Merge remote-tracking branch 'origin/datasource_enrichment' into datasource_enrichment

Author: delgado-jacob

data_sources/asl_aws_cloudtrail.yml

@@ -25,7 +25,6 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/1876
   version: 7.9.1
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_assumerolewithsaml.yml

@@ -133,7 +133,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri
   "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
   "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_consolelogin.yml

@@ -109,7 +109,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_copyobject.yml

@@ -125,7 +125,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
   "eventCategory": "Data"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createaccesskey.yml

@@ -109,7 +109,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "121521347698"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createkey.yml

@@ -156,7 +156,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
   "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createloginprofile.yml

@@ -108,7 +108,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createnetworkaclentry.yml

@@ -127,7 +127,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall",
   "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createpolicyversion.yml

@@ -112,7 +112,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createsnapshot.yml

@@ -124,7 +124,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createtask.yml

@@ -127,7 +127,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"},
   "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_createvirtualmfadevice.yml

@@ -106,7 +106,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deactivatemfadevice.yml

@@ -106,7 +106,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletealarms.yml

@@ -147,7 +147,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletedetector.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletegroup.yml

@@ -108,7 +108,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
   "Management", "recipientAccountId": "121522247101"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deleteipset.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deleteloggroup.yml

@@ -106,7 +106,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite":
   "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletelogstream.yml

@@ -107,7 +107,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletenetworkaclentry.yml

@@ -115,7 +115,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall",
   "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletepolicy.yml

@@ -106,7 +106,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall",
   "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deleterule.yml

@@ -108,7 +108,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletesnapshot.yml

@@ -151,7 +151,6 @@ example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "
   "managementEvent": true, "recipientAccountId": "11111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletetrail.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletevirtualmfadevice.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_deletewebacl.yml

@@ -106,7 +106,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_describeeventaggregates.yml

@@ -101,7 +101,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_describeimagescanfindings.yml

@@ -900,7 +900,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml

@@ -103,7 +103,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_getobject.yml

@@ -118,7 +118,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "eventCategory": "Data", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite":
   "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "security-content.s3.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_getpassworddata.yml

@@ -119,7 +119,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_jobcreated.yml

@@ -87,7 +87,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "1111111111
   "status": "New", "jobEventId": "4e70d2f1053c07a79d9be9a14e486020", "failureCodes":
   [], "statusChangeReason": []}, "eventCategory": "Management"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_modifydbinstance.yml

@@ -198,7 +198,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_modifyimageattribute.yml

@@ -112,7 +112,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_modifysnapshotattribute.yml

@@ -104,7 +104,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_putbucketacl.yml

@@ -120,7 +120,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "ARN": "arn:aws:s3:::patricktestbucket19"}], "eventType": "AwsApiCall", "managementEvent":
   true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_putbucketlifecycle.yml

@@ -124,7 +124,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_putbucketreplication.yml

@@ -144,7 +144,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_putbucketversioning.yml

@@ -132,7 +132,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_putimage.yml

@@ -155,8 +155,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111",
   "eventCategory": "Management"}'
 output_fields:
-- action
-- dest
 - user
 - user_agent
 - src

data_sources/aws_cloudtrail_putkeypolicy.yml

@@ -134,7 +134,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
   "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_replacenetworkaclentry.yml

@@ -121,7 +121,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall",
   "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_setdefaultpolicyversion.yml

@@ -103,7 +103,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_stoplogging.yml

@@ -98,7 +98,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml

@@ -110,7 +110,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
   "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_updateloginprofile.yml

@@ -100,7 +100,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
   "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_updatesamlprovider.yml

@@ -191,7 +191,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
   "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent

data_sources/aws_cloudtrail_updatetrail.yml

@@ -111,7 +111,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent