Cloudtrail ECS

	A	B	C	D	E	F	G
1	This reference table is part of the 3CORESec ECS-Cloudtrail project: https://github.com/3CORESec/ECS-CloudTrail
2	Source	Source Field or Pattern	ECS Field	EXPORTED FIELDS - AWS	Category	Comment	Available in Sigma
3	CloudTrail	awsRegion	cloud.region		ECS - Cloud Fields		YES (ecs-cloutrail.yml)
4	CloudTrail	eventID	event.id		ECS - Event Fields		YES (ecs-cloutrail.yml)
5	CloudTrail	eventName	event.action		ECS - Event Fields		YES (ecs-cloutrail.yml)
6	CloudTrail	eventSource	event.provider		ECS - Event Fields		YES (ecs-cloutrail.yml)
7	CloudTrail	eventTime	@timestamp		ECS - Base Fields		YES (ecs-cloutrail.yml)
8	CloudTrail	eventType		aws.cloudtrail.event_type	AWS - session_context		YES (ecs-cloutrail.yml)
9	CloudTrail	recipientAccountId		aws.cloudtrail.recipient_account_id	AWS - resources		YES (ecs-cloutrail.yml)
10	CloudTrail	requestID		aws.cloudtrail.request_id	AWS - session_context		YES (ecs-cloutrail.yml)
11	CloudTrail	requestParameters		aws.cloudtrail.request_parameters	AWS - session_context		YES (ecs-cloutrail.yml)
12	CloudTrail	responseElements		aws.cloudtrail.response_elements	AWS - session_context		YES (ecs-cloutrail.yml)
13	CloudTrail	sourceIPAddress	source.address		ECS - Source Fields		YES (ecs-cloutrail.yml)
14	CloudTrail	sourceIPAddress	source.geo		ECS - Geo Fields		YES (ecs-cloutrail.yml)
15	CloudTrail	userIdentity.accessKeyId		aws.cloudtrail.user_identity.access_key_id	AWS - user_identity		YES (ecs-cloutrail.yml)
16	CloudTrail	userIdentity.accountId	cloud.account.id		ECS - Cloud Fields		YES (ecs-cloutrail.yml)
17	CloudTrail	userIdentity.arn		aws.cloudtrail.user_identity.arn	AWS - user_identity		YES (ecs-cloutrail.yml)
18	CloudTrail	userIdentity.invokedBy		aws.cloudtrail.user_identity.invoked_by	AWS - session_context		YES (ecs-cloutrail.yml)
19	CloudTrail	userIdentity.principalId	user.id		ECS - User Fields		YES (ecs-cloutrail.yml)
20	CloudTrail	userIdentity.sessionContext.attributes.creationDate		aws.cloudtrail.user_identity.session_context.creation_date	AWS - session_context		YES (ecs-cloutrail.yml)
21	CloudTrail	userIdentity.sessionContext.attributes.mfaAuthenticated		aws.cloudtrail.user_identity.session_context.mfa_authenticated	AWS - session_context		YES (ecs-cloutrail.yml)
22	CloudTrail	userAgent	user_agent.original		ECS - User agent Fields		YES (ecs-cloutrail.yml)
23	CloudTrail	vpcEndpointId		aws.cloudtrail.vpc_endpoint_id	AWS - resources		YES (ecs-cloutrail.yml)
24	CloudTrail	errorMessage		aws.cloudtrail.error_message	AWS - session_context		YES (ecs-cloutrail.yml)
25	CloudTrail	eventVersion		aws.cloudtrail.event_version	AWS - cloudtrail		YES (ecs-cloutrail.yml)
26	CloudTrail	sharedEventId		aws.cloudtrail.shared_event_id	AWS - resources		YES (ecs-cloutrail.yml)
27	CloudTrail	userIdentity.type		aws.cloudtrail.user_identity.type	AWS - user_identity		YES (ecs-cloutrail.yml)
28	CloudTrail	userIdentity.userName	user.name		ECS - User Fields		YES (ecs-cloutrail.yml)
29	CloudTrail	apiVersion		aws.cloudtrail.api_version	AWS - session_context		YES (ecs-cloutrail.yml)
30	CloudTrail	managementEvent		aws.cloudtrail.management_event	AWS - session_context		YES (ecs-cloutrail.yml)
31	CloudTrail	readOnly		aws.cloudtrail.read_only	AWS - session_context		YES (ecs-cloutrail.yml)
32	CloudTrail	resources.ARN		aws.cloudtrail.resources.arn	AWS - resources		YES (ecs-cloutrail.yml)
33	CloudTrail	resources.accountId		aws.cloudtrail.resources.account_id	AWS - resources		YES (ecs-cloutrail.yml)
34	CloudTrail	resources.type		aws.cloudtrail.resources.type	AWS - resources		YES (ecs-cloutrail.yml)
35	CloudTrail	errorCode			AWS - session_context		YES (ecs-cloutrail.yml)
36	CloudTrail	additionalEventdata		aws.cloudtrail.additional_eventdata	AWS - session_context		YES (ecs-cloutrail.yml)
37	CloudTrail	serviceEventDetails		aws.cloudtrail.service_event_details	AWS - resources		YES (ecs-cloutrail.yml)
38	CloudTrail	message	event.original		ECS - Event Fields		YES (ecs-cloutrail.yml)
39	CloudTrail	event (processor set = static content)	event.kind		ECS - Event Fields		YES (ecs-cloutrail.yml)
40	CloudTrail	aws (processor set = static content)	cloud.provider		ECS - Cloud Fields		YES (ecs-cloutrail.yml)
41	CloudTrail	info (processor set = static content)	event.type		ECS - Event Fields		YES (ecs-cloutrail.yml)
42	CloudTrail	authentication (script if event.action=consoleLogin)	event.category		ECS - Event Fields		YES (ecs-cloutrail.yml)
43	CloudTrail	script: authentication/failure or value from (aws.cloudtrail.response_elements)	event.outcome		ECS - Event Fields		YES (ecs-cloutrail.yml)
44	VPC Flow Logs	%{aws.vpcflow.version}		aws.vpcflow.version	AWS - vpcflow	Direct transform to exported field from dissect expression	Not currently in Sigma
45	VPC Flow Logs	%{cloud.account}	cloud.account.id	aws.vpcflow.account_id (for reference, not used)	ECS - Cloud Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
46	VPC Flow Logs	%{interface.id}	interface.id	aws.vpcflow.interface_id (for reference, not used)	ECS - Interface Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
47	VPC Flow Logs	%{source.address}	source.address	aws.vpcflow.pkt_srcaddr (for reference, not used)	ECS - Source Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
48	VPC Flow Logs	source.address	source.geo	aws.vpcflow.pkt_srcaddr (for reference, not used)	ECS - Source Fields	Direct transform to ECS	Not currently in Sigma
49	VPC Flow Logs	%{destination.address}	destination.address	aws.vpcflow.pkt_dstaddr (for reference, not used)	ECS - Destination Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
50	VPC Flow Logs	destination.address	destination.geo	aws.vpcflow.pkt_dstaddr (for reference, not used)	ECS - Destination Fields	Direct transform to ECS	Not currently in Sigma
51	VPC Flow Logs	%{source.port}	source.port		ECS - Source Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
52	VPC Flow Logs	%{destination.port}	destination.port		ECS - Destination Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
53	VPC Flow Logs	%{network.iana_number}	network.iana_number	aws.vpcflow.type (for reference, not used)	ECS - Network Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
54	VPC Flow Logs	%{network.packets}	network.packets		ECS - Network Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
55	VPC Flow Logs	%{network.bytes}	network.bytes		ECS - Network Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
56	VPC Flow Logs	%{aws.vpcflow.start}	event.start		ECS - Event Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
57	VPC Flow Logs	%{aws.vpcflow.end}	event.end		ECS - Event Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
58	VPC Flow Logs	%{aws.vpcflow.end}	@timestamp		ECS - Base Fields	Direct transform to exported field from dissect expression	Not currently in Sigma
59	VPC Flow Logs	%{aws.vpcflow.action}		aws.vpcflow.action	AWS - vpcflow	Direct transform to exported field from dissect expression	Not currently in Sigma
60	VPC Flow Logs	%{aws.vpcflow.log_status}		aws.vpcflow.log_status	AWS - vpcflow	Direct transform to exported field from dissect expression	Not currently in Sigma
61	VPC Flow Logs	aws (processor set = static content)	cloud.provider		ECS - Cloud Fields	Direct transform to ECS	Not currently in Sigma
62	VPC Flow Logs	event (processor set = static content)	event.kind		ECS - Event Fields	Direct transform to ECS	Not currently in Sigma
63	AWS Transfer						Sigma mapping not planned
64	AWS Transfer						Sigma mapping not planned
65	AWS Transfer						Sigma mapping not planned
66	AWS Transfer						Sigma mapping not planned
67	AWS Transfer						Sigma mapping not planned
68	AWS Transfer						Sigma mapping not planned
69	AWS Transfer						Sigma mapping not planned
70	⚠️ AWS EC2 (LOCALHOST) LOGS NOT INCLUDED AS THIS PIPELINE IS MEANT TO BE EXECUTED FROM ELASTICSEARCH AND NOT EC2 ⚠️						Sigma mapping not planned
71	⚠️ AWS ELB ACCESS LOGS NOT INCLUDED AS LOGS ARE REQUIRED TO BE STORED IN S3 BUCKET AND NOT DISPATCHED TO CLOUDWATCH (cannot be picked up by Functionbeat) ⚠️						Sigma mapping not planned
72	⚠️ AWS S3 SERVER ACCESS LOGS NOT INCLUDED AS LOGS ARE REQUIRED TO BE STORED IN S3 BUCKET AND NOT DISPATCHED TO CLOUDWATCH (cannot be picked up by Functionbeat) ⚠️						Sigma mapping not planned
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100