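---
# Data source definition for AWS CloudTrail "UpdateTrail" events.
# Values that look like numbers/dates but are identifiers (the date, the
# add-on version) are quoted so every YAML parser reads them as strings.
name: AWS CloudTrail UpdateTrail
id: d5b7a1eb-711a-4c96-aa93-235fe3c8a939
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail UpdateTrail
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# presumably the field whose value tells this data source apart from other
# aws:cloudtrail events (eventName=UpdateTrail) — verify against the consumer
separator: eventName

# Add-on that produces this sourcetype. The version is a dotted string, not a
# number; unquoted it matches the YAML 1.1 float pattern on strict parsers.
supported_TA:
  - name: Splunk Add-on for AWS
    url: https://splunkbase.splunk.com/app/1876
    version: '7.7.1'

# Field names available on the indexed event: Splunk metadata (_time, index,
# host, ...), raw CloudTrail keys (eventName, userIdentity.*, ...) and the
# normalized aliases (src_ip, user_arn, ...). Order is as listed upstream.
fields:
  - _time
  - app
  - awsRegion
  - aws_account_id
  - command
  - date_hour
  - date_mday
  - date_minute
  - date_month
  - date_second
  - date_wday
  - date_year
  - date_zone
  - dest
  - dvc
  - errorCode
  - eventCategory
  - eventID
  - eventName
  - eventSource
  - eventTime
  - eventType
  - eventVersion
  - host
  - index
  - linecount
  - managementEvent
  - msg
  - object_category
  - product
  - punct
  - readOnly
  - recipientAccountId
  - region
  - requestID
  - requestParameters.includeGlobalServiceEvents
  - requestParameters.isMultiRegionTrail
  - requestParameters.name
  - responseElements.includeGlobalServiceEvents
  - responseElements.isMultiRegionTrail
  - responseElements.isOrganizationTrail
  - responseElements.logFileValidationEnabled
  - responseElements.name
  - responseElements.s3BucketName
  - responseElements.trailARN
  - signature
  - source
  - sourceIPAddress
  - sourcetype
  - splunk_server
  - src
  - src_ip
  - start_time
  - timeendpos
  - timestartpos
  - tlsDetails.cipherSuite
  - tlsDetails.clientProvidedHostHeader
  - tlsDetails.tlsVersion
  - user
  - userAgent
  - userIdentity.accessKeyId
  - userIdentity.accountId
  - userIdentity.arn
  - userIdentity.principalId
  - userIdentity.type
  - userIdentity.userName
  - userName
  - user_access_key
  - user_agent
  - user_arn
  - user_group_id
  - user_id
  - user_name
  - user_type
  - vendor
  - vendor_account
  - vendor_product
  - vendor_region

# One raw CloudTrail record (JSON) for this event. Written as a folded block
# scalar so each line break becomes a single space; the resulting string is
# the same single-line JSON document as before. In this sample the trail is
# updated to multi-region with global service events enabled; detections
# usually watch UpdateTrail because the same call can also narrow coverage.
# The account id is the masked value 111111111111, but the accessKeyId and
# sourceIPAddress are carried verbatim — NOTE(review): confirm they are
# sanitized sample values.
example_log: >-
  {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU",
  "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111",
  "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"},
  "eventTime": "2022-07-19T08:42:26Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185",
  "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/cloudtrail.update-trail",
  "requestParameters": {"name": "Regulatory", "includeGlobalServiceEvents": true, "isMultiRegionTrail": true},
  "responseElements": {"name": "Regulatory", "s3BucketName": "s3-for-cloudtrail-logs111",
  "includeGlobalServiceEvents": true, "isMultiRegionTrail": true,
  "trailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/Regulatory",
  "logFileValidationEnabled": false, "isOrganizationTrail": false},
  "requestID": "0da61466-5bba-43f9-b7e1-27437de120b2", "eventID": "ce02af60-f29e-4bc2-8b29-31c12f408fed",
  "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true,
  "recipientAccountId": "111111111111", "eventCategory": "Management",
  "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
  "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}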