Data Source: AWS CloudTrail DeleteRule

Description

Logs the deletion of an event rule in AWS EventBridge, including details about the rule name and its associated targets or schedules. Note that `eventName=DeleteRule` is not unique to EventBridge: the example log below carries `eventSource` `waf.amazonaws.com` with `requestParameters.ruleId` and `requestParameters.changeToken` (the AWS WAF Classic DeleteRule call), so detections built on this data source should also filter on `eventSource` (`events.amazonaws.com` for EventBridge) rather than on `eventName` alone.

Details

Property Value
Source aws_cloudtrail
Sourcetype aws:cloudtrail
Separator eventName

Supported Apps

Event Fields

Fields

_time
apiVersion
app
awsRegion
aws_account_id
command
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest
dvc
errorCode
eventCategory
eventID
eventName
eventSource
eventTime
eventType
eventVersion
eventtype
host
index
linecount
managementEvent
msg
object_category
product
punct
readOnly
recipientAccountId
region
requestID
requestParameters.changeToken
requestParameters.ruleId
responseElements.changeToken
signature
source
sourceIPAddress
sourcetype
splunk_server
src
src_ip
start_time
tag
tag::eventtype
timeendpos
timestartpos
tlsDetails.cipherSuite
tlsDetails.clientProvidedHostHeader
tlsDetails.tlsVersion
user
userAgent
userIdentity.accessKeyId
userIdentity.accountId
userIdentity.arn
userIdentity.principalId
userIdentity.type
userIdentity.userName
userName
user_access_key
user_agent
user_arn
user_group_id
user_id
user_name
user_type
vendor
vendor_account
vendor_product
vendor_region

Example Log

1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:40:42Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/waf.delete-rule", "requestParameters": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f", "ruleId": "5a9b1c4a-a999-4bb2-9f51-555f086ff34f"}, "responseElements": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f"}, "requestID": "2089be3e-28ea-4349-b505-db72c81c272a", "eventID": "0f815483-f6bb-42d9-b870-0dcc64ddc9a4", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}

Source: GitHub | Version: 2