Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser aws-cloudtrail

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser aws-cloudtrail

Source Field	CPS Field	Description	Mapping
Fallback user name	Vendor.additionalEventData.UserName		user.name
Alternative account ID source	Vendor.awsAccountId		cloud.account.id
AWS region	Vendor.awsRegion		cloud.region
Alternative S3 bucket name source	Vendor.digestS3Bucket		cloud.Storage.bucket_name
S3 object path	Vendor.digestS3Object		file.path
Fallback timestamp if eventTime not present	Vendor.digestStartTime		@timestamp
Error code	Vendor.errorCode		error.code
Error details	Vendor.errorMessage		error.message
Event ID	Vendor.eventID		event.id
Event action name	Vendor.eventName		event.action
Event source service	Vendor.eventSource		event.provider
Event timestamp in UTC	Vendor.eventTime		@timestamp
When hash algorithm is SHA-256	Vendor.previousDigestHashValue		file.hash.sha256
Fallback account ID source	Vendor.recipientAccountId		cloud.account.id
Host name (lowercase)	Vendor.requestParameters.Host		host.name
S3 bucket name	Vendor.requestParameters.bucketName		cloud.Storage.bucket_name
EC2 instance ID	Vendor.requestParameters.instanceId		cloud.instance.id
Role ARN for SAMLUser, Role types	Vendor.requestParameters.roleArn		user.roles[]
User name for AWSAccount type	Vendor.requestParameters.roleSessionName		user.name
Console login outcome (success/failure)	Vendor.responseElements.ConsoleLogin		event.outcome
Source address (lowercase)	Vendor.sourceIPAddress		source.address
Alternative timestamp field	Vendor.time		@timestamp
TLS cipher suite	Vendor.tlsDetails.cipherSuite		tls.cipher
Split into protocol and version	Vendor.tlsDetails.tlsVersion		tls.version_protocol, tls.version
User agent string	Vendor.userAgent		user_agent.original
AWS account ID	Vendor.userIdentity.accountId		cloud.account.id
User name for AWSService type	Vendor.userIdentity.invokedBy		user.name
Role ARN for IdentityCenterUser type	Vendor.userIdentity.onBehalfOf.identityStoreArn		user.roles[]
User ID for IdentityCenterUser type	Vendor.userIdentity.onBehalfOf.userId		user.id
User ID	Vendor.userIdentity.principalId		user.id
Role ARN for AssumedRole type	Vendor.userIdentity.sessionContext.sessionIssuer.arn		user.roles[]
User name for AssumedRole type	Vendor.userIdentity.sessionContext.sessionIssuer.userName		user.name
User name for IAMUser type	Vendor.userIdentity.userName		user.name

Enter search term