Parsers and Generated Fields
Tag Fields Created by Parser aws-guardduty
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-guardduty
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.accountId | cloud.account.id | AWS account identifier |
| Vendor.resource.instanceDetails.instanceId | cloud.instance.id | EC2 instance ID |
| Vendor.resource.instanceDetails.instanceType | cloud.machine.type | EC2 instance type |
| Vendor.partition | cloud.provider | AWS partition |
| Vendor.region | cloud.region | AWS region |
| Vendor.service.serviceName | cloud.service.name | Service name |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | destination.address | Local IP address for outbound network connections |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | destination.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | destination.address | Remote IP address for outbound network connections |
| destination.address | destination.ip | |
| Vendor.service.action.dnsRequestAction.domain | dns.question.name | DNS domain being queried |
| Vendor.service.action.actionType | event.action | Action type from GuardDuty finding |
| Vendor.createdAt | event.created | Event creation timestamp |
| Vendor.service.eventLastSeen | event.end | Last occurrence of event |
| Vendor.id | event.id | Unique identifier |
| Vendor.service.action.awsApiCallAction.serviceName | event.provider | AWS service name |
| Vendor.title | event.reason | Title of the GuardDuty finding |
| Vendor.severity | event.severity | Mapped severity (90 for >9, 70 for >7, 50 for >4, 30 for >=1) |
| Vendor.service.eventFirstSeen | event.start | First occurrence of event |
| cloud.instance.id | host.id | |
| Vendor.resource.instanceDetails.platform | host.os.platform | Instance platform |
| cloud.machine.type | host.type | |
| Vendor.service.action.networkConnectionAction.connectionDirection | network.direction | Network connection direction (lowercased) |
| Vendor.service.action.dnsRequestAction.protocol | network.transport | DNS protocol used |
| Vendor.service.action.networkConnectionAction.protocol | network.transport | Network protocol used |
| Vendor.type | rule.name | GuardDuty finding type |
| Vendor.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | source.address | Remote IP address for AWS API calls |
| Vendor.service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | source.address | Remote IP address for Kubernetes API calls |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | source.address | Local IP address for inbound network connections |
| Vendor.service.action.networkConnectionAction.localIpDetails.ipAddressV4; | source.address | |
| Vendor.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | source.address | Remote IP address for inbound network connections |
| Vendor.service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 | source.address | Remote IP address for RDS login attempts |
| source.address | source.ip | |
| Vendor.service.action.networkConnectionAction.localPortDetails.port | source.port | Local port number |
| Vendor.resource.accessKeyDetails.principalId | user.id | Principal ID from access key details |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.uid | user.id | Kubernetes user ID |
| Vendor.resource.accessKeyDetails.userName | user.name | Username from access key details |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.username | user.name | Kubernetes username |
| Vendor.resource.rdsDbUserDetails.user | user.name | RDS database username |
| Vendor.resource.kubernetesDetails.kubernetesUserDetails.groups | user.roles | Kubernetes user groups |