AWS - User Investigation
This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user: - Failed login attempt - Suspicious activities - API access denied - Administrative user activities - Security rules and policies changes - Access keys and access token activities - Script-based user agent usage - User role changes activities - MFA device changes activities
AWS Enrichment and Remediation · 27 tasks · 2 inputs · 9 outputs
Inputs
Username— The username to investigate. Please enter the user's email.AwsTimeSearchFrom— The Search Time for the `GetTime` task used by the AWS Cloud Trail search query. This value represents the number of days to include in the search. Default value: 1. (1 Day)
Outputs
AwsMFAConfigCount— The number of MFA configurations performed by the user in the AWS environment.AwsUserRoleChangesCount— The number of user roles that were changed by the user in the AWS environment.AwsSuspiciousActivitiesCount— The number of suspicious activities performed by the user in the AWS environment.AwsScriptBasedUserAgentCount— The number of script-based user agent usages by the user in the AWS environment.AwsAccessKeyActivitiesCount— The number of access key activities performed by the user in the AWS environment.AwsSecurityChangesCount— The number of security rules that were changed by the user in the AWS environment.AwsAdminActivitiesCount— The number of administrative activities performed by the user in the AWS environment.AwsApiAccessDeniedCount— The number of API accesses denied by the user in the AWS environment.AwsFailedLogonCount— The number of failed logins by the user in the AWS environment.
Commands used
aws-cloudtrail-lookup-events