Parsers and Generated Fields

Tag Fields Created by Parser aws-cloudtrail
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser aws-cloudtrail
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.digestStartTime | @timestamp | Fallback timestamp if eventTime not present |
| Vendor.eventTime | @timestamp | Event timestamp in UTC |
| Vendor.digestS3Bucket; | cloud.Storage.bucket_name | |
| Vendor.requestParameters.bucketName; | cloud.Storage.bucket_name | |
| Vendor.awsAccountId; | cloud.account.id | |
| Vendor.recipientAccountId; | cloud.account.id | |
| Vendor.userIdentity.accountId; | cloud.account.id | |
| Vendor.requestParameters.instanceId | cloud.instance.id | EC2 instance ID |
| Vendor.awsRegion | cloud.region | AWS region |
| Vendor.errorCode | error.code | |
| Vendor.errorMessage | error.message | |
| Vendor.errorMessage | error.message, event.reason | Error details |
| Vendor.eventName | event.action | Event action name |
| Vendor.eventID | event.id | |
| Vendor.errorCode | event.outcome | Maps to "failure" if present |
| Vendor.responseElements.ConsoleLogin | event.outcome | Maps to "success" or "failure" based on value |
| Vendor.eventSource | event.provider | Event source service |
| Vendor.errorMessage; | event.reason | |
| Vendor.digestS3Object | file.path | |
| Vendor.sourceIPAddress | source.ip | Source IP address |
| source.address; | source.ip | |
| Vendor.tlsDetails.cipherSuite | tls.cipher | TLS cipher suite |
| tls[1] | tls.version | |
| tls[0] | tls.version_protocol | |
| Vendor.tlsDetails.tlsVersion | tls.version_protocol, tls.version | Split into protocol and version |
| Vendor.userIdentity.principalId | user.id | |
| Vendor.additionalEventData.UserName | user.name | Fallback user name mapping |
| Vendor.requestParameters.roleSessionName | user.name | For AWSAccount type |
| Vendor.userIdentity.invokedBy | user.name | For AWSService type |
| Vendor.userIdentity.sessionContext.sessionIssuer.userName | user.name | For AssumedRole type |
| Vendor.userIdentity.type | user.name | Maps user name based on identity type |
| Vendor.userIdentity.userName | user.name | Direct mapping for IAMUser type |
| Vendor.userIdentity.userName; | user.name | |
| Vendor.requestParameters.roleArn | user.roles[] | For SAMLUser, Role types |
| Vendor.userIdentity.sessionContext.sessionIssuer.arn | user.roles[] | For AssumedRole type |
| Vendor.userAgent | user_agent.original | User agent string |