Example: GuardDuty log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
The following example shows a CloudTrail log entry that demonstrates the data plane event.
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "111122223333:aws:ec2-instance:i-123412341234example", "arn": "arn:aws-cn:sts::111122223333:assumed-role/aws:ec2-instance/i-123412341234example", "accountId": "111122223333", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "111122223333:aws:ec2-instance", "arn": "arn:aws-cn:iam::111122223333:role/aws:ec2-instance", "accountId": "111122223333", "userName": "aws:ec2-instance" }, "attributes": { "creationDate": "2023-03-05T04:00:21Z", "mfaAuthenticated": "false" }, "ec2RoleDelivery": "2.0" } }, "eventTime": "2023-03-05T06:03:49Z", "eventSource": "guardduty.amazonaws.com", "eventName": "SendSecurityTelemetry", "awsRegion": "us-east-1", "sourceIPAddress": "54.240.230.177", "userAgent": "aws-sdk-rust/0.54.1 os/linux lang/rust/1.66.0", "requestParameters": null, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::GuardDuty::Detector", "ARN": "arn:aws-cn:guardduty:us-west-2:111122223333:detector/12abc34d567e8fa901bc2d34e56789f0" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "guardduty-data.us-east-1.amazonaws.com" } }
The following example shows a CloudTrail log entry that demonstrates the
CreateIPThreatIntelSet action (control plane event).
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws-cn:iam::444455556666:user/Alice", "accountId": "444455556666", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2018-06-14T22:54:20Z" }, "sessionIssuer": { "type": "Role", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws-cn:iam::444455556666:user/Alice", "accountId": "444455556666", "userName": "Alice" } } }, "eventTime": "2018-06-14T22:57:56Z", "eventSource": "guardduty.amazonaws.com", "eventName": "CreateThreatIntelSet", "awsRegion": "us-west-2", "sourceIPAddress": "54.240.230.177", "userAgent": "console.amazonaws.com", "requestParameters": { "detectorId": "12abc34d567e8fa901bc2d34e56789f0", "name": "Example", "format": "TXT", "activate": false, "location": "https://s3.amazonaws.com/bucket.name/file.txt" }, "responseElements": { "threatIntelSetId": "1ab200428351c99d859bf61992460d24" }, "requestID": "5f6bf981-7026-11e8-a9fc-5b37d2684c5c", "eventID": "81337b11-e5c8-4f91-b141-deb405625bc9", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "444455556666" }
From this event information, you can determine that the request was made to create a
threat list Example in GuardDuty. You can also see that the request was made by
a user named Alice on June 14, 2018.