SigmaHQ/tools/config/ala-azure-aws_cloudtrail.yml

title: AWS CloudTrail Logs mapping for Azure Log Analytics
order: 20
backends:
  - ala
  - ala-rule
fieldmappings:
  additionalEventdata: AdditionalEventData
  apiVersion: APIVersion
  awsRegion: AWSRegion
  errorCode: ErrorCode
  errorMessage: ErrorMessage
  eventID: AwsEventId
  eventName: EventName
  eventSource: EventSource
  eventTime: TimeGenerated
  eventType: EventTypeName
  eventVersion: EventVersion
  managementEvent: ManagementEvent
  readOnly: ReadOnly
  recipientAccountId: RecipientAccountId
  requestID: AwsRequestId_
  requestParameters: RequestParameters
  responseElements: ResponseElements
  serviceEventDetails: ServiceEventDetails
  sourceIPAddress: SourceIpAddress
  userAgent: UserAgent
  userIdentity.accessKeyId: UserIdentityAccessKeyId
  userIdentity.accountId: UserIdentityAccountId
  userIdentity.arn: UserIdentityArn
  userIdentity.invokedBy: UserIdentityInvokedBy
  userIdentity.principalId: UserIdentityPrincipalid
  userIdentity.sessionContext.attributes.creationDate: SessionCreationDate
  userIdentity.sessionContext.attributes.mfaAuthenticated: SessionMfaAuthenticated
  userIdentity.sessionContext.sessionIssuer.userName: SessionIssuerUserName
  userIdentity.sessionContext.sessionIssuer.type: SessionIssuerType
  userIdentity.sessionContext.sessionIssuer.principalId: SessionIssuerPrincipalId
  userIdentity.sessionContext.sessionIssuer.arn: SessionIssuerArn
  userIdentity.sessionContext.sessionIssuer.accountId: SessionIssuerAccountId
  userIdentity.type: UserIdentityType
  userIdentity.userName: UserIdentityUserName
  vpcEndpointId: VpcEndpointId
overrides:
  - field: ErrorCode
    value: 999999
    regexes:
      - (ErrorCode contains \'\')
Create ala-azure-aws_cloudtrail.yml AWS CloudTrail Logs mapping for Azure Log Analytics 2021-07-15 16:51:41 +00:00			`title: AWS CloudTrail Logs mapping for Azure Log Analytics`
			`order: 20`
			`backends:`
			`- ala`
			`- ala-rule`
			`fieldmappings:`
			`additionalEventdata: AdditionalEventData`
			`apiVersion: APIVersion`
			`awsRegion: AWSRegion`
			`errorCode: ErrorCode`
			`errorMessage: ErrorMessage`
			`eventID: AwsEventId`
			`eventName: EventName`
			`eventSource: EventSource`
			`eventTime: TimeGenerated`
			`eventType: EventTypeName`
			`eventVersion: EventVersion`
			`managementEvent: ManagementEvent`
			`readOnly: ReadOnly`
			`recipientAccountId: RecipientAccountId`
			`requestID: AwsRequestId_`
			`requestParameters: RequestParameters`
			`responseElements: ResponseElements`
			`serviceEventDetails: ServiceEventDetails`
			`sourceIPAddress: SourceIpAddress`
			`userAgent: UserAgent`
			`userIdentity.accessKeyId: UserIdentityAccessKeyId`
			`userIdentity.accountId: UserIdentityAccountId`
			`userIdentity.arn: UserIdentityArn`
			`userIdentity.invokedBy: UserIdentityInvokedBy`
			`userIdentity.principalId: UserIdentityPrincipalid`
			`userIdentity.sessionContext.attributes.creationDate: SessionCreationDate`
			`userIdentity.sessionContext.attributes.mfaAuthenticated: SessionMfaAuthenticated`
			`userIdentity.sessionContext.sessionIssuer.userName: SessionIssuerUserName`
			`userIdentity.sessionContext.sessionIssuer.type: SessionIssuerType`
			`userIdentity.sessionContext.sessionIssuer.principalId: SessionIssuerPrincipalId`
			`userIdentity.sessionContext.sessionIssuer.arn: SessionIssuerArn`
			`userIdentity.sessionContext.sessionIssuer.accountId: SessionIssuerAccountId`
			`userIdentity.type: UserIdentityType`
			`userIdentity.userName: UserIdentityUserName`
			`vpcEndpointId: VpcEndpointId`
			`overrides:`
			`- field: ErrorCode`
			`value: 999999`
			`regexes:`
			`- (ErrorCode contains \'\')`