Queries for the AWSCloudTrail table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

New users per region

Returns the count of created users per region.

AWSCloudTrail
| where EventName == "CreateUser"
| summarize count() by AWSRegion

All AWS CloudTrail events

Lists all AWS CloudTrail events with a selected set of columns.

AWSCloudTrail
| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements, SessionIssuerUserName

AWSCT for user

AWS activity for a user.

// Set v_sessionissuerusername and v_userpid to the details of the user of interest
let v_sessionissuerusername = "abc";
let v_userpid = "AIDxXxXxXxXxXxX";
AWSCloudTrail
| where SessionIssuerUserName == v_sessionissuerusername or UserIdentityPrincipalid == v_userpid
| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements, SessionIssuerUserName

AWS console sign in

Summarizes AWS console sign-in events by account, user, MFA usage, and sign-in result.

AWSCloudTrail
| where EventName =~ "ConsoleLogin"
| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
| summarize Count=count() by UserIdentityAccountId, UserIdentityUserName, MFAUsed, LoginResult
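
The sign-in query above can be narrowed into a triage view. This is an added example, not one of the published queries on this page: it keeps only user and source IP pairs that had a successful console sign-in without MFA and shows how many failures came from the same pair. The table name SampleAWSCloudTrail and its rows are constructed so the query runs without workspace data; the "Success"/"Failure" and "Yes"/"No" values are the ones CloudTrail records for ConsoleLogin events.

```kusto
// Constructed sample rows standing in for the AWSCloudTrail table (not real data).
let SampleAWSCloudTrail = datatable(
    TimeGenerated: datetime, EventName: string, UserIdentityAccountId: string,
    UserIdentityUserName: string, SourceIpAddress: string,
    AdditionalEventData: string, ResponseElements: string)
[
    datetime(2024-01-10 08:00:00), "ConsoleLogin", "111111111111", "alice", "198.51.100.7",
        '{"MFAUsed":"Yes"}', '{"ConsoleLogin":"Success"}',
    datetime(2024-01-10 09:01:00), "ConsoleLogin", "111111111111", "bob", "203.0.113.25",
        '{"MFAUsed":"No"}', '{"ConsoleLogin":"Failure"}',
    datetime(2024-01-10 09:02:00), "ConsoleLogin", "111111111111", "bob", "203.0.113.25",
        '{"MFAUsed":"No"}', '{"ConsoleLogin":"Failure"}',
    datetime(2024-01-10 09:03:00), "ConsoleLogin", "111111111111", "bob", "203.0.113.25",
        '{"MFAUsed":"No"}', '{"ConsoleLogin":"Success"}',
    datetime(2024-01-10 09:30:00), "ConsoleLogin", "111111111111", "carol", "192.0.2.44",
        '{"MFAUsed":"No"}', '{"ConsoleLogin":"Failure"}',
    datetime(2024-01-10 10:00:00), "CreateUser", "111111111111", "alice", "198.51.100.7",
        '{}', '{}'
];
SampleAWSCloudTrail   // replace with AWSCloudTrail to run against the workspace
| where EventName =~ "ConsoleLogin"
// Same JSON extraction as the sign-in query on this page
| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed),
         LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
// Count failures and MFA-less successes per account, user, and source IP
| summarize Failures = countif(LoginResult == "Failure"),
            SuccessNoMfa = countif(LoginResult == "Success" and MFAUsed != "Yes"),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserIdentityAccountId, UserIdentityUserName, SourceIpAddress
// Keep only pairs with at least one successful sign-in that did not use MFA
| where SuccessNoMfa > 0
| order by Failures desc, LastSeen desc
```

With the constructed rows, only the bob / 203.0.113.25 pair remains: alice signed in with MFA and carol never signed in successfully.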
