I'd like to understand the reason for the increase in GuardDuty's CloudTrail management event analysis pricing

Introduction

Hello.
I'm Omori from Technical Support.
My daughter's latest obsession has returned to Anpanman again.

I'd like to summarize the causes and investigation methods for increased GuardDuty CloudTrail management event analysis costs.

Problem

The cost of CloudTrail management event analysis has increased in each region, but when checking the number of CloudTrail events, we only see an increase in the Northern Virginia region, making it difficult to identify the cause.
Please advise on how to investigate this issue.

Reason

In GuardDuty, CloudTrail events related to global services are replicated and analyzed in each region where GuardDuty is enabled. (Reference 1)
As a result, there may be a difference between the number of CloudTrail events recorded in each region and the number of CloudTrail events analyzed by GuardDuty.

Investigation Method

Create an Athena table from your CloudTrail trail and execute queries to investigate which APIs have increased in the Northern Virginia region. (References 2, 3)

Conclusion

This article explains a pattern where global service events increased, but Athena analysis is also useful when CloudTrail management event analysis costs increase in a single region.

I hope this blog post will be helpful to someone.

References

1.GuardDuty Core Data Sources - Amazon GuardDuty

When GuardDuty consumes CloudTrail Global Service Events (GSE) that have security value such as network configurations or user permissions, it replicates those events and processes them in each Region where GuardDuty is enabled.

2.How do I automatically create Amazon Athena tables to search AWS CloudTrail logs?

3.How to adjust the time period of log files when creating Athena tables from CloudTrail trails