Parsers and Generated Fields
Tag Fields Created by Parser aws-guardduty
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-guardduty
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.accountId | cloud.account.id | AWS account identifier |
| Vendor.accountId | cloud.account.id | |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | EC2 instance ID |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | |
| Vendor.resource.instanceDetails.platform | cloud.instance.name | Instance platform |
| Vendor.resource.instanceDetails.instanceType | cloud.instance.type | EC2 instance type |
| Vendor.resource.instanceDetails.instanceType | cloud.machine.type | |
| Vendor.partition | cloud.partition | AWS partition |
| Vendor.partition | cloud.provider | |
| Vendor.region | cloud.region | AWS region |
| Vendor.region | cloud.region | |
| Vendor.service.serviceName | cloud.service.name | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | destination.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.ip | Remote IP address |
| destination.address | destination.ip | |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name | |
| Vendor.service.action.actionType | event.action | Action type from GuardDuty finding |
| Vendor.service.action.actionType | event.action | |
| Vendor.createdAt | event.created | Event creation timestamp |
| Vendor.createdAt | event.created | |
| Vendor.service.eventLastSeen | event.end | Last occurrence of event |
| Vendor.service.eventLastSeen | event.end | |
| Vendor.id | event.id | Unique identifier |
| Vendor.id | event.id | |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | AWS service name |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | |
| Vendor.severity | event.severity | Mapped severity (90 for >9, 70 for >7, 50 for >4, 30 for >=1) |
| Vendor.service.eventFirstSeen | event.start | First occurrence of event |
| Vendor.service.eventFirstSeen | event.start | |
| cloud.instance.id | host.id | |
| Vendor.resource.instanceDetails.platform | host.os.platform | |
| cloud.machine.type | host.type | |
| Vendor.service.action.networkConnectionAction.protocol | network.protocol | Network protocol used |
| Vendor.service.action.dnsRequestAction.protocol | network.transport | |
| Vendor.service.action.networkConnectionAction.protocol | network.transport | |
| Vendor.type | rule.name | |
| Vendor.service.serviceName | service.name | Service name |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.ip | Local IP address |
| source.address | source.ip | |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port | Local port number |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port | |
| Vendor.resource.accessKeyDetails.principalId | user.id | Principal ID from access key |
| Vendor.resource.accessKeyDetails.principalId | user.id | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id | |
| Vendor.resource.accessKeyDetails.userName | user.name | Username from access key details |
| Vendor.resource.accessKeyDetails.userName | user.name | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name | |
| Vendor.resource.rdsDbUserDetails.user | user.name |
Tag Fields Created by Parser guardduty-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser guardduty-json
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.accountId | cloud.account.id | |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | |
| resource.instanceDetails.instanceType | cloud.machine.type | |
| Vendor.partition | cloud.provider | |
| Vendor.region | cloud.region | |
| Vendor.service.serviceName | cloud.service.name | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | destination.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address | |
| destination.address | destination.ip | |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name | |
| Vendor.service.action.actionType | event.action | |
| Vendor.createdAt | event.created | |
| Vendor.service.eventLastSeen | event.end | |
| Vendor.id | event.id | |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | |
| Vendor.severity | event.severity | |
| Vendor.service.eventFirstSeen | event.start | |
| cloud.instance.id | host.id | |
| Vendor.resource.instanceDetails.platform | host.os.platform | |
| cloud.machine.type | host.type | |
| Vendor.service.action.dnsRequestAction.protocol | network.transport | |
| Vendor.service.action.networkConnectionAction.protocol | network.transport | |
| Vendor.type | rule.name | |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | source.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address | |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address | |
| source.address | source.ip | |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port | |
| Vendor.resource.accessKeyDetails.principalId | user.id | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id | |
| Vendor.resource.accessKeyDetails.userName | user.name | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name | |
| Vendor.resource.rdsDbUserDetails.user | user.name | |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.groups | user.roles |