
Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.guardduty, and the fourth level indicates the event subtype.

Technology | Brand | Type | Subtype
cloud | aws | guardduty | events

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables
AWS GuardDuty | cloud.aws.guardduty.events | cloud.aws.guardduty.events
AWS GuardDuty | cloud.aws.guardduty.findings | cloud.aws.guardduty.findings

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.guardduty.events

Field | Type | Field transformation | Source field name
eventdate | timestamp | | 
timestamp | timestamp | | time
ACCID_TAG | str | | ACCID
REGION_TAG | str | | REGION
detail_type | str | | 
detail_title | str | | 
detail_findings_title | str | | 
detail_findings_compliance_status | str | | 
detail_findings_remediation_recommendation_url | str | | 
version | str | | 
id | str | | 
source | str | | 
account | str | | 
region | str | | 
resources_str | str | join(resources, ',') | resources
detail_schemaVersion | str | | 
detail_accountId | str | | 
detail_region | str | | 
detail_partition | str | | 
detail_id | str | | 
detail_arn | str | | 
detail_severity | int4 | | 
detail_createdAt | timestamp | | 
detail_updatedAt | timestamp | | 
detail_description | str | | 
detail_detail_type | str | | 
detail_resource_resourceType | str | | 
detail_resource_instanceDetails_instanceId | str | | 
detail_resource_instanceDetails_instanceType | str | | 
detail_resource_instanceDetails_launchTime | timestamp | | 
detail_resource_instanceDetails_platform | str | | 
productCodes_productCodeId_str | str | join(productCodes_productCodeId, ',') | productCodes_productCodeId
productCodes_productCodeType_str | str | join(productCodes_productCodeType, ',') | productCodes_productCodeType
detail_resource_instanceDetails_iamInstanceProfile_arn | str | | 
detail_resource_instanceDetails_iamInstanceProfile_id | str | | 
networkInterfaces_networkInterfaceId_str | str | join(networkInterfaces_networkInterfaceId, ',') | networkInterfaces_networkInterfaceId
networkInterfaces_subnetId_str | str | join(networkInterfaces_subnetId, ',') | networkInterfaces_subnetId
networkInterfaces_vpcId_str | str | join(networkInterfaces_vpcId, ',') | networkInterfaces_vpcId
networkInterfaces_privateDnsName_str | str | join(networkInterfaces_privateDnsName, ',') | networkInterfaces_privateDnsName
networkInterfaces_publicIp_str | str | join(networkInterfaces_publicIp, ',') | networkInterfaces_publicIp
networkInterfaces_ipv6Addresses_str | str | join(networkInterfaces_ipv6Addresses, ',') | networkInterfaces_ipv6Addresses
networkInterfaces_publicDnsName_str | str | join(networkInterfaces_publicDnsName, ',') | networkInterfaces_publicDnsName
networkInterfaces_privateIpAddress_str | str | join(networkInterfaces_privateIpAddress, ',') | networkInterfaces_privateIpAddress
networkInterfaces_securityGroups_str | str | join(networkInterfaces_securityGroups, ',') | networkInterfaces_securityGroups
tags_value_str | str | join(tags_value, ',') | tags_value
tags_key_str | str | join(tags_key, ',') | tags_key
detail_resource_instanceDetails_instanceState | str | | 
detail_resource_instanceDetails_availabilityZone | str | | 
detail_resource_instanceDetails_imageId | str | | 
detail_resource_instanceDetails_imageDescription | str | | 
detail_service_serviceName | str | | 
detail_service_detectorId | str | | 
detail_service_action_actionType | str | | 
detail_service_action_dnsRequestAction_domain | str | | 
detail_service_action_dnsRequestAction_protocol | str | | 
detail_service_action_dnsRequestAction_blocked | bool | | 
detail_service_action_networkConnectionAction_connectionDirection | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | 
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | 
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | 
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | 
detail_service_action_networkConnectionAction_remotePortDetails_port | int8 | | 
detail_service_action_networkConnectionAction_remotePortDetails_portName | str | | 
detail_service_action_networkConnectionAction_localPortDetails_port | int8 | | 
detail_service_action_networkConnectionAction_localPortDetails_portName | str | | 
detail_service_action_networkConnectionAction_protocol | str | | 
detail_service_action_networkConnectionAction_blocked | bool | | 
detail_service_resourceRole | str | | 
detail_service_additionalInfo_portsScannedSample | [int8] | | 
detail_service_additionalInfo_portsScannedSample_str | str | replace(replace(stringify(json(detail_service_additionalInfo_portsScannedSample)), "[", ""), "]", "") | detail_service_additionalInfo_portsScannedSample
detail_service_additionalInfo_threatListName | str | | 
detail_service_additionalInfo_sample | bool | | 
threatIntelligenceDetails_threatNames_str | str | join(threatIntelligenceDetails_threatNames, ',') | threatIntelligenceDetails_threatNames
threatIntelligenceDetails_threatListName_str | str | join(threatIntelligenceDetails_threatListName, ',') | threatIntelligenceDetails_threatListName
detail_service_eventFirstSeen | timestamp | | 
detail_service_eventLastSeen | timestamp | | 
detail_service_archived | bool | | 
detail_service_count | int8 | | 
detail_findings_schemaVersion | str | | 
detail_findings_id | str | | 
detail_findings_productArn | str | | 
detail_findings_generatorId | str | | 
detail_findings_awsAccountId | str | | 
detail_findings_types_str | str | join(detail_findings_types, ',') | detail_findings_types
detail_findings_firstObservedAt | timestamp | | 
detail_findings_lastObservedAt | timestamp | | 
detail_findings_createdAt | timestamp | | 
detail_findings_updatedAt | timestamp | | 
detail_findings_severity_product | int4 | | 
detail_findings_severity_normalized | int4 | | 
detail_findings_description | str | | 
detail_findings_remediation_recommendation_text | str | | 
detail_findings_productFields_standardsGuideArn | str | | 
detail_findings_productFields_standardsGuideSubscriptionArn | str | | 
detail_findings_productFields_ruleId | str | | 
detail_findings_productFields_recommendationUrl | str | | 
detail_findings_productFields_relatedAWSResources_0_name | str | | 
detail_findings_productFields_relatedAWSResources_0_type | str | | 
detail_findings_productFields_recordState | str | | 
detail_findings_productFields_aws_securityhub_findingId | str | | 
detail_findings_productFields_aws_securityhub_severityLabel | str | | 
detail_findings_productFields_aws_securityhub_productName | str | | 
detail_findings_productFields_aws_securityhub_companyName | str | | 
detail_findings_resources_type | str | | 
detail_findings_resources_id | str | | 
detail_findings_resources_partition | str | | 
detail_findings_resources_region | str | | 
detail_findings_resources_details_other_path | str | | 
detail_findings_resources_details_other_userName | str | | 
detail_findings_resources_details_other_userId | str | | 
detail_findings_resources_details_other_arn | str | | 
detail_findings_resources_details_other_createDate | timestamp | | 
detail_findings_recordState | str | | 
detail_findings_workflowState | str | | 
detail_findings_approximateArrivalTimestamp | timestamp | timestamp(int8(detail_findings_approximateArrivalTimestamp_float * 1000)) | detail_findings_approximateArrivalTimestamp_float
hostchain | str | | 
tag | str | | 
rawMessage | str | | 

cloud.aws.guardduty.findings

Field | Type | Field transformation | Source field name
eventdate | timestamp | | 
ACCID_TAG | str | | ACCID
REGION_TAG | str | | REGION
schemaVersion | str | | 
accountId | str | | 
region | str | | 
partition | str | | 
id | str | | 
arn | str | | 
type | str | | 
resource_resourceType | str | | 
resource_accessKeyDetails_accessKeyId | str | | 
resource_accessKeyDetails_principalId | str | | 
resource_accessKeyDetails_userType | str | | 
resource_accessKeyDetails_userName | str | | 
resource_instanceDetails_instanceId | str | | 
resource_instanceDetails_instanceType | str | | 
resource_instanceDetails_launchTime | timestamp | | 
resource_instanceDetails_platform | str | | 
resource_instanceDetails_productCodes | str | | 
resource_instanceDetails_iamInstanceProfile_arn | str | | 
resource_instanceDetails_iamInstanceProfile_id | str | | 
resource_instanceDetails_networkInterfaces_networkInterfaceId_str | str | join(resource_instanceDetails_networkInterfaces_networkInterfaceId, ',') | resource_instanceDetails_networkInterfaces_networkInterfaceId
resource_instanceDetails_networkInterfaces_privateIpAddresses_str | str | join(resource_instanceDetails_networkInterfaces_privateIpAddresses, ',') | resource_instanceDetails_networkInterfaces_privateIpAddresses
resource_instanceDetails_networkInterfaces_subnetId_str | str | join(resource_instanceDetails_networkInterfaces_subnetId, ',') | resource_instanceDetails_networkInterfaces_subnetId
resource_instanceDetails_networkInterfaces_vpcId_str | str | join(resource_instanceDetails_networkInterfaces_vpcId, ',') | resource_instanceDetails_networkInterfaces_vpcId
resource_instanceDetails_networkInterfaces_privateDnsName_str | str | join(resource_instanceDetails_networkInterfaces_privateDnsName, ',') | resource_instanceDetails_networkInterfaces_privateDnsName
resource_instanceDetails_networkInterfaces_securityGroups_str | str | join(resource_instanceDetails_networkInterfaces_securityGroups, ',') | resource_instanceDetails_networkInterfaces_securityGroups
resource_instanceDetails_networkInterfaces_publicIp_str | str | join(resource_instanceDetails_networkInterfaces_publicIp, ',') | resource_instanceDetails_networkInterfaces_publicIp
resource_instanceDetails_networkInterfaces_ipv6Addresses_str | str | join(resource_instanceDetails_networkInterfaces_ipv6Addresses, ',') | resource_instanceDetails_networkInterfaces_ipv6Addresses
resource_instanceDetails_networkInterfaces_publicDnsName_str | str | join(resource_instanceDetails_networkInterfaces_publicDnsName, ',') | resource_instanceDetails_networkInterfaces_publicDnsName
resource_instanceDetails_networkInterfaces_privateIpAddress_str | str | join(resource_instanceDetails_networkInterfaces_privateIpAddress, ',') | resource_instanceDetails_networkInterfaces_privateIpAddress
resource_instanceDetails_tags_value_str | str | join(resource_instanceDetails_tags_value, ',') | resource_instanceDetails_tags_value
resource_instanceDetails_tags_key_str | str | join(resource_instanceDetails_tags_key, ',') | resource_instanceDetails_tags_key
resource_instanceDetails_instanceState | str | | 
resource_instanceDetails_availabilityZone | str | | 
resource_instanceDetails_imageId | str | | 
resource_instanceDetails_imageDescription | str | | 
resource_s3BucketDetails_str | str | join(resource_s3BucketDetails, ',') | resource_s3BucketDetails
resource_instanceDetails_outpostArn | str | | 
service_serviceName | str | | 
service_detectorId | str | | 
service_action_actionType | str | | 
service_action_awsApiCallAction_api | str | | 
service_action_awsApiCallAction_serviceName | str | | 
service_action_awsApiCallAction_callerType | str | | 
service_action_awsApiCallAction_remoteIpDetails_ipAddressV4 | ip4 | | 
service_action_awsApiCallAction_remoteIpDetails_organization_asn | str | | 
service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg | str | | 
service_action_awsApiCallAction_remoteIpDetails_organization_isp | str | | 
service_action_awsApiCallAction_remoteIpDetails_organization_org | str | | 
service_action_awsApiCallAction_remoteIpDetails_country_countryName | str | | 
service_action_awsApiCallAction_remoteIpDetails_city_cityName | str | | 
service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat | float8 | | 
service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon | float8 | | 
service_action_awsApiCallAction_affectedResources | str | | 
service_action_dnsRequestAction_domain | str | | 
service_action_dnsRequestAction_protocol | str | | 
service_action_dnsRequestAction_blocked | bool | | 
service_action_networkConnectionAction_blocked | bool | | 
service_action_networkConnectionAction_connectionDirection | str | | 
service_action_networkConnectionAction_localPortDetails_port | int8 | | 
service_action_networkConnectionAction_localPortDetails_portName | str | | 
service_action_networkConnectionAction_protocol | str | | 
service_action_networkConnectionAction_localIpDetails_ipAddressV4 | ip4 | | 
service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | 
service_action_networkConnectionAction_remoteIpDetails_country_countryCode | str | | 
service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | 
service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | 
service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | 
service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | 
service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | 
service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | 
service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | 
service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | 
service_action_networkConnectionAction_remotePortDetails_port | int8 | | 
service_action_networkConnectionAction_remotePortDetails_portName | str | | 
service_action_portProbeAction_portProbeDetails_localPortDetails_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails
service_action_portProbeAction_portProbeDetails_localPortDetails_port_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails_port, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails_port
service_action_portProbeAction_portProbeDetails_localPortDetails_portName_str | str | join(service_action_portProbeAction_portProbeDetails_localPortDetails_portName, ',') | service_action_portProbeAction_portProbeDetails_localPortDetails_portName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails
service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_city, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city
service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat_str | str | replace(replace(stringify(json(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat)), '[', ''), ']', '') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon_str | str | replace(replace(stringify(json(service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon)), '[', ''), ']', '') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon
service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4
service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org_str | str | join(service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org, ',') | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org
service_action_portProbeAction_portProbeDetails_localIpDetails_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails
service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4
service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6_str | str | join(service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6, ',') | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6
service_action_portProbeAction_blocked | bool | | 
service_resourceRole | str | | 
service_additionalInfo_recentApiCalls_api_str | str | join(service_additionalInfo_recentApiCalls_api, ',') | service_additionalInfo_recentApiCalls_api
service_additionalInfo_recentApiCalls_count_str | str | replace(replace(stringify(json(service_additionalInfo_recentApiCalls_count)), "[", ""), "]", "") | service_additionalInfo_recentApiCalls_count
service_additionalInfo_threatName | str | | 
service_additionalInfo_threatListName | str | | 
service_evidence_threatIntelligenceDetails_threatNames_str | str | join(service_evidence_threatIntelligenceDetails_threatNames, ',') | service_evidence_threatIntelligenceDetails_threatNames
service_evidence_threatIntelligenceDetails_threatListName_str | str | join(service_evidence_threatIntelligenceDetails_threatListName, ',') | service_evidence_threatIntelligenceDetails_threatListName
service_eventFirstSeen | timestamp | | 
service_eventLastSeen | timestamp | | 
service_archived | bool | | 
service_count | int4 | | 
service_userFeedback | str | | 
severity | int4 | | 
confidence | float8 | | 
createdAt | timestamp | | 
updatedAt | timestamp | | 
title | str | | 
description | str | | 
hostchain | str | | 
tag | str | | 
rawMessage | str | | 
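The tag rule above (4 levels, the first 3 fixed as cloud.aws.guardduty) and the column conventions in both tables (nested JSON keys joined with underscores, array fields accompanied by a <field>_str companion built with join(field, ','), and approximateArrivalTimestamp converted from float seconds to a millisecond timestamp) are easy to get wrong when you build your own parser or forwarder. The following Python is an added example, not code from this page or from Devo: it validates a tag, flattens a constructed sample finding into a row keyed like the cloud.aws.guardduty.findings columns, and mirrors the timestamp conversion. The sample finding, the helper names and the "one list per leaf key" treatment of arrays of objects are this example's own assumptions.

```python
# Added example (not from the Devo page or from Devo): flatten a GuardDuty
# finding into the cloud.aws.guardduty.findings column naming, validate the
# 4-level tag, and mirror the approximateArrivalTimestamp conversion.
# Helper names and the sample finding are this example's own assumptions.
import json
from datetime import datetime, timezone

FIXED_LEVELS = ("cloud", "aws", "guardduty")   # levels 1-3 are fixed
SUBTYPES = {"events", "findings"}              # level 4, per the tags table

# Constructed sample finding, trimmed to what the demo needs.
SAMPLE_FINDING = json.loads("""{
  "schemaVersion": "2.0",
  "accountId": "123456789012",
  "region": "us-east-1",
  "id": "example-finding-id",
  "type": "Recon:EC2/PortProbeUnprotectedPort",
  "severity": 2,
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {
      "instanceId": "i-0123456789abcdef0",
      "networkInterfaces": [
        {"networkInterfaceId": "eni-aaa", "privateIpAddress": "10.0.1.10", "vpcId": "vpc-1"},
        {"networkInterfaceId": "eni-bbb", "privateIpAddress": "10.0.2.20", "vpcId": "vpc-1"}
      ]
    }
  },
  "service": {
    "serviceName": "guardduty",
    "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": false}},
    "additionalInfo": {"recentApiCalls": [{"api": "DescribeInstances", "count": 3},
                                          {"api": "ListBuckets", "count": 1}]}
  }
}""")


def validate_tag(tag):
    """True only for cloud.aws.guardduty.<events|findings>: exactly 4 levels,
    the first 3 fixed, the 4th one of the subtypes the page lists."""
    levels = tag.split(".")
    return (len(levels) == 4
            and tuple(levels[:3]) == FIXED_LEVELS
            and levels[3] in SUBTYPES)


def flatten(obj, prefix=""):
    """Flatten nested JSON into underscore-joined column names.

    An array of objects becomes one list per leaf key (the shape behind the
    networkInterfaces_* and recentApiCalls_* columns); arrays of scalars are
    kept as lists; everything else is a leaf value.
    """
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}_"))
    elif isinstance(obj, list) and obj and all(isinstance(i, dict) for i in obj):
        for item in obj:
            for key, value in flatten(item, prefix).items():
                out.setdefault(key, []).append(value)
    else:
        out[prefix[:-1]] = obj   # drop the trailing "_" of the prefix
    return out


def add_str_columns(row):
    """Add the <field>_str companions the tables define as join(field, ',').
    Nested lists (e.g. ipv6Addresses per interface) are flattened one level."""
    for key, value in list(row.items()):
        if isinstance(value, list):
            items = [x for v in value for x in (v if isinstance(v, list) else [v])]
            row[key + "_str"] = ",".join(str(x) for x in items)
    return row


def arrival_timestamp(epoch_seconds):
    """Mirror timestamp(int8(x_float * 1000)): float seconds -> whole ms -> UTC."""
    millis = int(epoch_seconds * 1000)
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc)


def to_findings_row(finding):
    """Row keyed like the cloud.aws.guardduty.findings columns."""
    return add_str_columns(flatten(finding))


if __name__ == "__main__":
    row = to_findings_row(SAMPLE_FINDING)
    for name in sorted(row):
        print(f"{name} = {row[name]!r}")
    print(validate_tag("cloud.aws.guardduty.findings"), validate_tag("cloud.aws.guardduty"))
    print(arrival_timestamp(1700000000.5).isoformat())
```

Run it to see the flattened column names next to their values; the list-valued columns (for example resource_instanceDetails_networkInterfaces_privateIpAddress) appear alongside their comma-joined _str companions, which is the form to search on in Devo when a finding spans several interfaces or API calls.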