Dashboard: CloudTrail Log Root User Activity Report
This dashboard answers the following questions:
- How many root user actions have been recorded?
- What specific operations have been performed by the root user?
- Which AWS accounts have root user activity?
- What are the source IPs of root user actions?
- In which AWS regions has root user activity occurred?
- Should read-only events be included in the analysis?
- How many total logs exist for root user activity?
This dashboard contains 1 card, 2 inputs and 1 table.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections
Start the Powerpipe server:
powerpipe server
Open http://localhost:9033 in your browser and select the CloudTrail Log Root User Activity Report dashboard.
You could also snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe dashboard run aws_cloudtrail_log_detections.dashboard.root_user_activity_report --share
Queries
This dashboard uses the following query:
select
  epoch_ms(tp_timestamp) as timestamp,
  string_split(event_source, '.')[1] || ':' || event_name as operation,
  user_identity.arn as actor,
  tp_source_ip as source_ip,
  tp_index::varchar as account_id,
  aws_region as region,
  tp_id as source_id,
  *
from
  aws_cloudtrail_log
where
  ($1 = 'true' or ($1 = 'false' and read_only = false))
  and recipient_account_id in $2
  and user_identity.type = 'Root'
order by
  timestamp desc
limit 10000;
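The same filters and projection replayed over constructed CloudTrail records in Python, as an added example that is not part of the mod: the records are made up, use CloudTrail's native JSON field names rather than the Tailpipe column names in the query, and the two function arguments stand in for the $1 read-only toggle and the $2 account list.

```python
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real logs) in the native
# CloudTrail JSON shape; the Tailpipe table maps these onto its tp_* columns.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "awsRegion": "us-east-1", "readOnly": False, "eventID": "evt-1"},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "awsRegion": "us-east-1", "readOnly": True, "eventID": "evt-2"},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.5", "recipientAccountId": "111111111111",
     "awsRegion": "eu-west-1", "readOnly": False, "eventID": "evt-3"},
    {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"},
     "sourceIPAddress": "192.0.2.7", "recipientAccountId": "222222222222",
     "awsRegion": "us-west-2", "readOnly": False, "eventID": "evt-4"},
]

def root_user_activity(records, include_read_only, account_ids, limit=10000):
    """Mirror the dashboard query: include_read_only is the $1 toggle,
    account_ids the $2 list. Rows come back newest first, as in the table."""
    rows = []
    for r in records:
        if r["userIdentity"].get("type") != "Root":
            continue
        if r["recipientAccountId"] not in account_ids:
            continue
        if not include_read_only and r.get("readOnly", False):
            continue
        # DuckDB's string_split(...)[1] is 1-indexed: the service prefix.
        service = r["eventSource"].split(".")[0]
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({
            "timestamp": int(ts.timestamp() * 1000),  # epoch_ms
            "operation": f"{service}:{r['eventName']}",
            "actor": r["userIdentity"]["arn"],
            "source_ip": r["sourceIPAddress"],
            "account_id": r["recipientAccountId"],
            "region": r["awsRegion"],
            "source_id": r["eventID"],
        })
    rows.sort(key=lambda row: row["timestamp"], reverse=True)
    return rows[:limit]
```

Switching include_read_only on brings the ListBuckets row into the result, which is the difference the dashboard's read-only input makes.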