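// Detection: reads of and changes to the AWS account password policy.
// GetAccountPasswordPolicy is a read-only, frequently automated call, so it is
// excluded only when the calling role identity is listed as expected in the
// watchlist below; UpdateAccountPasswordPolicy and DeleteAccountPasswordPolicy
// are always reported.
let _ExcludedEventNames = dynamic(["GetAccountPasswordPolicy"]);
// Build one anchored alternation, ^(a|b|c)$, from the watchlist rows that
// describe expected role identities for the excluded event names. Each entry is
// strcat(SourceResource, ActorPrincipalName), mirroring the
// strcat(SessionIssuerUserName, UserIdentityUserName) built on the event side.
// Watchlist values are used as regex fragments (the Activity name says _Regex),
// so they are deliberately not escaped here.
let _ExcludedRoleIdentityRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExcludedEventNames)
    | summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
AWSCloudTrail
| where EventName in ("GetAccountPasswordPolicy", "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy")
// Assumed-role principal ids have the form "<role id>:<session name>"; the split
// yields the session name. Principal ids without ":" (IAM users, root) give "".
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
// Drop an event only when it is an excluded (read-only) event name AND the
// role identity is non-empty AND that identity matches the expected-identity
// regex. The isnotempty() guard covers the case where no watchlist row matches:
// the generated regex then degrades to "^()$", which matches the empty string
// and would otherwise silently suppress events whose session issuer and
// derived user name are both empty.
| where not(
    EventName in (_ExcludedEventNames)
    and isnotempty(strcat(SessionIssuerUserName, UserIdentityUserName))
    and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExcludedRoleIdentityRegex
  )
// Enriches each row with the Identity and ActorRole columns projected below.
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId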
The query filters AWS CloudTrail events by the conditions above and returns a fixed set of fields from each event. It excludes events whose names are in the exclusion list and whose role identities match the generated regular expression. The projected fields cover the event itself, the user identity, the actor role, account and session details, the event source, error details, and other relevant context.

Jose Sebastián Canós
Released: February 13, 2024