
Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty. Two tables back them: cloud.aws.guardduty.events stores the EventBridge envelope (version, id, detail-type, source, account, time, region, resources) with the GuardDuty finding nested under detail_* (its detail_findings_* columns cover Security Hub findings delivered in the same envelope format), while cloud.aws.guardduty.findings stores the finding object itself (schemaVersion, accountId, resource_*, service_*, severity).

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.guardduty. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| AWS GuardDuty | cloud.aws.guardduty.events | cloud.aws.guardduty.events |
| | cloud.aws.guardduty.findings | cloud.aws.guardduty.findings |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.guardduty.events

| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| timestamp | timestamp | | time | |
| ACCID_TAG | str | | ACCID | |
| REGION_TAG | str | | REGION | |
| detail_type | str | | | |
| detail_title | str | | | |
| detail_findings_title | str | | | |
| detail_findings_compliance_status | str | | | |
| detail_findings_remediation_recommendation_url | str | | | |
| version | str | | | |
| id | str | | | |
| source | str | | | |
| account | str | | | |
| region | str | | | |
| resources_str | str | join(resources, ',') | resources | |
| detail_schemaVersion | str | | | |
| detail_accountId | str | | | |
| detail_region | str | | | |
| detail_partition | str | | | |
| detail_id | str | | | |
| detail_arn | str | | | |
| detail_severity | int4 | | | |
| detail_createdAt | timestamp | | | |
| detail_updatedAt | timestamp | | | |
| detail_description | str | | | |
| detail_detail_type | str | | | |
| detail_resource_resourceType | str | | | |
| detail_resource_instanceDetails_instanceId | str | | | |
| detail_resource_instanceDetails_instanceType | str | | | |
| detail_resource_instanceDetails_launchTime | timestamp | | | |
| detail_resource_instanceDetails_platform | str | | | |
| productCodes_productCodeId_str | str | join(productCodes_productCodeId, ',') | productCodes_productCodeId | |
| productCodes_productCodeType_str | str | join(productCodes_productCodeType, ',') | productCodes_productCodeType | |
| detail_resource_instanceDetails_iamInstanceProfile_arn | str | | | |
| detail_resource_instanceDetails_iamInstanceProfile_id | str | | | |
| networkInterfaces_networkInterfaceId_str | str | join(networkInterfaces_networkInterfaceId, ',') | networkInterfaces_networkInterfaceId | |
| networkInterfaces_subnetId_str | str | join(networkInterfaces_subnetId, ',') | networkInterfaces_subnetId | |
| networkInterfaces_vpcId_str | str | join(networkInterfaces_vpcId, ',') | networkInterfaces_vpcId | |
| networkInterfaces_privateDnsName_str | str | join(networkInterfaces_privateDnsName, ',') | networkInterfaces_privateDnsName | |
| networkInterfaces_publicIp_str | str | join(networkInterfaces_publicIp, ',') | networkInterfaces_publicIp | |
| networkInterfaces_ipv6Addresses_str | str | join(networkInterfaces_ipv6Addresses, ',') | networkInterfaces_ipv6Addresses | |
| networkInterfaces_publicDnsName_str | str | join(networkInterfaces_publicDnsName, ',') | networkInterfaces_publicDnsName | |
| networkInterfaces_privateIpAddress_str | str | join(networkInterfaces_privateIpAddress, ',') | networkInterfaces_privateIpAddress | |
| networkInterfaces_securityGroups_str | str | join(networkInterfaces_securityGroups, ',') | networkInterfaces_securityGroups | |
| tags_value_str | str | join(tags_value, ',') | tags_value | |
| tags_key_str | str | join(tags_key, ',') | tags_key | |
| detail_resource_instanceDetails_instanceState | str | | | |
| detail_resource_instanceDetails_availabilityZone | str | | | |
| detail_resource_instanceDetails_imageId | str | | | |
| detail_resource_instanceDetails_imageDescription | str | | | |
| detail_service_serviceName | str | | | |
| detail_service_detectorId | str | | | |
| detail_service_action_actionType | str | | | |
| detail_service_action_dnsRequestAction_domain | str | | | |
| detail_service_action_dnsRequestAction_protocol | str | | | |
| detail_service_action_dnsRequestAction_blocked | bool | | | |
| detail_service_action_networkConnectionAction_connectionDirection | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_port | int8 | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_portName | str | | | |
| detail_service_action_networkConnectionAction_localPortDetails_port | int8 | | | |
| detail_service_action_networkConnectionAction_localPortDetails_portName | str | | | |
| detail_service_action_networkConnectionAction_protocol | str | | | |
| detail_service_action_networkConnectionAction_blocked | bool | | | |
| detail_service_resourceRole | str | | | |
| detail_service_additionalInfo_portsScannedSample | [int8] | | | |
| detail_service_additionalInfo_portsScannedSample_str | str | replace(replace(stringify(json(detail_service_additionalInfo_portsScannedSample)), "[", ""), "]", "") | detail_service_additionalInfo_portsScannedSample | |
| detail_service_additionalInfo_threatListName | str | | | |
| detail_service_additionalInfo_sample | bool | | | |
| threatIntelligenceDetails_threatNames_str | str | join(threatIntelligenceDetails_threatNames, ',') | threatIntelligenceDetails_threatNames | |
| threatIntelligenceDetails_threatListName_str | str | join(threatIntelligenceDetails_threatListName, ',') | threatIntelligenceDetails_threatListName | |
| detail_service_eventFirstSeen | timestamp | | | |
| detail_service_eventLastSeen | timestamp | | | |
| detail_service_archived | bool | | | |
| detail_service_count | int8 | | | |
| detail_findings_schemaVersion | str | | | |
| detail_findings_id | str | | | |
| detail_findings_productArn | str | | | |
| detail_findings_generatorId | str | | | |
| detail_findings_awsAccountId | str | | | |
| detail_findings_types_str | str | join(detail_findings_types, ',') | detail_findings_types | |
| detail_findings_firstObservedAt | timestamp | | | |
| detail_findings_lastObservedAt | timestamp | | | |
| detail_findings_createdAt | timestamp | | | |
| detail_findings_updatedAt | timestamp | | | |
| detail_findings_severity_product | int4 | | | |
| detail_findings_severity_normalized | int4 | | | |
| detail_findings_description | str | | | |
| detail_findings_remediation_recommendation_text | str | | | |
| detail_findings_productFields_standardsGuideArn | str | | | |
| detail_findings_productFields_standardsGuideSubscriptionArn | str | | | |
| detail_findings_productFields_ruleId | str | | | |
| detail_findings_productFields_recommendationUrl | str | | | |
| detail_findings_productFields_relatedAWSResources_0_name | str | | | |
| detail_findings_productFields_relatedAWSResources_0_type | str | | | |
| detail_findings_productFields_recordState | str | | | |
| detail_findings_productFields_aws_securityhub_findingId | str | | | |
| detail_findings_productFields_aws_securityhub_severityLabel | str | | | |
| detail_findings_productFields_aws_securityhub_productName | str | | | |
| detail_findings_productFields_aws_securityhub_companyName | str | | | |
| detail_findings_resources_type | str | | | |
| detail_findings_resources_id | str | | | |
| detail_findings_resources_partition | str | | | |
| detail_findings_resources_region | str | | | |
| detail_findings_resources_details_other_path | str | | | |
| detail_findings_resources_details_other_userName | str | | | |
| detail_findings_resources_details_other_userId | str | | | |
| detail_findings_resources_details_other_arn | str | | | |
| detail_findings_resources_details_other_createDate | timestamp | | | |
| detail_findings_recordState | str | | | |
| detail_findings_workflowState | str | | | |
| detail_findings_approximateArrivalTimestamp | timestamp | timestamp(int8(detail_findings_approximateArrivalTimestamp_float * 1000)) | detail_findings_approximateArrivalTimestamp_float | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

cloud.aws.guardduty.findings

| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| ACCID_TAG | str | | ACCID | |
| REGION_TAG | str | | REGION | |
| schemaVersion | str | | | |
| accountId | str | | | |
| region | str | | | |
| partition | str | | | |
| id | str | | | |
| arn | str | | | |
| type | str | | | |
| resource_resourceType | str | | | |
| resource_accessKeyDetails_accessKeyId | str | | | |
| resource_accessKeyDetails_principalId | str | | | |
| resource_accessKeyDetails_userType | str | | | |
| resource_accessKeyDetails_userName | str | | | |
| resource_instanceDetails_instanceId | str | | | |
| resource_instanceDetails_instanceType | str | | | |
| resource_instanceDetails_launchTime | timestamp | | | |
| resource_instanceDetails_platform | str | | | |
| resource_instanceDetails_productCodes | str | | | |
| resource_instanceDetails_iamInstanceProfile_arn | str | | | |
| resource_instanceDetails_iamInstanceProfile_id | str | | | |
| resource_instanceDetails_networkInterfaces_networkInterfaceId_str | str | join(resource_instanceDetails_networkInterfaces_networkInterfaceId, ',') | resource_instanceDetails_networkInterfaces_networkInterfaceId | |
| resource_instanceDetails_networkInterfaces_privateIpAddresses_str | str | join(resource_instanceDetails_networkInterfaces_privateIpAddresses, ',') | resource_instanceDetails_networkInterfaces_privateIpAddresses | |
| resource_instanceDetails_networkInterfaces_subnetId_str | str | join(resource_instanceDetails_networkInterfaces_subnetId, ',') | resource_instanceDetails_networkInterfaces_subnetId | |
| resource_instanceDetails_networkInterfaces_vpcId_str | str | join(resource_instanceDetails_networkInterfaces_vpcId, ',') | resource_instanceDetails_networkInterfaces_vpcId | |
| resource_instanceDetails_networkInterfaces_privateDnsName_str | str | join(resource_instanceDetails_networkInterfaces_privateDnsName, ',') | resource_instanceDetails_networkInterfaces_privateDnsName | |
| resource_instanceDetails_networkInterfaces_securityGroups_str | str | join(resource_instanceDetails_networkInterfaces_securityGroups, ',') | resource_instanceDetails_networkInterfaces_securityGroups | |
| resource_instanceDetails_networkInterfaces_publicIp_str | str | join(resource_instanceDetails_networkInterfaces_publicIp, ',') | resource_instanceDetails_networkInterfaces_publicIp | |
| resource_instanceDetails_networkInterfaces_ipv6Addresses_str | str | join(resource_instanceDetails_networkInterfaces_ipv6Addresses, ',') | resource_instanceDetails_networkInterfaces_ipv6Addresses | |
| resource_instanceDetails_networkInterfaces_publicDnsName_str | str | join(resource_instanceDetails_networkInterfaces_publicDnsName, ',') | resource_instanceDetails_networkInterfaces_publicDnsName | |
| resource_instanceDetails_networkInterfaces_privateIpAddress_str | str | join(resource_instanceDetails_networkInterfaces_privateIpAddress, ',') | resource_instanceDetails_networkInterfaces_privateIpAddress | |
| resource_instanceDetails_tags_value_str | str | join(resource_instanceDetails_tags_value, ',') | resource_instanceDetails_tags_value | |
| resource_instanceDetails_tags_key_str | str | join(resource_instanceDetails_tags_key, ',') | resource_instanceDetails_tags_key | |
| resource_instanceDetails_instanceState | str | | | |
| resource_instanceDetails_availabilityZone | str | | | |
| resource_instanceDetails_imageId | str | | | |
| resource_instanceDetails_imageDescription | str | | | |
| resource_s3BucketDetails_str | str | join(resource_s3BucketDetails, ',') | resource_s3BucketDetails | |
| resource_instanceDetails_outpostArn | str | | | |
| service_serviceName | str | | | |
| service_detectorId | str | | | |
| service_action_actionType | str | | | |
| service_action_awsApiCallAction_api | str | | | |
| service_action_awsApiCallAction_serviceName | str | | | |
| service_action_awsApiCallAction_callerType | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asn | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_isp | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_org | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_country_countryName | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_city_cityName | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| service_action_awsApiCallAction_affectedResources | str | | | |
| service_action_dnsRequestAction_domain | str | | | |
| service_action_dnsRequestAction_protocol | str | | | |
| service_action_dnsRequestAction_blocked | bool | | | |
| service_action_networkConnectionAction_blocked | bool | | | |
| service_action_networkConnectionAction_connectionDirection | str | | | |
| service_action_networkConnectionAction_localPortDetails_port | int8 | | | |
| service_action_networkConnectionAction_localPortDetails_portName | str | | | |
| service_action_networkConnectionAction_protocol | str | | | |
| service_action_networkConnectionAction_localIpDetails_ipAddressV4 | ip4 | | | |
| service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryCode | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | | |
| service_action_networkConnectionAction_remotePortDetails_port | int8 | | | |
| service_action_networkConnectionAction_remotePortDetails_portName | str | | | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_port_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails_port, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails_port | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_portName_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails_portName, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails_portName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_city, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat_str | str | replace(replace(stringify(json(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat)), '[', ''), ']', '') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon_str | str | replace(replace(stringify(json(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon)), '[', ''), ']', '') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6 | |
| service_action_portProbeAction_blocked | bool | | | |
| service_resourceRole | str | | | |
| service_additionalInfo_recentApiCalls_api_str | str | join(service_additionalInfo_recentApiCalls_api, ',') | service_additionalInfo_recentApiCalls_api | |
| service_additionalInfo_recentApiCalls_count_str | str | replace(replace(stringify(json(service_additionalInfo_recentApiCalls_count)), "[", ""), "]", "") | service_additionalInfo_recentApiCalls_count | |
| service_additionalInfo_threatName | str | | | |
| service_additionalInfo_threatListName | str | | | |
| service_evidence_threatIntelligenceDetails_threatNames_str | str | join(service_evidence_threatIntelligenceDetails_threatNames, ',') | service_evidence_threatIntelligenceDetails_threatNames | |
| service_evidence_threatIntelligenceDetails_threatListName_str | str | join(service_evidence_threatIntelligenceDetails_threatListName, ',') | service_evidence_threatIntelligenceDetails_threatListName | |
| service_eventFirstSeen | timestamp | | | |
| service_eventLastSeen | timestamp | | | |
| service_archived | bool | | | |
| service_count | int4 | | | |
| service_userFeedback | str | | | |
| severity | int4 | | | |
| confidence | float8 | | | |
| createdAt | timestamp | | | |
| updatedAt | timestamp | | | |
| title | str | | | |
| description | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |