
cloud.aws.security_lake

Introduction

The tags beginning with cloud.aws.security_lake identify events generated by Amazon Security Lake.

Valid tags and data tables 

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.security_lake. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service    | Tags                          | Data tables                   |
|----------------------|-------------------------------|-------------------------------|
| Amazon Security Lake | cloud.aws.security_lake.event | cloud.aws.security_lake.event |

For more information, see About Devo tags.

How is the data sent to Devo?

To send logs to these tables, you can use the Amazon Security Lake collector to send the required events to your Devo domain. Learn more about this in this article. 

Table structure

These are the fields displayed in this table:

| Field                            | Type      | Field transformation   | Source field name | Extra fields |
|----------------------------------|-----------|------------------------|-------------------|--------------|
| eventdate                        | timestamp |                        |                   |              |
| hostname                         | str       |                        |                   |              |
| ACCID                            | str       |                        |                   |              |
| REGION                           | str       |                        |                   |              |
| metadata__product__version       | str       |                        |                   |              |
| metadata__product__name          | str       |                        |                   |              |
| metadata__product__feature__name | str       |                        |                   |              |
| metadata__product__vendor_name   | str       |                        |                   |              |
| metadata__profiles               | str       |                        |                   |              |
| metadata__version                | str       |                        |                   |              |
| time                             | timestamp |                        |                   |              |
| cloud__region                    | str       |                        |                   |              |
| cloud__provider                  | str       |                        |                   |              |
| api__response__error             | str       |                        |                   |              |
| api__response__message           | str       |                        |                   |              |
| api__operation                   | str       |                        |                   |              |
| api__request__uid                | str       |                        |                   |              |
| api__version                     | str       |                        |                   |              |
| api__service__name               | str       |                        |                   |              |
| ref_event_uid                    | str       |                        |                   |              |
| src_endpoint__uid                | str       |                        |                   |              |
| src_endpoint__ip4                | ip4       | ip4(src_endpoint__ip)  | src_endpoint__ip  |              |
| src_endpoint__ip6                | ip6       | ip6(src_endpoint__ip)  | src_endpoint__ip  |              |
| src_endpoint__domain             | str       |                        |                   |              |
| resources                        | str       |                        |                   |              |
| identity__user__type             | str       |                        |                   |              |
| identity__user__name             | str       |                        |                   |              |
| identity__user__uid              | str       |                        |                   |              |
| identity__user__uuid             | str       |                        |                   |              |
| identity__user__account_uid      | str       |                        |                   |              |
| identity__user__credential_uid   | str       |                        |                   |              |
| identity__session__created_time  | str       |                        |                   |              |
| identity__session__mfa           | str       |                        |                   |              |
| identity__session__issuer        | str       |                        |                   |              |
| identity__invoked_by             | str       |                        |                   |              |
| identity__idp__name              | str       |                        |                   |              |
| http_request__user_agent         | str       |                        |                   |              |
| class_name                       | str       |                        |                   |              |
| class_uid                        | str       |                        |                   |              |
| category_name                    | str       |                        |                   |              |
| category_uid                     | str       |                        |                   |              |
| severity_id                      | str       |                        |                   |              |
| severity                         | str       |                        |                   |              |
| activity_name                    | str       |                        |                   |              |
| activity_id                      | str       |                        |                   |              |
| type_uid                         | str       |                        |                   |              |
| type_name                        | str       |                        |                   |              |
| unmapped                         | str       |                        |                   |              |
| at_devo_pulling_id               | str       |                        |                   |              |
| hostchain                        | str       |                        |                   | ✓            |
| tag                              | str       |                        |                   | ✓            |
| rawMessage                       | str       |                        |                   | ✓            |
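The double-underscore column names in the table are the flattening of the nested Security Lake (OCSF) record, and the two transformation entries route the single source field src_endpoint.ip to either the ip4 or the ip6 column. The Python below is an added example, not Devo's parser or collector code, that reproduces that mapping on a constructed sample record. The function names, the choice to store the `unmapped` object as a JSON string in its str column, and the handling of an address that parses as neither family are assumptions made for the example; the Extra fields (hostchain, tag, rawMessage) are added at ingestion and are not derived from the event, so they are left out.

```python
"""Added example: flatten an OCSF-shaped Security Lake event into the column
names of cloud.aws.security_lake.event (assumed mapping, not Devo's parser)."""
from __future__ import annotations

import ipaddress
import json
from typing import Any

# Constructed sample shaped like an OCSF API Activity record; not a real event.
SAMPLE_EVENT: dict[str, Any] = {
    "metadata": {
        "product": {"name": "CloudTrail", "vendor_name": "AWS", "version": "1.0"},
        "version": "1.0.0-rc.2",
    },
    "time": 1700000000000,
    "cloud": {"region": "us-east-1", "provider": "AWS"},
    "api": {"operation": "ConsoleLogin", "service": {"name": "signin.amazonaws.com"}},
    "src_endpoint": {"ip": "203.0.113.7"},
    "identity": {"user": {"type": "IAMUser", "name": "alice"}, "session": {"mfa": False}},
    "class_name": "API Activity",
    "class_uid": 3005,
    "severity_id": 1,
    "unmapped": {"eventVersion": "1.08"},
}


def flatten(obj: dict[str, Any], prefix: str = "", sep: str = "__") -> dict[str, Any]:
    """Join nested keys with '__' (metadata.product.name -> metadata__product__name).

    'unmapped' is kept as a single leaf because the table stores it as one str
    column rather than expanding whatever the source left unmapped (assumption).
    """
    out: dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict) and name != "unmapped":
            out.update(flatten(value, name, sep))
        else:
            out[name] = value
    return out


def split_ip(value: str | None) -> tuple[str | None, str | None]:
    """ip4()/ip6() transformation: return (ip4, ip6) with exactly one side set.

    An unparseable value fills neither column instead of aborting the row
    (assumed behaviour for the example).
    """
    if value is None:
        return None, None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None, None
    return (value, None) if addr.version == 4 else (None, value)


def to_devo_row(event: dict[str, Any]) -> dict[str, Any]:
    """Produce one row keyed by the table's column names."""
    row = flatten(event)
    # 'unmapped' is a str column: serialise the leftover object deterministically.
    if isinstance(row.get("unmapped"), (dict, list)):
        row["unmapped"] = json.dumps(row["unmapped"], sort_keys=True)
    # Consume the source field and emit the two typed columns from the table.
    row["src_endpoint__ip4"], row["src_endpoint__ip6"] = split_ip(row.pop("src_endpoint__ip", None))
    return row


if __name__ == "__main__":
    for column, value in sorted(to_devo_row(SAMPLE_EVENT).items()):
        print(f"{column:34} {value!r}")
```

Running the file prints each derived column beside its value; note that src_endpoint__ip never appears as a column of its own, only as the source of the ip4/ip6 pair, exactly as the Source field name column indicates.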