# Data-source definition for the CloudTrail event that records deletion of a
# knowledge base: metadata, the fields the add-on exposes for it, and one
# sample record. This is declarative content read by the consuming tooling;
# nothing in it executes on its own.
name: AWS CloudTrail DeleteKnowledgeBase
id: a8c47f25-5693-4d1a-9f8b-6e94d15ac2d9
version: 1
# Quoted on purpose so YAML keeps this a string rather than a date object.
# NOTE(review): the sample event below is timestamped 2025-04-03, later than
# this date -- confirm whether `date` is meant to track the last update.
date: '2023-10-15'
author: Bhavin Patel, Splunk
# The sample event's eventSource is bedrock.amazonaws.com, so the "knowledge
# base" being deleted here is an Amazon Bedrock knowledge base.
description: Logs an event when a knowledge base is deleted within the AWS CloudTrail.
mitre_components:
- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# Presumably the consumer selects records where the `separator` field equals
# `separator_value`, i.e. eventName == DeleteKnowledgeBase. That matches on
# eventName alone; if the schema allows it, also pinning eventSource would
# keep a same-named action from another service from being picked up.
# TODO confirm against the data_sources schema.
separator: eventName
separator_value: DeleteKnowledgeBase
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 8.1.0
# Fields available on a matching event. Dotted entries look like nested JSON
# paths into the raw CloudTrail record (they line up with the sample below);
# the rest appear to be Splunk default / CIM-normalised fields -- verify
# against the add-on.
fields:
- _time
- action
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- direction
- dvc
# The sample below is a successful call (status DELETING) and carries no
# errorCode; presumably this field is only populated on failed calls.
# Detections built on this source should check it to separate an attempted
# deletion from a completed one -- confirm in live data.
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- protocol
- protocol_code
- punct
- readOnly
- recipientAccountId
- region
- requestID
# Identifier of the knowledge base being deleted (see requestParameters in
# the sample); the natural pivot for scoping impact.
- requestParameters.knowledgeBaseId
# NOTE(review): the sample's responseElements carries only knowledgeBaseId
# and status, not requestId -- confirm this path is ever populated.
- responseElements.requestId
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- src_ip_range
- start_time
- status
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
# Whether the session that issued the call was MFA-authenticated. The sample
# shows "false" for an AssumedRole session -- a useful triage signal on a
# destructive action like this one.
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.sessionContext.sessionIssuer.accountId
- userIdentity.sessionContext.sessionIssuer.arn
- userIdentity.sessionContext.sessionIssuer.principalId
- userIdentity.sessionContext.sessionIssuer.type
- userIdentity.sessionContext.sessionIssuer.userName
- userIdentity.type
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
# Sample record used for documentation/testing. It is one single-quoted YAML
# scalar, so the line breaks inside it fold to spaces; do not put a `#` inside
# the quotes -- it would become part of the string, not a comment.
# NOTE(review): the sample carries a real-looking principal email, a
# temporary (ASIA...) access key id and a public source IP. Confirm these are
# synthetic or sanitised before publishing, since they ship verbatim.
example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "principalId":
"AROA:bpatel@splunk.com", "arn": "arn:aws:sts::111111111:assumed-role/daftpunk/bpatel@splunk.com",
"accountId": "111111111", "accessKeyId": "ASIAYTOGP2RLLIVGGYLX", "sessionContext":
{"sessionIssuer": {"type": "Role", "principalId": "AROA", "arn": "arn:aws:iam::111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/daftpunk",
"accountId": "111111111", "userName": "daftpunk"}, "attributes": {"creationDate":
"2025-04-03T21:50:08Z", "mfaAuthenticated": "false"}}}, "eventTime": "2025-04-03T23:49:06Z",
"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteKnowledgeBase", "awsRegion":
"us-west-2", "sourceIPAddress": "23.93.242.200", "userAgent": "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0
Safari/537.36", "requestParameters": {"knowledgeBaseId": "T9PFUXGAPO"}, "responseElements":
{"Access-Control-Expose-Headers": "x-amzn-Apigw-id,x-amzn-ErrorMessage,x-amzn-RequestId,x-amzn-ErrorType,x-amzn-Trace-id,refreshtoken,Date",
"knowledgeBaseId": "T9PFUXGAPO", "status": "DELETING"}, "requestID": "9dfbaf92-e781-4837-ad53-d72e20be1ac2",
"eventID": "bff5a344-3908-41f0-bb57-d57a01014ff3", "readOnly": false, "eventType":
"AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111", "eventCategory":
"Management"}'
# Fields the consumer surfaces from a matching event.
# NOTE(review): `dest` is not present in `fields` above -- confirm whether
# the add-on derives it or whether it should be listed there too.
output_fields:
- dest
- user
- user_agent
- src
- vendor_account
- vendor_region
- vendor_product