AWS Cloud Trail AWS Guard Duty Configuration Modified
Query
let event_list = dynamic([
"CreateIPSet",
"UpdateIPSet",
"UpdatePublishingDestination",
"DeletePublishingDestination",
"UpdateThreatIntelSet",
"DeleteThreatIntelSet",
"UpdateDetector",
"DeleteDetector",
"UpdateFilter",
"DeleteFilter",
"StopMonitoringMembers",
"UpdateMemberDetectors",
"DisassociateMembers",
"DeleteMembers",
"UpdateOrganizationConfiguration",
"DisableOrganizationAdminAccount",
"UpdateMalwareScanSettings"
]);
AWSCloudTrail
| where EventName in (event_list)
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
TargetRole,
TargetRoleSessionName,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs for specific events related to AWS security and configuration management. Here's a simplified breakdown:
-
Event List Definition: A list of specific AWS CloudTrail event names is defined. These events are related to creating, updating, or deleting security configurations and settings, such as IP sets, threat intelligence sets, detectors, filters, and organizational configurations.
-
Data Source: The query pulls data from the
AWSCloudTrailtable, which contains logs of AWS API calls. -
Filtering: The query filters the logs to include only those events whose names match the ones specified in the
event_list. -
Role Information: It uses the
invoke AWSIdentityRole()function to retrieve additional information about the roles involved in these events. -
Projection: The query selects specific columns to display from the filtered data, including:
- TimeGenerated: When the event occurred.
- UserIdentityType, Identity, ActorRole, TargetRole, TargetRoleSessionName: Information about the user or role that initiated the event.
- UserIdentityAccountId, UserIdentityAccountName, RecipientAccountId, RecipientAccountName: Account details related to the event.
- AWSRegion: The AWS region where the event took place.
- SessionCreationDate: When the session was created.
- UserIdentityPrincipalid, UserIdentityArn: Identifiers for the user or role.
- SourceIpAddress: The IP address from which the request was made.
- EventSource, EventTypeName, EventName: Details about the event type and source.
- ManagementEvent, ReadOnly: Flags indicating if the event was a management event or read-only.
- ErrorCode, ErrorMessage: Any errors that occurred during the event.
- RequestParameters, ResponseElements, Resources: Details about the request and response, and resources involved.
- SessionMfaAuthenticated: Whether multi-factor authentication was used.
- UserAgent: The user agent string of the client making the request.
- AwsEventId: A unique identifier for the event.
Overall, this query helps in monitoring and auditing specific security-related changes and actions within an AWS environment by focusing on a predefined set of critical events.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators