Query Details

AWS Cloud Trail Aws Multi Factor Authentication Disabled

Query

// Two IAM API calls remove a multi-factor device from a principal:
//   DeactivateMFADevice    - detaches a virtual or hardware device from a user (userName + serialNumber)
//   DeleteVirtualMFADevice - destroys a virtual device (request carries only serialNumber)
AWSCloudTrail
| where EventName in ("DeleteVirtualMFADevice", "DeactivateMFADevice")
// RequestParameters is stored as a JSON string; pull out the target user and the device ARN
| extend
    UserName = tostring(todynamic(RequestParameters)["userName"]),
    Device = tostring(todynamic(RequestParameters)["serialNumber"])
// Enrich the calling identity with its role (adds the ActorRole column)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,            // differs from UserIdentityAccountId on cross-account calls
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,                     // empty when the call succeeded and MFA is really gone
    ErrorMessage,
    UserName,                      // user losing MFA; empty for DeleteVirtualMFADevice
    Device,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,       // whether the actor's own session used MFA
    UserAgent,
    AwsEventId

Explanation

This query pulls the two IAM API calls that remove a multi-factor device from a principal: DeactivateMFADevice, which detaches a virtual or hardware device from a user, and DeleteVirtualMFADevice, which destroys a virtual device. Either call lowers the bar for taking over the affected user, and an attacker holding stolen credentials will often remove MFA to keep access, so both are worth alerting on. The query parses the RequestParameters JSON to surface the target user (UserName) and the device ARN (Device), enriches the calling identity through the AWSIdentityRole() function (ActorRole), and projects the identity, session, network and error fields needed for triage.

When reviewing a hit, start with ErrorCode: an empty value means the call succeeded and MFA is actually gone, while AccessDenied means the attempt was blocked, which is still a signal that someone tried. SessionMfaAuthenticated tells you whether the actor's own session used MFA; a session without MFA removing MFA from another user is the highest-signal combination. Compare UserName with Identity and UserIdentityArn: a user rotating their own device is common and usually benign, whereas an administrator, or a role reached from another account (RecipientAccountId differing from UserIdentityAccountId), removing someone else's device is not. Note that DeleteVirtualMFADevice takes only serialNumber, so UserName is empty for those events; the device name in the ARN (arn:aws:iam::<account>:mfa/<name>) usually, but not necessarily, matches the user name.
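The same detection logic, re-implemented in Python over raw CloudTrail JSON as delivered to S3, so it can be run offline against an export. This is an added example, not part of the original page or of Microsoft's Sentinel content; the four records are constructed, and the account ID, ARNs and IP addresses are placeholders. It goes slightly beyond the KQL: for DeleteVirtualMFADevice, whose request has no userName, it infers the target from the device ARN and marks it as inferred, and it ranks each finding by whether the call succeeded, whether the actor's own session was MFA-authenticated, and whether the change was self-service.

```python
"""Run the MFA-removal detection over raw CloudTrail JSON (added example, not the
page's own code). The sample log is constructed; IDs, ARNs and IPs are placeholders."""
import json

MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def _mfa_authenticated(user_identity):
    """True/False from sessionContext.attributes.mfaAuthenticated, None when absent.
    CloudTrail stores the flag as the string "true"/"false"; calls made with
    long-term access keys have no sessionContext, so None means "no session to judge"."""
    attrs = (user_identity.get("sessionContext") or {}).get("attributes") or {}
    flag = attrs.get("mfaAuthenticated")
    return None if flag is None else str(flag).lower() == "true"


def _user_from_serial(serial):
    """Best-effort target for DeleteVirtualMFADevice (request has no userName):
    ARNs look like arn:aws:iam::<account>:mfa/<name>, and <name> usually equals the user."""
    if serial and ":mfa/" in serial:
        return serial.rsplit(":mfa/", 1)[1].split("/")[-1]
    return None


def find_mfa_removals(records):
    """Return one finding per MFA deactivation/deletion call, successful or not."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in MFA_REMOVAL_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        device = params.get("serialNumber")
        target, inferred = params.get("userName"), False
        if target is None:
            target, inferred = _user_from_serial(device), True
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor_arn": identity.get("arn"),
            "actor_type": identity.get("type"),
            "target_user": target,
            "target_inferred": inferred,
            "device": device,
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,  # no errorCode: MFA is really gone
            "error": rec.get("errorCode"),
            "actor_mfa": _mfa_authenticated(identity),
            "self_service": target is not None and target == identity.get("userName"),
        })
    return findings


def severity(finding):
    """Blocked attempts are medium; self-service from an MFA session is low;
    removing another user's MFA, or doing it without MFA yourself, is high."""
    if not finding["succeeded"]:
        return "medium"
    if finding["self_service"] and finding["actor_mfa"]:
        return "low"
    return "high"


# Constructed sample, trimmed to the fields the detection uses.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-02-13T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "bob", "serialNumber": "arn:aws:iam::123456789012:mfa/bob"},
  "responseElements": null, "eventID": "00000000-0000-4000-8000-000000000001", "recipientAccountId": "123456789012"},
 {"eventTime": "2024-02-13T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteVirtualMFADevice",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/bob"},
  "responseElements": null, "eventID": "00000000-0000-4000-8000-000000000002", "recipientAccountId": "123456789012"},
 {"eventTime": "2024-02-13T10:03:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
  "requestParameters": null, "eventID": "00000000-0000-4000-8000-000000000003", "recipientAccountId": "123456789012"},
 {"eventTime": "2024-02-13T10:04:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory", "userName": "mallory"},
  "sourceIPAddress": "192.0.2.44", "requestParameters": {"userName": "carol", "serialNumber": "arn:aws:iam::123456789012:mfa/carol"},
  "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:iam::123456789012:user/mallory is not authorized to perform: iam:DeactivateMFADevice",
  "eventID": "00000000-0000-4000-8000-000000000004", "recipientAccountId": "123456789012"}
]}"""


def run_sample():
    """Parse the constructed log and return its findings in record order."""
    return find_mfa_removals(json.loads(SAMPLE_LOG)["Records"])
```

Running run_sample() yields three findings: alice removing bob's device from a non-MFA session (high), bob deleting his own device from an MFA session (low), and mallory's blocked attempt on carol (medium); the ListUsers record is ignored. The actor_mfa value of None for mallory, who called with an access key and therefore had no session context, is deliberately kept distinct from False.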

Details

Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

Devices, User

Operators

where, in, extend, tostring, invoke, project