Query Details

AWS CloudTrail: AWS Exfiltration via DataSync Task

Query

// Optional allowlist: AWS accounts approved as DataSync transfer destinations,
// taken from the "AccountId-AuditAWSAccounts" watchlist entries whose Notes carry [TransferTask].
// let _TransferAWSAccounts = toscalar(
//     _GetWatchlist("AccountId-AuditAWSAccounts")
//     | where Notes has "[TransferTask]"
//     | summarize make_list(AccountId)
// );
AWSCloudTrail
// DataSync CreateTask defines a transfer between a source location and a destination location
| where EventName == "CreateTask"
| extend DestinationLocationArn = tostring(todynamic(RequestParameters)["DestinationLocationArn"])
// Uncomment (together with the let above) to suppress destinations in approved transfer accounts
// | where not(DestinationLocationArn has_any (_TransferAWSAccounts))
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    // DestinationLocationArn,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves events from the AWSCloudTrail table and filters for EventName "CreateTask", the DataSync API call that defines a data transfer between a source location and a destination location. It extends the table with a new column, DestinationLocationArn, extracted from the RequestParameters field, so the analyst can see which account and location the data would be copied to; the commented-out lines show how to suppress destinations in accounts tagged as approved transfer partners in the "AccountId-AuditAWSAccounts" watchlist. The query then invokes the AWSIdentityRole function to enrich the actor's identity and projects a subset of columns from the table.
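As an added example, not part of the original query page, the same detection logic in Python over constructed CloudTrail records, with the watchlist allowlist applied: it parses the destination account out of the location ARN instead of substring-matching it, additionally checks eventSource, and marks whether the destination account differs from the account that logged the event. The sample records and APPROVED_TRANSFER_ACCOUNTS are assumptions standing in for live data and the watchlist.

```python
import json
import re

def _record(event_name, actor_arn, ip, params):
    """Build a constructed CloudTrail record (demo data, not a real event)."""
    return json.dumps({
        "eventTime": "2024-02-14T09:00:00Z", "eventName": event_name,
        "eventSource": "datasync.amazonaws.com", "recipientAccountId": "111111111111",
        "userIdentity": {"accountId": "111111111111", "arn": actor_arn},
        "sourceIPAddress": ip, "requestParameters": params})

LOC = "arn:aws:datasync:us-east-1:%s:location/loc-%s"
SAMPLE_CLOUDTRAIL = [  # made-up accounts, ARNs and IPs
    _record("CreateTask", "arn:aws:sts::111111111111:assumed-role/BackupOps/alice", "203.0.113.10",
            {"SourceLocationArn": LOC % ("111111111111", "src1"),
             "DestinationLocationArn": LOC % ("222222222222", "dst1")}),
    _record("CreateTask", "arn:aws:iam::111111111111:user/bob", "198.51.100.7",
            {"SourceLocationArn": LOC % ("111111111111", "src2"),
             "DestinationLocationArn": "arn:aws:datasync:eu-west-1:999999999999:location/loc-dst2"}),
    _record("StartTaskExecution", "arn:aws:iam::111111111111:user/bob", "198.51.100.7",
            {"TaskArn": "arn:aws:datasync:us-east-1:111111111111:task/task-1"}),
]

# Hypothetical stand-in for the "[TransferTask]" accounts in the watchlist used by the query.
APPROVED_TRANSFER_ACCOUNTS = {"222222222222"}

# DataSync location ARNs look like arn:aws:datasync:<region>:<account>:location/<id>.
LOCATION_ARN_RE = re.compile(r"^arn:aws[\w-]*:datasync:[^:]*:(\d{12}):location/")

def destination_account(event):
    """Return the 12-digit account that owns the task's DestinationLocationArn, or None."""
    arn = str(event.get("requestParameters", {}).get("DestinationLocationArn", ""))
    m = LOCATION_ARN_RE.match(arn)
    return m.group(1) if m else None

def find_unapproved_datasync_tasks(raw_records, approved_accounts):
    """Flag DataSync CreateTask events whose destination is not an approved account."""
    hits = []
    for raw in raw_records:
        ev = json.loads(raw)
        if ev.get("eventName") != "CreateTask" or ev.get("eventSource") != "datasync.amazonaws.com":
            continue
        dest = destination_account(ev)
        if dest in approved_accounts:
            continue  # known transfer partner: same effect as the commented-out where clause
        hits.append({"time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                     "source_ip": ev.get("sourceIPAddress"), "destination_account": dest,
                     "cross_account": dest != ev.get("recipientAccountId")})
    return hits
```

With the sample data only bob's task to account 999999999999 is returned; clearing the approved set also returns alice's task, while the StartTaskExecution event is never considered.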

Details

Jose Sebastián Canós

Released: February 14, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,CreateTask,DestinationLocationArn,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, extend, invoke, project