AWS Cloud Trail Aws Concurrent Sessions From Different Ips
Query
let query_frequency = 5m;
let query_period = 10m;
let threshold = 1;
AWSCloudTrail
| where TimeGenerated > ago(query_period)
| where EventName has "DescribeEventAggregates" and not(SourceIpAddress has "health.amazonaws.com")
| invoke AWSIdentityRole()
| summarize arg_min(TimeGenerated, *) by Identity, SourceIpAddress
| as _Events
| join kind=leftsemi (
_Events
// query_period should be 2 * query_frequency
| evaluate activity_counts_metrics(Type, TimeGenerated, ago(query_period), now(), query_frequency, Identity)
| summarize
arg_min(PreviousTimeGenerated = TimeGenerated, PreviousCount = ["count"]),
arg_max(CurrentTimeGenerated = TimeGenerated, CurrentCount = ["count"])
by Identity
| where CurrentTimeGenerated > ago(query_period)
| extend PreviousCount = iff(PreviousTimeGenerated == CurrentTimeGenerated, 0, PreviousCount)
| where (not(PreviousCount > threshold) and CurrentCount > threshold)
or ((CurrentCount - PreviousCount) > threshold)
) on Identity
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify unusual activity related to the "DescribeEventAggregates" event. Here's a simplified explanation of what the query does:
-
Set Parameters:
query_frequencyis set to 5 minutes.query_periodis set to 10 minutes.thresholdis set to 1.
-
Filter Events:
- The query looks at events generated in the last 10 minutes (
query_period). - It specifically filters for events with the name "DescribeEventAggregates" and excludes those from the IP address "health.amazonaws.com".
- The query looks at events generated in the last 10 minutes (
-
Identify Roles:
- It uses the
AWSIdentityRole()function to enrich the data with identity role information.
- It uses the
-
Summarize Events:
- It summarizes the earliest occurrence of each event by
IdentityandSourceIpAddress.
- It summarizes the earliest occurrence of each event by
-
Join with Activity Metrics:
- It calculates activity metrics for each identity over the last 10 minutes, with data points every 5 minutes (
query_frequency). - It checks for identities where there is a significant increase in event count (greater than the
threshold) compared to the previous period.
- It calculates activity metrics for each identity over the last 10 minutes, with data points every 5 minutes (
-
Filter for Anomalies:
- It identifies identities where the current event count exceeds the threshold and is greater than the previous count, indicating a potential anomaly.
-
Project Results:
- Finally, it selects and displays various fields from the events that meet the criteria, such as time generated, identity details, source IP, event details, and any error messages.
In summary, this query is used to detect unusual spikes in the "DescribeEventAggregates" activity for specific identities within a short time frame, potentially indicating suspicious behavior or misconfigurations.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
AWSCloudTrail
Keywords
AWSCloudTrailEventNameSourceIpAddressIdentityUserIdentityTypeActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId
Operators
letagohasnotinvokesummarizearg_minbyasjoinkind=leftsemievaluateactivity_counts_metricsnowextendiffproject