Mar 20 2019 02:38 AM
Hi,
I'm trying to understand why the event below (raw data shown) is classified as "Administrative Activity". This is causing millions of internal AWS API calls to be classified as Administrative Activity and triggers alarms. Is the eventName field considered, and are its possible values grouped based on risk? When we filter in CloudTrail itself, we apply basic filtering of readOnly = false, and then we get all changes made by administrative activity.
Is there any way to filter out based on the readOnly field?
"eventType": "AwsApiCall",
"eventTime": "2019-03-20T09:10:57.0000000Z",
"awsRegion": "eu-central-1",
"eventName": "Decrypt",
"readOnly": true,
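As an added example (not part of the original post, and not code from whatever product is doing the "Administrative Activity" classification), the following Python shows the readOnly-based filtering described above applied to raw CloudTrail records: only AwsApiCall records that CloudTrail does not explicitly mark readOnly are kept, so high-volume read-only calls such as the Decrypt event shown are dropped before any alerting. The log records are constructed for illustration (the eventSource values and the record with no readOnly field are assumptions, not data from the post); a record lacking the field is treated as not read-only so that a mutating call is never silently discarded.

```python
import json

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
# These are illustrative records, not real log data; eventSource values are assumed.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventType": "AwsApiCall", "eventTime": "2019-03-20T09:10:57Z",
     "awsRegion": "eu-central-1", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "readOnly": True},
    {"eventVersion": "1.05", "eventType": "AwsApiCall", "eventTime": "2019-03-20T09:11:02Z",
     "awsRegion": "eu-central-1", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "readOnly": True},
    {"eventVersion": "1.05", "eventType": "AwsApiCall", "eventTime": "2019-03-20T09:12:15Z",
     "awsRegion": "eu-central-1", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False},
    {"eventVersion": "1.05", "eventType": "AwsApiCall", "eventTime": "2019-03-20T09:13:40Z",
     "awsRegion": "eu-central-1", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False},
    # Assumption: an older-style record that carries no readOnly field at all.
    {"eventVersion": "1.04", "eventType": "AwsApiCall", "eventTime": "2019-03-20T09:14:01Z",
     "awsRegion": "eu-central-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances"},
]})


def is_read_only(record):
    """True only when CloudTrail explicitly marks the call read-only.

    A missing field counts as NOT read-only (fail closed: mutating calls are
    never dropped). String forms of the flag are accepted defensively in case
    an upstream pipeline has stringified the JSON boolean.
    """
    value = record.get("readOnly")
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def all_events(log_text):
    """Parse a CloudTrail log file body and return its records."""
    return json.loads(log_text)["Records"]


def mutating_events(log_text):
    """Keep only API calls that may have changed something (readOnly != true)."""
    return [r for r in all_events(log_text)
            if r.get("eventType") == "AwsApiCall" and not is_read_only(r)]


def count_by_event_name(records):
    """Tally records per eventName, e.g. to see what dominates an alert volume."""
    counts = {}
    for r in records:
        counts[r["eventName"]] = counts.get(r["eventName"], 0) + 1
    return counts


if __name__ == "__main__":
    print("all calls:     ", count_by_event_name(all_events(SAMPLE_LOG)))
    print("mutating only: ", count_by_event_name(mutating_events(SAMPLE_LOG)))
```

Running it shows the two Decrypt calls disappearing from the mutating set while CreateUser, PutBucketPolicy and the field-less RunInstances record survive. The same predicate (`readOnly` is not `true`) is what the post describes applying in CloudTrail itself; whether the downstream classifier honours that field is a separate question that this example cannot answer.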
Mar 20 2019 09:06 AM