This is a style question, as I've already gotten my results, but I was curious to see others' methodology. So, following the information in this AWS post, I did the following:

Joined userIdentity.type=AssumedRole on userIdentity.accessKeyId with results with eventName=AssumeRole, deduped responseElements.credentials.accessKeyId, renamed to userIdentity.accessKeyId.

My final search looks like this:
index="aws_cloudtrail" userIdentity.type=AssumedRole
| join type=inner userIdentity.accessKeyId
[| search index="aws_cloudtrail" eventName=AssumeRole | dedup responseElements.credentials.accessKeyId | spath "userIdentity.principalId" | rex field=userIdentity.principalId "\:(?<principalId>.*)" | rename requestParameters.roleArn as requestedRole, responseElements.credentials.accessKeyId as userIdentity.accessKeyId | fields requestedRole, principalId, userIdentity.accessKeyId]
| table _time, principalId, requestedRole, eventName, requestParameters.bucketName, errorCode
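The same correlation as an added Python example (not from the original post): it reproduces the subsearch (one row per issued access key, principalId taken from after the colon) and the inner join over constructed CloudTrail records. Field names follow the search above; the account, role, key and bucket values are made up.

```python
import re

# Constructed CloudTrail records (not real logs): the sts:AssumeRole call that
# issued temporary credentials, and later API calls made with that session.
ISSUANCE = {"eventName": "AssumeRole",
            "userIdentity": {"principalId": "AIDAEXAMPLE0001:alice"},
            "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/S3Reader"},
            "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY0001"}}}
ASSUME_ROLE_EVENTS = [ISSUANCE, dict(ISSUANCE)]  # duplicate record; dedup keeps one
ACTIVITY_EVENTS = [
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "GetObject", "errorCode": None,
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0001"},
     "requestParameters": {"bucketName": "finance-reports"}},
    # key with no AssumeRole record in the window: dropped by the inner join
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0002"},
     "requestParameters": {}},
]
# Same pattern as the rex in the subsearch: everything after the first colon.
PRINCIPAL_RE = re.compile(r":(?P<principalId>.*)")

def build_key_map(events):
    """The subsearch: one row per issued access key -> principalId, requestedRole."""
    key_map = {}
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        key = ev["responseElements"]["credentials"]["accessKeyId"]
        if key in key_map:  # dedup responseElements.credentials.accessKeyId
            continue
        m = PRINCIPAL_RE.search(ev["userIdentity"]["principalId"])
        key_map[key] = {
            # like the rex, yields nothing when the principalId has no colon
            "principalId": m.group("principalId") if m else None,
            "requestedRole": ev["requestParameters"]["roleArn"],
        }
    return key_map

def join_activity(activity, key_map):
    """The outer search: inner join on userIdentity.accessKeyId, then the table columns."""
    rows = []
    for ev in activity:
        ident = ev.get("userIdentity", {})
        issued = key_map.get(ident.get("accessKeyId"))
        if ident.get("type") != "AssumedRole" or issued is None:
            continue
        rows.append({"_time": ev.get("eventTime"), **issued, "eventName": ev["eventName"],
                     "bucketName": ev.get("requestParameters", {}).get("bucketName"),
                     "errorCode": ev.get("errorCode")})
    return rows
```

Because the join is inner, activity whose AssumeRole event falls outside the search window (the second record above) silently disappears from the table, which is worth keeping in mind when the time range is narrow.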