Query Details

AWS Cloud Trail Aws Concurrent Sessions From Different Ips

Query

let query_frequency = 5m;
let query_period = 10m;
let threshold = 1;
AWSCloudTrail
| where TimeGenerated > ago(query_period)
| where EventName has "DescribeEventAggregates" and not(SourceIpAddress has "health.amazonaws.com")
| invoke AWSIdentityRole()
| summarize arg_min(TimeGenerated, *) by Identity, SourceIpAddress
| as _Events
| join kind=leftsemi (
    _Events
    // query_period should be 2 * query_frequency
    | evaluate activity_counts_metrics(Type, TimeGenerated, ago(query_period), now(), query_frequency, Identity)
    | summarize
        arg_min(PreviousTimeGenerated = TimeGenerated, PreviousCount = ["count"]),
        arg_max(CurrentTimeGenerated = TimeGenerated, CurrentCount = ["count"])
        by Identity
    | where CurrentTimeGenerated > ago(query_period)
    | extend PreviousCount = iff(PreviousTimeGenerated == CurrentTimeGenerated, 0, PreviousCount)
    | where (not(PreviousCount > threshold) and CurrentCount > threshold)
        or ((CurrentCount - PreviousCount) > threshold)
    ) on Identity
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify unusual activity related to the "DescribeEventAggregates" event. Here's a simplified explanation of what the query does:

  1. Set Parameters:

    • query_frequency is set to 5 minutes.
    • query_period is set to 10 minutes.
    • threshold is set to 1.
  2. Filter Events:

    • The query looks at events generated in the last 10 minutes (query_period).
    • It specifically filters for events with the name "DescribeEventAggregates" and excludes those from the IP address "health.amazonaws.com".
  3. Identify Roles:

    • It uses the AWSIdentityRole() function to enrich the data with identity role information.
  4. Summarize Events:

    • It summarizes the earliest occurrence of each event by Identity and SourceIpAddress.
  5. Join with Activity Metrics:

    • It calculates activity metrics for each identity over the last 10 minutes, with data points every 5 minutes (query_frequency).
    • It checks for identities where there is a significant increase in event count (greater than the threshold) compared to the previous period.
  6. Filter for Anomalies:

    • It identifies identities where the current event count exceeds the threshold and is greater than the previous count, indicating a potential anomaly.
  7. Project Results:

    • Finally, it selects and displays various fields from the events that meet the criteria, such as time generated, identity details, source IP, event details, and any error messages.

In summary, this query is used to detect unusual spikes in the "DescribeEventAggregates" activity for specific identities within a short time frame, potentially indicating suspicious behavior or misconfigurations.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventNameSourceIpAddressIdentityUserIdentityTypeActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

letagohasnotinvokesummarizearg_minbyasjoinkind=leftsemievaluateactivity_counts_metricsnowextendiffproject

Actions

GitHub