Supported Log Types

Back To README | READMEに戻る

securitylake ocsf-json vpcflowlogs cloudtrail networkfirewall guardduty inspector securityhub nlb alb clb s3accesslog config-history config-snapshot config-rules cloudfront-realtime cloudfront-standard waf route53resolver clientvpn rds-postgresql rds-mysql-audit rds-mysql-general rds-mysql-error rds-mysql-slowquery elasticache-redis-slowlog msk cloudhsm opensearch-audit workspaces-event workspaces-inventory trustedadvisor directory-service fsx-win windows-event linux-secure linux-os-syslog apache-access apache-error nginx-access nginx-error index-metrics
index_name SCRIPT() SCRIPT() ”log-aws-vpcflowlogs” ”log-aws-cloudtrail” ”log-aws-networkfirewall” ”log-aws-guardduty” ”log-aws-inspector” ”log-aws-securityhub” ”log-aws-elb” ”log-aws-elb” ”log-aws-elb” ”log-aws-s3accesslog” ”log-aws-config” ”log-aws-config” ”log-aws-config” ”log-aws-cloudfront” ”log-aws-cloudfront” ”log-aws-waf” ”log-aws-r53resolver” ”log-aws-clientvpn” ”log-aws-rds-postgresql” ”log-aws-rds-mysql” ”log-aws-rds-mysql” ”log-aws-rds-mysql” ”log-aws-rds-mysql” ”log-aws-elasticache” ”log-aws-msk” ”log-aws-cloudhsm” ”log-aws-opensearch” ”log-aws-workspaces” ”log-aws-workspaces” ”log-aws-trustedadvisor” ”log-aws-directory-service” ”log-aws-fsx-win” ”log-win-event” ”log-linux-secure” ”log-linux-os” ”log-web-apache” ”log-web-apache” ”log-web-nginx” ”log-web-nginx” ”metrics-opensearch-index”
@log_type ”securitylake” ”ocsf-json” ”vpcflowlogs” ”cloudtrail” ”networkfirewall” ”guardduty” ”inspector” ”securityhub” ”nlb” ”alb” ”clb” ”s3accesslog” ”config-history” ”config-snapshot” ”config-rules” ”cloudfront-realtime” ”cloudfront-standard” ”waf” ”route53resolver” ”clientvpn” ”rds-postgresql” ”rds-mysql-audit” ”rds-mysql-general” ”rds-mysql-error” ”rds-mysql-slowquery” ”elasticache-redis-slowlog” ”msk” ”cloudhsm” ”opensearch-audit” ”workspaces-event” ”workspaces-inventory” ”trustedadvisor” ”directory-service” ”fsx-win” ”windows-event” ”linux-secure” ”linux-os-syslog” ”apache-access” ”apache-error” ”nginx-access” ”nginx-error” ”index-metrics”
event.module ”securitylake” ”ocsf-json” ”vpcflowlogs” ”eventSource” ”event.event_type” ”guardduty” ”inspector” SCRIPT() ”nlb” ”alb” ”clb” ”s3accesslog” ”config-history” ”config-snapshot” ”config-rules” ”cloudfront-realtime” ”cloudfront-standard” ”waf” ”route53resolver” ”clientvpn” ”rds-postgresql” ”audit” ”general” ”error” ”slowquery” ”redis-slowlog” ”msk” ”cloudhsm” ”opensearch-audit” ”workspaces-event” ”workspaces-inventory” ”trustedadvisor” ”Event.System.Channel” ”Event.System.Channel” ”Event.System.Channel” ”secure” ”system” ”access” ”error” ”access” ”error” ”index-metrics”
event.kind ”event” ”event” SCRIPT() ”alert” ”alert” ”event” ”event” ”event” ”event” ”state” ”state” ”alert” ”event” ”event” ”alert” ”event” ”event” ”event” ”event” ”state” SCRIPT() ”event” ”event” ”event” ”event” ”event” ”event” ”event” ”event” ”event”
event.category ”network” ”iam” ”network” SCRIPT() SCRIPT() ”network” ”web” ”web” ”web” ”configuration” ”configuration” ”configuration” ”web” ”web” ”web” ”network” ”network” SCRIPT() ”database” ”database” ”database” ”database” ”database” SCRIPT() ”[authentication, host]” ”[host]” SCRIPT() SCRIPT() SCRIPT() ”web” ”web” ”web” ”web”
event.type ”info” ”info” ”change” ”[info]” ”[info]” ”[info]” ”info” ”access” ”access” ”error”
@id SCRIPT() SCRIPT() SCRIPT()
apache.error.debug_message ${debug_message}
apache.error.module ${module}
cloud.account.id ${cloud.account_uid cloud.account.uid} ${cloud.account_uid cloud.account.uid} ${account_id} ${recipientAccountId} [FromS3Key] [FromS3Key] [FromS3Key] ${AwsAccountId} [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] ${awsAccountId} ${awsAccountId} ${awsAccountId} [FromS3Key] [FromS3Key] SCRIPT() [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key]
cloud.availability_zone ${availability_zone}
cloud.instance.id ${device.instance_uid dst_endpoint.instance_uid src_endpoint.instance_uid} ${device.instance_uid dst_endpoint.instance_uid src_endpoint.instance_uid} ${instance_id} ${requestParameters.instanceId responseElements.instancesSet.items.0.instanceId requestParameters.instancesSet.items.0.instanceId requestParameters.DescribeInstanceCreditSpecificationsRequest.InstanceId.content requestParameters.AssociateIamInstanceProfileRequest.InstanceId} ${resource.instanceDetails.instanceId} ${resources.0.id} SCRIPT() SCRIPT() SCRIPT() SCRIPT() ${instance} SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT()
cloud.region [FromS3Key] [FromS3Key] ${region} ${awsRegion} [FromS3Key] [FromS3Key] [FromS3Key] ${Resources.0.Region} [FromS3Key] [FromS3Key] [FromS3Key] SCRIPT() ${awsRegion} ${awsRegion} ${awsRegion} ”global” ”global” SCRIPT() ${region} [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] ${result.flaggedResource.region} [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key] [FromS3Key]
destination GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP()
destination.address ${dst_endpoint.ip dst_endpoint.domain} ${dst_endpoint.ip dst_endpoint.domain} ${dstaddr} SCRIPT() SCRIPT() ${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4} ${destination_ip} ${target_ip} ${backend_ip} ${EndPoint}
destination.domain ${EndPoint}
destination.ip ${dst_endpoint.ip} ${dst_endpoint.ip} ${dstaddr} SCRIPT() ${event.dest_ip} SCRIPT() ${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4} ${destination_ip} ${target_ip} ${backend_ip} ${Event.EventData.Data.DestAddress} ${Event.EventData.Data.DestAddress} ${Event.EventData.Data.DestAddress}
destination.nat.ip SCRIPT() SCRIPT() ${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp}
destination.port ${dst_endpoint.port} ${dst_endpoint.port} ${dstport} ${event.dest_port} SCRIPT() ${ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails/localPortDetails.0_/port ProductFields.aws/guardduty/service/action/networkConnectionAction/localPortDetails/port} ${destination_port} ${target_port} ${backend_port} ${Event.EventData.Data.DestPort} ${Event.EventData.Data.DestPort} ${Event.EventData.Data.DestPort}
dns.answers.class ${answers.0.Class}
dns.answers.data SCRIPT()
dns.answers.type ${answers.0.Type}
dns.question.class ${query_class}
dns.question.name ${service.action.dnsRequestAction.domain} ${ProductFields.aws/guardduty/service/action/dnsRequestAction/domain} SCRIPT()
dns.question.type ${query_type}
dns.response_code ${rcode}
error.code ${errorCode} ${Event.System.Status} ${Event.System.Status} ${Event.System.Status} ${message_code}
error.message ${errorMessage} SCRIPT() ${message} ${message}
event.action SCRIPT() ${eventName} ${event.alert.action} ${action} SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT()
event.code ${Event.System.EventID} ${Event.System.EventID} ${Event.System.EventID}
event.outcome SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT() ”success” SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT()
event.risk_score_norm ${Severity.Normalized}
event.severity ${event.alert.severity} ${severity} ${Severity.Product}
host.hostname ${ComputerName} ${hostname} ${hostname}
host.id ${workspaceId} ${WorkspaceId}
host.ip ${IpAddress}
host.name ${ComputerName} ${Event.System.Computer} ${Event.System.Computer} ${Event.System.Computer}
http.request.bytes ${received_bytes} ${received_bytes} ${received_bytes} ${cs_bytes} ${cs_bytes} ${request_bytes}
http.request.method ${event.http.http_method} ${http_method} ${http_method} ${RequestURI_operation} ${cs_method} ${cs_method} ${httpRequest.httpMethod} ${request_method} ${request_method}
http.request.referrer ${Referrer} ${cs_referer} ${cs_referer} SCRIPT() ${referer} ${referer}
http.response.body.bytes ${response_body_bytes} ${response_body_bytes}
http.response.bytes ${sent_bytes} ${sent_bytes} ${sent_bytes} ${BytesSent} ${sc_bytes} ${sc_bytes} ${response_bytes}
http.response.status_code ${elb_status_code} ${elb_status_code} ${HTTPstatus} ${sc_status} ${sc_status} ${response_status} ${response_status}
http.version ${http_version} ${http_version} SCRIPT() SCRIPT() SCRIPT() ${request_version} ${request_version}
log.level ${postgresql_log_level} ${mysql_log_level} ${msk_log_level} ${log_level} ${severity}
msk SCRIPT()
network.bytes ${bytes} ${event.netflow.bytes} SCRIPT()
network.direction ${flow_direction} SCRIPT()
network.iana_number ${protocol}
network.packets ${packets} ${event.netflow.pkts} SCRIPT()
network.protocol ${event.app_proto}
network.transport SCRIPT() SCRIPT()
network.type ${type}
process.name ${proc} ${proc}
process.pid ${postgresql_pid} ${pid} ${pid} ${pid} ${process_id}
process.thread.id ${tid} ${thread_id}
rds.cluster_identifier SCRIPT() SCRIPT()
rds.database_name ${postgresql_database} ${mysql_database}
rds.instance_identifier SCRIPT() SCRIPT()
rds.message ${postgresql_message} ${mysql_message mysql_server_audit_message}
rds.query SCRIPT() SCRIPT() SCRIPT() SCRIPT() SCRIPT()
rds.query_time SCRIPT() ${mysql_query_time}
related.host ${[device.instance_uid dst_endpoint.instance_uid, src_endpoint.instance_uid]} ${[device.instance_uid dst_endpoint.instance_uid, src_endpoint.instance_uid]}
related.hosts ${[resources.0.id]} SCRIPT() SCRIPT() SCRIPT() ${[audit_rest_request_headers.Host]} ${[workspaceId]} ${[ComputerName, WorkspaceId]} SCRIPT() SCRIPT()
related.ip ${[dst_endpoint.ip, src_endpoint.ip]} ${[dst_endpoint.ip, src_endpoint.ip]} ${[srcaddr, dstaddr, pkt_srcaddr, pkt_dstaddr]} ${[sourceIPAddress]} ${[event.dest_ip, event.src_ip]} ${[resource.instanceDetails.networkInterfaces.0.privateIpAddress, service.action.networkConnectionAction.localIpDetails.ipAddressV4, resource.instanceDetails.networkInterfaces.0.publicIp, service.action.awsApiCallAction.remoteIpDetails.ipAddressV4, service.action.networkConnectionAction.remoteIpDetails.ipAddressV4, service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4, service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4, service.action.awsApiCallAction.remoteIpDetails.ipAddressV6, service.action.networkConnectionAction.remoteIpDetails.ipAddressV6, service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV6, service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6, service.action.kubernetesApiCallAction.sourceIPs]} ${resources.0.details.awsEc2Instance.ipV4Addresses} ${[ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress, ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4, ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp, ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV6, ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV6, ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV6, 
ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/ipAddressV6]} ${[client_ip, destination_ip]} ${[target_ip, client_ip, http_host]} ${[backend_ip, client_ip]} ${[RemoteIP]} SCRIPT() SCRIPT() SCRIPT() ${[c_ip]} ${[c_ip]} ${[httpRequest.clientIp]} ${[srcaddr]} ${[device-ip, client-ip]} ${postgresql_source_address} ${[mysql_host]} ${[mysql_source_ip]} SCRIPT() ${[audit_request_remote_address, audit_rest_request_headers.Host]} ${[clientIpAddress]} ${[IpAddress]} ${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]} ${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]} ${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]} SCRIPT() SCRIPT() ${source.ip} SCRIPT()
related.user ${[resource.accessKeyDetails.userName]} SCRIPT() SCRIPT() SCRIPT() ${username} ${[mysql_username, rds.query]} ${[mysql_username]} ${[audit_request_effective_user, audit_request_initiating_user]} ${[UserName]} ${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} ${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} ${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} SCRIPT() SCRIPT()
rule.category ”vulnerability”
rule.description ${description} ${Description}
rule.id ${event.alert.signature_id} ${type} ${Types}
rule.name ${eventName} ${event.alert.signature} ${title} ${title} ${Title} ${terminatingRuleId} ${audit_transport_request_type audit_rest_request_method audit_category} ${check.name}
rule.ruleset SCRIPT()
rule.version ${event.alert.rev}
service.node.name ${firewall_name}
source GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP() GEOIP()
source.address ${src_endpoint.ip src_endpoint.domain} ${src_endpoint.ip src_endpoint.domain} ${srcaddr} ${sourceIPAddress} SCRIPT() ${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4} ${client_ip} ${client_ip} ${client_ip} ${RemoteIP} ${c_ip} ${c_ip} ${httpRequest.clientIp} ${srcaddr} ${postgresql_source_address} ${mysql_host} ${remotehost} ${client_ip} ${remotehost} ${client_ip}
source.bytes ${bytes} ${event.netflow.bytes}
source.ip ${src_endpoint.ip} ${src_endpoint.ip} ${srcaddr} ${sourceIPAddress} ${event.src_ip} SCRIPT() ${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4} ${client_ip} ${client_ip} ${client_ip} ${RemoteIP} ${c_ip} ${c_ip} ${httpRequest.clientIp} ${srcaddr} ${device-ip} ${postgresql_source_address} ${mysql_host} ${mysql_source_ip} SCRIPT() ${audit_request_remote_address} ${clientIpAddress} ${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} ${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} ${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} SCRIPT() SCRIPT() ${remotehost} ${client_ip} ${remotehost} ${client_ip}
source.packets ${packets} ${event.netflow.pkts}
source.port ${src_endpoint.port} ${src_endpoint.port} ${srcport} ${event.src_port} SCRIPT() ${ProductFields.aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port} ${client_port} ${client_port} ${client_port} ${c_port} ${c_port} ${srcport} ${port} ${postgresql_source_port} SCRIPT() ${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} ${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} ${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} SCRIPT() SCRIPT() ${client_port} ${client_port}
url.domain ${event.http.hostname event.tls.sni} ${domain_name} ${http_host} ${http_host} ${EndPoint} ${cs_host} ${x_host_header}
url.full SCRIPT() SCRIPT() SCRIPT() SCRIPT()
url.original ${RequestURI_key} ${request_path} ${request_path}
url.path ${http_path} ${http_path} SCRIPT() ${cs_uri_stem} ${httpRequest.uri}
url.port ${destination_port} ${http_port} ${http_port}
url.query ${http_query} ${http_query} ${cs_uri_query} ${cs_uri_query} ${httpRequest.args}
url.scheme ${http_protocol} ${http_protocol} ${cs_protocol} ${cs_protocol}
user.domain ${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName} ${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName} ${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName}
user.id ${actor.user.credential_uid} ${actor.user.credential_uid} ${userIdentity.accessKeyId} ${resource.accessKeyDetails.accessKeyId} SCRIPT() ${username} ${user_id} ${UserName} ${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} ${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} ${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} SCRIPT() SCRIPT() ${authuser ident} ${authuser ident}
user.name SCRIPT() SCRIPT() SCRIPT() ${resource.accessKeyDetails.userName} SCRIPT() SCRIPT() ${username} ${postgresql_user} ${mysql_username rds.query} ${mysql_username} SCRIPT() ${audit_request_effective_user, audit_request_initiating_user} ${UserName} ${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} ${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} ${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} SCRIPT() SCRIPT() ${authuser} ${authuser}
user_agent.original ${http_request.user_agent} ${http_request.user_agent} ${userAgent} ${event.http.http_user_agent} ${useragent} ${useragent} ${UserAgent} SCRIPT() SCRIPT() SCRIPT() ${audit_rest_request_headers.User-Agent} ${useragent} ${useragent}
vulnerability.category ${[type, resources.0.details.awsEc2Instance.platform, resources.0.details.awsEcrContainerImage.platform, resources.0.type]}
vulnerability.description SCRIPT()
vulnerability.id ${packageVulnerabilityDetails.vulnerabilityId}
vulnerability.reference ${packageVulnerabilityDetails.referenceUrls packageVulnerabilityDetails.sourceUrl}
vulnerability.scanner.vendor ”inspector”
vulnerability.score.base ${inspectorScoreDetails.adjustedCvss.score}
vulnerability.score.version ${inspectorScoreDetails.adjustedCvss.version}
vulnerability.severity ${severity}

Back To README | READMEに戻る