Parsers and Generated Fields
Tag Fields Created by Parser aws-cloudtrail
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-cloudtrail
Vendor Field | CPS Field | Description |
---|---|---|
Vendor.digestStartTime | @timestamp | Fallback timestamp if eventTime not present |
Vendor.eventTime | @timestamp | Event timestamp in UTC |
Vendor.digestS3Bucket | cloud.Storage.bucket_name | |
Vendor.requestParameters.bucketName | cloud.Storage.bucket_name | |
Vendor.awsAccountId | cloud.account.id | |
Vendor.recipientAccountId | cloud.account.id | |
Vendor.userIdentity.accountId | cloud.account.id | |
Vendor.requestParameters.instanceId | cloud.instance.id | EC2 instance ID |
Vendor.awsRegion | cloud.region | AWS region |
Vendor.errorCode | error.code | |
Vendor.errorMessage | error.message | |
Vendor.errorMessage | error.message, event.reason | Error details |
Vendor.eventName | event.action | Event action name |
Vendor.eventID | event.id | |
Vendor.errorCode | event.outcome | Maps to "failure" if present |
Vendor.responseElements.ConsoleLogin | event.outcome | Maps to "success" or "failure" based on value |
Vendor.eventSource | event.provider | Event source service |
Vendor.errorMessage | event.reason | |
Vendor.digestS3Object | file.path | |
Vendor.sourceIPAddress | source.ip | Source IP address |
source.address | source.ip | |
Vendor.tlsDetails.cipherSuite | tls.cipher | TLS cipher suite |
tls[1] | tls.version | |
tls[0] | tls.version_protocol | |
Vendor.tlsDetails.tlsVersion | tls.version_protocol, tls.version | Split into protocol and version |
Vendor.userIdentity.principalId | user.id | |
Vendor.additionalEventData.UserName | user.name | Fallback user name mapping |
Vendor.requestParameters.roleSessionName | user.name | For AWSAccount type |
Vendor.userIdentity.invokedBy | user.name | For AWSService type |
Vendor.userIdentity.sessionContext.sessionIssuer.userName | user.name | For AssumedRole type |
Vendor.userIdentity.type | user.name | Maps user name based on identity type |
Vendor.userIdentity.userName | user.name | Direct mapping for IAMUser type |
Vendor.userIdentity.userName | user.name | |
Vendor.requestParameters.roleArn | user.roles[] | For SAMLUser, Role types |
Vendor.userIdentity.sessionContext.sessionIssuer.arn | user.roles[] | For AssumedRole type |
Vendor.userAgent | user_agent.original | User agent string |