Query Details

AWS CloudTrail: SetDefaultPolicyVersion

Query

AWSCloudTrail
| where EventName == "SetDefaultPolicyVersion"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

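This query reads the AWSCloudTrail table and keeps only events whose EventName is "SetDefaultPolicyVersion". It passes the matching rows through the AWSIdentityRole() function, which is not defined on this page, and then projects the fields that describe each event: the time it was generated, the user identity and actor role, the account IDs and names, the source IP address, the request parameters and response elements, any error code and message, whether the session was MFA-authenticated, the user agent, and more.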

Details

Jose Sebastián Canós

Released: February 15, 2024

Tables

AWSCloudTrail

Keywords

Devices,Intune,User

Operators

where, ==, invoke, project, TimeGenerated, UserIdentityType, Identity, ActorRole, UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName, SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress, EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly, ErrorCode, ErrorMessage, RequestParameters, ResponseElements, Resources, SessionMfaAuthenticated, UserAgent, AwsEventId
