# Parsers and Generated Fields

## Tag Fields Created by Parser aws-guardduty

- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type

## Fields Identified by Parser aws-guardduty

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.updatedAt | @timestamp | Event timestamp | Parsed from timestamp field |
| Vendor.accountId | cloud.account.id | AWS account identifier | Copied from Vendor.accountId |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | EC2 instance ID | Copied from Vendor.resource.instanceDetails.instanceId |
| Vendor.resource.instanceDetails.instanceType | cloud.machine.type | EC2 instance type | Copied from Vendor.resource.instanceDetails.instanceType |
| Vendor.partition | cloud.provider | AWS partition | Copied from Vendor.partition |
| Vendor.region | cloud.region | AWS region | Copied from Vendor.region |
| Vendor.service.serviceName | cloud.service.name | Service name | Copied from Vendor.service.serviceName |
| Vendor.service.action.networkConnectionAction.*.ipAddressV4, Vendor.resource.instanceDetails.networkInterfaces[0].privateIpAddress | destination.address | Destination IP address | Extracted from various action types and lowercased |
| destination.address | destination.ip | Destination IP address | Copied from destination.address |
| Vendor.service.action.networkConnectionAction.*.port | destination.port | Destination port number | Extracted based on connection direction |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name | DNS domain being queried | Copied from Vendor.service.action.dnsRequestAction.domain |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.service.action.actionType | event.action | Action type from GuardDuty finding | Copied from Vendor.service.action.actionType |
| Vendor.service.action.actionType, source.address, destination.address | event.category[] | Event categorization | Array populated with threat, authentication (for RDS_LOGIN_ATTEMPT), api (for API_CALL actions), network (when source/destination present) |
| Vendor.createdAt | event.created | Event creation timestamp | Copied from Vendor.createdAt |
| Vendor.service.eventLastSeen | event.end | Last occurrence of event | Copied from Vendor.service.eventLastSeen |
| Vendor.id | event.id | Unique identifier | Copied from Vendor.id |
| Vendor.severity | event.kind | Event classification | Static value: event, conditionally set to alert based on severity |
| None | event.module | Event module identifier | Static value: guardduty |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | AWS service name | Copied from Vendor.service.action.awsApiCallAction.serviceName |
| Vendor.title | event.reason | Title of the GuardDuty finding | Copied from Vendor.title |
| Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity (90 for >=9, 70 for >=7, 50 for >=4, 30 for >=1) |
| Vendor.service.eventFirstSeen | event.start | First occurrence of event | Copied from Vendor.service.eventFirstSeen |
| Vendor.service.action.*.blocked | event.type[] | Event type classification | Array populated with indicator, allowed/denied (based on blocked field), connection (when both source and destination exist) |
| cloud.instance.id | host.id | Host identifier | Copied from cloud.instance.id |
| Vendor.resource.instanceDetails.platform | host.os.platform | Instance platform | Copied from Vendor.resource.instanceDetails.platform |
| cloud.machine.type | host.type | Host type | Copied from cloud.machine.type |
| Vendor.service.action.networkConnectionAction.connectionDirection | network.direction | Network connection direction | Lowercased from Vendor.service.action.networkConnectionAction.connectionDirection |
| Vendor.service.action.networkConnectionAction.protocol, Vendor.service.action.dnsRequestAction.protocol | network.transport | Network protocol used | Lowercased from protocol fields |
| Vendor.type | rule.category | Rule category extracted from finding type | Extracted from rule.name using regex pattern |
| Vendor.type | rule.name | GuardDuty finding type | Copied from Vendor.type |
| Vendor.type | rule.ruleset | Rule ruleset extracted from finding type | Extracted from rule.name using regex pattern |
| Vendor.service.action.*.remoteIpDetails.ipAddressV4, Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.address | Source IP address | Extracted from various action types and lowercased |
| source.address | source.ip | Source IP address | Copied from source.address |
| Vendor.service.action.networkConnectionAction.*.port | source.port | Source port number | Extracted based on connection direction |
| Vendor.resource.accessKeyDetails.principalId, Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id | User identifier | Copied from various user detail fields |
| Vendor.resource.accessKeyDetails.userName, Vendor.resource.kubernetesDetails.kubernetesUserDetails.username, Vendor.resource.rdsDbUserDetails.user | user.name | Username | Copied from various user detail fields |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.groups | user.roles | User roles/groups | Array created from Kubernetes user groups |
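
The conditional rows of the table (severity buckets, event.kind, the event.category and event.type arrays, and direction-based source/destination selection) as an added Python example; this is not the parser's own code. The finding fragment is constructed, and both the alert threshold and the reading of "based on connection direction" are assumptions noted in the comments.

```python
# Constructed GuardDuty finding fragment (not taken from the page); only the
# fields the mapping below reads are present.
SAMPLE_FINDING = {
    "severity": 8.0, "type": "Backdoor:EC2/C&CActivity.B!DNS",
    "service": {"action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
            "blocked": False, "connectionDirection": "OUTBOUND", "protocol": "TCP",
            "localIpDetails": {"ipAddressV4": "10.0.1.5"},
            "localPortDetails": {"port": 49152},
            "remoteIpDetails": {"ipAddressV4": "198.51.100.7"},
            "remotePortDetails": {"port": 443}}}},
}


def severity_level(score):
    """Bucket GuardDuty's 0-10 severity using the thresholds in the table."""
    for floor, level in ((9, 90), (7, 70), (4, 50), (1, 30)):
        if score >= floor:
            return level
    return None


def normalize(finding):
    """Apply the conditional mappings from the table to one finding."""
    out = {"rule.name": finding["type"], "event.kind": "event"}
    out["event.severity"] = severity_level(finding["severity"])
    # Assumption: the table only says event.kind becomes "alert" "based on
    # severity"; the threshold used here (>= 70) is a guess.
    if out["event.severity"] is not None and out["event.severity"] >= 70:
        out["event.kind"] = "alert"
    action = finding["service"]["action"]
    out["event.action"] = action["actionType"]
    category, etype = ["threat"], ["indicator"]
    extra = {"AWS_API_CALL": "api", "RDS_LOGIN_ATTEMPT": "authentication"}
    if action["actionType"] in extra:
        category.append(extra[action["actionType"]])
    nca = action.get("networkConnectionAction")
    if nca:
        # Assumption: for OUTBOUND the local side is the source, otherwise
        # the remote side is; this is one reading of "based on direction".
        src, dst = ("local", "remote") if nca["connectionDirection"] == "OUTBOUND" else ("remote", "local")
        out["source.ip"] = nca[src + "IpDetails"]["ipAddressV4"].lower()
        out["source.port"] = nca[src + "PortDetails"]["port"]
        out["destination.ip"] = nca[dst + "IpDetails"]["ipAddressV4"].lower()
        out["destination.port"] = nca[dst + "PortDetails"]["port"]
        out["network.direction"] = nca["connectionDirection"].lower()
        out["network.transport"] = nca["protocol"].lower()
        category.append("network")
        etype += ["denied" if nca["blocked"] else "allowed", "connection"]
    out["event.category"], out["event.type"] = category, etype
    return out
```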