Data Source: AWS CloudTrail DeleteRule

Date: 2025-01-23

ID: b5760623-f3ca-492d-a372-d5c2b3567dfc

Author: Patrick Bareiss, Splunk

Description

Logs the deletion of an event rule in AWS EventBridge, including details about the rule name and its associated targets or schedules.

Details

Property	Value
Source	`aws_cloudtrail`
Sourcetype	`aws:cloudtrail`
Separator	eventName

Supported Apps

Splunk Add-on for AWS (version 7.9.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">apiVersion</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">awsRegion</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">errorCode</span>
  
  <span class="pill kill-chain">eventCategory</span>
  
  <span class="pill kill-chain">eventID</span>
  
  <span class="pill kill-chain">eventName</span>
  
  <span class="pill kill-chain">eventSource</span>
  
  <span class="pill kill-chain">eventTime</span>
  
  <span class="pill kill-chain">eventType</span>
  
  <span class="pill kill-chain">eventVersion</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">managementEvent</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">readOnly</span>
  
  <span class="pill kill-chain">recipientAccountId</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">requestID</span>
  
  <span class="pill kill-chain">requestParameters.changeToken</span>
  
  <span class="pill kill-chain">requestParameters.ruleId</span>
  
  <span class="pill kill-chain">responseElements.changeToken</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourceIPAddress</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">tlsDetails.cipherSuite</span>
  
  <span class="pill kill-chain">tlsDetails.clientProvidedHostHeader</span>
  
  <span class="pill kill-chain">tlsDetails.tlsVersion</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">userAgent</span>
  
  <span class="pill kill-chain">userIdentity.accessKeyId</span>
  
  <span class="pill kill-chain">userIdentity.accountId</span>
  
  <span class="pill kill-chain">userIdentity.arn</span>
  
  <span class="pill kill-chain">userIdentity.principalId</span>
  
  <span class="pill kill-chain">userIdentity.type</span>
  
  <span class="pill kill-chain">userIdentity.userName</span>
  
  <span class="pill kill-chain">userName</span>
  
  <span class="pill kill-chain">user_access_key</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_arn</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_region</span>
  
</div>

Example Log

1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:40:42Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/waf.delete-rule", "requestParameters": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f", "ruleId": "5a9b1c4a-a999-4bb2-9f51-555f086ff34f"}, "responseElements": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f"}, "requestID": "2089be3e-28ea-4349-b505-db72c81c272a", "eventID": "0f815483-f6bb-42d9-b870-0dcc64ddc9a4", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}

Source: GitHub | Version: 2