aws
1 Topic
Wrong classification of administrative events for AWS CloudTrail logs
Hi, I'm trying to understand for what reason the below -raw data presented- event is classified as "Administrative Activity". This is causing millions of internal AWS API calls to be classified as Administrative Activity and triggers alarms. Is the eventName field considered, and are possible values grouped based on the risk? When we filter in CloudTrail itself, we apply basic filtering of readOnly = false, then we get all changes by administrative activity. Is there any way to filter out based on the readOnly field?
"eventType": "AwsApiCall",
"eventTime": "2019-03-20T09:10:57.0000000Z",
"awsRegion": "eu-central-1",
"eventName": "Decrypt",
"readOnly": true,
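An added example, not part of the original post and not any product's own classification logic: one way to pre-filter CloudTrail records on the readOnly field before they reach an "administrative activity" rule. The sample records, the function names and the choice to keep records that lack readOnly are assumptions.

```python
from collections import Counter

# Constructed sample records in CloudTrail record shape (not taken from the post).
# readOnly appears as a JSON boolean in one record and as a string in another,
# and is missing from the last one, so all three cases are exercised.
SAMPLE_RECORDS = [
    {"eventType": "AwsApiCall", "eventName": "Decrypt", "readOnly": True},
    {"eventType": "AwsApiCall", "eventName": "Decrypt", "readOnly": "true"},
    {"eventType": "AwsApiCall", "eventName": "PutRolePolicy", "readOnly": False},
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances", "readOnly": True},
    {"eventType": "AwsApiCall", "eventName": "CreateUser"},
]


def is_read_only(record):
    """Return True or False for the record's readOnly flag, None if absent or unparseable."""
    value = record.get("readOnly")
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def split_admin_candidates(records):
    """Separate records that may be administrative changes from read-only noise.

    Only records explicitly marked readOnly=true are suppressed. A record with
    no usable readOnly value is kept, so a missing field never hides a change.
    Suppressed records are counted per eventName so the dropped volume stays visible.
    """
    candidates = []
    suppressed = Counter()
    for record in records:
        if is_read_only(record) is True:
            suppressed[record.get("eventName", "unknown")] += 1
        else:
            candidates.append(record)
    return candidates, suppressed


if __name__ == "__main__":
    kept, dropped = split_admin_candidates(SAMPLE_RECORDS)
    print("candidates:", [r["eventName"] for r in kept])
    print("suppressed read-only calls:", dict(dropped))
```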