This is a style question, as I've already gotten my results, but I was curious to see others' methodology. So, following the information in this AWS post, I did the following:
Search for userIdentity.type=AssumedRole
Inner join on userIdentity.accessKeyId with the results of a search for eventName=AssumeRole, deduped on responseElements.credentials.accessKeyId, which is renamed to userIdentity.accessKeyId
My final search looks like this:
index="aws_cloudtrail" userIdentity.type=AssumedRole
| join type=inner userIdentity.accessKeyId
    [| search index="aws_cloudtrail" eventName=AssumeRole
     | dedup responseElements.credentials.accessKeyId
     | spath "userIdentity.principalId"
     | rex field=userIdentity.principalId "\:(?<principalId>.*)"
     | rename requestParameters.roleArn as requestedRole, responseElements.credentials.accessKeyId as userIdentity.accessKeyId
     | fields requestedRole, principalId, userIdentity.accessKeyId]
| table _time, principalId, requestedRole, eventName, requestParameters.bucketName, errorCode
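The same correlation as an added Python example (not code from the post, Splunk or AWS): it builds the AssumeRole lookup from constructed sample CloudTrail records and joins later AssumedRole events to it on accessKeyId. Field names follow CloudTrail; the IDs, ARN and bucket are made-up sample values. It goes one step beyond the inner join by keeping AssumedRole events whose key was never seen being minted, since those are the ones an analyst usually wants to notice.

```python
# Constructed sample CloudTrail records (not real logs): an AssumeRole call that mints
# temporary credentials, an S3 call made with them, and a call whose key has no match.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                      "accessKeyId": "AKIAEXAMPLELONGTERM"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Auditor"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMP1"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ListObjects",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:audit",
                      "accessKeyId": "ASIAEXAMPLETEMP1"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAOTHERROLE:x",
                      "accessKeyId": "ASIAEXAMPLETEMP9"}},
]

def index_assume_role(events):
    # The subsearch: map each temporary accessKeyId minted by AssumeRole to its requester
    # (dedup on key, keep roleArn and principalId). A chained caller's principalId is
    # "AROA...:session"; keep the part after the colon, or the bare ID for an IAM user.
    minted = {}
    for e in events:
        if e.get("eventName") != "AssumeRole":
            continue
        key = e.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        if not key or key in minted:
            continue
        pid = e.get("userIdentity", {}).get("principalId", "")
        minted[key] = {"principalId": pid.split(":", 1)[-1],
                       "requestedRole": e.get("requestParameters", {}).get("roleArn")}
    return minted

def attribute_activity(events):
    # The join: tie each AssumedRole event to the AssumeRole call that issued its key.
    # Unlike an inner join, keys with no AssumeRole record are kept with None fields
    # so unattributed activity stays visible in the table.
    minted = index_assume_role(events)
    rows = []
    for e in events:
        ui = e.get("userIdentity", {})
        if ui.get("type") != "AssumedRole":
            continue
        src = minted.get(ui.get("accessKeyId"), {})
        rows.append({"_time": e.get("eventTime"), "eventName": e.get("eventName"),
                     "principalId": src.get("principalId"), "requestedRole": src.get("requestedRole"),
                     "bucketName": e.get("requestParameters", {}).get("bucketName"),
                     "errorCode": e.get("errorCode")})
    return rows
```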