Parsers and Generated Fields
Tag Fields Created by Parser aws-s3serveraccess
- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type
Fields Identified by Parser aws-s3serveraccess
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor timestamp | @timestamp | Event timestamp | Parsed from timestamp field using format dd/MMM/yyyy:HH:mm:ss Z |
| Vendor.remote_ip | client.address | Client address | Lowercase of Vendor.remote_ip |
| Vendor.remote_ip | client.ip | Client IP address | Copied from Vendor.remote_ip |
| Vendor.requester | client.user.id | Client user identifier | Copied from Vendor.requester |
| Vendor.bucket | cloud.Storage.bucket_name | S3 bucket name | Copied from Vendor.bucket |
| None | cloud.provider | Cloud provider identifier | Static value: aws |
| Vendor.bucket | cloud.target.Resource.id[] | Cloud resource identifier | Array populated from Vendor.bucket |
| None | cloud.target.Resource.type[] | Cloud resource type | Array populated with static value "AWS::S3::Bucket" |
| None | ecs.version | ECS schema version | Static value: 8.17.0 |
| Vendor.error_code | error.code | Error code for failed requests | Copied from Vendor.error_code when present |
| Vendor.operation | event.action | S3 operation performed | Copied from Vendor.operation |
| None | event.category[] | Event categorization | Array populated with static value "web" |
| Vendor.total_time | event.duration | Request processing time | Copied from Vendor.total_time |
| Vendor.request_id | event.id | Unique event identifier | Copied from Vendor.request_id |
| None | event.kind | Event kind indicator | Static value: event |
| None | event.module | Module identifier | Static value: s3access |
| Vendor.error_code | event.outcome | Success or failure outcome | Conditional based on error_code presence |
| None | event.type[] | Event type classification | Array populated with static value "access" |
| Vendor.host_id | host.id | Host identifier | Copied from Vendor.host_id |
| Vendor.request_uri | http.request.method | HTTP method | Extracted from request_uri using regex |
| Vendor.referrer | http.request.referrer | HTTP referrer header | Copied from Vendor.referrer |
| Vendor.bytes_sent | http.response.body.bytes | Response body size | Copied from Vendor.bytes_sent |
| Vendor.http_status | http.response.status_code | HTTP response status | Copied from Vendor.http_status |
| Vendor.request_uri | http.version | HTTP version | Extracted from request_uri using regex |
| Vendor.cipher_suite | tls.cipher | TLS cipher suite | Copied from Vendor.cipher_suite |
| Vendor.tls_version | tls.version | TLS version | Extracted from tls_version using regex |
| Vendor.tls_version | tls.version_protocol | TLS protocol version | Extracted from tls_version using regex |
| Vendor.request_uri | url.original | Original request URL | Copied from Vendor.request_uri |
| Vendor.user_agent | user_agent.original | User agent string | Copied from Vendor.user_agent |