🚀Launch Week 07, January 27th - 31st, 2025🚀

Plugins Docs Home

turbot/tailpipe-mod-aws-cloudtrail-log-detections

activity_dashboard_logs_by_account activity_dashboard_logs_by_actor activity_dashboard_logs_by_event activity_dashboard_logs_by_region activity_dashboard_logs_by_service activity_dashboard_logs_by_source_ip activity_dashboard_total_logs cloudfront_distribution_default_certificate_disabled cloudfront_distribution_logging_disabled cloudtrail_trail_global_service_logging_disabled cloudtrail_trail_kms_key_updated cloudtrail_trail_logging_stopped cloudtrail_trail_s3_logging_bucket_updated cloudwatch_log_group_created_with_encryption_disabled codebuild_project_environment_variable_updated codebuild_project_service_role_updated codebuild_project_source_repository_updated codebuild_project_visibility_set_public config_configuration_recorder_stopped config_rule_deleted ebs_encryption_by_default_disabled ebs_snapshot_created_with_encryption_disabled ebs_snapshot_shared_publicly ebs_snapshot_unlocked ebs_volume_detached ec2_ami_shared_publicly ec2_instance_launched_with_public_ip ec2_key_pair_deleted ec2_reserved_instance_purchased efs_file_system_backup_policy_disabled eventbridge_rule_deleted eventbridge_rule_disabled guardduty_detector_deleted iam_access_key_created iam_access_key_deleted iam_group_administrator_policy_attached iam_group_inline_policy_updated iam_identity_created_without_cloudformation iam_role_administrator_policy_attached iam_role_inline_policy_updated iam_role_managed_policy_attached iam_root_user_console_login iam_root_user_email_address_updated iam_user_administrator_policy_attached iam_user_created iam_user_inline_policy_updated iam_user_login_profile_created iam_user_login_profile_updated iam_user_managed_policy_attached iam_user_mfa_device_deactivated iam_user_password_changed kms_key_deletion_scheduled lambda_function_created_with_function_code_encryption_at_rest_disabled lambda_function_granted_public_access rds_db_cluster_deletion_protection_disabled rds_db_instance_assigned_public_ip_address rds_db_instance_deletion_protection_disabled rds_db_instance_iam_authentication_disabled rds_db_instance_master_password_updated rds_db_instance_restored_from_public_snapshot root_user_activity_report_aws_accounts_input root_user_activity_report_table root_user_activity_report_total_logs route_53_domain_transfer_lock_disabled route_53_domain_transferred route_53_hosted_zone_associated_with_vpc s3_bucket_block_public_access_disabled s3_bucket_deleted s3_bucket_policy_granted_public_access s3_bucket_policy_updated s3_large_file_downloaded ses_identity_feedback_forwarding_disabled sns_topic_granted_public_access sqs_queue_created_with_encryption_at_rest_disabled sqs_queue_dlq_disabled sqs_queue_granted_public_access ssm_document_shared_publicly vpc_classic_link_enabled vpc_created vpc_deleted vpc_flow_log_deleted vpc_internet_gateway_added_to_public_route_table vpc_internet_gateway_detached vpc_network_acl_entry_updated vpc_network_acl_entry_updated_with_allow_public_access vpc_peering_connection_deleted vpc_route_table_association_replaced vpc_route_table_deleted vpc_route_table_route_deleted vpc_route_table_route_disassociated vpc_security_group_deleted vpc_security_group_ingress_egress_rule_authorized_to_allow_all vpc_security_group_ingress_egress_rule_updated waf_web_acl_disassociated_from_cloudfront_distribution waf_web_acl_disassociated_from_elb_application_load_balancer waf_web_acl_logging_disabled

Query: Top 10 Source IPs (Non-AWS)

Usage

powerpipe query aws_cloudtrail_log_detections.query.activity_dashboard_logs_by_source_ip

Tailpipe Tables

aws_cloudtrail_log

Amazon Web Services plugin

SQL

select
  tp_source_ip as "Source IP",
  count(*) as "Logs"
from
  aws_cloudtrail_log
where
  tp_source_ip not like '%amazonaws.com'
  and tp_source_ip != 'AWS Internal'
group by
  tp_source_ip
order by
  count(*) desc
limit 10;

Dashboards

The query is used in the dashboards:

CloudTrail Log Activity Dashboard