Parsers and Generated Fields
Tag Fields Created by Parser aws-guardduty
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-guardduty
| Source Field | CPS Field |
|---|---|
| Vendor.accountId | cloud.account.id |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id |
| Vendor.resource.instanceDetails.instanceType | cloud.machine.type |
| Vendor.partition | cloud.provider |
| Vendor.region | cloud.region |
| Vendor.service.serviceName | cloud.service.name |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | destination.address |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address |
| destination.address | destination.ip |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name |
| Vendor.service.action.actionType | event.action |
| Vendor.createdAt | event.created |
| Vendor.service.eventLastSeen | event.end |
| Vendor.id | event.id |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider |
| Vendor.severity | event.severity |
| Vendor.service.eventFirstSeen | event.start |
| cloud.instance.id | host.id |
| Vendor.resource.instanceDetails.platform | host.os.platform |
| cloud.machine.type | host.type |
| Vendor.service.action.dnsRequestAction.protocol | network.transport |
| Vendor.service.action.networkConnectionAction.protocol | network.transport |
| Vendor.type | rule.name |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address |
| source.address | source.ip |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port |
| Vendor.resource.accessKeyDetails.principalId | user.id |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id |
| Vendor.resource.accessKeyDetails.userName | user.name |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name |
| Vendor.resource.rdsDbUserDetails.user | user.name |
Tag Fields Created by Parser guardduty-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser guardduty-json
| Source Field | CPS Field |
|---|---|
| Vendor.accountId | cloud.account.id |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id |
| resource.instanceDetails.instanceType | cloud.machine.type |
| Vendor.partition | cloud.provider |
| Vendor.region | cloud.region |
| Vendor.service.serviceName | cloud.service.name |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | destination.address |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address |
| destination.address | destination.ip |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name |
| Vendor.service.action.actionType | event.action |
| Vendor.createdAt | event.created |
| Vendor.service.eventLastSeen | event.end |
| Vendor.id | event.id |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider |
| Vendor.severity | event.severity |
| Vendor.service.eventFirstSeen | event.start |
| cloud.instance.id | host.id |
| Vendor.resource.instanceDetails.platform | host.os.platform |
| cloud.machine.type | host.type |
| Vendor.service.action.dnsRequestAction.protocol | network.transport |
| Vendor.service.action.networkConnectionAction.protocol | network.transport |
| Vendor.type | rule.name |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | source.address |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address |
| source.address | source.ip |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port |
| Vendor.resource.accessKeyDetails.principalId | user.id |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id |
| Vendor.resource.accessKeyDetails.userName | user.name |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name |
| Vendor.resource.rdsDbUserDetails.user | user.name |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.groups | user.roles |