# Data source definition for the AWS CloudTrail "ModifyDBInstance" event
# (an RDS API call; the example below carries eventSource rds.amazonaws.com).
# The `fields` list records which extracted field names are available on
# this event when it is ingested through the add-on named in `supported_TA`.
name: AWS CloudTrail ModifyDBInstance
id: bfa2912d-1a33-4b05-be46-543874d68241
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail ModifyDBInstance
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# NOTE(review): presumably the field whose value separates this event from
# the other aws_cloudtrail events sharing this source — confirm against the
# consuming schema.
separator: eventName
# Add-on the field list was observed with. `version` has two dots, so it
# parses as a string without quoting.
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.7.1
# Field names extracted from this event. A `{}` segment denotes elements of
# a JSON array in the raw event (compare vpcSecurityGroups in the example).
fields:
- _time
- app
- awsRegion
- aws_account_id
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
# Settings the caller asked to change on the instance.
- requestParameters.allowMajorVersionUpgrade
- requestParameters.applyImmediately
- requestParameters.dBInstanceIdentifier
- requestParameters.deletionProtection
# CloudTrail masks the password ("****" in the example below); the field's
# presence, not its value, is what indicates a master-password change.
- requestParameters.masterUserPassword
# Instance state returned after the modification. Posture-relevant fields
# such as publiclyAccessible, storageEncrypted, deletionProtection and
# iAMDatabaseAuthenticationEnabled are listed here and are the ones a
# detection on a weakened configuration would read.
- responseElements.allocatedStorage
- responseElements.autoMinorVersionUpgrade
- responseElements.availabilityZone
- responseElements.backupRetentionPeriod
- responseElements.backupTarget
- responseElements.cACertificateIdentifier
- responseElements.copyTagsToSnapshot
- responseElements.customerOwnedIpEnabled
- responseElements.dBInstanceArn
- responseElements.dBInstanceClass
- responseElements.dBInstanceIdentifier
- responseElements.dBInstanceStatus
- responseElements.dBParameterGroups{}.dBParameterGroupName
- responseElements.dBParameterGroups{}.parameterApplyStatus
- responseElements.dBSubnetGroup.dBSubnetGroupDescription
- responseElements.dBSubnetGroup.dBSubnetGroupName
- responseElements.dBSubnetGroup.subnetGroupStatus
- responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
- responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
- responseElements.dBSubnetGroup.subnets{}.subnetStatus
- responseElements.dBSubnetGroup.vpcId
- responseElements.dbInstancePort
- responseElements.dbiResourceId
- responseElements.deletionProtection
- responseElements.endpoint.address
- responseElements.endpoint.hostedZoneId
- responseElements.endpoint.port
- responseElements.engine
- responseElements.engineVersion
- responseElements.enhancedMonitoringResourceArn
- responseElements.httpEndpointEnabled
- responseElements.iAMDatabaseAuthenticationEnabled
- responseElements.instanceCreateTime
- responseElements.kmsKeyId
- responseElements.latestRestorableTime
- responseElements.licenseModel
- responseElements.masterUsername
- responseElements.monitoringInterval
- responseElements.monitoringRoleArn
- responseElements.multiAZ
- responseElements.networkType
- responseElements.optionGroupMemberships{}.optionGroupName
- responseElements.optionGroupMemberships{}.status
# Also masked ("****"); present while the password change is pending.
- responseElements.pendingModifiedValues.masterUserPassword
- responseElements.performanceInsightsEnabled
- responseElements.performanceInsightsKMSKeyId
- responseElements.performanceInsightsRetentionPeriod
- responseElements.preferredBackupWindow
- responseElements.preferredMaintenanceWindow
- responseElements.publiclyAccessible
- responseElements.storageEncrypted
- responseElements.storageThroughput
- responseElements.storageType
- responseElements.vpcSecurityGroups{}.status
- responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
# Raw value is the string "true"/"false" (quoted in the example), not a boolean.
- sessionCredentialFromConsole
- signature
- source
# Can hold "AWS Internal" instead of an IP address (as in the example), so
# src/src_ip are not always usable for network-based correlation.
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
# Raw value is the string "true"/"false" (quoted in the example), not a boolean.
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.sessionContext.sessionIssuer.accountId
- userIdentity.sessionContext.sessionIssuer.arn
- userIdentity.sessionContext.sessionIssuer.principalId
- userIdentity.sessionContext.sessionIssuer.type
- userIdentity.sessionContext.sessionIssuer.userName
- userIdentity.type
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
# Sample raw event as one single-quoted YAML scalar; line breaks inside it
# fold to single spaces. The account id looks like a placeholder and the
# password fields are masked, but the other identifiers are whatever the
# captured event contained — keep that in mind before reusing the sample.
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
  "AROAYTOGP2RLDF6WP4HD6:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/[email protected]",
  "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext":
  {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn":
  "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
  "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
  "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-05T08:47:55Z",
  "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-05T09:19:15Z", "eventSource":
  "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters":
  {"dBInstanceIdentifier": "database-1", "applyImmediately": true, "masterUserPassword":
  "****", "allowMajorVersionUpgrade": false, "deletionProtection": true}, "responseElements":
  {"dBInstanceIdentifier": "database-1", "dBInstanceClass": "db.m6g.large", "engine":
  "postgres", "dBInstanceStatus": "available", "masterUsername": "postgres", "endpoint":
  {"address": "database-1.ce6wk5bvtc0t.us-west-2.rds.amazonaws.com", "port": 5432,
  "hostedZoneId": "Z1PVIF0B656C1W"}, "allocatedStorage": 5, "instanceCreateTime":
  "Aug 5, 2022 9:02:51 AM", "preferredBackupWindow": "06:35-07:05", "backupRetentionPeriod":
  7, "dBSecurityGroups": [], "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-46cfd020",
  "status": "active"}], "dBParameterGroups": [{"dBParameterGroupName": "default.postgres14",
  "parameterApplyStatus": "in-sync"}], "availabilityZone": "us-west-2a", "dBSubnetGroup":
  {"dBSubnetGroupName": "default", "dBSubnetGroupDescription": "default", "vpcId":
  "vpc-5f02343b", "subnetGroupStatus": "Complete", "subnets": [{"subnetIdentifier":
  "subnet-43225f35", "subnetAvailabilityZone": {"name": "us-west-2b"}, "subnetOutpost":
  {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-e55d7881", "subnetAvailabilityZone":
  {"name": "us-west-2a"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier":
  "subnet-0beddb972f034bdaa", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost":
  {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-2d70cd75", "subnetAvailabilityZone":
  {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}]}, "preferredMaintenanceWindow":
  "sat:11:44-sat:12:14", "pendingModifiedValues": {"masterUserPassword": "****"},
  "latestRestorableTime": "Aug 5, 2022 9:12:31 AM", "multiAZ": false, "engineVersion":
  "14.2", "autoMinorVersionUpgrade": true, "readReplicaDBInstanceIdentifiers": [],
  "licenseModel": "postgresql-license", "storageThroughput": 0, "optionGroupMemberships":
  [{"optionGroupName": "default:postgres-14", "status": "in-sync"}], "publiclyAccessible":
  false, "storageType": "standard", "dbInstancePort": 0, "storageEncrypted": true,
  "kmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623",
  "dbiResourceId": "db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "cACertificateIdentifier": "rds-ca-2019",
  "domainMemberships": [], "copyTagsToSnapshot": true, "monitoringInterval": 60, "enhancedMonitoringResourceArn":
  "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-IX2K4LYFLBVZDHBYNPEAVFHFQM",
  "monitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role", "dBInstanceArn":
  "arn:aws:rds:us-west-2:111111111111:db:database-1", "iAMDatabaseAuthenticationEnabled":
  false, "performanceInsightsEnabled": true, "performanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623",
  "performanceInsightsRetentionPeriod": 7, "deletionProtection": true, "associatedRoles":
  [], "httpEndpointEnabled": false, "tagList": [], "customerOwnedIpEnabled": false,
  "networkType": "IPV4", "backupTarget": "region"}, "requestID": "59e6b621-2f12-415b-bde4-21fa2dc7c113",
  "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType":
  "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
  "Management", "sessionCredentialFromConsole": "true"}'