Parsers and Generated Fields
Tag Fields Created by Parser aws-cloudtrail
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-cloudtrail
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.digestStartTime | @timestamp | Fallback timestamp if eventTime not present |
| Vendor.eventTime | @timestamp | Event timestamp in UTC |
| Vendor.time | @timestamp | Alternative timestamp field |
| Vendor.digestS3Bucket | cloud.Storage.bucket_name | Alternative S3 bucket name source |
| Vendor.requestParameters.bucketName | cloud.Storage.bucket_name | S3 bucket name |
| Vendor.awsAccountId | cloud.account.id | Alternative account ID source |
| Vendor.recipientAccountId | cloud.account.id | Fallback account ID source |
| Vendor.userIdentity.accountId | cloud.account.id | AWS account ID |
| Vendor.requestParameters.instanceId | cloud.instance.id | EC2 instance ID |
| Vendor.awsRegion | cloud.region | AWS region |
| Vendor.errorCode | error.code | Error code |
| Vendor.errorMessage | error.message | Error details |
| Vendor.eventName | event.action | Event action name |
| Vendor.eventID | event.id | Event ID |
| Vendor.errorCode | event.outcome | Maps to "failure" if present |
| Vendor.responseElements.ConsoleLogin | event.outcome | Console login outcome (success/failure) |
| Vendor.eventSource | event.provider | Event source service |
| Vendor.errorMessage | event.reason | Error reason |
| Vendor.previousDigestHashValue | file.hash.sha256 | When hash algorithm is SHA-256 |
| Vendor.digestS3Object | file.path | S3 object path |
| Vendor.requestParameters.Host | host.name | Host name (lowercase) |
| Vendor.sourceIPAddress | source.address | Source address (lowercase) |
| Vendor.tlsDetails.cipherSuite | tls.cipher | TLS cipher suite |
| Vendor.tlsDetails.tlsVersion | tls.version_protocol, | Split into protocol and version |
| Vendor.userIdentity.onBehalfOf.userId | user.id | User ID for IdentityCenterUser type |
| Vendor.userIdentity.principalId | user.id | User ID |
| Vendor.additionalEventData.UserName | user.name | Fallback user name |
| Vendor.requestParameters.roleSessionName | user.name | User name for AWSAccount type |
| Vendor.userIdentity.invokedBy | user.name | User name for AWSService type |
| Vendor.userIdentity.sessionContext.sessionIssuer.userName | user.name | User name for AssumedRole type |
| Vendor.userIdentity.userName | user.name | User name for IAMUser type |
| Vendor.requestParameters.roleArn | user.roles[] | Role ARN for SAMLUser, Role types |
| Vendor.userIdentity.onBehalfOf.identityStoreArn | user.roles[] | Role ARN for IdentityCenterUser type |
| Vendor.userIdentity.sessionContext.sessionIssuer.arn | user.roles[] | Role ARN for AssumedRole type |
| Vendor.userAgent | user_agent.original | User agent string |