Find all the sourceIPAddresses for console logins in CloudTrail and rank
This query is similar to the above query, with the IP addresses ranked for all console logins. This helps identify which IP addresses are signing into the console while ranking the relative activity. This can often highlight anomalous behaviors.
SELECT sourceipaddress,count(1) as total_rowsFROM panther_logs.public.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-01-02')AND eventtype ='AwsConsoleSignIn'GROUP BY sourceipaddressORDER BY total_rows DESCLIMIT100
SELECT sourceipaddress,count(1) as total_rowsFROM panther_logs.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-01-02')AND eventtype ='AwsConsoleSignIn'GROUP BY sourceipaddressORDER BY total_rows DESCLIMIT100
Show CloudTrail activity related to an AWS instance
During an investigation a particular instance may become the focus. For example, if it is compromised. This query uses the Panther field p_any_aws_instance_ids to easily search over all CloudTrail events for any related activity.
SELECT*FROM panther_logs.public.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND array_contains('i-0c4f541ef2f82481c'::variant, p_any_aws_instance_ids)ORDER BY p_event_time ASCLIMIT100
SELECT*FROM panther_logs.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND contains(p_any_aws_instance_ids, 'i-0c4f541ef2f82481c')ORDER BY p_event_time ASCLIMIT100
Show CloudTrail activity related to an AWS role
Similar to the above query, the Panther field p_any_aws_arns can be used to quickly and easily find all CloudTrail activity related to an ARN of interest (perhaps an ARN of role known to be compromised).
SELECT*FROM panther_logs.public.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND array_contains('arn:aws:iam::123456789012:role/SomeRole'::variant, p_any_aws_arns)ORDER BY p_event_time ASCLIMIT100
SELECT*FROM panther_logs.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND contains(p_any_aws_arns, 'arn:aws:iam::123456789012:role/SomeRole')ORDER BY p_event_time ASCLIMIT100
Show CloudTrail activity related to an AWS account id
This is another variation of using a Panther field to broadly query. In this case finding all CloudTrail data related to an account of interest using p_any_aws_account_ids (perhaps the account is compromised, where the concern is lateral movement).
SELECT*FROM panther_logs.public.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND array_contains('123456789012'::variant, p_any_aws_account_ids)ORDER BY p_event_time ASCLIMIT100
SELECT*FROM panther_logs.aws_cloudtrailWHERE p_occurs_between('2021-01-01', '2021-02-01')AND contains(p_any_aws_account_ids, '123456789012')ORDER BY p_event_time ASCLIMIT100
Show all instance launches in CloudTrail
Often when credentials have been breached, there is concern about an actor creating or modifying infrastructure. The below query finds all RunInstances commands. These should be reviewed for anomalous activity. For example, actors have been known to spin-up large numbers of GPU instances for bitcoin mining in compromised accounts.
