better description and event.outcome

2024-11-07 09:48:58 +00:00 · 2020-04-29 23:59:26 +01:00 · 2020-04-29 23:59:26 +01:00 · dfdb5b9550
commit dfdb5b9550
parent ac4a2b1f26
1 changed files with 3 additions and 3 deletions
--- a/tools/config/ecs-cloudtrail.yml
+++ b/tools/config/ecs-cloudtrail.yml
@ -1,4 +1,4 @@
-title: Elastic Common Schema mapping for cloudtrail logs
+title: Elastic Common Schema and Elastic Exported Fields mapping for AWS CloudTrail logs
 order: 20
 backends:
  - es-qs
@ -43,7 +43,7 @@ fieldmappings:
  userIdentity.userName: user.name
  vpcEndpointId: aws.cloudtrail.vpc_endpoint_id 
 overrides:
-  - field: event_outcome
+  - field: event.outcome
    value: failure
    regexes: 
      - (\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\))
@ -53,4 +53,4 @@ overrides:
      - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\))
      - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\))
      - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\))
-      - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))
+      - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))