...
Introduction
The tags beginning with mailcloud.aws.mimecastguardduty identify events generated by Mimecast AWS GuardDuty.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as mailcloud.aws.mimecastguardduty. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| cloud | aws | guardduty | events |
| cloud | aws | guardduty | findings |
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Product / Service | Tags | Data tables |
|---|---|---|
| AWS GuardDuty | | |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | | | | |
| timestamp | | | time | |
| ACCID_TAG | | | ACCID | |
| REGION_TAG | | | REGION | |
| detail_type | | | | |
| detail_title | | | | |
| detail_findings_title | | | | |
| detail_findings_compliance_status | | | | |
| detail_findings_remediation_recommendation_url | | | | |
| version | | | | |
| id | | | | |
| source | | | | |
| account | | | | |
| region | | | | |
| resources_str | | | resources | |
| detail_schemaVersion | | | | |
| detail_accountId | | | | |
| detail_region | | | | |
| detail_partition | | | | |
| detail_id | | | | |
| detail_arn | | | | |
| detail_severity | | | | |
| detail_createdAt | | | | |
| detail_updatedAt | | | | |
| detail_description | | | | |
| detail_detail_type | | | | |
| detail_resource_resourceType | | | | |
| detail_resource_instanceDetails_instanceId | | | | |
| detail_resource_instanceDetails_instanceType | | | | |
| detail_resource_instanceDetails_launchTime | | | | |
| detail_resource_instanceDetails_platform | | | | |
| productCodes_productCodeId_str | | | productCodes_productCodeId | |
| productCodes_productCodeType_str | | | productCodes_productCodeType | |
| detail_resource_instanceDetails_iamInstanceProfile_arn | | | | |
| detail_resource_instanceDetails_iamInstanceProfile_id | | | | |
| networkInterfaces_networkInterfaceId_str | | | networkInterfaces_networkInterfaceId | |
| networkInterfaces_subnetId_str | | | networkInterfaces_subnetId | |
| networkInterfaces_vpcId_str | | | networkInterfaces_vpcId | |
| networkInterfaces_privateDnsName_str | | | networkInterfaces_privateDnsName | |
| networkInterfaces_publicIp_str | | | networkInterfaces_publicIp | |
| networkInterfaces_ipv6Addresses_str | | | networkInterfaces_ipv6Addresses | |
| networkInterfaces_publicDnsName_str | | | networkInterfaces_publicDnsName | |
| networkInterfaces_privateIpAddress_str | | | networkInterfaces_privateIpAddress | |
| networkInterfaces_securityGroups_str | | | networkInterfaces_securityGroups | |
| tags_value_str | | | tags_value | |
| tags_key_str | | | tags_key | |
| detail_resource_instanceDetails_instanceState | | | | |
| detail_resource_instanceDetails_availabilityZone | | | | |
| detail_resource_instanceDetails_imageId | | | | |
| detail_resource_instanceDetails_imageDescription | | | | |
| detail_service_serviceName | | | | |
| detail_service_detectorId | | | | |
| detail_service_action_actionType | | | | |
| detail_service_action_dnsRequestAction_domain | | | | |
| detail_service_action_dnsRequestAction_protocol | | | | |
| detail_service_action_dnsRequestAction_blocked | | | | |
| detail_service_action_networkConnectionAction_connectionDirection | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_org | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_port | | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_portName | | | | |
| detail_service_action_networkConnectionAction_localPortDetails_port | | | | |
| detail_service_action_networkConnectionAction_localPortDetails_portName | | | | |
| detail_service_action_networkConnectionAction_protocol | | | | |
| detail_service_action_networkConnectionAction_blocked | | | | |
| detail_service_resourceRole | | | | |
| detail_service_additionalInfo_portsScannedSample | | | | |
| detail_service_additionalInfo_portsScannedSample_str | | | detail_service_additionalInfo_portsScannedSample | |
| detail_service_additionalInfo_threatListName | | | | |
| detail_service_additionalInfo_sample | | | | |
| threatIntelligenceDetails_threatNames_str | | | threatIntelligenceDetails_threatNames | |
| threatIntelligenceDetails_threatListName_str | | | threatIntelligenceDetails_threatListName | |
| detail_service_eventFirstSeen | | | | |
| detail_service_eventLastSeen | | | | |
| detail_service_archived | | | | |
| detail_service_count | | | | |
| detail_findings_schemaVersion | | | | |
| detail_findings_id | | | | |
| detail_findings_productArn | | | | |
| detail_findings_generatorId | | | | |
| detail_findings_awsAccountId | | | | |
| detail_findings_types_str | | | detail_findings_types | |
| detail_findings_firstObservedAt | | | | |
| detail_findings_lastObservedAt | | | | |
| detail_findings_createdAt | | | | |
| detail_findings_updatedAt | | | | |
| detail_findings_severity_product | | | | |
| detail_findings_severity_normalized | | | | |
| detail_findings_description | | | | |
| detail_findings_remediation_recommendation_text | | | | |
| detail_findings_productFields_standardsGuideArn | | | | |
| detail_findings_productFields_standardsGuideSubscriptionArn | | | | |
| detail_findings_productFields_ruleId | | | | |
| detail_findings_productFields_recommendationUrl | | | | |
| detail_findings_productFields_relatedAWSResources_0_name | | | | |
| detail_findings_productFields_relatedAWSResources_0_type | | | | |
| detail_findings_productFields_recordState | | | | |
| detail_findings_productFields_aws_securityhub_findingId | | | | |
| detail_findings_productFields_aws_securityhub_severityLabel | | | | |
| detail_findings_productFields_aws_securityhub_productName | | | | |
| detail_findings_productFields_aws_securityhub_companyName | | | | |
| detail_findings_resources_type | | | | |
| detail_findings_resources_id | | | | |
| detail_findings_resources_partition | | | | |
| detail_findings_resources_region | | | | |
| detail_findings_resources_details_other_path | | | | |
| detail_findings_resources_details_other_userName | | | | |
| detail_findings_resources_details_other_userId | | | | |
| detail_findings_resources_details_other_arn | | | | |
| detail_findings_resources_details_other_createDate | | | | |
| detail_findings_recordState | | | | |
| detail_findings_workflowState | | | | |
| detail_findings_approximateArrivalTimestamp | | | detail_findings_approximateArrivalTimestamp_float | |
| hostchain | | | | ✓ |
| tag | | | | ✓ |
| rawMessage | | | | ✓ |
| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | | | | |
| ACCID_TAG | | | ACCID | |
| REGION_TAG | | | REGION | |
| schemaVersion | | | | |
| accountId | | | | |
| region | | | | |
| partition | | | | |
| id | | | | |
| arn | | | | |
| type | | | | |
| resource_resourceType | | | | |
| resource_accessKeyDetails_accessKeyId | | | | |
| resource_accessKeyDetails_principalId | | | | |
| resource_accessKeyDetails_userType | | | | |
| resource_accessKeyDetails_userName | | | | |
| resource_instanceDetails_instanceId | | | | |
| resource_instanceDetails_instanceType | | | | |
| resource_instanceDetails_launchTime | | | | |
| resource_instanceDetails_platform | | | | |
| resource_instanceDetails_productCodes | | | | |
| resource_instanceDetails_iamInstanceProfile_arn | | | | |
| resource_instanceDetails_iamInstanceProfile_id | | | | |
| resource_instanceDetails_networkInterfaces_networkInterfaceId_str | | | resource_instanceDetails_networkInterfaces_networkInterfaceId | |
| resource_instanceDetails_networkInterfaces_privateIpAddresses_str | | | resource_instanceDetails_networkInterfaces_privateIpAddresses | |
| resource_instanceDetails_networkInterfaces_subnetId_str | | | resource_instanceDetails_networkInterfaces_subnetId | |
| resource_instanceDetails_networkInterfaces_vpcId_str | | | resource_instanceDetails_networkInterfaces_vpcId | |
| resource_instanceDetails_networkInterfaces_privateDnsName_str | | | resource_instanceDetails_networkInterfaces_privateDnsName | |
| resource_instanceDetails_networkInterfaces_securityGroups_str | | | resource_instanceDetails_networkInterfaces_securityGroups | |
| resource_instanceDetails_networkInterfaces_publicIp_str | | | resource_instanceDetails_networkInterfaces_publicIp | |
| resource_instanceDetails_networkInterfaces_ipv6Addresses_str | | | resource_instanceDetails_networkInterfaces_ipv6Addresses | |
| resource_instanceDetails_networkInterfaces_publicDnsName_str | | | resource_instanceDetails_networkInterfaces_publicDnsName | |
| resource_instanceDetails_networkInterfaces_privateIpAddress_str | | | resource_instanceDetails_networkInterfaces_privateIpAddress | |
| resource_instanceDetails_tags_value_str | | | resource_instanceDetails_tags_value | |
| resource_instanceDetails_tags_key_str | | | resource_instanceDetails_tags_key | |
| resource_instanceDetails_instanceState | | | | |
| resource_instanceDetails_availabilityZone | | | | |
| resource_instanceDetails_imageId | | | | |
| resource_instanceDetails_imageDescription | | | | |
| resource_s3BucketDetails_str | | | resource_s3BucketDetails | |
| resource_instanceDetails_outpostArn | | | | |
| service_serviceName | | | | |
| service_detectorId | | | | |
| service_action_actionType | | | | |
| service_action_awsApiCallAction_api | | | | |
| service_action_awsApiCallAction_serviceName | | | | |
| service_action_awsApiCallAction_callerType | | | | |
| service_action_awsApiCallAction_remoteIpDetails_ipAddressV4 | | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asn | | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg | | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_isp | | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_org | | | | |
| service_action_awsApiCallAction_remoteIpDetails_country_countryName | | | | |
| service_action_awsApiCallAction_remoteIpDetails_city_cityName | | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat | | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon | | | | |
| service_action_awsApiCallAction_affectedResources | | | | |
| service_action_dnsRequestAction_domain | | | | |
| service_action_dnsRequestAction_protocol | | | | |
| service_action_dnsRequestAction_blocked | | | | |
| service_action_networkConnectionAction_blocked | | | | |
| service_action_networkConnectionAction_connectionDirection | | | | |
| service_action_networkConnectionAction_localPortDetails_port | | | | |
| service_action_networkConnectionAction_localPortDetails_portName | | | | |
| service_action_networkConnectionAction_protocol | | | | |
| service_action_networkConnectionAction_localIpDetails_ipAddressV4 | | | | |
| service_action_networkConnectionAction_remoteIpDetails_city_cityName | | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryCode | | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryName | | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | | | | |
| service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asn | | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_isp | | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_org | | | | |
| service_action_networkConnectionAction_remotePortDetails_port | | | | |
| service_action_networkConnectionAction_remotePortDetails_portName | | | | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_str | | | service_action_portProbeAction_portProbeDetails_localPortDetails | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_port_str | | | service_action_portProbeAction_portProbeDetails_localPortDetails_port | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_portName_str | | | service_action_portProbeAction_portProbeDetails_localPortDetails_portName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org_str | | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_str | | | service_action_portProbeAction_portProbeDetails_localIpDetails | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4_str | | | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6_str | | | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6 | |
| service_action_portProbeAction_blocked | | | | |
| service_resourceRole | | | | |
| service_additionalInfo_recentApiCalls_api_str | | | service_additionalInfo_recentApiCalls_api | |
| service_additionalInfo_recentApiCalls_count_str | | | service_additionalInfo_recentApiCalls_count | |
| service_additionalInfo_threatName | | | | |
| service_additionalInfo_threatListName | | | | |
| service_evidence_threatIntelligenceDetails_threatNames_str | | | service_evidence_threatIntelligenceDetails_threatNames | |
| service_evidence_threatIntelligenceDetails_threatListName_str | | | service_evidence_threatIntelligenceDetails_threatListName | |
| service_eventFirstSeen | | | | |
| service_eventLastSeen | | | | |
| service_archived | | | | |
| service_count | | | | |
| service_userFeedback | | | | |
| severity | | | | |
| confidence | | | | |
| createdAt | | | | |
| updatedAt | | | | |
| title | | | | |
| description | | | | |
| hostchain | | | | ✓ |
| tag | | | | ✓ |
| rawMessage | | | | ✓ |