# Cloud AWS

Version 1.1

Please check back often. New fields are added to accommodate vendor changes.

| **Field Name**                                                           | **Data Type** | **Length** |
| ------------------------------------------------------------------------ | ------------- | ---------- |
| cloud.account.id                                                         | text          | 32         |
| cloud.instance.name                                                      | text          | 32         |
| cloud.provider                                                           | text          | 8          |
| cloud.region                                                             | text          | 16         |
| cloud.service.name                                                       | text          | 16         |
| destination.as.organization.name                                         | text          | 128        |
| destination.geo.city\_name                                               | text          | 32         |
| destination.geo.continent\_code                                          | text          | 6          |
| destination.geo.country\_code                                            | text          | 6          |
| destination.geo.country\_name                                            | text          | 32         |
| destination.geo.location.lat                                             | geopoint      |            |
| destination.geo.location.lon                                             | geopoint      |            |
| destination.geo.region\_name                                             | text          | 64         |
| event.action                                                             | text          | 16         |
| event.category                                                           | text          | 64         |
| event.created                                                            | date          |            |
| event.dataset                                                            | text          | 32         |
| event.id                                                                 | text          | 64         |
| event.kind                                                               | text          | 8          |
| event.module                                                             | text          | 16         |
| event.original                                                           |               |            |
| event.outcome                                                            | text          | 16         |
| event.severity                                                           | text          | 16         |
| event.type                                                               | text          | 32         |
| organisation.id                                                          | text          | 8          |
| sensor.id                                                                | text          | 10         |
| source.as.number                                                         | text          | 16         |
| source.as.organization.name                                              | text          | 128        |
| source.geo.city\_name                                                    | text          | 32         |
| source.geo.continent\_code                                               | text          | 6          |
| source.geo.country\_code                                                 | text          | 6          |
| source.geo.country\_name                                                 | text          | 32         |
| source.geo.location.lat                                                  | geopoint      |            |
| source.geo.location.lon                                                  | geopoint      |            |
| source.geo.region\_name                                                  | text          | 64         |
| uuid                                                                     | text          | 36         |
| source.locality                                                          | text          | 16         |
| destination.locality                                                     | text          | 16         |
| network.community.id                                                     | text          | 128        |
| source.ip                                                                | ip            |            |
| destination.domain                                                       | text          | 128        |
| source.bytes                                                             | int           | 64         |
| destination.ip                                                           | ip            |            |
| user\_agent.name                                                         | text          | 256        |
| http.request.method                                                      | text          | 16         |
| http.version                                                             | text          | 16         |
| source.port                                                              | int           | 8          |
| tls.cipher                                                               | text          | 256        |
| trace.id                                                                 | text          | 36         |
| http.response.status\_code                                               | int           | 8          |
| http.request.body.bytes                                                  | int           | 64         |
| http.response.body.bytes                                                 | int           | 64         |
| destination.bytes                                                        | int           | 64         |
| destination.port                                                         | int           | 8          |
| message                                                                  |               |            |
| source.address                                                           | ip            |            |
| user.id                                                                  | text          | 36         |
| user\_agent.original                                                     | text          | 265        |
| user.name                                                                | text          | 64         |
| file.path                                                                | text          | 1024       |
| file.hash.sha256                                                         | text          | 64         |
| group.id                                                                 | text          | 64         |
| user.target.id                                                           | text          | 64         |
| user.changes.name                                                        | text          | 64         |
| group.name                                                               | text          | 64         |
| user.target.name                                                         | text          | 64         |
| aws.cloudtrail.error\_code                                               | text          | 36         |
| aws.cloudtrail.error\_message                                            | text          | 512        |
| aws.cloudtrail.event\_type                                               | text          | 64         |
| aws.cloudtrail.request\_parameters.attribute                             | text          | 64         |
| aws.cloudtrail.requestParameters.containerDefinitions.command            | text          | 64         |
| aws.cloudtrail.responseElements                                          | text          | 64         |
| aws.cloudtrail.responseElements.pendingModifiedValues.masterUserPassword | text          | 64         |
| aws.cloudtrail.responseElements.publiclyAccessible                       | text          | 64         |
| aws.cloudtrail.resources.type                                            | text          | 64         |
| aws.cloudtrail.user\_identity.arn                                        | text          | 64         |
| aws.cloudtrail.user\_identity.session\_context.session\_issuer.type      | text          | 64         |
| aws.cloudtrail.user\_identity.type                                       | text          | 64         |
| destination.address                                                      | ip            |            |
| host.id                                                                  | text          | 36         |
| cloud.machine.type                                                       | text          | 64         |
| host.type                                                                | text          | 64         |
| network.direction                                                        | text          | 16         |
| network.transport                                                        | text          | 8          |
| rule.name                                                                | text          | 128        |
| rule.category                                                            | text          | 64         |
| rule.ruleset                                                             | text          | 128        |
| user.roles                                                               | text          | 128        |
| dns.question.name                                                        | text          | 128        |
| network.protocol                                                         | text          | 8          |
| url.query                                                                | text          | 1024       |
| url.path                                                                 | text          | 1024       |
| rule.id                                                                  | text          | 36         |
| aws.waf.terminating\_rule\_match\_details                                | text          | 128        |
| aws.waf.source.name                                                      | text          | 128        |
| related.user                                                             | text          | 128        |
| related.hash                                                             | text          | 128        |
| related.ip                                                               | text          | 128        |
| related.hosts                                                            | text          | 128        |
| agent.type                                                               | text          | 32         |
| log.type                                                                 | text          | 32         |
| observer.type                                                            | text          | 32         |
| threatintel.days                                                         | int           | 16         |
| threatintel.event\_data                                                  | text          | 512        |
| threatintel.malware.malware                                              | text          | 512        |
| threatintel.malware.timestamp                                            | date/time     |            |
| threatintel.tags                                                         | text          | 256        |
| threatintel.white\_list                                                  | text          | 32         |
| threatintel.severity                                                     | text          | 16         |
