Wrong classification of administrative events for AWS cloudtrail logs

mustafak1 · ‎Mar 20 2019

Hi,

I'm trying to understand for what reason the below -raw data presented- event is classified as "Administrative Activity". This is causing millions of internal AWS API calls to be classified as Administrative Activity and triggers alarms. Is the eventName field considered and possible values are grouped based on the risk? When we filter in cloudtrail itself, we apply basic filtering of readOnly = false, then we get all changes by administrative activity.

is there any way to filter out based on the readOnly field?

"eventType": "AwsApiCall",
"eventTime": "2019-03-20T09:10:57.0000000Z",
"awsRegion": "eu-central-1",
"eventName": "Decrypt",
"readOnly": true,

Dima Donhin · ‎Mar 20 2019

Hi Mustafa,
Thank you for the feedback, we'll look into changing this.

Regards,
Dima.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Wrong classification of administrative events for AWS cloudtrail logs

Wrong classification of administrative events for AWS cloudtrail logs

Re: Wrong classification of administrative events for AWS cloudtrail logs