Microsoft Tech Community

Wrong classification of administrative events for AWS CloudTrail logs


I'm trying to understand why the event below (raw data presented) is classified as "Administrative Activity". This is causing millions of internal AWS API calls to be classified as Administrative Activity and triggers alarms. Is the eventName field considered, and are the possible values grouped based on risk? When we filter in CloudTrail itself, we apply basic filtering of readOnly = false, and then we get all changes made by administrative activity.

Is there any way to filter out based on the readOnly field?


{
  "eventType": "AwsApiCall",
  "eventTime": "2019-03-20T09:10:57.0000000Z",
  "awsRegion": "eu-central-1",
  "eventName": "Decrypt",
  "readOnly": true
}
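A filter of the kind the post asks for, as an added example that is not code from the post or from Microsoft: it treats readOnly as the authoritative flag and falls back to an eventName prefix heuristic only when CloudTrail omitted the field. The sample records are constructed, and the prefix list and the fallback behaviour are assumptions.

```python
import json
from collections import Counter

# Constructed sample CloudTrail export (not from the original post): the quoted
# Decrypt event, a mutating S3 call, a read-only EC2 call, and one IAM record
# with readOnly missing, which CloudTrail does not always populate.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventType": "AwsApiCall", "eventTime": "2019-03-20T09:10:57Z",
     "awsRegion": "eu-central-1", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "readOnly": True},
    {"eventType": "AwsApiCall", "eventTime": "2019-03-20T09:11:02Z",
     "awsRegion": "eu-central-1", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False},
    {"eventType": "AwsApiCall", "eventTime": "2019-03-20T09:11:30Z",
     "awsRegion": "eu-central-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True},
    {"eventType": "AwsApiCall", "eventTime": "2019-03-20T09:12:00Z",
     "awsRegion": "eu-central-1", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser"},
]})

# Assumed read-only verb prefixes, used only when readOnly is absent.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def is_administrative(record: dict) -> bool:
    """True if the record should count as change-making (administrative) activity.

    readOnly is authoritative when present. Records without it fall back to an
    eventName prefix heuristic; unknown verbs count as administrative so that a
    change is never silently dropped from the alerting set."""
    if "readOnly" in record:
        return record["readOnly"] is False
    return not record["eventName"].startswith(READ_PREFIXES)


def administrative_events(log_text: str) -> list:
    """Return only the records that should feed an administrative-activity alarm."""
    return [r for r in json.loads(log_text)["Records"] if is_administrative(r)]


def summarize(log_text: str) -> dict:
    """Count records per class, handy for checking how much noise the filter removes."""
    records = json.loads(log_text)["Records"]
    return dict(Counter("admin" if is_administrative(r) else "readonly"
                        for r in records))
```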

Hi Mustafa,
Thank you for the feedback, we'll look into changing this.