valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7e742cc049
SigmaHQ/tools/config/ecs-cloudtrail.yml

61 lines
2.7 KiB
YAML
Raw Blame History

title: Elastic Common Schema And Elastic Exported Fields Mapping For AWS CloudTrail Logs
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
fieldmappings:
additionalEventdata: aws.cloudtrail.additional_eventdata
apiVersion: aws.cloudtrail.api_version
awsRegion: cloud.region
errorCode: aws.cloudtrail.error_code
errorMessage: aws.cloudtrail.error_message
eventID: event.id
eventName: event.action
eventSource: event.provider
eventTime: '@timestamp'
eventType: aws.cloudtrail.event_type
eventVersion: aws.cloudtrail.event_version
managementEvent: aws.cloudtrail.management_event
readOnly: aws.cloudtrail.read_only
requestID: aws.cloudtrail.request_id
requestParameters: aws.cloudtrail.request_parameters
resources.accountId: aws.cloudtrail.resources.account_id
resources.ARN: aws.cloudtrail.resources.arn
resources.type: aws.cloudtrail.resources.type
responseElements: aws.cloudtrail.response_elements
serviceEventDetails: aws.cloudtrail.service_event_details
sharedEventId: aws.cloudtrail.shared_event_id
sourceIPAddress: source.address
userAgent: user_agent
userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
userIdentity.accountId: cloud.account.id
userIdentity.arn: aws.cloudtrail.user_identity.arn
userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
userIdentity.principalId: user.id
userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
userIdentity.type: aws.cloudtrail.user_identity.type
userIdentity.userName: user.name
vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
overrides:
- field: event.outcome
value: failure
regexes:
- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
- (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
- (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))
- field: event.outcome
value: success
literals:
- 'NOT (event.outcome:failure)'
Reference in New Issue View Git Blame Copy Permalink