cloud.aws.guardduty

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.guardduty. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
AWS GuardDuty	`cloud.aws.guardduty.events`	`cloud.aws.guardduty.events`
AWS GuardDuty	`cloud.aws.guardduty.findings`	`cloud.aws.guardduty.findings`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.guardduty.events
cloud.aws.guardduty.findings

cloud.aws.guardduty.events

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
timestamp	`timestamp`		time
ACCID_TAG	`str`		ACCID
REGION_TAG	`str`		REGION
detail_type	`str`
detail_title	`str`
detail_findings_title	`str`
detail_findings_compliance_status	`str`
detail_findings_remediation_recommendation_url	`str`
version	`str`
id	`str`
source	`str`
account	`str`
region	`str`
resources_str	`str`	`join(resources, ',')`	resources
detail_schemaVersion	`str`
detail_accountId	`str`
detail_region	`str`
detail_partition	`str`
detail_id	`str`
detail_arn	`str`
detail_severity	`int4`
detail_createdAt	`timestamp`
detail_updatedAt	`timestamp`
detail_description	`str`
detail_detail_type	`str`
detail_resource_resourceType	`str`
detail_resource_instanceDetails_instanceId	`str`
detail_resource_instanceDetails_instanceType	`str`
detail_resource_instanceDetails_launchTime	`timestamp`
detail_resource_instanceDetails_platform	`str`
productCodes_productCodeId_str	`str`	`join(productCodes_productCodeId, ',')`	productCodes_productCodeId
productCodes_productCodeType_str	`str`	`join(productCodes_productCodeType, ',')`	productCodes_productCodeType
detail_resource_instanceDetails_iamInstanceProfile_arn	`str`
detail_resource_instanceDetails_iamInstanceProfile_id	`str`
networkInterfaces_networkInterfaceId_str	`str`		networkInterfaces_networkInterfaceId
networkInterfaces_subnetId_str	`str`		networkInterfaces_subnetId
networkInterfaces_vpcId_str	`str`		networkInterfaces_vpcId
networkInterfaces_privateDnsName_str	`str`		networkInterfaces_privateDnsName
networkInterfaces_publicIp_str	`str`		networkInterfaces_publicIp
networkInterfaces_ipv6Addresses_str	`str`		networkInterfaces_ipv6Addresses
networkInterfaces_publicDnsName_str	`str`		networkInterfaces_publicDnsName
networkInterfaces_privateIpAddress_str	`str`		networkInterfaces_privateIpAddress
networkInterfaces_securityGroups_str	`str`		networkInterfaces_securityGroups
tags_value_str	`str`		tags_value
tags_key_str	`str`		tags_key
detail_resource_instanceDetails_instanceState	`str`
detail_resource_instanceDetails_availabilityZone	`str`
detail_resource_instanceDetails_imageId	`str`
detail_resource_instanceDetails_imageDescription	`str`
detail_service_serviceName	`str`
detail_service_detectorId	`str`
detail_service_action_actionType	`str`
detail_service_action_dnsRequestAction_domain	`str`
detail_service_action_dnsRequestAction_protocol	`str`
detail_service_action_dnsRequestAction_blocked	`bool`
detail_service_action_networkConnectionAction_connectionDirection	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4	`ip4`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_org	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat	`float8`
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon	`float8`
detail_service_action_networkConnectionAction_remotePortDetails_port	`int8`
detail_service_action_networkConnectionAction_remotePortDetails_portName	`str`
detail_service_action_networkConnectionAction_localPortDetails_port	`int8`
detail_service_action_networkConnectionAction_localPortDetails_portName	`str`
detail_service_action_networkConnectionAction_protocol	`str`
detail_service_action_networkConnectionAction_blocked	`bool`
detail_service_resourceRole	`str`
detail_service_additionalInfo_portsScannedSample	`[int8]`
detail_service_additionalInfo_portsScannedSample_str	`str`		detail_service_additionalInfo_portsScannedSample
detail_service_additionalInfo_threatListName	`str`
detail_service_additionalInfo_sample	`bool`
threatIntelligenceDetails_threatNames_str	`str`		threatIntelligenceDetails_threatNames
threatIntelligenceDetails_threatListName_str	`str`		threatIntelligenceDetails_threatListName
detail_service_eventFirstSeen	`timestamp`
detail_service_eventLastSeen	`timestamp`
detail_service_archived	`bool`
detail_service_count	`int8`
detail_findings_schemaVersion	`str`
detail_findings_id	`str`
detail_findings_productArn	`str`
detail_findings_generatorId	`str`
detail_findings_awsAccountId	`str`
detail_findings_types_str	`str`		detail_findings_types
detail_findings_firstObservedAt	`timestamp`
detail_findings_lastObservedAt	`timestamp`
detail_findings_createdAt	`timestamp`
detail_findings_updatedAt	`timestamp`
detail_findings_severity_product	`int4`
detail_findings_severity_normalized	`int4`
detail_findings_description	`str`
detail_findings_remediation_recommendation_text	`str`
detail_findings_productFields_standardsGuideArn	`str`
detail_findings_productFields_standardsGuideSubscriptionArn	`str`
detail_findings_productFields_ruleId	`str`
detail_findings_productFields_recommendationUrl	`str`
detail_findings_productFields_relatedAWSResources_0_name	`str`
detail_findings_productFields_relatedAWSResources_0_type	`str`
detail_findings_productFields_recordState	`str`
detail_findings_productFields_aws_securityhub_findingId	`str`
detail_findings_productFields_aws_securityhub_severityLabel	`str`
detail_findings_productFields_aws_securityhub_productName	`str`
detail_findings_productFields_aws_securityhub_companyName	`str`
detail_findings_resources_type	`str`
detail_findings_resources_id	`str`
detail_findings_resources_partition	`str`
detail_findings_resources_region	`str`
detail_findings_resources_details_other_path	`str`
detail_findings_resources_details_other_userName	`str`
detail_findings_resources_details_other_userId	`str`
detail_findings_resources_details_other_arn	`str`
detail_findings_resources_details_other_createDate	`timestamp`
detail_findings_recordState	`str`
detail_findings_workflowState	`str`
detail_findings_approximateArrivalTimestamp	`timestamp`		detail_findings_approximateArrivalTimestamp_float
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓

cloud.aws.guardduty.findings

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
ACCID_TAG	`str`	ACCID
REGION_TAG	`str`	REGION
schemaVersion	`str`
accountId	`str`
region	`str`
partition	`str`
id	`str`
arn	`str`
type	`str`
resource_resourceType	`str`
resource_accessKeyDetails_accessKeyId	`str`
resource_accessKeyDetails_principalId	`str`
resource_accessKeyDetails_userType	`str`
resource_accessKeyDetails_userName	`str`
resource_instanceDetails_instanceId	`str`
resource_instanceDetails_instanceType	`str`
resource_instanceDetails_launchTime	`timestamp`
resource_instanceDetails_platform	`str`
resource_instanceDetails_productCodes	`str`
resource_instanceDetails_iamInstanceProfile_arn	`str`
resource_instanceDetails_iamInstanceProfile_id	`str`
resource_instanceDetails_networkInterfaces_networkInterfaceId_str	`str`	resource_instanceDetails_networkInterfaces_networkInterfaceId
resource_instanceDetails_networkInterfaces_privateIpAddresses_str	`str`	resource_instanceDetails_networkInterfaces_privateIpAddresses
resource_instanceDetails_networkInterfaces_subnetId_str	`str`	resource_instanceDetails_networkInterfaces_subnetId
resource_instanceDetails_networkInterfaces_vpcId_str	`str`	resource_instanceDetails_networkInterfaces_vpcId
resource_instanceDetails_networkInterfaces_privateDnsName_str	`str`	resource_instanceDetails_networkInterfaces_privateDnsName
resource_instanceDetails_networkInterfaces_securityGroups_str	`str`	resource_instanceDetails_networkInterfaces_securityGroups
resource_instanceDetails_networkInterfaces_publicIp_str	`str`	resource_instanceDetails_networkInterfaces_publicIp
resource_instanceDetails_networkInterfaces_ipv6Addresses_str	`str`	resource_instanceDetails_networkInterfaces_ipv6Addresses
resource_instanceDetails_networkInterfaces_publicDnsName_str	`str`	resource_instanceDetails_networkInterfaces_publicDnsName
resource_instanceDetails_networkInterfaces_privateIpAddress_str	`str`	resource_instanceDetails_networkInterfaces_privateIpAddress
resource_instanceDetails_tags_value_str	`str`	resource_instanceDetails_tags_value
resource_instanceDetails_tags_key_str	`str`	resource_instanceDetails_tags_key
resource_instanceDetails_instanceState	`str`
resource_instanceDetails_availabilityZone	`str`
resource_instanceDetails_imageId	`str`
resource_instanceDetails_imageDescription	`str`
resource_s3BucketDetails_str	`str`	resource_s3BucketDetails
resource_instanceDetails_outpostArn	`str`
service_serviceName	`str`
service_detectorId	`str`
service_action_actionType	`str`
service_action_awsApiCallAction_api	`str`
service_action_awsApiCallAction_serviceName	`str`
service_action_awsApiCallAction_callerType	`str`
service_action_awsApiCallAction_remoteIpDetails_ipAddressV4	`ip4`
service_action_awsApiCallAction_remoteIpDetails_organization_asn	`str`
service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg	`str`
service_action_awsApiCallAction_remoteIpDetails_organization_isp	`str`
service_action_awsApiCallAction_remoteIpDetails_organization_org	`str`
service_action_awsApiCallAction_remoteIpDetails_country_countryName	`str`
service_action_awsApiCallAction_remoteIpDetails_city_cityName	`str`
service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat	`float8`
service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon	`float8`
service_action_awsApiCallAction_affectedResources	`str`
service_action_dnsRequestAction_domain	`str`
service_action_dnsRequestAction_protocol	`str`
service_action_dnsRequestAction_blocked	`bool`
service_action_networkConnectionAction_blocked	`bool`
service_action_networkConnectionAction_connectionDirection	`str`
service_action_networkConnectionAction_localPortDetails_port	`int8`
service_action_networkConnectionAction_localPortDetails_portName	`str`
service_action_networkConnectionAction_protocol	`str`
service_action_networkConnectionAction_localIpDetails_ipAddressV4	`ip4`
service_action_networkConnectionAction_remoteIpDetails_city_cityName	`str`
service_action_networkConnectionAction_remoteIpDetails_country_countryCode	`str`
service_action_networkConnectionAction_remoteIpDetails_country_countryName	`str`
service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat	`float8`
service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon	`float8`
service_action_networkConnectionAction_remoteIpDetails_ipAddressV4	`ip4`
service_action_networkConnectionAction_remoteIpDetails_organization_asn	`str`
service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg	`str`
service_action_networkConnectionAction_remoteIpDetails_organization_isp	`str`
service_action_networkConnectionAction_remoteIpDetails_organization_org	`str`
service_action_networkConnectionAction_remotePortDetails_port	`int8`
service_action_networkConnectionAction_remotePortDetails_portName	`str`
service_action_portProbeAction_portProbeDetails_localPortDetails_str	`str`	service_action_portProbeAction_portProbeDetails_localPortDetails
service_action_portProbeAction_portProbeDetails_localPortDetails_port_str	`str`	service_action_portProbeAction_portProbeDetails_localPortDetails_port
service_action_portProbeAction_portProbeDetails_localPortDetails_portName_str	`str`	service_action_portProbeAction_portProbeDetails_localPortDetails_portName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails
service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_city
service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_country
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode
service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat
service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon
service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4
service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp
service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org_str	`str`	service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org
service_action_portProbeAction_portProbeDetails_localIpDetails_str	`str`	service_action_portProbeAction_portProbeDetails_localIpDetails
service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4_str	`str`	service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4
service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6_str	`str`	service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6
service_action_portProbeAction_blocked	`bool`
service_resourceRole	`str`
service_additionalInfo_recentApiCalls_api_str	`str`	service_additionalInfo_recentApiCalls_api
service_additionalInfo_recentApiCalls_count_str	`str`	service_additionalInfo_recentApiCalls_count
service_additionalInfo_threatName	`str`
service_additionalInfo_threatListName	`str`
service_evidence_threatIntelligenceDetails_threatNames_str	`str`	service_evidence_threatIntelligenceDetails_threatNames
service_evidence_threatIntelligenceDetails_threatListName_str	`str`	service_evidence_threatIntelligenceDetails_threatListName
service_eventFirstSeen	`timestamp`
service_eventLastSeen	`timestamp`
service_archived	`bool`
service_count	`int4`
service_userFeedback	`str`
severity	`int4`
confidence	`float8`
createdAt	`timestamp`
updatedAt	`timestamp`
title	`str`
description	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓