NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitb026dda

committed

add aws_cloudtrail for elastic esql

1 parent682f473 commitb026ddaCopy full SHA for b026dda

File tree

1 file changed

+57

-0

lines changed

uncoder-core/app/translator/mappings/platforms/elasticsearch_esql
- aws_cloudtrail.yml

1 file changed

+57

-0

lines changed

`‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎`

Lines changed: 57 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,57 @@`
	`1`	`+platform:ElasticSearch ES\|QL`
	`2`	`+source:aws_cloudtrail`
	`3`	`+log_source:`
	`4`	`+index:[logs-*]`
	`5`	`+default_log_source:`
	`6`	`+index:logs-*`
	`7`	`+field_mapping:`
	`8`	`+additionalEventdata:aws.cloudtrail.additional_eventdata`
	`9`	`+apiVersion:aws.cloudtrail.api_version`
	`10`	`+awsRegion:cloud.region`
	`11`	`+errorCode:aws.cloudtrail.error_code`
	`12`	`+errorMessage:aws.cloudtrail.error_message`
	`13`	`+eventID:event.id`
	`14`	`+eventName:event.action`
	`15`	`+eventSource:event.provider`
	`16`	`+eventTime:'@timestamp'`
	`17`	`+eventType:aws.cloudtrail.event_type`
	`18`	`+eventVersion:aws.cloudtrail.event_version`
	`19`	`+managementEvent:aws.cloudtrail.management_event`
	`20`	`+readOnly:aws.cloudtrail.read_only`
	`21`	`+requestID:aws.cloudtrail.request_id`
	`22`	`+requestParameters:aws.cloudtrail.request_parameters`
	`23`	`+resources.accountId:aws.cloudtrail.resources.account_id`
	`24`	`+resources.ARN:aws.cloudtrail.resources.arn`
	`25`	`+resources.type:aws.cloudtrail.resources.type`
	`26`	`+responseElements:aws.cloudtrail.response_elements`
	`27`	`+serviceEventDetails:aws.cloudtrail.service_event_details`
	`28`	`+sharedEventId:aws.cloudtrail.shared_event_id`
	`29`	`+sourceIPAddress:source.address`
	`30`	`+userAgent:user_agent`
	`31`	`+userIdentity.accessKeyId:aws.cloudtrail.user_identity.access_key_id`
	`32`	`+userIdentity.accountId:cloud.account.id`
	`33`	`+userIdentity.arn:aws.cloudtrail.user_identity.arn`
	`34`	`+userIdentity.invokedBy:aws.cloudtrail.user_identity.invoked_by`
	`35`	`+userIdentity.principalId:user.id`
	`36`	`+userIdentity.sessionContext.attributes.creationDate:aws.cloudtrail.user_identity.session_context.creation_date`
	`37`	`+userIdentity.sessionContext.attributes.mfaAuthenticated:aws.cloudtrail.user_identity.session_context.mfa_authenticated`
	`38`	`+userIdentity.sessionContext.sessionIssuer.userName:role.name`
	`39`	`+userIdentity.type:aws.cloudtrail.user_identity.type`
	`40`	`+userIdentity.userName:user.name`
	`41`	`+vpcEndpointId:aws.cloudtrail.vpc_endpoint_id`
	`42`	`+overrides:`
	`43`	`+ -field:event.outcome`
	`44`	`+value:failure`
	`45`	`+regexes:`
	`46`	`+ -(\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))`
	`47`	`+ -(\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))`
	`48`	`+ -(\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))`
	`49`	`+ -(\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))`
	`50`	`+ -(\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))`
	`51`	`+ -(\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))`
	`52`	`+ -(\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_message.keyword:\*\)\))`
	`53`	`+ -(\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_code.keyword:\*\)\))`
	`54`	`+ -field:event.outcome`
	`55`	`+value:success`
	`56`	`+literals:`
	`57`	`+ -'NOT (event.outcome:failure)'`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb026dda

File tree

1 file changed

1 file changed

`‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎`

0 commit comments