Query Details

AWS Cloud Trail Aws Network Access Control List Deleted

Query

AWSCloudTrail
| where EventName in ("DeleteNetworkAcl", "DeleteNetworkAclEntry")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify and extract specific events related to the deletion of network access control lists (ACLs) in AWS. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail data, which contains logs of AWS API calls.

  2. Filter Events: It filters the logs to only include events where the EventName is either "DeleteNetworkAcl" or "DeleteNetworkAclEntry". These events indicate actions related to deleting network ACLs or their entries.

  3. Invoke Function: The query uses the invoke AWSIdentityRole() function to enrich the data with additional identity-related information, likely providing more context about the roles involved in these events.

  4. Select Columns: It projects (selects) a variety of columns to include in the output, such as:

    • TimeGenerated: The timestamp of the event.
    • UserIdentityType, Identity, ActorRole: Information about the user or role that initiated the event.
    • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
    • RecipientAccountId, RecipientAccountName: Details of the account affected by the event.
    • AWSRegion: The AWS region where the event occurred.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Additional identifiers for the user.
    • SourceIpAddress: The IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event type and source.
    • ManagementEvent, ReadOnly: Flags indicating if the event is a management event and if it was read-only.
    • ErrorCode, ErrorMessage: Information about any errors that occurred.
    • RequestParameters, ResponseElements: Details of the request and response.
    • Resources: Resources involved in the event.
    • SessionMfaAuthenticated: Indicates if multi-factor authentication was used.
    • UserAgent: The user agent string of the requester.
    • AwsEventId: A unique identifier for the event.

Overall, this query is used to monitor and audit the deletion of network ACLs in AWS, providing detailed information about each event for security and compliance purposes.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventNameEventSourceEventTypeNameTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

AWSCloudTrailwhereininvokeAWSIdentityRoleproject

Actions

GitHub