequestParameters["ReplicationConfiguration"]["Rule"]), RequestParameters["ReplicationConfiguration"]["Rule"])
// | extend
//     DestinationBucket = tostring(Rule["Destination"]["Bucket"]),                          // destination bucket ARN
//     AccessControlTranslation = tostring(Rule["Destination"]["AccessControlTranslation"]),  // Owner = Destination hands replica ownership to the destination account
//     ReplicaOwner = tostring(Rule["Destination"]["Account"])                               // destination account ID (set for cross-account replication)
// Drop replication to approved accounts. A bucket ARN (arn:aws:s3:::name) carries no account ID,
// so the allow-list must be matched against ReplicaOwner, not DestinationBucket.
// | where not(ReplicaOwner has_any (_ReplicationAWSAccounts))
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    // DestinationBucket,
    // AccessControlTranslation,
    // ReplicaOwner,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

The query selects AWSCloudTrail events whose EventName is PutBucketReplication, the S3 API call that creates or replaces a bucket's replication configuration. Replication copies newly written objects to a destination bucket, which may belong to another AWS account, so a principal allowed to call this API (s3:PutReplicationConfiguration, plus iam:PassRole for the replication role) can set up continuous, server-side exfiltration that needs no further data-plane calls and is easy to miss among legitimate backup or disaster-recovery rules. Each hit is enriched with invoke AWSIdentityRole(), a custom function (not a built-in Sentinel function) that derives ActorRole and the account names, and the projection keeps the identity, session (including SessionMfaAuthenticated), source IP, user agent, request/response and error fields an analyst needs to judge the change. ErrorCode and ErrorMessage are kept deliberately: a denied PutBucketReplication still shows intent and is worth a look.

The commented-out block is an optional allow-list filter. It parses RequestParameters, expands ReplicationConfiguration.Rule (CloudTrail writes one rule as an object and several as an array, hence the pack_array wrapper), and extracts the destination bucket ARN, the replica owner account (Rule.Destination.Account) and any AccessControlTranslation (Owner = Destination transfers ownership of the replicas to the destination account, the setting an exfiltrating party wants). Accounts listed in the AccountId-AuditAWSAccounts watchlist with the note [BucketReplication] are treated as approved destinations. Because a bucket ARN does not contain an account ID, the allow-list has to be matched against ReplicaOwner rather than the bucket name, and a rule with no Destination.Account (same-account replication) is not cleared by the allow-list, so the destination bucket itself should still be reviewed.
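The enrichment the commented-out block performs, re-implemented over raw CloudTrail JSON so it can be exercised offline. This is an added example, not code from the query page or its author; the events are constructed, the account IDs are placeholders, and APPROVED_REPLICATION_ACCOUNTS is a hypothetical stand-in for the watchlist entries tagged [BucketReplication]. It handles the single-rule (object) and multi-rule (array) serialisations, classifies each rule by replica owner, and keeps denied calls as findings.

```python
"""Added example (not from the original query page or its author): the
enrichment of the commented-out KQL block applied to raw CloudTrail JSON.
Events are constructed, account IDs are placeholders."""
import json

# Hypothetical allow-list equivalent to the AccountId-AuditAWSAccounts watchlist.
APPROVED_REPLICATION_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail records (not real logs); only fields the logic reads.
SAMPLE_EVENTS = json.loads(r'''
[
 {"eventName": "GetBucketReplication", "recipientAccountId": "111111111111",
  "requestParameters": {"bucketName": "corp-finance-data"}},
 {"eventName": "PutBucketReplication", "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
  "sourceIPAddress": "10.20.30.40",
  "requestParameters": {"bucketName": "corp-finance-data",
   "ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/s3-replication",
    "Rule": {"ID": "dr-copy", "Status": "Enabled",
             "Destination": {"Bucket": "arn:aws:s3:::corp-finance-dr"}}}}},
 {"eventName": "PutBucketReplication", "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DevRole/ci"},
  "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"bucketName": "corp-finance-data",
   "ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/s3-replication",
    "Rule": [
     {"ID": "audit-copy", "Status": "Enabled",
      "Destination": {"Bucket": "arn:aws:s3:::audit-archive",
                      "Account": "222222222222"}},
     {"ID": "sync", "Status": "Enabled",
      "Destination": {"Bucket": "arn:aws:s3:::totally-legit-backups",
                      "Account": "999999999999",
                      "AccessControlTranslation": {"Owner": "Destination"}}}]}}},
 {"eventName": "PutBucketReplication", "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/intern"},
  "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied",
  "requestParameters": {"bucketName": "corp-finance-data",
   "ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/s3-replication",
    "Rule": {"ID": "x", "Status": "Enabled",
             "Destination": {"Bucket": "arn:aws:s3:::attacker-bucket",
                             "Account": "999999999999"}}}}}
]
''')


def rules_of(request_parameters):
    """Return ReplicationConfiguration.Rule as a list. CloudTrail serialises one
    rule as an object and several as an array; this mirrors the KQL
    array_length/pack_array normalisation ahead of mv-expand."""
    rule = (request_parameters or {}).get("ReplicationConfiguration", {}).get("Rule")
    if rule is None:
        return []
    return rule if isinstance(rule, list) else [rule]


def assess_event(event, approved=APPROVED_REPLICATION_ACCOUNTS):
    """One finding per replication rule in a PutBucketReplication record."""
    source_account = event.get("recipientAccountId")
    params = event.get("requestParameters") or {}
    findings = []
    for rule in rules_of(params):
        dest = rule.get("Destination") or {}
        # Destination.Account is only set for cross-account replication; when
        # absent the replicas remain owned by the source bucket's account.
        replica_owner = dest.get("Account") or source_account
        if replica_owner == source_account:
            verdict = "same-account"
        elif replica_owner in approved:
            verdict = "approved-cross-account"
        else:
            verdict = "unapproved-cross-account"
        findings.append({
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "bucket": params.get("bucketName"),
            "destination_bucket": dest.get("Bucket"),
            "replica_owner": replica_owner,
            # Owner=Destination hands ownership of the replicas to the other account.
            "ownership_transferred":
                (dest.get("AccessControlTranslation") or {}).get("Owner") == "Destination",
            # A denied call still shows intent; the KQL keeps ErrorCode for the same reason.
            "failed": bool(event.get("errorCode")),
            "verdict": verdict,
        })
    return findings


def hunt(events, approved=APPROVED_REPLICATION_ACCOUNTS):
    """Equivalent of `where EventName == "PutBucketReplication"` plus enrichment."""
    return [f for e in events if e.get("eventName") == "PutBucketReplication"
            for f in assess_event(e, approved)]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run as a script it prints one JSON finding per rule; the two rules owned by the placeholder account 999999999999 come out as unapproved-cross-account, the one with AccessControlTranslation additionally flagged as transferring ownership, and the AccessDenied attempt is retained with failed set rather than dropped.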

Details


Jose Sebastián Canós

Released: February 14, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,EventName,invoke,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, has, ==, extend, todynamic, mv-expand, iff, isempty, array_length, pack_array, tostring, not, has_any, invoke, project
