Query Details

AWS Cloud Trail Aws Exfiltration Via Bucket Replication

Query

// let _ReplicationAWSAccounts = toscalar(
//     _GetWatchlist("AccountId-AuditAWSAccounts")
//     | where Notes has "[BucketReplication]"
//     | summarize make_list(AccountId)
// );
AWSCloudTrail
| where EventName == "PutBucketReplication"
// | extend RequestParameters = todynamic(RequestParameters)
// | mv-expand Rule = iff(isempty(array_length(RequestParameters["ReplicationConfiguration"]["Rule"])), pack_array(RequestParameters["ReplicationConfiguration"]["Rule"]), RequestParameters["ReplicationConfiguration"]["Rule"])
// | extend
//     DestinationBucket = tostring(Rule["Destination"]["Bucket"]),
//     AccessControlTranslation = tostring(Rule["Destination"]["AccessControlTranslation"]),
//     ReplicaOwner = tostring(Rule["Destination"]["Account"])
// | where not(DestionationBucket has_any (_ReplicationAWSAccounts))
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    // DestinationBucket,
    // AccessControlTranslation,
    // ReplicaOwner,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query is designed to analyze AWS CloudTrail logs specifically for events related to the "PutBucketReplication" action. Here's a simplified breakdown of what the query does:

  1. Watchlist Filtering (Commented Out):

    • The first part of the query (commented out) is intended to create a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" that have notes containing "[BucketReplication]". This list is stored in a variable called _ReplicationAWSAccounts.
  2. Filter CloudTrail Logs:

    • The query filters the AWSCloudTrail logs to only include events where the EventName is "PutBucketReplication". This event indicates that a replication configuration has been set for an S3 bucket.
  3. Invoke AWS Identity Role:

    • The query uses the invoke AWSIdentityRole() function, which likely enriches the data with additional identity-related information.
  4. Project Relevant Fields:

    • The query selects (or projects) a specific set of fields from the filtered logs to be displayed. These fields include:
      • TimeGenerated: The time the event was logged.
      • UserIdentityType, Identity, ActorRole: Information about the user or role that initiated the event.
      • UserIdentityAccountId, UserIdentityAccountName: The account ID and name of the user.
      • RecipientAccountId, RecipientAccountName: The account ID and name of the recipient.
      • AWSRegion: The AWS region where the event occurred.
      • SessionCreationDate: The date the session was created.
      • UserIdentityPrincipalid, UserIdentityArn: Principal ID and ARN of the user.
      • SourceIpAddress: The IP address from which the request was made.
      • EventSource, EventTypeName, EventName: Details about the event source and type.
      • ManagementEvent, ReadOnly: Flags indicating if the event is a management event and if it is read-only.
      • ErrorCode, ErrorMessage: Any error codes or messages associated with the event.
      • RequestParameters, ResponseElements, Resources: Details about the request, response, and resources involved.
      • SessionMfaAuthenticated: Indicates if MFA was used.
      • UserAgent: The user agent string of the requester.
      • AwsEventId: The unique ID of the AWS event.
  5. Commented Out Logic:

    • There are additional commented-out sections that would further process the RequestParameters to extract details about the replication configuration, such as the destination bucket and replica owner. These sections are currently not active in the query.

Overall, this query is set up to monitor and analyze "PutBucketReplication" events in AWS CloudTrail, providing detailed information about each event and the identities involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

lettoscalar_GetWatchlistwherehassummarizemake_list|==iffisemptyarray_lengthpack_arrayextendtostringnothas_anyinvokeproject

Actions

GitHub