Data Source: AWS CloudTrail ModifyDBInstance

Description

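Data source object for AWS CloudTrail `ModifyDBInstance` events, the management events logged by Amazon RDS (`eventSource` `rds.amazonaws.com`) when a DB instance's configuration is modified. In the example log below the value of `masterUserPassword` is masked as `****`, so for detection the signal of a master-password change is the presence of `requestParameters.masterUserPassword`, not its value. In the same example `sourceIPAddress` and `userAgent` are both `AWS Internal` rather than a client address, so source-IP enrichment should not be assumed to work for every event.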

Details

| Property | Value |
| --- | --- |
| Source | aws_cloudtrail |
| Sourcetype | aws:cloudtrail |
| Separator | eventName |

Supported Apps

Event Fields

+ Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">awsRegion</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">errorCode</span>
  
  <span class="pill kill-chain">eventCategory</span>
  
  <span class="pill kill-chain">eventID</span>
  
  <span class="pill kill-chain">eventName</span>
  
  <span class="pill kill-chain">eventSource</span>
  
  <span class="pill kill-chain">eventTime</span>
  
  <span class="pill kill-chain">eventType</span>
  
  <span class="pill kill-chain">eventVersion</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">managementEvent</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">readOnly</span>
  
  <span class="pill kill-chain">recipientAccountId</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">requestID</span>
  
  <span class="pill kill-chain">requestParameters.allowMajorVersionUpgrade</span>
  
  <span class="pill kill-chain">requestParameters.applyImmediately</span>
  
  <span class="pill kill-chain">requestParameters.dBInstanceIdentifier</span>
  
  <span class="pill kill-chain">requestParameters.deletionProtection</span>
  
  <span class="pill kill-chain">requestParameters.masterUserPassword</span>
  
  <span class="pill kill-chain">responseElements.allocatedStorage</span>
  
  <span class="pill kill-chain">responseElements.autoMinorVersionUpgrade</span>
  
  <span class="pill kill-chain">responseElements.availabilityZone</span>
  
  <span class="pill kill-chain">responseElements.backupRetentionPeriod</span>
  
  <span class="pill kill-chain">responseElements.backupTarget</span>
  
  <span class="pill kill-chain">responseElements.cACertificateIdentifier</span>
  
  <span class="pill kill-chain">responseElements.copyTagsToSnapshot</span>
  
  <span class="pill kill-chain">responseElements.customerOwnedIpEnabled</span>
  
  <span class="pill kill-chain">responseElements.dBInstanceArn</span>
  
  <span class="pill kill-chain">responseElements.dBInstanceClass</span>
  
  <span class="pill kill-chain">responseElements.dBInstanceIdentifier</span>
  
  <span class="pill kill-chain">responseElements.dBInstanceStatus</span>
  
  <span class="pill kill-chain">responseElements.dBParameterGroups{}.dBParameterGroupName</span>
  
  <span class="pill kill-chain">responseElements.dBParameterGroups{}.parameterApplyStatus</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.dBSubnetGroupDescription</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.dBSubnetGroupName</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.subnetGroupStatus</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.subnets{}.subnetIdentifier</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.subnets{}.subnetStatus</span>
  
  <span class="pill kill-chain">responseElements.dBSubnetGroup.vpcId</span>
  
  <span class="pill kill-chain">responseElements.dbInstancePort</span>
  
  <span class="pill kill-chain">responseElements.dbiResourceId</span>
  
  <span class="pill kill-chain">responseElements.deletionProtection</span>
  
  <span class="pill kill-chain">responseElements.endpoint.address</span>
  
  <span class="pill kill-chain">responseElements.endpoint.hostedZoneId</span>
  
  <span class="pill kill-chain">responseElements.endpoint.port</span>
  
  <span class="pill kill-chain">responseElements.engine</span>
  
  <span class="pill kill-chain">responseElements.engineVersion</span>
  
  <span class="pill kill-chain">responseElements.enhancedMonitoringResourceArn</span>
  
  <span class="pill kill-chain">responseElements.httpEndpointEnabled</span>
  
  <span class="pill kill-chain">responseElements.iAMDatabaseAuthenticationEnabled</span>
  
  <span class="pill kill-chain">responseElements.instanceCreateTime</span>
  
  <span class="pill kill-chain">responseElements.kmsKeyId</span>
  
  <span class="pill kill-chain">responseElements.latestRestorableTime</span>
  
  <span class="pill kill-chain">responseElements.licenseModel</span>
  
  <span class="pill kill-chain">responseElements.masterUsername</span>
  
  <span class="pill kill-chain">responseElements.monitoringInterval</span>
  
  <span class="pill kill-chain">responseElements.monitoringRoleArn</span>
  
  <span class="pill kill-chain">responseElements.multiAZ</span>
  
  <span class="pill kill-chain">responseElements.networkType</span>
  
  <span class="pill kill-chain">responseElements.optionGroupMemberships{}.optionGroupName</span>
  
  <span class="pill kill-chain">responseElements.optionGroupMemberships{}.status</span>
  
  <span class="pill kill-chain">responseElements.pendingModifiedValues.masterUserPassword</span>
  
  <span class="pill kill-chain">responseElements.performanceInsightsEnabled</span>
  
  <span class="pill kill-chain">responseElements.performanceInsightsKMSKeyId</span>
  
  <span class="pill kill-chain">responseElements.performanceInsightsRetentionPeriod</span>
  
  <span class="pill kill-chain">responseElements.preferredBackupWindow</span>
  
  <span class="pill kill-chain">responseElements.preferredMaintenanceWindow</span>
  
  <span class="pill kill-chain">responseElements.publiclyAccessible</span>
  
  <span class="pill kill-chain">responseElements.storageEncrypted</span>
  
  <span class="pill kill-chain">responseElements.storageThroughput</span>
  
  <span class="pill kill-chain">responseElements.storageType</span>
  
  <span class="pill kill-chain">responseElements.vpcSecurityGroups{}.status</span>
  
  <span class="pill kill-chain">responseElements.vpcSecurityGroups{}.vpcSecurityGroupId</span>
  
  <span class="pill kill-chain">sessionCredentialFromConsole</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourceIPAddress</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">userAgent</span>
  
  <span class="pill kill-chain">userIdentity.accessKeyId</span>
  
  <span class="pill kill-chain">userIdentity.accountId</span>
  
  <span class="pill kill-chain">userIdentity.arn</span>
  
  <span class="pill kill-chain">userIdentity.principalId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.creationDate</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.mfaAuthenticated</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.accountId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.arn</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.principalId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.type</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.userName</span>
  
  <span class="pill kill-chain">userIdentity.type</span>
  
  <span class="pill kill-chain">userName</span>
  
  <span class="pill kill-chain">user_access_key</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_arn</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_region</span>
  

Example Log

{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WP4HD6:gowthamarajr@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/gowthamarajr@splunk.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-05T08:47:55Z", "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-05T09:19:15Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": {"dBInstanceIdentifier": "database-1", "applyImmediately": true, "masterUserPassword": "****", "allowMajorVersionUpgrade": false, "deletionProtection": true}, "responseElements": {"dBInstanceIdentifier": "database-1", "dBInstanceClass": "db.m6g.large", "engine": "postgres", "dBInstanceStatus": "available", "masterUsername": "postgres", "endpoint": {"address": "database-1.ce6wk5bvtc0t.us-west-2.rds.amazonaws.com", "port": 5432, "hostedZoneId": "Z1PVIF0B656C1W"}, "allocatedStorage": 5, "instanceCreateTime": "Aug 5, 2022 9:02:51 AM", "preferredBackupWindow": "06:35-07:05", "backupRetentionPeriod": 7, "dBSecurityGroups": [], "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-46cfd020", "status": "active"}], "dBParameterGroups": [{"dBParameterGroupName": "default.postgres14", "parameterApplyStatus": "in-sync"}], "availabilityZone": "us-west-2a", "dBSubnetGroup": {"dBSubnetGroupName": "default", "dBSubnetGroupDescription": "default", "vpcId": "vpc-5f02343b", "subnetGroupStatus": "Complete", "subnets": 
[{"subnetIdentifier": "subnet-43225f35", "subnetAvailabilityZone": {"name": "us-west-2b"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-e55d7881", "subnetAvailabilityZone": {"name": "us-west-2a"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-0beddb972f034bdaa", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-2d70cd75", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}]}, "preferredMaintenanceWindow": "sat:11:44-sat:12:14", "pendingModifiedValues": {"masterUserPassword": "****"}, "latestRestorableTime": "Aug 5, 2022 9:12:31 AM", "multiAZ": false, "engineVersion": "14.2", "autoMinorVersionUpgrade": true, "readReplicaDBInstanceIdentifiers": [], "licenseModel": "postgresql-license", "storageThroughput": 0, "optionGroupMemberships": [{"optionGroupName": "default:postgres-14", "status": "in-sync"}], "publiclyAccessible": false, "storageType": "standard", "dbInstancePort": 0, "storageEncrypted": true, "kmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623", "dbiResourceId": "db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "cACertificateIdentifier": "rds-ca-2019", "domainMemberships": [], "copyTagsToSnapshot": true, "monitoringInterval": 60, "enhancedMonitoringResourceArn": "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "monitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role", "dBInstanceArn": "arn:aws:rds:us-west-2:111111111111:db:database-1", "iAMDatabaseAuthenticationEnabled": false, "performanceInsightsEnabled": true, "performanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623", "performanceInsightsRetentionPeriod": 7, "deletionProtection": true, "associatedRoles": [], "httpEndpointEnabled": false, "tagList": [], "customerOwnedIpEnabled": false, 
"networkType": "IPV4", "backupTarget": "region"}, "requestID": "59e6b621-2f12-415b-bde4-21fa2dc7c113", "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}

Source: GitHub | Version: 1