AWS CloudTrail

The cloudtrail log type monitors events from AWS CloudTrail. OpenSearch can ingest AWS CloudTrail log data from both Amazon Simple Storage Service (Amazon S3) and Amazon Security Lake accounts.

The following code snippet contains all of the raw_field, ecs, and ocsf mappings for this log type. Each entry maps one raw CloudTrail field name (raw_field) to the corresponding ecs and ocsf field names:

  1. "mappings": [
  2. {
  3. "raw_field":"eventName",
  4. "ecs":"aws.cloudtrail.event_name",
  5. "ocsf": "api.operation"
  6. },
  7. {
  8. "raw_field":"eventSource",
  9. "ecs":"aws.cloudtrail.event_source",
  10. "ocsf": "api.service.name"
  11. },
  12. {
  13. "raw_field":"eventVersion",
  14. "ecs":"aws.cloudtrail.event_version",
  15. "ocsf": "metadata.product.version"
  16. },
  17. {
  18. "raw_field":"eventID",
  19. "ecs":"aws.cloudtrail.event_id",
  20. "ocsf": "metadata.uid"
  21. },
  22. {
  23. "raw_field":"eventType",
  24. "ecs":"aws.cloudtrail.event_type",
  25. "ocsf": "unmapped.eventType"
  26. },
  27. {
  28. "raw_field":"eventCategory",
  29. "ecs":"aws.cloudtrail.event_category",
  30. "ocsf": "metadata.product.feature.name"
  31. },
  32. {
  33. "raw_field":"errorMessage",
  34. "ecs":"aws.cloudtrail.error_message",
  35. "ocsf": "api.response.message"
  36. },
  37. {
  38. "raw_field":"errorCode",
  39. "ecs":"aws.cloudtrail.error_code",
  40. "ocsf": "api.response.error"
  41. },
  42. {
  43. "raw_field":"apiVersion",
  44. "ecs":"aws.cloudtrail.api_version",
  45. "ocsf": "api.version"
  46. },
  47. {
  48. "raw_field":"awsRegion",
  49. "ecs":"aws.cloudtrail.aws_region",
  50. "ocsf": "cloud.region"
  51. },
  52. {
  53. "raw_field":"additionalEventData.LoginTo",
  54. "ecs":"aws.cloudtrail.additional_event_data.loginTo",
  55. "ocsf": "dst_endpoint.svc_name"
  56. },
  57. {
  58. "raw_field":"additionalEventData.MFAUsed",
  59. "ecs":"aws.cloudtrail.additional_event_data.mfaUsed",
  60. "ocsf": "mfa"
  61. },
  62. {
  63. "raw_field":"responseElements",
  64. "ecs":"aws.cloudtrail.response_elements.text",
  65. "ocsf": "unmapped.responseElements"
  66. },
  67. {
  68. "raw_field":"requestID",
  69. "ecs":"aws.cloudtrail.request_id",
  70. "ocsf": "api.request.uid"
  71. },
  72. {
  73. "raw_field":"sourceIPAddress",
  74. "ecs":"aws.cloudtrail.source_ip_address",
  75. "ocsf": "src_endpoint.ip"
  76. },
  77. {
  78. "raw_field":"userAgent",
  79. "ecs":"aws.cloudtrail.user_agent",
  80. "ocsf": "http_request.user_agent"
  81. },
  82. {
  83. "raw_field":"vpcEndpointId",
  84. "ecs":"aws.cloudtrail.vpc_endpoint_id",
  85. "ocsf": "src_endpoint.uid"
  86. },
  87. {
  88. "raw_field":"responseElements.pendingModifiedValues.masterUserPassword",
  89. "ecs":"aws.cloudtrail.response_elements.pending_modified_values.master_user_password",
  90. "ocsf": "unmapped.responseElements.pendingModifiedValues.masterUserPassword"
  91. },
  92. {
  93. "raw_field":"responseElements.publiclyAccessible",
  94. "ecs":"aws.cloudtrail.response_elements.publicly_accessible",
  95. "ocsf": "unmapped.responseElements.publiclyAccessible"
  96. },
  97. {
  98. "raw_field":"responseElements.ConsoleLogin",
  99. "ecs":"aws.cloudtrail.response_elements.publicly_accessible",
  100. "ocsf": "status_id"
  101. },
  102. {
  103. "raw_field":"requestParameters.arn",
  104. "ecs":"aws.cloudtrail.request_parameters.arn",
  105. "ocsf": "unmapped.requestParameters.arn"
  106. },
  107. {
  108. "raw_field":"requestParameters.attribute",
  109. "ecs":"aws.cloudtrail.request_parameters.attribute",
  110. "ocsf": "unmapped.requestParameters.attribute"
  111. },
  112. {
  113. "raw_field":"requestParameters.userName",
  114. "ecs":"aws.cloudtrail.request_parameters.username",
  115. "ocsf": "unmapped.requestParameters.userName"
  116. },
  117. {
  118. "raw_field":"requestParameters.roleArn",
  119. "ecs":"aws.cloudtrail.request_parameters.roleArn",
  120. "ocsf": "user.uuid"
  121. },
  122. {
  123. "raw_field":"requestParameters.roleSessionName",
  124. "ecs":"aws.cloudtrail.request_parameters.roleSessionName",
  125. "ocsf": "user.name"
  126. },
  127. {
  128. "raw_field":"requestParameters.containerDefinitions.command",
  129. "ecs":"aws.cloudtrail.request_parameters.container_definitions.command",
  130. "ocsf": "unmapped.requestParameters.containerDefinitions.command"
  131. },
  132. {
  133. "raw_field":"userIdentity.type",
  134. "ecs":"aws.cloudtrail.user_identity.type",
  135. "ocsf": "actor.user.type"
  136. },
  137. {
  138. "raw_field":"userIdentity.principalId",
  139. "ecs":"aws.cloudtrail.user_identity.principalId",
  140. "ocsf": "actor.user.uid"
  141. },
  142. {
  143. "raw_field":"userIdentity.arn",
  144. "ecs":"aws.cloudtrail.user_identity.arn",
  145. "ocsf": "actor.user.uuid"
  146. },
  147. {
  148. "raw_field":"userIdentity.accountId",
  149. "ecs":"aws.cloudtrail.user_identity.accountId",
  150. "ocsf": "actor.user.account_uid"
  151. },
  152. {
  153. "raw_field":"userIdentity.accessKeyId",
  154. "ecs":"aws.cloudtrail.user_identity.accessKeyId",
  155. "ocsf": "actor.user.credential_uid"
  156. },
  157. {
  158. "raw_field":"userIdentity.identityProvider",
  159. "ecs":"aws.cloudtrail.user_identity.identityProvider",
  160. "ocsf": "actor.idp.name"
  161. },
  162. {
  163. "raw_field":"userIdentity.userName",
  164. "ecs":"aws.cloudtrail.user_identity.userName",
  165. "ocsf": "actor.user.name"
  166. },
  167. {
  168. "raw_field":"userIdentity.invokedBy",
  169. "ecs":"aws.cloudtrail.user_identity.invokedBy",
  170. "ocsf": "actor.invoked_by"
  171. },
  172. {
  173. "raw_field":"userIdentity.sessionContext.sessionIssuer.type",
  174. "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.type",
  175. "ocsf": "unmapped.userIdentity.sessionContext.sessionIssuer.type"
  176. },
  177. {
  178. "raw_field":"userIdentity.sessionContext.sessionIssuer.arn",
  179. "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.arn",
  180. "ocsf": "actor.session.issuer"
  181. },
  182. {
  183. "raw_field":"userIdentity.sessionContext.attributes.creationDate",
  184. "ecs":"aws.cloudtrail.user_identity.session_context.attributes.creationDate",
  185. "ocsf": "actor.session.created_time"
  186. },
  187. {
  188. "raw_field":"userIdentity.sessionContext.attributes.mfaAuthenticated",
  189. "ecs":"aws.cloudtrail.user_identity.session_context.attributes.mfaAuthenticated",
  190. "ocsf": "actor.session.mfa"
  191. },
  192. {
  193. "raw_field":"userIdentity.webIdFederationData.federatedProvider",
  194. "ecs":"aws.cloudtrail.user_identity.web_id_federation_data.federatedProvider",
  195. "ocsf": "actor.idp.name"
  196. },
  197. {
  198. "raw_field":"resources[].ARN",
  199. "ecs":"aws.cloudtrail.resources.ARN",
  200. "ocsf": "resources[].uid"
  201. },
  202. {
  203. "raw_field":"resources[].accountId",
  204. "ecs":"aws.cloudtrail.resources.account_uid",
  205. "ocsf": "resources[].account_uid"
  206. },
  207. {
  208. "raw_field":"resources[].type",
  209. "ecs":"aws.cloudtrail.resources.type",
  210. "ocsf": "resources[].type"
  211. },
  212. {
  213. "raw_field":"eventTime",
  214. "ecs":"timestamp",
  215. "ocsf": "time"
  216. }
  217. ]