diff --git a/docs/manage/event-extraction-rules.md b/docs/manage/event-extraction-rules.md index dee8183e74..d583dc612d 100644 --- a/docs/manage/event-extraction-rules.md +++ b/docs/manage/event-extraction-rules.md @@ -28,7 +28,7 @@ You need the `Manage Event Extraction Rules` [role capability](/docs/manage/user 1. [**New UI**](/docs/get-started/sumo-logic-ui). To access the Event Extraction Rules page, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Event Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Event Extraction Rules**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Event Extraction Rules**. 1. Click the **+ Add Event Extraction Rule** button on the top right of the table.
Event extraction rule -1. Enter the following options in the **Create New Event Extraction Rule** page:
Create event extraction rule +1. Enter the following options in the **Create New Event Extraction Rule** page:
Create event extraction rule 1. **Log Query**. Enter the log search query for the event to filter the logs. :::note - To optimize query performance, limit log volume, parse and extract only the necessary fields, and use the `fields` operator in [denylist mode](/docs/search/search-query-language/search-operators/fields/#denylist) to exclude unnecessary fields and return only what’s required for event correlation and visualization.". @@ -83,6 +83,104 @@ To delete the existing event extraction rule, follow the below steps: 1. On the left pane, click **Delete** button.
Delete event extraction rule 1. In the **Delete [rule name] item** pop-up, click on **Delete**.
Delete confirm event extraction rule +:::note +A status of **Internal Cache Cleanup in Progress** means your requested data has already been deleted successfully. The remaining cache cleanup is an internal background operation managed by Sumo Logic and may take additional time to complete before the request is marked as fully complete. +::: + +## Examples + +Cloud environments such as AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs produce massive volumes of audit logs, and the events that matter are easily buried among millions of routine API calls. Event Extraction Rules surface those high-value events so you can quickly answer questions such as: + +- Who deleted an IAM role? +- Who modified a security group? +- When was an S3 bucket policy changed? +- Who disabled logging? +- When was a production instance terminated? + +The following examples use AWS CloudTrail logs to show how a rule turns a raw audit log into a meaningful, queryable event. + +### Detect IAM role deletions + +Track every time an IAM role is removed so you can correlate permission changes with incidents and speed up security investigations. Given the following raw log: + +```json +{ + "eventName": "DeleteRole", + "eventSource": "iam.amazonaws.com", + "userIdentity": { + "userName": "john.doe" + }, + "awsRegion": "us-east-1", + "eventTime": "2026-05-01T12:30:00Z" +} +``` + +Configure the rule with the following log query: + +``` +_sourceCategory=aws/cloudtrail +| json "eventName" as eventName +| json "userIdentity.userName" as user +| json "awsRegion" as region +| where eventName = "DeleteRole" +``` + +The rule extracts an **IAM Role Deleted** event with the fields `user = john.doe`, `region = us-east-1`, `resource = IAM Role`, and `timestamp = 2026-05-01T12:30:00Z`. + +### Track S3 bucket policy changes + +Capture every change to an S3 bucket policy so you can correlate later S3 access failures with the policy change that caused them. 
Given the following raw log: + +```json +{ + "eventName": "PutBucketPolicy", + "eventSource": "s3.amazonaws.com", + "requestParameters": { + "bucketName": "customer-prod-data" + } +} +``` + +Configure the rule with the following log query: + +``` +_sourceCategory=aws/cloudtrail +| json "eventName" as eventName +| json "requestParameters.bucketName" as bucketName +| where eventName = "PutBucketPolicy" +``` + +The rule extracts an **S3 Bucket Policy Modified** event for the `customer-prod-data` bucket. + +### Monitor production instance terminations + +Flag when a production EC2 instance is terminated so you can connect infrastructure failures and alerts to the deployments or user actions behind them. Given the following raw log: + +```json +{ + "eventName": "TerminateInstances", + "eventSource": "ec2.amazonaws.com", + "requestParameters": { + "instancesSet": { + "items": [ + { "instanceId": "i-123456" } + ] + } + } +} +``` + +Configure the rule with the following log query: + +``` +_sourceCategory=aws/cloudtrail +| json "eventName" as eventName +| json "requestParameters.instancesSet.items[0].instanceId" as instanceId +| where eventName = "TerminateInstances" +``` + +The rule extracts a **Production Instance Terminated** event for instance `i-123456`. + ## Limitations - You can create a maximum of 50 event extraction rules. diff --git a/static/img/manage/event-extraction-rule/create-event-extraction-rule.png b/static/img/manage/event-extraction-rule/create-event-extraction-rule.png deleted file mode 100644 index 2ef220243a..0000000000 Binary files a/static/img/manage/event-extraction-rule/create-event-extraction-rule.png and /dev/null differ diff --git a/static/img/manage/event-extraction-rule/create-event-extraction-rules.png b/static/img/manage/event-extraction-rule/create-event-extraction-rules.png new file mode 100644 index 0000000000..3bfd7a1d02 Binary files /dev/null and b/static/img/manage/event-extraction-rule/create-event-extraction-rules.png differ 
diff --git a/static/img/manage/event-extraction-rule/delete-confirm-event-extraction-rule.png b/static/img/manage/event-extraction-rule/delete-confirm-event-extraction-rule.png index 04bd474339..d8c06985b6 100644 Binary files a/static/img/manage/event-extraction-rule/delete-confirm-event-extraction-rule.png and b/static/img/manage/event-extraction-rule/delete-confirm-event-extraction-rule.png differ diff --git a/static/img/manage/event-extraction-rule/delete-event-extraction-rules.png b/static/img/manage/event-extraction-rule/delete-event-extraction-rules.png index 8a52fab872..775cc4a183 100644 Binary files a/static/img/manage/event-extraction-rule/delete-event-extraction-rules.png and b/static/img/manage/event-extraction-rule/delete-event-extraction-rules.png differ diff --git a/static/img/manage/event-extraction-rule/duplicate-event-extraction-rules.png b/static/img/manage/event-extraction-rule/duplicate-event-extraction-rules.png index c12e959508..40a00c3c25 100644 Binary files a/static/img/manage/event-extraction-rule/duplicate-event-extraction-rules.png and b/static/img/manage/event-extraction-rule/duplicate-event-extraction-rules.png differ diff --git a/static/img/manage/event-extraction-rule/edit-event-extraction-rules.png b/static/img/manage/event-extraction-rule/edit-event-extraction-rules.png index 69476d7bd7..268ce0b2bf 100644 Binary files a/static/img/manage/event-extraction-rule/edit-event-extraction-rules.png and b/static/img/manage/event-extraction-rule/edit-event-extraction-rules.png differ diff --git a/static/img/manage/event-extraction-rule/event-extraction-rule.png b/static/img/manage/event-extraction-rule/event-extraction-rule.png index 07b964de4b..0be5343672 100644 Binary files a/static/img/manage/event-extraction-rule/event-extraction-rule.png and b/static/img/manage/event-extraction-rule/event-extraction-rule.png differ
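Review bot: in the `@@ -28,7 +28,7 @@` hunk of docs/manage/event-extraction-rules.md the note sentence ends `...required for event correlation and visualization.".` with a stray closing double quote after the full stop. The line is rendered here with a leading `-`, but the hunk header counts seven lines on both sides and the only visible substantive change is the image reference under "Enter the following options", so the `-` may be a rendered bullet rather than a deletion; if the note text survives in the new version, drop the trailing `"` while this hunk is being touched.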
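Review bot: the three CloudTrail examples added in the `@@ -83,6 +83,104 @@` hunk of docs/manage/event-extraction-rules.md describe extracted events with fields the accompanying queries never produce, and two of the queries miss cases the prose says they cover. In "Detect IAM role deletions" the result claims `resource = IAM Role` and `timestamp = 2026-05-01T12:30:00Z`, but the query parses only `eventName`, `userIdentity.userName` and `awsRegion`; add `| json "eventTime" as timestamp` (and `| json "requestParameters.roleName" as roleName`, since the name of the deleted role is the first thing an investigator wants) or state where `resource` and `timestamp` come from. `userIdentity.userName` is also only populated for IAM-user principals; a DeleteRole made through an assumed role or federated session carries the actor in `userIdentity.arn` and `sessionContext` instead, so `user` will be empty for exactly the automated or SSO-driven deletions that matter most. In "Monitor production instance terminations", `requestParameters.instancesSet.items[0].instanceId` captures only the first instance of a TerminateInstances call that may carry many, and nothing in the query scopes the match to production (no instance-ID, tag or account filter), so the event name "Production Instance Terminated" promises more than the rule enforces; either say the rule fires for every termination or show the extra filter. Finally, the S3 and EC2 sample records omit `userIdentity`, `awsRegion` and `eventTime`, so those examples cannot answer the "who" and "when" questions the section intro lists; extracting those three fields consistently in all three queries, and filtering on `eventSource` alongside `eventName`, would make the examples match the questions they are meant to answer.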