
Commit a7f5db9

author
Patrick Bareiss
committed
Merge branch 'develop' into output_normalization_endpoint
2 parents 1c9debe + 6c82ebb commit a7f5db9


231 files changed

+2610
-1376
lines changed



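--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -11,3 +11,12 @@ supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
 version: 7.9.1
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product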

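--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -124,3 +124,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri
 "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
 "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
 "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product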

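--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco
 "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
 "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
 "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product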

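--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -117,3 +117,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}],
 "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
 "eventCategory": "Data"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product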

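--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -101,3 +101,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType":
 "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
 "121521347698"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product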

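--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -148,3 +148,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}],
 "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
 "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product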

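--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType":
 "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
 "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product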

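--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -119,3 +119,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID":
 "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product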

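--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -104,3 +104,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType":
 "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
 "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product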

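--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -116,3 +116,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product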

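--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -119,3 +119,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"},
 "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product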

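--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -97,4 +97,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
 "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}},
 "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
-"1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+"140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product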
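Review bot: The new recipientAccountId value on line 100 of the example_log, `"140429656527"`, no longer matches the account embedded in the serialNumber ARN on line 97 (`1111111111111111`) and, unlike the `111111111111` placeholder used in the other data-source examples in this commit, reads as a non-synthetic account ID. Sample logs shipped in a public detection repository should use one clearly synthetic account consistently, so the example stays self-consistent and no real tenant identifier is exposed; I would change the line to `"111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'`. If this value was deliberately taken from a captured event, a note in the file saying it has been sanitized would settle it. The example_log string begins above the hunk, so the rest of the record is not visible here.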

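--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
 null, "requestID": "d27cfb15-34b4-4c16-82bc-a55d15b4e47d", "eventID": "bfe9fd91-0b4d-470a-9c03-77839151806d",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product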

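--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
 "requestID": "e3616938-1aac-4abd-9ea3-3b0367b85082", "eventID": "bbd8cb02-22ba-4d1b-b23d-b82975463376",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product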

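--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -139,3 +139,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "bcfccd92-5bf1-4de1-9cfd-87fdeb70e452", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
 "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product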

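--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -96,3 +96,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "requestID": "1e832076-d7a8-432b-b0df-54ba62f6b62c", "eventID": "c1367a2f-8910-4e64-9256-a854d2e9f37d",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product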

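--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 null, "requestID": "15684d3b-a8c5-4334-a996-16619e901c17", "eventID": "ab65dca3-3d28-41f4-9f99-443606cc49fe",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
 "Management", "recipientAccountId": "121522247101"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product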

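--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -97,3 +97,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "requestID": "70d36916-4ce7-4b6e-9226-9da47d58d554", "eventID": "884dc529-d98f-4529-bfa1-8cdd6c06d02f",
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product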

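--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111",
 "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite":
 "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product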

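--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -99,3 +99,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product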

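--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -108,3 +108,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "_return": true}, "requestID": "607474bb-836b-46be-be4a-351ebbef67d6", "eventID":
 "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product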

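--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "responseElements": null, "requestID": "90cbe52f-e744-4bba-9f5c-1843c9ca1855", "eventID":
 "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product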

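--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product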

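--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -143,3 +143,12 @@ example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "
 "56f61d71-6620-4958-8dbf-03410913f1cc", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "recipientAccountId": "11111111111111", "eventCategory":
 "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product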

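--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -96,3 +96,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product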

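--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
 "01f0258f-b83f-4c0f-8fd3-380473840db8", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
 "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product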

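--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId":
 "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
 "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product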

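--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -95,3 +95,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
 "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
 "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
 "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product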
