DOCS-1663 - Add examples and refresh screenshots for event extraction rules #6851
JV0812 wants to merge 1 commit into
Conversation
… rules Add an Examples section with AWS CloudTrail use cases (IAM role deletions, S3 bucket policy changes, production instance terminations), document the Internal Cache Cleanup in Progress status, and update screenshots. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| ```json | ||
| { | ||
| "eventName": "PutBucketPolicy", | ||
| "bucketName": "customer-prod-data" |
In real CloudTrail logs, bucketName is not a top-level field — it lives at requestParameters.bucketName. A parse expression like | json "bucketName" written against this example would return null on real logs. Please either correct the sample to the actual nested structure (e.g. "requestParameters": { "bucketName": "customer-prod-data" }) or add a note that the JSON is simplified for illustration.
| ```json | ||
| { | ||
| "eventName": "TerminateInstances", | ||
| "instanceId": "i-123456" |
In real CloudTrail TerminateInstances events, the instance ID is not a top-level field — it lives at requestParameters.instancesSet.items[0].instanceId (an array, since the API accepts multiple instances in one call). A parse expression based on this example would miss on real logs. Please correct to the actual nested structure or note the JSON is simplified.
| The following examples use AWS CloudTrail logs to show how a rule turns a raw audit log into a meaningful, queryable event. | ||
| ### Detect IAM role deletions |
The examples show the raw log input and the extracted event output, but omit the Log Query — the one thing users need to actually configure the rule. Without a parse/json/where expression, these can't be used as working references. Even a minimal example like | json "eventName" as eventName | where eventName = "DeleteRole" for the IAM case would make each example end-to-end actionable.
| "eventName": "DeleteRole", | ||
| "eventSource": "iam.amazonaws.com", | ||
| "userIdentity": { | ||
| "userName": "***.***" |
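Review bot: the sample assumes the caller is an IAM user, but userIdentity.userName is only present when userIdentity.type is IAMUser (or Root); for AssumedRole sessions the role name sits under userIdentity.sessionContext.sessionIssuer.userName and the session shows up in userIdentity.arn, so an extraction that reads only userIdentity.userName yields an empty user for every role-based DeleteRole call. Suggest showing "type": "IAMUser" in the sample, or adding a note that rules should fall back to sessionContext.sessionIssuer.userName.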
"userName": "***.***" reads like a redacted real value rather than a documentation placeholder, and the extracted event repeats it literally as user = ***.***. Readers may think this is a format or mask the system applies. A generic illustrative value like alice or john.doe would be clearer.
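As an added illustration (not code from the PR or the Sumo Logic docs), the Python below builds constructed CloudTrail-shaped records with the nested requestParameters layout the reviewers describe and shows that a top-level lookup returns nothing while a path-aware extractor yields the user, bucket and instance IDs the three examples want. The record contents, function names and the assumed-role fallback are assumptions, not values from the page.

```python
import json

# Constructed CloudTrail-shaped records (not real logs): the fields of interest
# sit under requestParameters, and the caller may be an IAM user or an assumed role.
SAMPLE_LOGS = [
    json.dumps({"eventName": "DeleteRole", "eventSource": "iam.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "requestParameters": {"roleName": "LegacyAdmin"}}),
    json.dumps({"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
                "userIdentity": {"type": "AssumedRole", "sessionContext": {
                    "sessionIssuer": {"userName": "deploy-role"}}},
                "requestParameters": {"bucketName": "customer-prod-data"}}),
    json.dumps({"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "requestParameters": {"instancesSet": {"items": [
                    {"instanceId": "i-123456"}, {"instanceId": "i-789abc"}]}}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "carol"},
                "requestParameters": {}}),
]
WATCHED = {"DeleteRole", "PutBucketPolicy", "TerminateInstances"}

def actor(identity):
    """Principal name: userName for IAM users, else the issuing role of the session."""
    if "userName" in identity:
        return identity["userName"]
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "unknown")

def naive_bucket(raw):
    # What the PR's flat sample suggests; returns None on realistically shaped logs.
    return json.loads(raw).get("bucketName")

def extract_event(raw):
    """Turn one raw CloudTrail line into a flat, queryable event (None if not watched)."""
    rec = json.loads(raw)
    if rec.get("eventName") not in WATCHED:
        return None
    params = rec.get("requestParameters") or {}
    event = {"eventName": rec["eventName"], "user": actor(rec.get("userIdentity", {}))}
    for key in ("bucketName", "roleName"):  # nested under requestParameters, not top level
        if key in params:
            event[key] = params[key]
    items = params.get("instancesSet", {}).get("items", [])
    if items:  # the API accepts several instances per call, so keep the whole list
        event["instanceIds"] = [i["instanceId"] for i in items]
    return event

def extract_all(lines):
    return [e for e in (extract_event(line) for line in lines) if e]
```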
Purpose of this pull request
This pull request adds an Examples section to the Event Extraction Rules doc with three AWS CloudTrail use cases (IAM role deletions, S3 bucket policy changes, and production instance terminations), documents the Internal Cache Cleanup in Progress delete status, and refreshes the page screenshots.
Select the type of change
Ticket (if applicable)
https://sumologic.atlassian.net/browse/DOCS-1663
🤖 Generated with Claude Code