Parsers and Generated Fields
Tag Fields Created by Parser aws-guardduty
- `Cps.version`
- `Vendor`
- `ecs.version`
- `event.dataset`
- `event.kind`
- `event.module`
- `event.outcome`
- `observer.type`
Fields Identified by Parser aws-guardduty
| CPS Field | Method | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | Vendor.service.action.actionType, source.address, destination.address |
| `event.type[]` | Array | Vendor.service.action.*.blocked |
| `user.roles` | Array | Vendor.resource.kubernetesDetails.kubernetesUserDetails.groups |
| `cloud.account.id` | Copied | Vendor.accountId |
| `cloud.instance.id` | Copied | Vendor.resource.instanceDetails.instanceId |
| `cloud.machine.type` | Copied | Vendor.resource.instanceDetails.instanceType |
| `cloud.provider` | Copied | Vendor.partition |
| `cloud.region` | Copied | Vendor.region |
| `cloud.service.name` | Copied | Vendor.service.serviceName |
| `destination.ip` | Copied | destination.address |
| `dns.question.name` | Copied | Vendor.service.action.dnsRequestAction.domain |
| `event.action` | Copied | Vendor.service.action.actionType |
| `event.created` | Copied | Vendor.createdAt |
| `event.end` | Copied | Vendor.service.eventLastSeen |
| `event.id` | Copied | Vendor.id |
| `event.provider` | Copied | Vendor.service.action.awsApiCallAction.serviceName |
| `event.reason` | Copied | Vendor.title |
| `event.start` | Copied | Vendor.service.eventFirstSeen |
| `host.id` | Copied | cloud.instance.id |
| `host.os.platform` | Copied | Vendor.resource.instanceDetails.platform |
| `host.type` | Copied | cloud.machine.type |
| `rule.name` | Copied | Vendor.type |
| `source.ip` | Copied | source.address |
| `user.id` | Copied | Vendor.resource.accessKeyDetails.principalId, Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid |
| `user.name` | Copied | Vendor.resource.accessKeyDetails.userName, Vendor.resource.kubernetesDetails.kubernetesUserDetails.username, Vendor.resource.rdsDbUserDetails.user |
| `destination.address` | Extracted | Vendor.service.action.networkConnectionAction.*.ipAddressV4, Vendor.resource.instanceDetails.networkInterfaces[0].privateIpAddress |
| `destination.port` | Extracted | Vendor.service.action.networkConnectionAction.*.port |
| `rule.category` | Extracted | Vendor.type |
| `rule.ruleset` | Extracted | Vendor.type |
| `source.address` | Extracted | Vendor.service.action.*.remoteIpDetails.ipAddressV4, Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 |
| `source.port` | Extracted | Vendor.service.action.networkConnectionAction.*.port |
| `network.direction` | Lowercased | Vendor.service.action.networkConnectionAction.connectionDirection |
| `network.transport` | Lowercased | Vendor.service.action.networkConnectionAction.protocol, Vendor.service.action.dnsRequestAction.protocol |
| `event.severity` | Mapped | Vendor.severity |
| `@timestamp` | Parsed | Vendor.updatedAt |
| `ecs.version` | Static | None |
| `event.kind` | Static | Vendor.severity |
| `event.module` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.accountId | cloud.account.id | |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | |
| Vendor.resource.instanceDetails.instanceType | cloud.machine.type | |
| Vendor.partition | cloud.provider | |
| Vendor.region | cloud.region | |
| Vendor.service.serviceName | cloud.service.name | |
| Vendor.resource.instanceDetails.networkInterfaces[0].privateIpAddress | destination.address | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | destination.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address | |
| destination.address | destination.ip | |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name | |
| Vendor.service.action.actionType | event.action | |
| Vendor.createdAt | event.created | |
| Vendor.service.eventLastSeen | event.end | |
| Vendor.id | event.id | |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | |
| Vendor.title | event.reason | |
| Vendor.service.eventFirstSeen | event.start | |
| cloud.instance.id | host.id | |
| Vendor.resource.instanceDetails.platform | host.os.platform | |
| cloud.machine.type | host.type | |
| Vendor.service.action.dnsRequestAction.protocol | network.transport | |
| Vendor.service.action.networkConnectionAction.protocol | network.transport | |
| Vendor.type | rule.name | |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.portProbeAction.portProbeDetails[0].remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address | |
| source.address | source.ip | |
| Vendor.resource.accessKeyDetails.principalId | user.id | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id | |
| Vendor.resource.accessKeyDetails.userName | user.name | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name | |
| Vendor.resource.rdsDbUserDetails.user | user.name | |
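The mapping methods in the tables above (Copied, Extracted, Lowercased, Mapped, Parsed) applied to a constructed GuardDuty finding, as an added Python example that is not the aws-guardduty parser's own code. The sample finding, the rounding used for `event.severity`, and the choice of the connection's local IP as `destination.address` are assumptions made for the example.

```python
from datetime import datetime

SAMPLE_FINDING = {  # constructed sample finding, not real GuardDuty output
    "accountId": "123456789012", "region": "us-east-1", "partition": "aws",
    "id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "title": "203.0.113.5 is performing SSH brute force attacks against i-0abc.",
    "severity": 5.0, "updatedAt": "2024-05-01T12:34:56.000Z",
    "resource": {"instanceDetails": {"instanceId": "i-0abc",
        "networkInterfaces": [{"privateIpAddress": "10.0.0.12"}]}},
    "service": {"serviceName": "guardduty", "action": {"actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"connectionDirection": "INBOUND", "protocol": "TCP",
            "localIpDetails": {"ipAddressV4": "10.0.0.12"},
            "remoteIpDetails": {"ipAddressV4": "203.0.113.5"}}}},
}

def get(d, *path):
    """Walk nested dicts/lists by key or index; None if any step is missing."""
    for key in path:
        try:
            d = d[key]
        except (KeyError, IndexError, TypeError):
            return None
    return d

def normalize(f):
    """Apply a subset of the aws-guardduty field mappings to one finding (dict)."""
    action = get(f, "service", "action") or {}
    nca = action.get("networkConnectionAction") or {}
    ecs = {  # Copied fields
        "cloud.account.id": f.get("accountId"), "cloud.region": f.get("region"),
        "cloud.provider": f.get("partition"), "cloud.service.name": get(f, "service", "serviceName"),
        "cloud.instance.id": get(f, "resource", "instanceDetails", "instanceId"),
        "event.id": f.get("id"), "event.reason": f.get("title"), "rule.name": f.get("type"),
        "event.action": action.get("actionType"),
        # Parsed: GuardDuty timestamps are ISO 8601 with a trailing Z
        "@timestamp": datetime.fromisoformat(f["updatedAt"].replace("Z", "+00:00")),
        # Mapped: assumption that the float severity is rounded to an integer
        "event.severity": int(round(f.get("severity", 0))),
        # Lowercased: transport comes from the network connection or the DNS request action
        "network.direction": (nca.get("connectionDirection") or "").lower() or None,
        "network.transport": (nca.get("protocol") or get(action, "dnsRequestAction", "protocol") or "").lower() or None,
    }
    # Extracted: source.address is the remote IP of whichever action sub-object carries one
    for sub in action.values():
        if isinstance(sub, dict) and get(sub, "remoteIpDetails", "ipAddressV4"):
            ecs["source.address"] = sub["remoteIpDetails"]["ipAddressV4"]
    # Extracted: destination.address prefers the connection's local IP, then the instance's private IP
    ecs["destination.address"] = get(nca, "localIpDetails", "ipAddressV4") or get(
        f, "resource", "instanceDetails", "networkInterfaces", 0, "privateIpAddress")
    # Copied from the extracted addresses
    ecs["source.ip"], ecs["destination.ip"] = ecs.get("source.address"), ecs.get("destination.address")
    return {k: v for k, v in ecs.items() if v is not None}
```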