Query Details

AWS Cloud Trail Aws Setdefaultpolicyversion

Query

AWSCloudTrail
| where EventName == "SetDefaultPolicyVersion"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events where the "SetDefaultPolicyVersion" action occurred. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail data, which contains logs of actions taken within an AWS environment.

  2. Filter: It filters the logs to only include events where the EventName is "SetDefaultPolicyVersion". This event typically indicates a change in the default version of an AWS policy.

  3. Invoke Function: The query uses the invoke AWSIdentityRole() function, which likely enriches the data with additional identity-related information, although the specifics of this function depend on its implementation.

  4. Select Columns: It projects (selects) a set of specific columns to include in the output. These columns provide detailed information about each event, such as:

    • TimeGenerated: When the event was logged.
    • UserIdentityType, Identity, ActorRole: Details about the user or entity that initiated the event.
    • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
    • RecipientAccountId, RecipientAccountName: Account details of the recipient.
    • AWSRegion: The AWS region where the event occurred.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Principal ID and Amazon Resource Name (ARN) of the user.
    • SourceIpAddress: IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Source and type of the event.
    • ManagementEvent, ReadOnly: Flags indicating if it's a management event and if it was read-only.
    • ErrorCode, ErrorMessage: Any error codes or messages associated with the event.
    • RequestParameters, ResponseElements: Details of the request and response.
    • Resources: Resources involved in the event.
    • SessionMfaAuthenticated: Indicates if multi-factor authentication was used.
    • UserAgent: Information about the client making the request.
    • AwsEventId: Unique identifier for the event.

Overall, this query is used to monitor and analyze changes to AWS policy versions, providing detailed context about each event for security and compliance purposes.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

whereinvokeproject

Actions

GitHub