
Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty. Two subtypes are supported: `events`, whose rows carry the finding inside an event envelope (`version`, `id`, `source`, `account`, `region`, `resources_str`, and the finding itself under `detail_*`), and `findings`, whose rows carry the GuardDuty finding object at top level (`schemaVersion`, `accountId`, `service_*`, `severity`, and so on). Both tables also keep the original message in `rawMessage`, so values such as access key IDs, principal IDs and public IP addresses are available in parsed form and in the raw text — scope access to these tables accordingly.

Valid tags and data tables

The full tag must have exactly 4 levels. The first 3 are fixed as cloud.aws.guardduty. The fourth level indicates the event subtype and must be either `events` or `findings`, as listed in the table below; events sent with any other fourth level will not be routed to these data tables.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

AWS GuardDuty

cloud.aws.guardduty.events

cloud.aws.guardduty.events

cloud.aws.guardduty.findings

cloud.aws.guardduty.findings

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables. Note that not every field is populated in every row: the `*_service_action_*` groups (`dnsRequestAction`, `networkConnectionAction`, `awsApiCallAction`, `portProbeAction`) are mutually exclusive and which one is filled depends on the finding's `actionType`, so detection queries should filter on `actionType` (or check for null) before relying on a group's fields. Fields whose name ends in `_str` are comma-joined flattenings of the corresponding array source field shown in the "Source field name" column.

cloud.aws.guardduty.events

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

timestamp

timestamp

 

time

ACCID_TAG

str

 

ACCID

REGION_TAG

str

 

REGION

detail_type

str

 

 

detail_title

str

 

 

detail_findings_title

str

 

 

detail_findings_compliance_status

str

 

 

detail_findings_remediation_recommendation_url

str

 

 

version

str

 

 

id

str

 

 

source

str

 

 

account

str

 

 

region

str

 

 

resources_str

str

join(resources, ',')

resources

detail_schemaVersion

str

 

 

detail_accountId

str

 

 

detail_region

str

 

 

detail_partition

str

 

 

detail_id

str

 

 

detail_arn

str

 

 

detail_severity

int4

 

 

detail_createdAt

timestamp

 

 

detail_updatedAt

timestamp

 

 

detail_description

str

 

 

detail_detail_type

str

 

 

detail_resource_resourceType

str

 

 

detail_resource_instanceDetails_instanceId

str

 

 

detail_resource_instanceDetails_instanceType

str

 

 

detail_resource_instanceDetails_launchTime

timestamp

 

 

detail_resource_instanceDetails_platform

str

 

 

productCodes_productCodeId_str

str

join(productCodes_productCodeId, ',')

productCodes_productCodeId

productCodes_productCodeType_str

str

join(productCodes_productCodeType, ',')

productCodes_productCodeType

detail_resource_instanceDetails_iamInstanceProfile_arn

str

 

 

detail_resource_instanceDetails_iamInstanceProfile_id

str

 

 

networkInterfaces_networkInterfaceId_str

str

join(networkInterfaces_networkInterfaceId, ',')

networkInterfaces_networkInterfaceId

networkInterfaces_subnetId_str

str

join(networkInterfaces_subnetId, ',')

networkInterfaces_subnetId

networkInterfaces_vpcId_str

str

join(networkInterfaces_vpcId, ',')

networkInterfaces_vpcId

networkInterfaces_privateDnsName_str

str

join(networkInterfaces_privateDnsName, ',')

networkInterfaces_privateDnsName

networkInterfaces_publicIp_str

str

join(networkInterfaces_publicIp, ',')

networkInterfaces_publicIp

networkInterfaces_ipv6Addresses_str

str

join(networkInterfaces_ipv6Addresses, ',')

networkInterfaces_ipv6Addresses

networkInterfaces_publicDnsName_str

str

join(networkInterfaces_publicDnsName, ',')

networkInterfaces_publicDnsName

networkInterfaces_privateIpAddress_str

str

join(networkInterfaces_privateIpAddress, ',')

networkInterfaces_privateIpAddress

networkInterfaces_securityGroups_str

str

join(networkInterfaces_securityGroups, ',')

networkInterfaces_securityGroups

tags_value_str

str

join(tags_value, ',')

tags_value

tags_key_str

str

join(tags_key, ',')

tags_key

detail_resource_instanceDetails_instanceState

str

 

 

detail_resource_instanceDetails_availabilityZone

str

 

 

detail_resource_instanceDetails_imageId

str

 

 

detail_resource_instanceDetails_imageDescription

str

 

 

detail_service_serviceName

str

 

 

detail_service_detectorId

str

 

 

detail_service_action_actionType

str

 

 

detail_service_action_dnsRequestAction_domain

str

 

 

detail_service_action_dnsRequestAction_protocol

str

 

 

detail_service_action_dnsRequestAction_blocked

bool

 

 

detail_service_action_networkConnectionAction_connectionDirection

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4

ip4

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_organization_org

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName

str

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat

float8

 

 

detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon

float8

 

 

detail_service_action_networkConnectionAction_remotePortDetails_port

int8

 

 

detail_service_action_networkConnectionAction_remotePortDetails_portName

str

 

 

detail_service_action_networkConnectionAction_localPortDetails_port

int8

 

 

detail_service_action_networkConnectionAction_localPortDetails_portName

str

 

 

detail_service_action_networkConnectionAction_protocol

str

 

 

detail_service_action_networkConnectionAction_blocked

bool

 

 

detail_service_resourceRole

str

 

 

detail_service_additionalInfo_portsScannedSample

[int8]

 

 

detail_service_additionalInfo_portsScannedSample_str

str

replace(replace(stringify(json(detail_service_additionalInfo_portsScannedSample)), "[", ""), "]", "")

detail_service_additionalInfo_portsScannedSample

detail_service_additionalInfo_threatListName

str

 

 

detail_service_additionalInfo_sample

bool

 

 

threatIntelligenceDetails_threatNames_str

str

join(threatIntelligenceDetails_threatNames, ',')

threatIntelligenceDetails_threatNames

threatIntelligenceDetails_threatListName_str

str

join(threatIntelligenceDetails_threatListName, ',')

threatIntelligenceDetails_threatListName

detail_service_eventFirstSeen

timestamp

 

 

detail_service_eventLastSeen

timestamp

 

 

detail_service_archived

bool

 

 

detail_service_count

int8

 

 

detail_findings_schemaVersion

str

 

 

detail_findings_id

str

 

 

detail_findings_productArn

str

 

 

detail_findings_generatorId

str

 

 

detail_findings_awsAccountId

str

 

 

detail_findings_types_str

str

join(detail_findings_types, ',')

detail_findings_types

detail_findings_firstObservedAt

timestamp

 

 

detail_findings_lastObservedAt

timestamp

 

 

detail_findings_createdAt

timestamp

 

 

detail_findings_updatedAt

timestamp

 

 

detail_findings_severity_product

int4

 

 

detail_findings_severity_normalized

int4

 

 

detail_findings_description

str

 

 

detail_findings_remediation_recommendation_text

str

 

 

detail_findings_productFields_standardsGuideArn

str

 

 

detail_findings_productFields_standardsGuideSubscriptionArn

str

 

 

detail_findings_productFields_ruleId

str

 

 

detail_findings_productFields_recommendationUrl

str

 

 

detail_findings_productFields_relatedAWSResources_0_name

str

 

 

detail_findings_productFields_relatedAWSResources_0_type

str

 

 

detail_findings_productFields_recordState

str

 

 

detail_findings_productFields_aws_securityhub_findingId

str

 

 

detail_findings_productFields_aws_securityhub_severityLabel

str

 

 

detail_findings_productFields_aws_securityhub_productName

str

 

 

detail_findings_productFields_aws_securityhub_companyName

str

 

 

detail_findings_resources_type

str

 

 

detail_findings_resources_id

str

 

 

detail_findings_resources_partition

str

 

 

detail_findings_resources_region

str

 

 

detail_findings_resources_details_other_path

str

 

 

detail_findings_resources_details_other_userName

str

 

 

detail_findings_resources_details_other_userId

str

 

 

detail_findings_resources_details_other_arn

str

 

 

detail_findings_resources_details_other_createDate

timestamp

 

 

detail_findings_recordState

str

 

 

detail_findings_workflowState

str

 

 

detail_findings_approximateArrivalTimestamp

timestamp

timestamp(int8(detail_findings_approximateArrivalTimestamp_float * 1000))

detail_findings_approximateArrivalTimestamp_float

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

cloud.aws.guardduty.findings

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

ACCID_TAG

str

 

ACCID

REGION_TAG

str

 

REGION

schemaVersion

str

 

 

accountId

str

 

 

region

str

 

 

partition

str

 

 

id

str

 

 

arn

str

 

 

type

str

 

 

resource_resourceType

str

 

 

resource_accessKeyDetails_accessKeyId

str

 

 

resource_accessKeyDetails_principalId

str

 

 

resource_accessKeyDetails_userType

str

 

 

resource_accessKeyDetails_userName

str

 

 

resource_instanceDetails_instanceId

str

 

 

resource_instanceDetails_instanceType

str

 

 

resource_instanceDetails_launchTime

timestamp

 

 

resource_instanceDetails_platform

str

 

 

resource_instanceDetails_productCodes

str

 

 

resource_instanceDetails_iamInstanceProfile_arn

str

 

 

resource_instanceDetails_iamInstanceProfile_id

str

 

 

resource_instanceDetails_networkInterfaces_networkInterfaceId_str

str

join(resource_instanceDetails_networkInterfaces_networkInterfaceId, ',')

resource_instanceDetails_networkInterfaces_networkInterfaceId

resource_instanceDetails_networkInterfaces_privateIpAddresses_str

str

join(resource_instanceDetails_networkInterfaces_privateIpAddresses, ',')

resource_instanceDetails_networkInterfaces_privateIpAddresses

resource_instanceDetails_networkInterfaces_subnetId_str

str

join(resource_instanceDetails_networkInterfaces_subnetId, ',')

resource_instanceDetails_networkInterfaces_subnetId

resource_instanceDetails_networkInterfaces_vpcId_str

str

join(resource_instanceDetails_networkInterfaces_vpcId, ',')

resource_instanceDetails_networkInterfaces_vpcId

resource_instanceDetails_networkInterfaces_privateDnsName_str

str

join(resource_instanceDetails_networkInterfaces_privateDnsName, ',')

resource_instanceDetails_networkInterfaces_privateDnsName

resource_instanceDetails_networkInterfaces_securityGroups_str

str

join(resource_instanceDetails_networkInterfaces_securityGroups, ',')

resource_instanceDetails_networkInterfaces_securityGroups

resource_instanceDetails_networkInterfaces_publicIp_str

str

join(resource_instanceDetails_networkInterfaces_publicIp, ',')

resource_instanceDetails_networkInterfaces_publicIp

resource_instanceDetails_networkInterfaces_ipv6Addresses_str

str

join(resource_instanceDetails_networkInterfaces_ipv6Addresses, ',')

resource_instanceDetails_networkInterfaces_ipv6Addresses

resource_instanceDetails_networkInterfaces_publicDnsName_str

str

join(resource_instanceDetails_networkInterfaces_publicDnsName, ',')

resource_instanceDetails_networkInterfaces_publicDnsName

resource_instanceDetails_networkInterfaces_privateIpAddress_str

str

join(resource_instanceDetails_networkInterfaces_privateIpAddress, ',')

resource_instanceDetails_networkInterfaces_privateIpAddress

resource_instanceDetails_tags_value_str

str

join(resource_instanceDetails_tags_value, ',')

resource_instanceDetails_tags_value

resource_instanceDetails_tags_key_str

str

join(resource_instanceDetails_tags_key, ',')

resource_instanceDetails_tags_key

resource_instanceDetails_instanceState

str

 

 

resource_instanceDetails_availabilityZone

str

 

 

resource_instanceDetails_imageId

str

 

 

resource_instanceDetails_imageDescription

str

 

 

resource_s3BucketDetails_str

str

join(resource_s3BucketDetails, ',')

resource_s3BucketDetails

resource_instanceDetails_outpostArn

str

 

 

service_serviceName

str

 

 

service_detectorId

str

 

 

service_action_actionType

str

 

 

service_action_awsApiCallAction_api

str

 

 

service_action_awsApiCallAction_serviceName

str

 

 

service_action_awsApiCallAction_callerType

str

 

 

service_action_awsApiCallAction_remoteIpDetails_ipAddressV4

ip4

 

 

service_action_awsApiCallAction_remoteIpDetails_organization_asn

str

 

 

service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg

str

 

 

service_action_awsApiCallAction_remoteIpDetails_organization_isp

str

 

 

service_action_awsApiCallAction_remoteIpDetails_organization_org

str

 

 

service_action_awsApiCallAction_remoteIpDetails_country_countryName

str

 

 

service_action_awsApiCallAction_remoteIpDetails_city_cityName

str

 

 

service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat

float8

 

 

service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon

float8

 

 

service_action_awsApiCallAction_affectedResources

str

 

 

service_action_dnsRequestAction_domain

str

 

 

service_action_dnsRequestAction_protocol

str

 

 

service_action_dnsRequestAction_blocked

bool

 

 

service_action_networkConnectionAction_blocked

bool

 

 

service_action_networkConnectionAction_connectionDirection

str

 

 

service_action_networkConnectionAction_localPortDetails_port

int8

 

 

service_action_networkConnectionAction_localPortDetails_portName

str

 

 

service_action_networkConnectionAction_protocol

str

 

 

service_action_networkConnectionAction_localIpDetails_ipAddressV4

ip4

 

 

service_action_networkConnectionAction_remoteIpDetails_city_cityName

str

 

 

service_action_networkConnectionAction_remoteIpDetails_country_countryCode

str

 

 

service_action_networkConnectionAction_remoteIpDetails_country_countryName

str

 

 

service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat

float8

 

 

service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon

float8

 

 

service_action_networkConnectionAction_remoteIpDetails_ipAddressV4

ip4

 

 

service_action_networkConnectionAction_remoteIpDetails_organization_asn

str

 

 

service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg

str

 

 

service_action_networkConnectionAction_remoteIpDetails_organization_isp

str

 

 

service_action_networkConnectionAction_remoteIpDetails_organization_org

str

 

 

service_action_networkConnectionAction_remotePortDetails_port

int8

 

 

service_action_networkConnectionAction_remotePortDetails_portName

str

 

 

service_action_portProbeAction_portProbeDetails_localPortDetails_str

str

join(service_action_portProbeAction_portProbeDetails_localPortDetails, ',')

service_action_portProbeAction_portProbeDetails_localPortDetails

service_action_portProbeAction_portProbeDetails_remoteIpDetails_str

str

join(service_action_portProbeAction_portProbeDetails_remoteIpDetails, ',')

service_action_portProbeAction_portProbeDetails_remoteIpDetails

service_action_portProbeAction_blocked

bool

 

 

service_resourceRole

str

 

 

service_additionalInfo_recentApiCalls_api_str

str

join(service_additionalInfo_recentApiCalls_api, ',')

service_additionalInfo_recentApiCalls_api

service_additionalInfo_recentApiCalls_count_str

str

replace(replace(stringify(json(service_additionalInfo_recentApiCalls_count)), "[", ""), "]", "")

service_additionalInfo_recentApiCalls_count

service_additionalInfo_threatName

str

 

 

service_additionalInfo_threatListName

str

 

 

service_evidence_threatIntelligenceDetails_threatNames_str

str

join(service_evidence_threatIntelligenceDetails_threatNames, ',')

service_evidence_threatIntelligenceDetails_threatNames

service_evidence_threatIntelligenceDetails_threatListName_str

str

join(service_evidence_threatIntelligenceDetails_threatListName, ',')

service_evidence_threatIntelligenceDetails_threatListName

service_eventFirstSeen

timestamp

 

 

service_eventLastSeen

timestamp

 

 

service_archived

bool

 

 

service_count

int4

 

 

service_userFeedback

str

 

 

severity

int4

 

 

confidence

float8

 

 

createdAt

timestamp

 

 

updatedAt

timestamp

 

 

title

str

 

 

description

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 
