
cloud.aws.guardduty

Introduction

The tags beginning with cloud.aws.guardduty identify events generated by AWS GuardDuty.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.guardduty. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| AWS GuardDuty | cloud.aws.guardduty.events | cloud.aws.guardduty.events |
| | cloud.aws.guardduty.findings | cloud.aws.guardduty.findings |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.guardduty.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| timestamp | timestamp | | time | |
| ACCID_TAG | str | | ACCID | |
| REGION_TAG | str | | REGION | |
| detail_type | str | | | |
| detail_title | str | | | |
| detail_findings_title | str | | | |
| detail_findings_compliance_status | str | | | |
| detail_findings_remediation_recommendation_url | str | | | |
| version | str | | | |
| id | str | | | |
| source | str | | | |
| account | str | | | |
| region | str | | | |
| resources_str | str | join(resources, ',') | resources | |
| detail_schemaVersion | str | | | |
| detail_accountId | str | | | |
| detail_region | str | | | |
| detail_partition | str | | | |
| detail_id | str | | | |
| detail_arn | str | | | |
| detail_severity | int4 | | | |
| detail_createdAt | timestamp | | | |
| detail_updatedAt | timestamp | | | |
| detail_description | str | | | |
| detail_detail_type | str | | | |
| detail_resource_resourceType | str | | | |
| detail_resource_instanceDetails_instanceId | str | | | |
| detail_resource_instanceDetails_instanceType | str | | | |
| detail_resource_instanceDetails_launchTime | timestamp | | | |
| detail_resource_instanceDetails_platform | str | | | |
| productCodes_productCodeId_str | str | join(productCodes_productCodeId, ',') | productCodes_productCodeId | |
| productCodes_productCodeType_str | str | join(productCodes_productCodeType, ',') | productCodes_productCodeType | |
| detail_resource_instanceDetails_iamInstanceProfile_arn | str | | | |
| detail_resource_instanceDetails_iamInstanceProfile_id | str | | | |
| networkInterfaces_networkInterfaceId_str | str | | networkInterfaces_networkInterfaceId | |
| networkInterfaces_subnetId_str | str | | networkInterfaces_subnetId | |
| networkInterfaces_vpcId_str | str | | networkInterfaces_vpcId | |
| networkInterfaces_privateDnsName_str | str | | networkInterfaces_privateDnsName | |
| networkInterfaces_publicIp_str | str | | networkInterfaces_publicIp | |
| networkInterfaces_ipv6Addresses_str | str | | networkInterfaces_ipv6Addresses | |
| networkInterfaces_publicDnsName_str | str | | networkInterfaces_publicDnsName | |
| networkInterfaces_privateIpAddress_str | str | | networkInterfaces_privateIpAddress | |
| networkInterfaces_securityGroups_str | str | | networkInterfaces_securityGroups | |
| tags_value_str | str | | tags_value | |
| tags_key_str | str | | tags_key | |
| detail_resource_instanceDetails_instanceState | str | | | |
| detail_resource_instanceDetails_availabilityZone | str | | | |
| detail_resource_instanceDetails_imageId | str | | | |
| detail_resource_instanceDetails_imageDescription | str | | | |
| detail_service_serviceName | str | | | |
| detail_service_detectorId | str | | | |
| detail_service_action_actionType | str | | | |
| detail_service_action_dnsRequestAction_domain | str | | | |
| detail_service_action_dnsRequestAction_protocol | str | | | |
| detail_service_action_dnsRequestAction_blocked | bool | | | |
| detail_service_action_networkConnectionAction_connectionDirection | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| detail_service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_port | int8 | | | |
| detail_service_action_networkConnectionAction_remotePortDetails_portName | str | | | |
| detail_service_action_networkConnectionAction_localPortDetails_port | int8 | | | |
| detail_service_action_networkConnectionAction_localPortDetails_portName | str | | | |
| detail_service_action_networkConnectionAction_protocol | str | | | |
| detail_service_action_networkConnectionAction_blocked | bool | | | |
| detail_service_resourceRole | str | | | |
| detail_service_additionalInfo_portsScannedSample | [int8] | | | |
| detail_service_additionalInfo_portsScannedSample_str | str | | detail_service_additionalInfo_portsScannedSample | |
| detail_service_additionalInfo_threatListName | str | | | |
| detail_service_additionalInfo_sample | bool | | | |
| threatIntelligenceDetails_threatNames_str | str | | threatIntelligenceDetails_threatNames | |
| threatIntelligenceDetails_threatListName_str | str | | threatIntelligenceDetails_threatListName | |
| detail_service_eventFirstSeen | timestamp | | | |
| detail_service_eventLastSeen | timestamp | | | |
| detail_service_archived | bool | | | |
| detail_service_count | int8 | | | |
| detail_findings_schemaVersion | str | | | |
| detail_findings_id | str | | | |
| detail_findings_productArn | str | | | |
| detail_findings_generatorId | str | | | |
| detail_findings_awsAccountId | str | | | |
| detail_findings_types_str | str | | detail_findings_types | |
| detail_findings_firstObservedAt | timestamp | | | |
| detail_findings_lastObservedAt | timestamp | | | |
| detail_findings_createdAt | timestamp | | | |
| detail_findings_updatedAt | timestamp | | | |
| detail_findings_severity_product | int4 | | | |
| detail_findings_severity_normalized | int4 | | | |
| detail_findings_description | str | | | |
| detail_findings_remediation_recommendation_text | str | | | |
| detail_findings_productFields_standardsGuideArn | str | | | |
| detail_findings_productFields_standardsGuideSubscriptionArn | str | | | |
| detail_findings_productFields_ruleId | str | | | |
| detail_findings_productFields_recommendationUrl | str | | | |
| detail_findings_productFields_relatedAWSResources_0_name | str | | | |
| detail_findings_productFields_relatedAWSResources_0_type | str | | | |
| detail_findings_productFields_recordState | str | | | |
| detail_findings_productFields_aws_securityhub_findingId | str | | | |
| detail_findings_productFields_aws_securityhub_severityLabel | str | | | |
| detail_findings_productFields_aws_securityhub_productName | str | | | |
| detail_findings_productFields_aws_securityhub_companyName | str | | | |
| detail_findings_resources_type | str | | | |
| detail_findings_resources_id | str | | | |
| detail_findings_resources_partition | str | | | |
| detail_findings_resources_region | str | | | |
| detail_findings_resources_details_other_path | str | | | |
| detail_findings_resources_details_other_userName | str | | | |
| detail_findings_resources_details_other_userId | str | | | |
| detail_findings_resources_details_other_arn | str | | | |
| detail_findings_resources_details_other_createDate | timestamp | | | |
| detail_findings_recordState | str | | | |
| detail_findings_workflowState | str | | | |
| detail_findings_approximateArrivalTimestamp | timestamp | | detail_findings_approximateArrivalTimestamp_float | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

cloud.aws.guardduty.findings

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| ACCID_TAG | str | | ACCID | |
| REGION_TAG | str | | REGION | |
| schemaVersion | str | | | |
| accountId | str | | | |
| region | str | | | |
| partition | str | | | |
| id | str | | | |
| arn | str | | | |
| type | str | | | |
| resource_resourceType | str | | | |
| resource_accessKeyDetails_accessKeyId | str | | | |
| resource_accessKeyDetails_principalId | str | | | |
| resource_accessKeyDetails_userType | str | | | |
| resource_accessKeyDetails_userName | str | | | |
| resource_instanceDetails_instanceId | str | | | |
| resource_instanceDetails_instanceType | str | | | |
| resource_instanceDetails_launchTime | timestamp | | | |
| resource_instanceDetails_platform | str | | | |
| resource_instanceDetails_productCodes | str | | | |
| resource_instanceDetails_iamInstanceProfile_arn | str | | | |
| resource_instanceDetails_iamInstanceProfile_id | str | | | |
| resource_instanceDetails_networkInterfaces_networkInterfaceId_str | str | | resource_instanceDetails_networkInterfaces_networkInterfaceId | |
| resource_instanceDetails_networkInterfaces_privateIpAddresses_str | str | | resource_instanceDetails_networkInterfaces_privateIpAddresses | |
| resource_instanceDetails_networkInterfaces_subnetId_str | str | | resource_instanceDetails_networkInterfaces_subnetId | |
| resource_instanceDetails_networkInterfaces_vpcId_str | str | | resource_instanceDetails_networkInterfaces_vpcId | |
| resource_instanceDetails_networkInterfaces_privateDnsName_str | str | | resource_instanceDetails_networkInterfaces_privateDnsName | |
| resource_instanceDetails_networkInterfaces_securityGroups_str | str | | resource_instanceDetails_networkInterfaces_securityGroups | |
| resource_instanceDetails_networkInterfaces_publicIp_str | str | | resource_instanceDetails_networkInterfaces_publicIp | |
| resource_instanceDetails_networkInterfaces_ipv6Addresses_str | str | | resource_instanceDetails_networkInterfaces_ipv6Addresses | |
| resource_instanceDetails_networkInterfaces_publicDnsName_str | str | | resource_instanceDetails_networkInterfaces_publicDnsName | |
| resource_instanceDetails_networkInterfaces_privateIpAddress_str | str | | resource_instanceDetails_networkInterfaces_privateIpAddress | |
| resource_instanceDetails_tags_value_str | str | | resource_instanceDetails_tags_value | |
| resource_instanceDetails_tags_key_str | str | | resource_instanceDetails_tags_key | |
| resource_instanceDetails_instanceState | str | | | |
| resource_instanceDetails_availabilityZone | str | | | |
| resource_instanceDetails_imageId | str | | | |
| resource_instanceDetails_imageDescription | str | | | |
| resource_s3BucketDetails_str | str | | resource_s3BucketDetails | |
| resource_instanceDetails_outpostArn | str | | | |
| service_serviceName | str | | | |
| service_detectorId | str | | | |
| service_action_actionType | str | | | |
| service_action_awsApiCallAction_api | str | | | |
| service_action_awsApiCallAction_serviceName | str | | | |
| service_action_awsApiCallAction_callerType | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asn | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_asnOrg | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_isp | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_organization_org | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_country_countryName | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_city_cityName | str | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| service_action_awsApiCallAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| service_action_awsApiCallAction_affectedResources | str | | | |
| service_action_dnsRequestAction_domain | str | | | |
| service_action_dnsRequestAction_protocol | str | | | |
| service_action_dnsRequestAction_blocked | bool | | | |
| service_action_networkConnectionAction_blocked | bool | | | |
| service_action_networkConnectionAction_connectionDirection | str | | | |
| service_action_networkConnectionAction_localPortDetails_port | int8 | | | |
| service_action_networkConnectionAction_localPortDetails_portName | str | | | |
| service_action_networkConnectionAction_protocol | str | | | |
| service_action_networkConnectionAction_localIpDetails_ipAddressV4 | ip4 | | | |
| service_action_networkConnectionAction_remoteIpDetails_city_cityName | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryCode | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_country_countryName | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lat | float8 | | | |
| service_action_networkConnectionAction_remoteIpDetails_geoLocation_lon | float8 | | | |
| service_action_networkConnectionAction_remoteIpDetails_ipAddressV4 | ip4 | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asn | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_asnOrg | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_isp | str | | | |
| service_action_networkConnectionAction_remoteIpDetails_organization_org | str | | | |
| service_action_networkConnectionAction_remotePortDetails_port | int8 | | | |
| service_action_networkConnectionAction_remotePortDetails_portName | str | | | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_str | str | | service_action_portProbeAction_portProbeDetails_localPortDetails | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_port_str | str | | service_action_portProbeAction_portProbeDetails_localPortDetails_port | |
| service_action_portProbeAction_portProbeDetails_localPortDetails_portName_str | str | | service_action_portProbeAction_portProbeDetails_localPortDetails_portName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_city_cityName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryCode | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_country_countryName | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lat | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_geoLocation_lon | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_ipAddressV6 | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asn | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_asnOrg | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_isp | |
| service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org_str | str | | service_action_portProbeAction_portProbeDetails_remoteIpDetails_organization_org | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_str | str | | service_action_portProbeAction_portProbeDetails_localIpDetails | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4_str | str | | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV4 | |
| service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6_str | str | | service_action_portProbeAction_portProbeDetails_localIpDetails_ipAddressV6 | |
| service_action_portProbeAction_blocked | bool | | | |
| service_resourceRole | str | | | |
| service_additionalInfo_recentApiCalls_api_str | str | | service_additionalInfo_recentApiCalls_api | |
| service_additionalInfo_recentApiCalls_count_str | str | | service_additionalInfo_recentApiCalls_count | |
| service_additionalInfo_threatName | str | | | |
| service_additionalInfo_threatListName | str | | | |
| service_evidence_threatIntelligenceDetails_threatNames_str | str | | service_evidence_threatIntelligenceDetails_threatNames | |
| service_evidence_threatIntelligenceDetails_threatListName_str | str | | service_evidence_threatIntelligenceDetails_threatListName | |
| service_eventFirstSeen | timestamp | | | |
| service_eventLastSeen | timestamp | | | |
| service_archived | bool | | | |
| service_count | int4 | | | |
| service_userFeedback | str | | | |
| severity | int4 | | | |
| confidence | float8 | | | |
| createdAt | timestamp | | | |
| updatedAt | timestamp | | | |
| title | str | | | |
| description | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |