Queries in AWS CloudTrail Log Detections
The AWS CloudTrail Log Detections mod includes 96 queries. Note that this count also covers the `activity_dashboard_*` and `root_user_activity_report_*` entries, which are named as dashboard and report queries rather than individual detections; the remaining entries are named for the specific CloudTrail event or configuration change they look for (e.g. `cloudtrail_trail_logging_stopped`, `iam_user_mfa_device_deactivated`), so their results are only as complete as the trail data ingested:
- activity_dashboard_logs_by_account
- activity_dashboard_logs_by_actor
- activity_dashboard_logs_by_event
- activity_dashboard_logs_by_region
- activity_dashboard_logs_by_service
- activity_dashboard_logs_by_source_ip
- activity_dashboard_total_logs
- cloudfront_distribution_default_certificate_disabled
- cloudfront_distribution_logging_disabled
- cloudtrail_trail_global_service_logging_disabled
- cloudtrail_trail_kms_key_updated
- cloudtrail_trail_logging_stopped
- cloudtrail_trail_s3_logging_bucket_updated
- cloudwatch_log_group_created_with_encryption_disabled
- codebuild_project_environment_variable_updated
- codebuild_project_service_role_updated
- codebuild_project_source_repository_updated
- codebuild_project_visibility_set_public
- config_configuration_recorder_stopped
- config_rule_deleted
- ebs_encryption_by_default_disabled
- ebs_snapshot_created_with_encryption_disabled
- ebs_snapshot_shared_publicly
- ebs_snapshot_unlocked
- ebs_volume_detached
- ec2_ami_shared_publicly
- ec2_instance_launched_with_public_ip
- ec2_key_pair_deleted
- ec2_reserved_instance_purchased
- efs_file_system_backup_policy_disabled
- eventbridge_rule_deleted
- eventbridge_rule_disabled
- guardduty_detector_deleted
- iam_access_key_created
- iam_access_key_deleted
- iam_group_administrator_policy_attached
- iam_group_inline_policy_updated
- iam_identity_created_without_cloudformation
- iam_role_administrator_policy_attached
- iam_role_inline_policy_updated
- iam_role_managed_policy_attached
- iam_root_user_console_login
- iam_root_user_email_address_updated
- iam_user_administrator_policy_attached
- iam_user_created
- iam_user_inline_policy_updated
- iam_user_login_profile_created
- iam_user_login_profile_updated
- iam_user_managed_policy_attached
- iam_user_mfa_device_deactivated
- iam_user_password_changed
- kms_key_deletion_scheduled
- lambda_function_created_with_function_code_encryption_at_rest_disabled
- lambda_function_granted_public_access
- rds_db_cluster_deletion_protection_disabled
- rds_db_instance_assigned_public_ip_address
- rds_db_instance_deletion_protection_disabled
- rds_db_instance_iam_authentication_disabled
- rds_db_instance_master_password_updated
- rds_db_instance_restored_from_public_snapshot
- root_user_activity_report_aws_accounts_input
- root_user_activity_report_table
- root_user_activity_report_total_logs
- route_53_domain_transfer_lock_disabled
- route_53_domain_transferred
- route_53_hosted_zone_associated_with_vpc
- s3_bucket_block_public_access_disabled
- s3_bucket_deleted
- s3_bucket_policy_granted_public_access
- s3_bucket_policy_updated
- s3_large_file_downloaded
- ses_identity_feedback_forwarding_disabled
- sns_topic_granted_public_access
- sqs_queue_created_with_encryption_at_rest_disabled
- sqs_queue_dlq_disabled
- sqs_queue_granted_public_access
- ssm_document_shared_publicly
- vpc_classic_link_enabled
- vpc_created
- vpc_deleted
- vpc_flow_log_deleted
- vpc_internet_gateway_added_to_public_route_table
- vpc_internet_gateway_detached
- vpc_network_acl_entry_updated
- vpc_network_acl_entry_updated_with_allow_public_access
- vpc_peering_connection_deleted
- vpc_route_table_association_replaced
- vpc_route_table_deleted
- vpc_route_table_route_deleted
- vpc_route_table_route_disassociated
- vpc_security_group_deleted
- vpc_security_group_ingress_egress_rule_authorized_to_allow_all
- vpc_security_group_ingress_egress_rule_updated
- waf_web_acl_disassociated_from_cloudfront_distribution
- waf_web_acl_disassociated_from_elb_application_load_balancer
- waf_web_acl_logging_disabled