Amazon Macie
User Guide

Researching AWS CloudTrail Data

Analyzing CloudTrail Search Results

The following section describes the elements of the search results that get displayed when you use the Research tab to investigate your Macie-monitored CloudTrail data.

Complete the following steps in the Research tab:

  1. Select CloudTrail data in the first filter pull-down list.

  2. For this sample procedure, select Top 10 in the second filter pull-down list.

  3. For this sample procedure, select Past 90 days in the third filter pull-down list.

  4. Choose the button with the looking glass icon to start the search.

Your search produces the following elements:

  • The total number of results that matched your CloudTrail data search for the selected time range.

  • The graphical representation of CloudTrail data search results for the selected time range.

    Note

    If your data set is very large and you specify a very wide time range, your data might not render properly and this graph might not be displayed as one of the resulting elements of your search.

    Important

    You can use the graph to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Double-click any of the graph's results and your selection is translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • Search results summary: a list of the most significant fields from your search. The first line includes the top (or bottom) 3 values for each field. The second line includes the top (or bottom) 10 values for each field.

    Important

    You can use the fields in the search results summary to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Choose the first or the second line of results for any field, and in the expanded results breakdown, choose the looking glass icon next to any of the results. Your choices are then translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • A list of user sessions (5-minute aggregates of CloudTrail data) that match your search criteria. You can choose any user session to expand it and view its details.

CloudTrail Data Fields and Sample Queries

The following tables include the fields that can appear in the results of your CloudTrail data searches.

  • The first table includes the fields that Macie extracts from CloudTrail. These fields also include Amazon S3 data events. For example, accountId in Macie corresponds to userIdentity.accountId in CloudTrail, and eventNameErrorCode.key in Macie corresponds to eventName in CloudTrail.

  • The second table includes the fields that are generated by Macie to provide further security intelligence and context based on the examined CloudTrail data. For example, isp.key describes the organization or the ISP from where the API request against your AWS resources is coming, or sourceIPAddress.ip_intel.type describes the IP address history, for example, whether it's a Tor exit node that is being used to initiate API requests against your AWS resources.

CloudTrail Data Fields Extracted by Macie

Note

For this data repository (CloudTrail), your search always returns a list of user sessions - 5-minute aggregates of raw CloudTrail data. A user session is determined by the Macie unique ID - a format that is unique to Macie for specifying users. The Macie unique ID is a combination of the IAM UserIdentity element and the recipientAccountId.

Each entry below gives the Macie field name, the CloudTrail field it is extracted from, and the Macie field type, followed by a description and example search queries.

accountId (CloudTrail field: userIdentity.accountId; type: string)

The AWS account ID.

Search for user sessions with accesses related to a particular account:

  • accountId:"110912345678"

awsRegion.key (CloudTrail field: awsRegion; type: string)

The AWS region to which the request is made.

Search for user sessions with any AWS API calls by region:

  • awsRegion.key:"us-west-2"

  • awsRegion.key:"us-east-1"

eventNameErrorCode.key (CloudTrail field: eventName; type: string)

The event name of the API call that produced the returned error code (if any).

  • Search for user sessions with any AWS ConsoleLogin:

    • eventNameErrorCode.key:ConsoleLogin

  • Search for user sessions with any AWS Delete call:

    • eventNameErrorCode.key:Delete*

eventNameErrorCode.secondary (CloudTrail field: errorCode; type: string)

The error code returned after an unsuccessful API request.

Search for user sessions with any "AccessDenied" error across all CloudTrail API events:

  • eventNameErrorCode.secondary:"AccessDenied"

eventSource.key (CloudTrail field: eventSource; type: string)

The service to which the request was made.

Search for user sessions with any API calls of a particular AWS service:

  • eventSource.key:"s3.amazonaws.com"

  • eventSource.key:"lambda.amazonaws.com"

eventType.key (CloudTrail field: eventType; type: string)

The type of the event that generated the event record (for example, AwsApiCall, AwsServiceEvent, or AwsConsoleSignIn).

Search for user sessions with any AWS API calls of a particular eventType:

  • eventType.key:"AwsApiCall"

objectsDeleted.key (CloudTrail field: Resources[0].ARN; type: string)

A list of the ARNs of the S3 objects, buckets, or prefixes that were part of DeleteObject or DeleteObjects API calls.

Note

When you delete an S3 bucket, both DeleteBucket and DeleteObjects APIs are called, and the aggregate record with the DeleteObjects call lists the deleted bucket or prefix, not all the individual objects that were deleted.

Note

Objects that are part of a failed DeleteObject or DeleteObjects API call are also added to the aggregate record of objectsDeleted.key.

Note

A user session returning the results of a search against objectsDeleted.key has a maximum limit of 250 records.

Example search queries:

  • Search for all objects deleted from a particular bucket or prefix:

    • objectsDeleted.key:/arn:aws:s3:::my_sensitive_bucket.*/

  • Search for all Delete requests of a particular object that were made anonymously or by any user or role:

    • objectsDeleted.key: "arn:aws:s3:::my-bucket-name/sshKeys"

  • Search for user sessions that contain both a DeleteObject:AccessDenied and any attempt to delete a particular sensitive object, bucket, or prefix:

    • objectsDeleted.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameErrorCode.compound:"DeleteObject:AccessDenied"

  • Search for user sessions that contain both an attempt (or attempts) to delete S3 objects from outside of AWS and any attempt to delete a particular sensitive object, bucket, or prefix:

    • objectsDeleted.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameIsp.compound:/DeleteObject:~(Amazon.*)/

  • Search for anonymous delete requests of a known sensitive object:

    • objectsDeleted.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND accountId:"ANONYMOUS_PRINCIPAL"

objectsRead.key (CloudTrail field: Resources[0].ARN; type: string)

A list of S3 objects' ARNs that were part of a GetObject API call.

Note

Objects that are part of a failed GetObject API call are also added to the aggregate record of objectsRead.key.

Note

A user session returning the results of a search against objectsRead.key has a maximum limit of 250 records.

Example search queries:

  • Search for user sessions with all objects read from a particular bucket or prefix:

    • objectsRead.key:/arn:aws:s3:::my_sensitive_bucket.*/

  • Search for all access attempts of a particular object made either anonymously or by any user or role:

    • objectsRead.key:"arn:aws:s3:::my-bucket-name/sshKeys"

  • Search for user sessions that contain both a GetObject:AccessDenied and any attempt to read a particular sensitive object, bucket, or prefix:

    • objectsRead.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameErrorCode.compound:"GetObject:AccessDenied"

  • Search for user sessions that contain both an attempt (or attempts) to read S3 objects from outside of AWS and any attempt to read a particular sensitive object, bucket, or prefix:

    • objectsRead.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameIsp.compound:/GetObject:~(Amazon.*)/

  • Search for anonymous read accesses to a known sensitive object or bucket:

    • objectsRead.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND accountId:"ANONYMOUS_PRINCIPAL"

objectsWritten.key (CloudTrail field: Resources[0].ARN; type: string)

A list of the ARNs of the S3 objects that were part of PutObject, CopyObject, or CompleteMultipartUpload API calls.

Note

Objects that are part of a failed PutObject API call are also added to the aggregate record of objectsWritten.key.

Note

A user session returning the results of a search against objectsWritten.key has a maximum limit of 250 records.

Example search queries:

  • Search for user sessions with all objects written to a particular bucket:

    • objectsWritten.key:/arn:aws:s3:::my_bucket_name.*/

  • Search for user sessions with all write requests of a particular object made either anonymously or by any user or role:

    • objectsWritten.key: "arn:aws:s3:::my-bucket-name/sshKeys"

  • Search for user sessions that contain both a PutObject:AccessDenied and any attempt to write a particular sensitive object, bucket, or prefix:

    • objectsWritten.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameErrorCode.compound:"PutObject:AccessDenied"

  • Search for user sessions that contain both an attempt (or attempts) to write S3 objects from outside of AWS and any attempt to write a particular sensitive object, bucket, or prefix:

    • objectsWritten.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND eventNameIsp.compound:/PutObject:~(Amazon.*)/

  • Search for anonymous write requests to a sensitive object or bucket:

    • objectsWritten.key:/arn:aws:s3:::my_sensitive_bucket.*/ AND accountId:"ANONYMOUS_PRINCIPAL"

principalId (CloudTrail field: userIdentity.principalId; type: string)

The IAM principal ID.

Note

When a request is made by an assumed role, the session name is removed from the principal ID.

Search for user sessions with access requests from a particular principal ID:

  • principalId:"AIDAIMABCKFJSKEOAKWNE"

recipientAccountId (CloudTrail field: recipientAccountId; type: string)

The AWS account ID that received the CloudTrail event.

  • Search for all activity in a particular AWS account:

    • recipientAccountId:"110912345678"

  • Search for anonymous access requests to a particular AWS account:

    • recipientAccountId:"110912345678" AND accountId: "ANONYMOUS_PRINCIPAL"

resourceOwnerAccountIds.key (CloudTrail field: Resources[1].accountId; type: string)

List of AWS resource owners. For example, a list of AWS account IDs that own an S3 object or bucket.

Search for activity against resources owned by a particular AWS account:

  • resourceOwnerAccountIds.key: "110951234567"

resources.key (CloudTrail field: Resources[0].accountId; type: string)

List of resources (S3 buckets only) associated with the CloudTrail events within the user session.

  • Search for access requests to a particular S3 bucket:

    • resources.key: "arn:aws:s3:::my-bucket-name"

  • Search for anonymous access requests to a known sensitive bucket:

    • resources.key: "arn:aws:s3:::my-super-sensitive-bucket" AND accountId:"ANONYMOUS_PRINCIPAL"

sessionName.key (CloudTrail field: userIdentity.principalId; type: string)

The identifier for the assumed role session. When a request is made by an assumed role, the session name is removed from the principal ID and is assigned as a value to sessionName.key. When a request is made by an identity other than assumed role, sessionName.key is set to 'None'.

  • Search for assumed role access requests from session name 'examplesession-cli':

    • sessionName.key:"examplesession-cli"

  • Search for EC2 instance IDs within session names:

    • (sessionName.key:/i-[0-9a-f]{8}/ OR sessionName.key:/i-[0-9a-f]{17}/)

  • Search for assumed role access requests to a role from a sessionName other than 'examplesession-cli' using regex negation:

    • macieUniqueId: "123456789123:assumed-role:co-admin" AND sessionName.key:/~(examplesession-cli)/

sourceARN (CloudTrail field: userIdentity.arn; type: string)

The ARN used to make the request.

Note

When a request is made by an assumed role, the session name is removed from the sourceARN.

Search for user sessions with access requests from a particular ARN:

  • sourceARN:"arn:aws:iam::123456789123:user/cluster-api"

sourceIPAddress.key (CloudTrail field: sourceIPAddress; type: string)

The IP address from which the request was made.

Note

A user session returning the results of a search against sourceIPAddress.key has a maximum limit of 60,000 records.

  • Search for user sessions with access requests from a particular source IP address:

    • sourceIPAddress.key:"194.68.22.22"

  • Search through user sessions with source IP addresses using wildcards:

    • sourceIPAddress.key:194.68.*.*

  • Search for user sessions with more than 10 RunInstances events and without any events requested by the autoscaling group:

    • eventNameErrorCode.RunInstances_count:>10 AND NOT (sourceIPAddress.key:"autoscaling.amazonaws.com")

userAgent.key (CloudTrail field: userAgent; type: string)

A list of client user agent strings used to make the AWS API call.

Search for user sessions with API calls executed by AWS S3:

  • userAgent.key:"s3.amazonaws.com"

userIdentityType.key (CloudTrail field: userIdentity.type; type: string)

A list of identity types in AWS.

Search for user sessions with access requests by the root identity in an AWS account:

  • userIdentityType.key:"Root"

Fields Generated by Macie

Note

For this data repository (CloudTrail), your search always returns a list of user sessions - 5-minute aggregates of raw CloudTrail data. A user session is determined by the Macie unique ID - a format that is unique to Macie for specifying users. The Macie unique ID is a combination of the IAM UserIdentity element and the recipientAccountId.

Each entry below gives the Macie field name and its field type, followed by a description and example search queries.

@timestamp (type: date)

The start time of a user session.

  • Search for user sessions with access requests after a specific time:

    • @timestamp:>"2017-02-06T23:01:08Z"

    • @timestamp:>"2017-02-06"

  • Search for user sessions with access requests between two time intervals:

    • @timestamp:[2017-02-01 TO 2017-02-27]

countLongLifeAccessToken (type: integer)

A count of GetSessionToken API calls with a lifespan longer than the default 43200 seconds.

Search for user sessions in which a user or role created a temporary access token with a lifespan longer than the default:

  • countLongLifeAccessToken:>0

dcObjectsDeleted (type: integer)

A count of unique S3 objects deleted in a user session.

Note

A user session returning the results of a search against dcObjectsDeleted has a maximum limit of 250 entries.

Search for user sessions with more than 25 distinct objects deleted by an AWS user or a role:

  • dcObjectsDeleted:>25

  • dcObjectsDeleted:[25 TO 100]

dcObjectsRead (type: integer)

A count of unique S3 objects read in a user session.

Note

A user session returning the results of a search against dcObjectsRead has a maximum limit of 250 entries.

  • Search for user sessions with more than 25 distinct objects read by an AWS user or a role:

    • dcObjectsRead:>25

    • dcObjectsRead:[25 TO 100]

  • Search for more than 25 distinct objects read by an anonymous principal during a user session:

    • dcObjectsRead:>25 AND accountId:"ANONYMOUS_PRINCIPAL"

dcObjectsWritten (type: integer)

A count of unique S3 objects written in a user session.

Note

A user session returning the results of a search against dcObjectsWritten has a maximum limit of 250 entries.

Search for user sessions with more than 25 distinct objects written by an AWS user or a role:

  • dcObjectsWritten:>25

  • dcObjectsWritten:[25 TO 100]

distinctEventName (type: integer)

A count of unique event names that take place in a user session.

Search for user sessions with more than 25 unique API calls being executed by a user or a role:

  • distinctEventName:>25

  • distinctEventName:[25 TO 100]

distinctSourceIPAddress (type: integer)

A count of unique source IP addresses involved in activity that takes place in a user session. The maximum value of this count is 60,000.

Search for user sessions with more than 25 distinct source IP addresses observed for a user or a role:

  • distinctSourceIPAddress:>25

  • distinctSourceIPAddress:[25 TO 100]

distinctUserAgent (type: integer)

A count of unique client user agents involved in activity that takes place in a user session. The maximum value of this count is 60,000.

Search for user sessions with more than 25 user agents observed for a user or a role:

  • distinctUserAgent:>25

  • distinctUserAgent:[25 TO 100]

eventNameErrorCode.compound (type: string)

A compound aggregation that summarizes each CloudTrail event name along with any error codes that are associated with the API Call. The format is EventName:ErrorCode for the term value, which allows Macie to associate an API event name with the error code, if any, that is returned. If there is no error code for the event, then the value is set only to the API name with no colon, for example: "PutObject".

  • Search for user sessions with "AccessDenied" error while attempting a GetObject call:

    • eventNameErrorCode.compound:"GetObject:AccessDenied"

  • Search for user sessions with any errors associated with PutObject calls:

    • eventNameErrorCode.compound:/PutObject:.*/

eventNameIsp.compound (type: string)

A compound aggregation that summarizes each CloudTrail event name along with the Internet Service Provider (ISP) from which the request originated. The format is EventName:ISP for the term value, which allows Macie to associate an API operation name with the ISP from which it originated.

Search for user sessions with ConsoleLogins from non-AWS IPs using a regular expression:

  • eventNameIsp.compound:/ConsoleLogin:~(Amazon.*)/

eventNameIsp.secondary (type: string)

The ISP from which the AWS API call was made.

Search for user sessions with AWS API calls coming from outside of Amazon IP addresses:

  • eventNameIsp.secondary:/~(Amazon.*)/

macieUniqueId (type: string)

A format that is unique to Macie for specifying users. Macie unique ID is a combination of the IAM UserIdentity element and the recipientAccountId. For more information, see MacieUniqueID.

Search for user sessions with accesses from a particular role, user, or root account:

  • macieUniqueId:"123456789123:assumed-role:co-admin"

  • macieUniqueId:"123456789123:root:root"

  • macieUniqueId:"123456789123:user:exampleuser"
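The session model these tables describe (5-minute windows keyed by the Macie unique ID, the session name split out of an assumed-role principal ID, the EventName:ErrorCode compound term, and the distinct counts) can be rebuilt from raw CloudTrail records, which is useful when checking what a Macie query will actually match. The following Python is an added example, not Macie's own code: the macieUniqueId format is inferred from the examples in this entry, the CloudTrail records are constructed, and the window end is assumed to be the window start plus five minutes.

```python
from datetime import datetime, timezone
WINDOW_MS = 5 * 60 * 1000  # Macie aggregates CloudTrail into 5-minute user sessions

# Constructed CloudTrail records, not real log data: two GetObject calls by one assumed
# role inside a single 5-minute window, the first of them denied.
ROLE = {"type": "AssumedRole", "accountId": "123456789123",
        "principalId": "AROAEXAMPLEID:examplesession-cli",
        "arn": "arn:aws:sts::123456789123:assumed-role/co-admin/examplesession-cli"}
SAMPLE_EVENTS = [
    {"eventTime": "2017-02-06T23:01:08Z", "eventName": "GetObject", "errorCode": "AccessDenied",
     "recipientAccountId": "123456789123", "sourceIPAddress": "194.68.22.22", "userIdentity": ROLE,
     "resources": [{"ARN": "arn:aws:s3:::my_sensitive_bucket/sshKeys"}]},
    {"eventTime": "2017-02-06T23:03:40Z", "eventName": "GetObject",
     "recipientAccountId": "123456789123", "sourceIPAddress": "194.68.22.23", "userIdentity": ROLE,
     "resources": [{"ARN": "arn:aws:s3:::my_sensitive_bucket/report.csv"}]},
]

def window_start_ms(event_time):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its 5-minute window, in epoch ms."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ms = int(ts.timestamp()) * 1000
    return ms - ms % WINDOW_MS

def split_principal(principal_id):
    """Split 'AROA...:session' into (principalId, sessionName.key); other identities get 'None'."""
    role_id, sep, session = principal_id.partition(":")
    return role_id, (session if sep else "None")

def macie_unique_id(recipient_account_id, user_identity):
    """Assumed format, inferred from the guide's examples: recipientAccountId:<kind>:<name> from the ARN."""
    resource = user_identity["arn"].rsplit(":", 1)[1]  # e.g. assumed-role/co-admin/<session>
    parts = resource.split("/")
    kind, name = parts[0], (parts[1] if len(parts) > 1 else parts[0])  # bare "root" -> root:root
    return f"{recipient_account_id}:{kind}:{name}"

def aggregate_sessions(events):
    """Group records by (macieUniqueId, window) and derive the fields the guide describes."""
    sessions = {}
    for ev in events:
        uid = macie_unique_id(ev["recipientAccountId"], ev["userIdentity"])
        start = window_start_ms(ev["eventTime"])
        principal, session_name = split_principal(ev["userIdentity"]["principalId"])
        s = sessions.setdefault((uid, start), {
            "macieUniqueId": uid, "recipientAccountId": ev["recipientAccountId"],
            "accountId": ev["userIdentity"]["accountId"], "principalId": principal,
            "sessionName.key": session_name, "windowStartTimeInMillis": start,
            "windowEndTimeInMillis": start + WINDOW_MS,  # assumption: window end, not last event
            "eventNameErrorCode.key": set(), "eventNameErrorCode.compound": set(),
            "objectsRead.key": set(), "sourceIPAddress.key": set()})
        name, err = ev["eventName"], ev.get("errorCode")
        s["eventNameErrorCode.key"].add(name)
        s["eventNameErrorCode.compound"].add(f"{name}:{err}" if err else name)  # EventName:ErrorCode
        s["sourceIPAddress.key"].add(ev["sourceIPAddress"])
        if name == "GetObject":  # the guide counts failed GetObject calls here as well
            s["objectsRead.key"].update(r["ARN"] for r in ev.get("resources", []))
    for s in sessions.values():  # distinct counts exposed as integer fields
        s["dcObjectsRead"] = len(s["objectsRead.key"])
        s["distinctEventName"] = len(s["eventNameErrorCode.key"])
        s["distinctSourceIPAddress"] = len(s["sourceIPAddress.key"])
    return list(sessions.values())
```

Running aggregate_sessions(SAMPLE_EVENTS) yields one session whose compound set is {"GetObject:AccessDenied", "GetObject"}, so the query eventNameErrorCode.compound:"GetObject:AccessDenied" from this page would match it.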

sourceIPAddress.ip_intel.type (type: string)

The IP intelligence category associated with a source IP address.

  • Search for user sessions with all accesses from a Tor network:

    • sourceIPAddress.ip_intel.type:"TOR"

  • Search for user sessions with all accesses from threat intelligence input feeds:

    • sourceIPAddress.ip_intel.type:*

windowStartTimeInMillis (type: integer)

The epoch timestamp for the start of a user session.

Search for user sessions whose first event time is greater than a given epoch time:

  • windowStartTimeInMillis:>1424476529

windowEndTimeInMillis (type: integer)

The epoch timestamp for the end of a user session.

Search for user sessions whose last event time is less than a given epoch time:

  • windowEndTimeInMillis:<1424476987

ipLocation.key (type: string)

The IP geolocation (city and country) of the source IP address from which a Macie-monitored identity made the request.

  • Search for user sessions with any AWS API call events originating in Los Angeles:

    • ipLocation.key:"LosAngeles:UnitedStates"

  • Search for user sessions with any AWS API call events originating from outside of the United States:

    • ipLocation.key:/~(.*UnitedStates)/

isp.key (type: string)

The ISP from which the AWS API call originated.

Search for user sessions with AWS API calls coming from outside of Amazon IP addresses:

  • isp.key:/~(Amazon.*)/
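The regex negation used in the queries for eventNameIsp.compound, eventNameIsp.secondary, ipLocation.key, sessionName.key and isp.key (/~(Amazon.*)/, /~(.*UnitedStates)/) is Lucene's complement operator, which Python's re module does not have. The following Python is an added example, not part of the guide or of Macie: it translates such terms into a negative lookahead and evaluates the AND/NOT query shapes shown on this page against a constructed session record. It assumes the complement is always the trailing element of the regex, as it is in every query above, and does not handle the OR grouping used in the EC2 instance ID example.

```python
import re
from fnmatch import fnmatchcase

# Constructed Macie-style user session (not real data) to run the guide's queries against.
SAMPLE_SESSION = {
    "accountId": "ANONYMOUS_PRINCIPAL", "sessionName.key": "None", "dcObjectsRead": 40,
    "eventNameIsp.compound": {"GetObject:Comcast Cable", "ConsoleLogin:Amazon.com"},
    "ipLocation.key": {"Berlin:Germany"}, "sourceIPAddress.key": {"194.68.22.22"},
    "objectsRead.key": {"arn:aws:s3:::my_sensitive_bucket/sshKeys"},
}

def lucene_regex_to_python(pattern):
    """Lucene's ~(X) is the complement of the language X. Assumption: as in every query on
    this page, it is the trailing element, so it becomes a negative lookahead over the
    rest of the value. Lucene regexes match the whole term, hence the anchors."""
    translated = re.sub(r"~\((.*)\)$", r"(?!(?:\1)$).*", pattern)
    return re.compile(f"^(?:{translated})$")

def value_matches(value, term):
    """One field value against one query value: /regex/, "literal", >N, <N, [lo TO hi] or wildcard."""
    if not term:
        return False
    if len(term) > 1 and term[0] == term[-1] == "/":
        return lucene_regex_to_python(term[1:-1]).match(str(value)) is not None
    if len(term) > 1 and term[0] == term[-1] == '"':
        return str(value) == term[1:-1]
    rng = re.fullmatch(r"\[(\S+) TO (\S+)\]", term)
    if rng:
        return float(rng.group(1)) <= float(value) <= float(rng.group(2))
    if term[0] == ">":
        return float(value) > float(term[1:])
    if term[0] == "<":
        return float(value) < float(term[1:])
    return fnmatchcase(str(value), term)  # bare term, e.g. Delete* or 194.68.*.*

def field_matches(session, field, term):
    """Multi-valued fields (sets of ARNs, IPs, compound terms) match if any value matches."""
    values = session.get(field, [])
    if not isinstance(values, (set, list, tuple)):
        values = [values]
    return any(value_matches(v, term) for v in values)

def evaluate_query(session, query):
    """AND-conjunction of field:term clauses, each optionally prefixed with NOT.
    Assumption: OR and nested grouping from the guide's examples are not handled."""
    for clause in re.split(r"\s+AND\s+", query.strip()):
        negate = clause.startswith("NOT ")
        clause = (clause[4:] if negate else clause).strip().strip("()")
        field, _, term = clause.partition(":")
        if field_matches(session, field.strip(), term.strip()) == negate:
            return False
    return True
```

With this record, eventNameIsp.compound:/ConsoleLogin:~(Amazon.*)/ does not match (the only ConsoleLogin came from Amazon.com), while eventNameIsp.compound:/GetObject:~(Amazon.*)/ does.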