Query Details

AWS Cloud Trail Aws Password Policy Changes

Query

let _ExpectedEventNames = dynamic(["GetAccountPasswordPolicy"]);
let _ExpectedRoleIdentityRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExpectedEventNames)
    | summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
AWSCloudTrail
| where EventName in ("GetAccountPasswordPolicy", "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy")
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
| where not(EventName in (_ExpectedEventNames) and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExpectedRoleIdentityRegex)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify potentially unauthorized or unexpected activities related to account password policies. Here's a simplified breakdown of what the query does:

  1. Define Expected Events: It starts by defining a list of expected event names, specifically focusing on "GetAccountPasswordPolicy".

  2. Fetch Expected Role Identity Patterns: It retrieves a set of expected role identity patterns from a watchlist named "Activity-ExpectedSignificantActivity". This is used to identify roles that are expected to perform certain activities.

  3. Filter CloudTrail Logs: The query then filters AWS CloudTrail logs to focus on events related to account password policies, specifically "GetAccountPasswordPolicy", "UpdateAccountPasswordPolicy", and "DeleteAccountPasswordPolicy".

  4. Exclude Expected Activities: It excludes events where the event name is in the list of expected events and the user identity matches the expected role identity patterns. This helps in focusing on unexpected activities.

  5. Invoke Additional Role Information: The query calls a function AWSIdentityRole() to enrich the data with additional role-related information.

  6. Project Relevant Fields: Finally, it selects and displays a set of relevant fields from the filtered logs, such as the time of the event, user identity details, account information, event details, and any error messages.

In summary, this query is used to identify and investigate unexpected or potentially unauthorized access to AWS account password policies by filtering out expected activities and focusing on anomalies.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

letdynamictoscalar_GetWatchlistwherehas_anysummarizemake_setstrcatextendintostringsplitnotmatchesregexinvokeproject

Actions

GitHub