AWS Cloud Trail Aws Network Access Control List Deleted
Query
AWSCloudTrail
| where EventName in ("DeleteNetworkAcl", "DeleteNetworkAclEntry")
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify and extract specific events related to the deletion of network access control lists (ACLs) in AWS. Here's a simple breakdown of what the query does:
-
Data Source: It starts by accessing the
AWSCloudTraildata, which contains logs of AWS API calls. -
Filter Events: It filters the logs to only include events where the
EventNameis either "DeleteNetworkAcl" or "DeleteNetworkAclEntry". These events indicate actions related to deleting network ACLs or their entries. -
Invoke Function: The query uses the
invoke AWSIdentityRole()function to enrich the data with additional identity-related information, likely providing more context about the roles involved in these events. -
Select Columns: It projects (selects) a variety of columns to include in the output, such as:
TimeGenerated: The timestamp of the event.UserIdentityType,Identity,ActorRole: Information about the user or role that initiated the event.UserIdentityAccountId,UserIdentityAccountName: Account details of the user.RecipientAccountId,RecipientAccountName: Details of the account affected by the event.AWSRegion: The AWS region where the event occurred.SessionCreationDate: When the session was created.UserIdentityPrincipalid,UserIdentityArn: Additional identifiers for the user.SourceIpAddress: The IP address from which the request was made.EventSource,EventTypeName,EventName: Details about the event type and source.ManagementEvent,ReadOnly: Flags indicating if the event is a management event and if it was read-only.ErrorCode,ErrorMessage: Information about any errors that occurred.RequestParameters,ResponseElements: Details of the request and response.Resources: Resources involved in the event.SessionMfaAuthenticated: Indicates if multi-factor authentication was used.UserAgent: The user agent string of the requester.AwsEventId: A unique identifier for the event.
Overall, this query is used to monitor and audit the deletion of network ACLs in AWS, providing detailed information about each event for security and compliance purposes.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators