Query Details

AWS Cloud Trail Aws Network Access Control List Deleted

Query

AWSCloudTrail
| where EventName in ("DeleteNetworkAcl", "DeleteNetworkAclEntry")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query reads the AWSCloudTrail table and keeps only events whose event name is "DeleteNetworkAcl" or "DeleteNetworkAclEntry". It then invokes the AWSIdentityRole function and projects specific columns from the result: time generated, user identity type, identity, actor role, user identity account ID and name, recipient account ID and name, session creation date, principal ID, ARN, source IP address, event source, event type name, event name, management event, read-only status, error code and message, request parameters, response elements, resources, session MFA authentication status, user agent, and AWS event ID. The where clause matches on EventName only and does not test ErrorCode, so the ErrorCode and ErrorMessage columns are what distinguish a failed call from a successful one.

Details


Jose Sebastián Canós

Released: February 15, 2024

Tables

AWSCloudTrail

Keywords

Devices,User

Operators

AWSCloudTrail, where, in, invoke, project, TimeGenerated, UserIdentityType, Identity, ActorRole, UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName, SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress, EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly, ErrorCode, ErrorMessage, RequestParameters, ResponseElements, Resources, SessionMfaAuthenticated, UserAgent, AwsEventId
