Query Details

AWS Cloud Trail AWS Guard Duty Configuration Modified

Query

let event_list = dynamic([
    "CreateIPSet",
    "UpdateIPSet",
    "UpdatePublishingDestination",
    "DeletePublishingDestination",
    "UpdateThreatIntelSet",
    "DeleteThreatIntelSet",
    "UpdateDetector",
    "DeleteDetector",
    "UpdateFilter",
    "DeleteFilter",
    "StopMonitoringMembers",
    "UpdateMemberDetectors",
    "DisassociateMembers",
    "DeleteMembers",
    "UpdateOrganizationConfiguration",
    "DisableOrganizationAdminAccount",
    "UpdateMalwareScanSettings"
]);
AWSCloudTrail
| where EventName in (event_list)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs for specific events related to AWS security and configuration management. Here's a simplified breakdown:

  1. Event List Definition: A list of specific AWS CloudTrail event names is defined. These events are related to creating, updating, or deleting security configurations and settings, such as IP sets, threat intelligence sets, detectors, filters, and organizational configurations.

  2. Data Source: The query pulls data from the AWSCloudTrail table, which contains logs of AWS API calls.

  3. Filtering: The query filters the logs to include only those events whose names match the ones specified in the event_list.

  4. Role Information: It uses the invoke AWSIdentityRole() function to retrieve additional information about the roles involved in these events.

  5. Projection: The query selects specific columns to display from the filtered data, including:

    • TimeGenerated: When the event occurred.
    • UserIdentityType, Identity, ActorRole, TargetRole, TargetRoleSessionName: Information about the user or role that initiated the event.
    • UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName: Account details related to the event.
    • AWSRegion: The AWS region where the event took place.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Identifiers for the user or role.
    • SourceIpAddress: The IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event type and source.
    • ManagementEvent, ReadOnly: Flags indicating if the event was a management event or read-only.
    • ErrorCode, ErrorMessage: Any errors that occurred during the event.
    • RequestParameters, ResponseElements, Resources: Details about the request and response, and resources involved.
    • SessionMfaAuthenticated: Whether multi-factor authentication was used.
    • UserAgent: The user agent string of the client making the request.
    • AwsEventId: A unique identifier for the event.

Overall, this query helps in monitoring and auditing specific security-related changes and actions within an AWS environment by focusing on a predefined set of critical events.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleEventNameUserIdentityTypeIdentityActorRoleTargetRoleTargetRoleSessionNameUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

letdynamicininvokeprojectwhere

Actions

GitHub