Query Details

AWS Cloud Trail Aws Exfiltration Via Datasync Task

Query

// let _TransferAWSAccounts = toscalar(
//     _GetWatchlist("AccountId-AuditAWSAccounts")
//     | where Notes has "[TransferTask]"
//     | summarize make_list(AccountId)
// );
AWSCloudTrail
| where EventName == "CreateTask"
| extend DestinationLocationArn = tostring(todynamic(RequestParameters)["DestinationLocationArn"])
// | where not(DestinationLocationArn has_any (_TransferAWSAccounts))
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    // DestinationLocationArn,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL query is designed to analyze AWS CloudTrail logs, specifically focusing on events where a "CreateTask" action occurred. Here's a simplified breakdown of what the query does:

  1. Watchlist Retrieval (Commented Out):

    • The query initially defines a variable _TransferAWSAccounts to retrieve a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" where the notes contain "[TransferTask]". However, this part is commented out, so it doesn't currently affect the query.
  2. Filter Events:

    • It filters the AWSCloudTrail logs to only include events where the EventName is "CreateTask".
  3. Extract Destination Location:

    • It extracts the DestinationLocationArn from the RequestParameters field and converts it to a string.
  4. Role Information:

    • It invokes a function AWSIdentityRole() to presumably enrich the data with identity role information.
  5. Select and Display Columns:

    • The query selects and displays a variety of columns related to the event, including:
      • TimeGenerated: When the event was logged.
      • UserIdentityType, Identity, ActorRole: Information about the user or entity that initiated the event.
      • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
      • RecipientAccountId, RecipientAccountName: Details of the recipient account.
      • AWSRegion: The AWS region where the event occurred.
      • SessionCreationDate: When the session was created.
      • UserIdentityPrincipalid, UserIdentityArn: Additional identity details.
      • SourceIpAddress: IP address from which the request was made.
      • EventSource, EventTypeName, EventName: Details about the event type and source.
      • ManagementEvent, ReadOnly: Flags indicating the nature of the event.
      • ErrorCode, ErrorMessage: Any errors associated with the event.
      • RequestParameters, ResponseElements, Resources: Details of the request and response.
      • SessionMfaAuthenticated: Whether multi-factor authentication was used.
      • UserAgent: The user agent string of the requester.
      • AwsEventId: Unique identifier for the event.

Overall, the query is set up to analyze and display detailed information about "CreateTask" events in AWS CloudTrail logs, with the potential to filter out certain accounts based on a watchlist (though this filtering is currently disabled).

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

lettoscalar_GetWatchlisthassummarizemake_listwhereextendtostringtodynamicinvokeproject

Actions

GitHub