Cloud AWS
Version 1.1
Please check back often. New fields are added to accommodate vendor changes.
Field Name | Data Type | Length |
cloud.account.id | text | 32 |
cloud.instance.name | text | 32 |
cloud.provider | text | 8 |
cloud.region | text | 16 |
cloud.service.name | text | 16 |
destination.as.organization.name | text | 128 |
destination.geo.city_name | text | 32 |
destination.geo.continent_code | text | 6 |
destination.geo.country_code | text | 6 |
destination.geo.country_name | text | 32 |
destination.geo.location.lat | geopoint | |
destination.geo.location.lon | geopoint | |
destination.geo.region_name | text | 64 |
event.action | text | 16 |
event.category | text | 64 |
event.created | date | |
event.dataset | text | 32 |
event.id | text | 64 |
event.kind | text | 8 |
event.module | text | 16 |
event.original | | |
event.outcome | text | 16 |
event.severity | text | 16 |
event.type | text | 32 |
organisation.id | text | 8 |
sensor.id | text | 10 |
source.as.number | text | 16 |
source.as.organization.name | text | 128 |
source.geo.city_name | text | 32 |
source.geo.continent_code | text | 6 |
source.geo.country_code | text | 6 |
source.geo.country_name | text | 32 |
source.geo.location.lat | geopoint | |
source.geo.location.lon | geopoint | |
source.geo.region_name | text | 64 |
uuid | text | 36 |
source.locality | text | 16 |
destination.locality | text | 16 |
network.community.id | text | 128 |
source.ip | ip | |
destination.domain | text | 128 |
source.bytes | int | 64 |
destination.ip | ip | |
user_agent.name | text | 256 |
http.request.method | text | 16 |
http.version | text | 16 |
source.port | int | 8 |
tls.cipher | text | 256 |
trace.id | text | 36 |
http.response.status_code | int | 8 |
http.request.body.bytes | int | 64 |
http.response.body.bytes | int | 64 |
destination.bytes | int | 64 |
destination.port | int | 8 |
message | | |
source.address | ip | |
user.id | text | 36 |
user_agent.original | text | 265 |
user.name | text | 64 |
file.path | text | 1024 |
file.hash.sha256 | text | 64 |
group.id | text | 64 |
user.target.id | text | 64 |
user.changes.name | text | 64 |
group.name | text | 64 |
user.target.name | text | 64 |
aws.cloudtrail.error_code | text | 36 |
aws.cloudtrail.error_message | text | 512 |
aws.cloudtrail.event_type | text | 64 |
aws.cloudtrail.request_parameters.attribute | text | 64 |
aws.cloudtrail.requestParameters.containerDefinitions.command | text | 64 |
aws.cloudtrail.responseElements | text | 64 |
aws.cloudtrail.responseElements.pendingModifiedValues.masterUserPassword | text | 64 |
aws.cloudtrail.responseElements.publiclyAccessible | text | 64 |
aws.cloudtrail.resources.type | text | 64 |
aws.cloudtrail.user_identity.arn | text | 64 |
aws.cloudtrail.user_identity.session_context.session_issuer.type | text | 64 |
aws.cloudtrail.user_identity.type | text | 64 |
destination.address | ip | |
host.id | text | 36 |
cloud.machine.type | text | 64 |
host.type | text | 64 |
network.direction | text | 16 |
network.transport | text | 8 |
rule.name | text | 128 |
rule.category | text | 64 |
rule.ruleset | text | 128 |
user.roles | text | 128 |
dns.question.name | text | 128 |
network.protocol | text | 8 |
url.query | text | 1024 |
url.path | text | 1024 |
rule.id | text | 36 |
aws.waf.terminating_rule_match_details | text | 128 |
aws.waf.source.name | text | 128 |
related.user | text | 128 |
related.hash | text | 128 |
related.ip | text | 128 |
related.hosts | text | 128 |
agent.type | text | 32 |
log.type | text | 32 |
observer.type | text | 32 |
threatintel.days | int | 16 |
threatintel.event_data | text | 512 |
threatintel.malware.malware | text | 512 |
threatintel.malware.timestamp | date/time | |
threatintel.tags | text | 256 |
threatintel.white_list | text | 32 |
threatintel.severity | text | 16 |