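# Field definitions under the `action.*` namespace.
# Each top-level key is a field path; the nested mapping gives its name,
# description and storage type. The indentation was flattened on this page,
# which leaves `name`/`description`/`type` as duplicate top-level keys, so it
# is restored here.
# Several entries carry the same descriptions as the `aws.cloudtrail.*`
# entries later in this file.
action.target:
  name: action.target
  description: "The target of the action"
  type: keyword

# NOTE(review): instance user data can contain bootstrap scripts and embedded
# credentials. CloudTrail is expected to redact this value; confirm on real
# events before treating the indexed field as non-sensitive.
action.properties.requestParameters.userData:
  name: action.properties.requestParameters.userData
  description: "The userData parameters sent with the request"
  type: keyword

# Boolean, so detection rules can match on true/false directly.
action.properties.responseElements.publiclyAccessible:
  name: action.properties.responseElements.publiclyAccessible
  description: "Whether the requested resource was public"
  type: boolean

# NOTE(review): the description says this holds the new master password.
# Verify that only a masked placeholder is ingested; if a cleartext value can
# ever arrive, handle the field as a secret (restricted access, excluded from
# exports and alert bodies).
action.properties.responseElements.pendingModifiedValues.masterUserPassword:
  name: action.properties.responseElements.pendingModifiedValues.masterUserPassword
  description: "The new master password for the RDS instance"
  type: keyword

action.properties.errorCode:
  name: action.properties.errorCode
  description: "The code of the error associated to the request"
  type: keyword

action.properties.errorMessage:
  name: action.properties.errorMessage
  description: "The message of the error associated to the request"
  type: keyword

action.properties.recipientAccountId:
  name: action.properties.recipientAccountId
  description: "The account ID that received the event"
  type: keyword

# Structured (non-scalar) fields: `object` and `list` rather than `keyword`.
action.properties.userIdentity:
  name: action.properties.userIdentity
  description: "Information about the user that made the request"
  type: object

action.properties.resources:
  name: action.properties.resources
  description: "A list of resources accessed in the event"
  type: list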
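# CloudTrail request/response fields.
# The indentation was flattened on this page; each field path is restored as a
# top-level key with its attributes nested beneath it.

# The two `flattened` fields hold the whole requestParameters /
# responseElements structure as a single keyword value.
# NOTE(review): anything sensitive inside those structures is therefore also
# present here; apply the same handling as for the individual fields below.
aws.cloudtrail.flattened.response_elements:
  name: aws.cloudtrail.flattened.response_elements
  description: "The flattened version of the field responseElements"
  type: keyword

aws.cloudtrail.flattened.request_parameters:
  name: aws.cloudtrail.flattened.request_parameters
  description: "The flattened version of the field requestParameters"
  type: keyword

# NOTE(review): instance user data can contain bootstrap scripts and embedded
# credentials. CloudTrail is expected to redact this value; confirm on real
# events before treating the indexed field as non-sensitive.
aws.cloudtrail.request_parameters.userData:
  name: aws.cloudtrail.request_parameters.userData
  description: "The userData parameters sent with the request"
  type: keyword

aws.cloudtrail.request_parameters.userName:
  name: aws.cloudtrail.request_parameters.userName
  description: "The name of the user sent in the request"
  type: keyword

# Boolean, so detection rules can match on true/false directly.
aws.cloudtrail.response_elements.publiclyAccessible:
  name: aws.cloudtrail.response_elements.publiclyAccessible
  description: "Whether the requested resource was public"
  type: boolean

# NOTE(review): the description says this holds the new master password.
# Verify that only a masked placeholder is ingested; if a cleartext value can
# ever arrive, handle the field as a secret (restricted access, excluded from
# exports and alert bodies).
aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword:
  name: aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword
  description: "The new master password for the RDS instance"
  type: keyword

# User returned in the response, as opposed to the caller recorded under
# `user_identity`.
aws.cloudtrail.response_elements.user.userName:
  name: aws.cloudtrail.response_elements.user.userName
  description: "The name of the user in the response"
  type: keyword

aws.cloudtrail.response_elements.user.arn:
  name: aws.cloudtrail.response_elements.user.arn
  description: "The arn of the user in the response"
  type: keyword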
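# Account and caller-identity fields.
# The indentation was flattened on this page; attributes are restored beneath
# each field path, and `observable` is restored as a nested mapping with its
# own name/type/property (otherwise those keys would collide with the field's
# own `name` and `type`).

# NOTE(review): this maps an AWS account ID to a `user-account` observable with
# property `account_login`, the same mapping used for the caller ARN below.
# Confirm that treating an account ID as a login is intended, since it can mix
# account-level and principal-level pivots.
aws.cloudtrail.recipient_account_id:
  name: aws.cloudtrail.recipient_account_id
  description: "The account ID that received the event"
  type: keyword
  observable:
    name: Recipient account ID
    type: user-account
    property: account_login

# The access key ID is an identifier, not the secret key; it is the natural
# pivot for grouping all activity performed with one credential.
aws.cloudtrail.user_identity.accessKeyId:
  name: aws.cloudtrail.user_identity.accessKeyId
  description: "The identifier of the access key used"
  type: keyword

aws.cloudtrail.user_identity.accountId:
  name: aws.cloudtrail.user_identity.accountId
  description: "The identifier of the account that sent the request"
  type: keyword

# Caller ARN, exposed as a `user-account` observable.
aws.cloudtrail.user_identity.arn:
  name: aws.cloudtrail.user_identity.arn
  description: "The ARN of the principal that sent the request"
  type: keyword
  observable:
    name: User ARN
    type: user-account
    property: account_login

aws.cloudtrail.user_identity.principalId:
  name: aws.cloudtrail.user_identity.principalId
  description: "The identifier of the principal that sent the request"
  type: keyword

# Stored as `object`, so sub-keys are not individually declared in this file.
aws.cloudtrail.user_identity.sessionContext:
  name: aws.cloudtrail.user_identity.sessionContext
  description: "provides information about the session"
  type: object

aws.cloudtrail.user_identity.type:
  name: aws.cloudtrail.user_identity.type
  description: "The type of the identity"
  type: keyword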
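# Resource, event-version and insight fields.
# The indentation was flattened on this page; attributes are restored beneath
# each field path.
aws.cloudtrail.resources:
  name: aws.cloudtrail.resources
  description: "A list of resources accessed in the event"
  type: list

# Stored as keyword, so the version is kept as an exact string rather than
# being interpreted as a number.
aws.cloudtrail.event_version:
  name: aws.cloudtrail.event_version
  description: "The version of the event"
  type: keyword

# Insight details: state, type and context, all stored as keywords.
aws.cloudtrail.insight_details.state:
  name: aws.cloudtrail.insight_details.state
  description: "The status of the insight"
  type: keyword

aws.cloudtrail.insight_details.type:
  name: aws.cloudtrail.insight_details.type
  description: "The type of the insight"
  type: keyword

aws.cloudtrail.insight_details.context:
  name: aws.cloudtrail.insight_details.context
  description: "The context of the insight"
  type: keyword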