...
Field | Description |
---|---|
DATE | eventTime - Extracted date from eventTime in YYYY-MM-DD format. This is the date the request was completed. |
TIME | eventTime - Extracted time from eventTime in HH:MM:SS format. This is the time the request was completed. |
SYSTEM | eventSource - The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com For example: AWS CloudFormation is cloudformation.amazonaws.com, Amazon EC2 is ec2.amazonaws.com, Amazon Simple Workflow Service is swf.amazonaws.com |
TABLE | AWSCloudTrailLog |
COLLECTIONDATETIME | Snare Central’s local date and time of the actual log collection from AWS Kinesis Data Stream in RFC3339Nano format |
CWLDATETIME | AWS CloudWatch Log’s timestamp when it receives the event log from other AWS services in RFC3339Nano format |
DATETIME | eventTime - The timestamp of the actual event log in RFC3339Nano format |
AWSREGION | awsRegion - The AWS region that the request was made to e.g. us-east-2 |
EVENTCATEGORY | eventCategory - Shows the event category that is used in LookupEvents calls. For management events the value is Management, for data events it is Data and for Insights events it is Insight. |
EVENTID | eventID - GUID generated by CloudTrail to uniquely identify each event. |
EVENTNAME | eventName - The requested action in the API for that service. |
EVENTTYPE | eventType - Identifies the type of event that generated the event record. Values include AwsApiCall (an API was called), AwsServiceEvent (the service generated the event, for example on a cross-account action), AwsConsoleAction, AwsConsoleSignIn (a console sign-in) and AwsCloudTrailInsight (an Insights event). |
RECIPIENTACCOUNTID | recipientAccountId - The account ID that received this event. It may differ from the accountId inside the userIdentity element; this occurs with cross-account resource access, where the caller's identity lives in one account and the resource in another. |
REQUESTID | requestID - The value that identifies the request. The service being called generates this value. |
REQUESTPARAMETERS | requestParameters - The parameters, if any, that were sent with the request. This field has a maximum size of 100 KB; content exceeding that limit is truncated. |
RESPONSEELEMENTS | responseElements - The response element for actions that make changes e.g. create, update, or delete actions. If an action does not change state e.g. request to get or list objects, this element is omitted. This field has a maximum size of 100 KB; content exceeding that limit is truncated. |
SRCADDR | sourceIPAddress - The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed. |
USERAGENT | userAgent - The agent through which the request was made. This field has a maximum size of 1 KB; content exceeding that limit is truncated. |
USERACCESSKEYID | accessKeyId - The access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials. |
USERAID | accountId - The account that owns the entity that granted permissions for the request. If the request was made with temporary security credentials, this is the account that owns the IAM user or role used to obtain credentials. |
USERARN | arn - The Amazon Resource Name (ARN) of the principal that made the call. |
USERNAME | userName - The friendly name of the identity that made the call. |
USERPID | principalId - A unique identifier for the entity that made the call. For requests made with temporary security credentials, this value includes the session name that is passed to the AssumeRole, AssumeRoleWithWebIdentity, or GetFederationToken API call. |
USERTYPE | type - The type of the identity. |
SNAREDATAMAP | All fields in the log that are not classified above are pushed into SNAREDATAMAP. |
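
The following is an added example, not Snare Central's own parser, showing how one raw CloudTrail record maps onto the field names in the table: DATE and TIME are split out of eventTime, the three timestamps are rendered in RFC3339Nano form, userIdentity sub-keys become the USER* fields, and anything the table does not classify lands in SNAREDATAMAP. The sample record is constructed; the flat layout of SNAREDATAMAP and the `userIdentity.` prefix on its unclassified sub-keys are assumptions, as are the JSON serialisation of REQUESTPARAMETERS/RESPONSEELEMENTS and the helper names.

```python
"""Map one raw CloudTrail JSON record onto the AWSCloudTrailLog field set.
Added example; not Snare Central code. Field names are from the table above,
the sample record is constructed, and the SNAREDATAMAP layout is an assumption."""
import json
from datetime import datetime, timezone
from typing import Optional

TABLE_NAME = "AWSCloudTrailLog"

# Top-level CloudTrail keys -> Snare field names (from the table)
TOP_LEVEL_MAP = {
    "eventSource": "SYSTEM", "awsRegion": "AWSREGION", "eventCategory": "EVENTCATEGORY",
    "eventID": "EVENTID", "eventName": "EVENTNAME", "eventType": "EVENTTYPE",
    "recipientAccountId": "RECIPIENTACCOUNTID", "requestID": "REQUESTID",
    "requestParameters": "REQUESTPARAMETERS", "responseElements": "RESPONSEELEMENTS",
    "sourceIPAddress": "SRCADDR", "userAgent": "USERAGENT",
}
# userIdentity sub-keys -> Snare field names (from the table)
USER_IDENTITY_MAP = {
    "accessKeyId": "USERACCESSKEYID", "accountId": "USERAID", "arn": "USERARN",
    "userName": "USERNAME", "principalId": "USERPID", "type": "USERTYPE",
}


def rfc3339nano(dt: datetime) -> str:
    """Render a datetime like Go's time.RFC3339Nano in UTC: fractional seconds with
    trailing zeros trimmed, no fraction at all when it is zero. Python datetimes only
    carry microseconds, so the last three nanosecond digits are always zero."""
    dt = dt.astimezone(timezone.utc)
    frac = f"{dt.microsecond * 1000:09d}".rstrip("0")
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{frac}Z" if frac else f"{base}Z"


def map_record(record: dict, collected_at: datetime, cwl_timestamp_ms: int) -> dict:
    """collected_at: when the record was read from Kinesis (COLLECTIONDATETIME).
    cwl_timestamp_ms: CloudWatch Logs event timestamp, epoch milliseconds (CWLDATETIME).
    dict/list values are serialised to compact JSON strings (assumption)."""
    event_time = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    event_time = event_time.replace(tzinfo=timezone.utc)
    # Integer split avoids float rounding of the millisecond part.
    cwl_time = datetime.fromtimestamp(cwl_timestamp_ms // 1000, tz=timezone.utc)
    cwl_time = cwl_time.replace(microsecond=(cwl_timestamp_ms % 1000) * 1000)
    fields = {
        "TABLE": TABLE_NAME,
        "DATE": event_time.strftime("%Y-%m-%d"),
        "TIME": event_time.strftime("%H:%M:%S"),
        "DATETIME": rfc3339nano(event_time),
        "COLLECTIONDATETIME": rfc3339nano(collected_at),
        "CWLDATETIME": rfc3339nano(cwl_time),
        "SNAREDATAMAP": {},
    }
    for key, value in record.items():
        if key in ("eventTime", "userIdentity"):
            continue  # handled separately above / below
        target = TOP_LEVEL_MAP.get(key)
        if target is None:
            fields["SNAREDATAMAP"][key] = value  # unclassified top-level key
        elif isinstance(value, (dict, list)):
            fields[target] = json.dumps(value, separators=(",", ":"))
        else:
            fields[target] = value
    for key, value in record.get("userIdentity", {}).items():
        target = USER_IDENTITY_MAP.get(key)
        if target is None:
            fields["SNAREDATAMAP"]["userIdentity." + key] = value  # assumed prefix
        else:
            fields[target] = value
    return fields


def session_name(fields: dict) -> Optional[str]:
    """With temporary credentials USERPID is '<role id>:<session name>' (USERPID row);
    return the session name, or None for a long-lived identity."""
    pid = fields.get("USERPID") or ""
    return pid.split(":", 1)[1] if ":" in pid else None


def is_cross_account(fields: dict) -> bool:
    """The receiving account differs from the caller's account (RECIPIENTACCOUNTID row)."""
    return fields.get("RECIPIENTACCOUNTID") != fields.get("USERAID")


# Constructed sample: an assumed role in account 111122223333 changing a bucket
# policy on a resource owned by 444455556666 (cross-account).
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:deploy-session",
                     "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy-session",
                     "accountId": "111122223333", "accessKeyId": "ASIAEXAMPLEKEY",
                     "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}}},
    "eventTime": "2024-03-05T14:07:09Z", "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketPolicy", "awsRegion": "us-east-2",
    "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
    "requestParameters": {"bucketName": "shared-artifacts"}, "responseElements": None,
    "requestID": "REQ123EXAMPLE", "eventID": "4f6b2c1e-0000-4000-8000-000000000001",
    "eventType": "AwsApiCall", "eventCategory": "Management",
    "recipientAccountId": "444455556666", "managementEvent": True,
}


def build_sample() -> dict:
    """Map SAMPLE_RECORD with a constructed collection time and CloudWatch timestamp."""
    collected_at = datetime(2024, 3, 5, 14, 7, 10, 500000, tzinfo=timezone.utc)
    return map_record(SAMPLE_RECORD, collected_at, 1709647629123)


if __name__ == "__main__":
    mapped = build_sample()
    print(json.dumps(mapped, indent=2))
    print("session:", session_name(mapped), "cross-account:", is_cross_account(mapped))
```

For the constructed record, eventVersion and managementEvent fall into SNAREDATAMAP, as does the userIdentity.sessionContext block that the table does not classify, while the AssumeRole session name is recoverable from USERPID and the RECIPIENTACCOUNTID/USERAID mismatch flags the cross-account access the table describes.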
Notes
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
...