CloudTrail Delete Trail Event
Management API call to delete a CloudTrail trail
AWS CloudTrail DeleteTrail API call event in OCSF format
Tags: aws, cloudtrail, management, delete, audit, compliance
Format: JSON
Fields: 10
Frequency: Low
Overview
Records when an AWS CloudTrail trail is deleted via the DeleteTrail API operation. This is a critical management event that should be monitored for compliance and security purposes.
When Generated:
- When a user or service deletes a CloudTrail trail via the AWS Console
- When the DeleteTrail API is called programmatically
- During automated cleanup processes
- When trails are removed due to cost optimization
Security Relevance: High
Compliance:
- SOC 2
- PCI DSS
- HIPAA
- SOX
- FedRAMP
Frequency Notes:
Low frequency event - trail deletions are typically infrequent administrative actions
Resources
Documentation
- AWS CloudTrail API Reference (official)
- CloudTrail DeleteTrail Documentation (official)
- OCSF Schema Documentation (reference)
Tools
- AWS CloudTrail Console: Web interface for managing CloudTrail trails and viewing events
- AWS CLI: Command-line interface for AWS services including CloudTrail
Generation Configuration
Base Frequency: 5 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.0x
Night Hours Multiplier: 0.3x
Weekend Multiplier: 0.1x
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
| metadata.uid (Source: random_guid()) | String | Required | UUID | Unique identifier for this event record | 123e4567-e89b-12d3-a456-426614174000 | — |
| time (Source: current_timestamp()) | Integer | Required | Unix timestamp | Event timestamp in Unix epoch format | 1703123456 | — |
| cloud.region (Source: Random selection from common AWS regions) | String | Required | — | AWS region where the API call was made | us-east-1 | us-east-1 — US East (N. Virginia); us-west-2 — US West (Oregon); eu-west-1 — Europe (Ireland) |
| api.operation (Source: Static value) | String | Required | — | The CloudTrail API operation being performed | DeleteTrail | — |
| actor.user.uid (Source: Constructed from random account ID and role) | String | Required | — | ARN of the IAM user or role performing the action | arn:aws:sts::123456789012:assumed-role/AdminRole/user@example.com | — |
| actor.user.account.uid (Source: random_int(100000000000, 999999999999)) | String | Required | — | AWS account ID where the action was performed | 123456789012 | — |
| src_endpoint.ip (Source: random_public_ip()) | String | Required | — | Source IP address of the API caller | 203.0.113.42 | — |
| api.request.data (Source: Constructed trail ARN with random account and trail name) | String | Required | — | JSON string containing the API request parameters | {"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/test"} | — |
| status (Source: Random selection weighted toward Success) | String | Required | — | Success or failure status of the API call | Success | Success — API call completed successfully; Failure — API call failed due to permissions or other error |
| actor.session.is_mfa (Source: Random boolean value) | Boolean | Optional | — | Whether multi-factor authentication was used for this session | true | — |
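The following Python example is added here and is not part of the original page or of any AWS or OCSF tooling: it triages DeleteTrail events using the fields defined in the table above. It assumes the dotted field names map to nested JSON objects; the function names, severity labels, reason strings, the cross-account heuristic and the second sample account ID are constructed for illustration.

```python
import json

def get(event, dotted, default=None):
    """Resolve a dotted field name such as 'actor.session.is_mfa' in nested JSON."""
    for key in dotted.split("."):
        if not isinstance(event, dict) or key not in event:
            return default
        event = event[key]
    return event

def triage_delete_trail(event):
    """Return a finding for a DeleteTrail event, or None for any other operation."""
    if get(event, "api.operation") != "DeleteTrail":
        return None
    reasons = []
    try:  # api.request.data is a JSON string, so it needs its own decode
        name = json.loads(get(event, "api.request.data", "")).get("name")
        trail = name if isinstance(name, str) else None
    except (ValueError, TypeError, AttributeError):
        trail = None
    if trail is None:
        reasons.append("trail name missing or unparseable")
    succeeded = get(event, "status") == "Success"
    reasons.append("trail deleted" if succeeded else "deletion attempt failed")
    # is_mfa is Optional in the field table: absence is treated as "no MFA proven"
    if get(event, "actor.session.is_mfa") is not True:
        reasons.append("no MFA on session")
    # ARN layout: arn:aws:cloudtrail:<region>:<account>:trail/<name>
    parts = (trail or "").split(":")
    if len(parts) >= 6 and parts[4] != str(get(event, "actor.user.account.uid")):
        reasons.append("trail account differs from caller account")
    return {"uid": get(event, "metadata.uid"), "actor": get(event, "actor.user.uid"),
            "src_ip": get(event, "src_endpoint.ip"), "trail": trail,
            "severity": "high" if succeeded else "medium", "reasons": reasons}

def make_event(status, account, is_mfa=None):
    """Constructed sample event reusing the example values from the field table."""
    data = '{"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/test"}'
    user = {"uid": f"arn:aws:sts::{account}:assumed-role/AdminRole/user@example.com",
            "account": {"uid": account}}
    return {"metadata": {"uid": "123e4567-e89b-12d3-a456-426614174000"}, "time": 1703123456,
            "cloud": {"region": "us-east-1"}, "src_endpoint": {"ip": "203.0.113.42"},
            "api": {"operation": "DeleteTrail", "request": {"data": data}}, "status": status,
            "actor": {"user": user, "session": {} if is_mfa is None else {"is_mfa": is_mfa}}}

if __name__ == "__main__":
    for ev in (make_event("Success", "123456789012", True),
               make_event("Failure", "210987654321")):
        print(json.dumps(triage_delete_trail(ev), indent=2))
```

Failed attempts are kept as findings rather than dropped, since a denied DeleteTrail call still shows someone tried to remove audit logging.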
Event Type: delete_trail