cloud.aws.guardduty

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.guardduty. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
AWS GuardDuty	`cloud.aws.guardduty.events`	`cloud.aws.guardduty.events`
AWS GuardDuty	`cloud.aws.guardduty.findings`	`cloud.aws.guardduty.findings`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.guardduty.events
cloud.aws.guardduty.findings

cloud.aws.guardduty.events

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name
eventdate	`timestamp`
timestamp	`timestamp`		time
ACCID_TAG	`str`		ACCID
REGION_TAG	`str`		REGION
detail_type	`str`
detail_title	`str`
detail_findings_title	`str`
detail_findings_compliance_status	`str`
detail_findings_remediation_recommendation_url	`str`
version	`str`
id	`str`
source	`str`
account	`str`
region	`str`
resources_str	`str`	`join(resources, ',')`	resources
detail_schemaVersion	`str`
detail_accountId	`str`
detail_region	`str`
detail_partition	`str`
detail_id	`str`
detail_arn	`str`
detail_severity	`int4`
detail_createdAt	`timestamp`
detail_updatedAt	`timestamp`
detail_description	`str`
detail_detail_type	`str`
detail_resource_resourceType	`str`
detail_resource_instanceDetails_instanceId	`str`
detail_resource_instanceDetails_instanceType	`str`
detail_resource_instanceDetails_launchTime	`timestamp`
detail_resource_instanceDetails_platform	`str`
productCodes_productCodeId_str	`str`	`join(productCodes_productCodeId, ',')`	productCodes_productCodeId
productCodes_productCodeType_str	`str`	`join(productCodes_productCodeType, ',')`	productCodes_productCodeType
detail_resource_instanceDetails_iamInstanceProfile_arn	`str`
detail_resource_instanceDetails_iamInstanceProfile_id	`str`
networkInterfaces_networkInterfaceId_str	`str`	`join(networkInterfaces_networkInterfaceId, ',')`	networkInterfaces_networkInterfaceId
networkInterfaces_subnetId_str	`str`	`join(networkInterfaces_subnetId, ',')`	networkInterfaces_subnetId
networkInterfaces_vpcId_str	`str`	`join(networkInterfaces_vpcId, ',')`	networkInterfaces_vpcId
networkInterfaces_privateDnsName_str	`str`	`join(networkInterfaces_privateDnsName, ',')`	networkInterfaces_privateDnsName
networkInterfaces_publicIp_str	`str`	`join(networkInterfaces_publicIp, ',')`	networkInterfaces_publicIp
networkInterfaces_ipv6Addresses_str	`str`	`join(networkInterfaces_ipv6Addresses, ',')`	networkInterfaces_ipv6Addresses
networkInterfaces_publicDnsName_str	`str`	`join(networkInterfaces_publicDnsName, ',')`	networkInterfaces_publicDnsName
networkInterfaces_privateIpAddress_str	`str`	`join(networkInterfaces_privateIpAddress, ',')`	networkInterfaces_privateIpAddress
networkInterfaces_securityGroups_str	`str`	`join(networkInterfaces_securityGroups, ',')`	networkInterfaces_securityGroups
tags_value_str	`str`	`join(tags_value, ',')`	tags_value
tags_key_str	`str`	`join(tags_key, ',')`	tags_key
detail_resource_instanceDetails_instanceState	`str`
detail_resource_instanceDetails_availabilityZone	`str`
detail_resource_instanceDetails_imageId	`str`
detail_resource_instanceDetails_imageDescription	`str`
detail_service_serviceName	`str`
detail_service_detectorId	`str`
detail_service_action_actionType	`str`
detail_service_action_dnsRequestAction_domain	`str`
detail_service_action_dnsRequestAction_protocol	`str`
detail_service_action_dnsRequestAction_blocked	`bool`
detail_service_action_networkConnectionAction_connectionDirection	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4	`ip4`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_organization_org	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName	`str`
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat	`float8`
detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon	`float8`
detail_service_action_networkConnectionAction_remotePortDetails_port	`int8`
detail_service_action_networkConnectionAction_remotePortDetails_portName	`str`
detail_service_action_networkConnectionAction_localPortDetails_port	`int8`
detail_service_action_networkConnectionAction_localPortDetails_portName	`str`
detail_service_action_networkConnectionAction_protocol	`str`
detail_service_action_networkConnectionAction_blocked	`bool`
detail_service_resourceRole	`str`
detail_service_additionalInfo_portsScannedSample	`[int8]`
detail_service_additionalInfo_portsScannedSample_str	`str`	`replace(replace(stringify(json(detail_service_additionalInfo_portsScannedSample)), "[", ""), "]", "")`	detail_service_additionalInfo_portsScannedSample
detail_service_additionalInfo_threatListName	`str`
detail_service_additionalInfo_sample	`bool`
threatIntelligenceDetails_threatNames_str	`str`	`join(threatIntelligenceDetails_threatNames, ',')`	threatIntelligenceDetails_threatNames
threatIntelligenceDetails_threatListName_str	`str`	`join(threatIntelligenceDetails_threatListName, ',')`	threatIntelligenceDetails_threatListName
detail_service_eventFirstSeen	`timestamp`
detail_service_eventLastSeen	`timestamp`
detail_service_archived	`bool`
detail_service_count	`int8`
detail_findings_schemaVersion	`str`
detail_findings_id	`str`
detail_findings_productArn	`str`
detail_findings_generatorId	`str`