Data Mapping: Cloud Activity Data

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| additionalEventData | - | - | Additional data about the event that was not part of the request or response | {"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"} | Trend Micro Cloud One - AWS CloudTrail |
| apiVersion | - | - | API version associated with the AwsApiCall eventType value | 2012-08-10 | Trend Micro Cloud One - AWS CloudTrail |
| awsRegion | - | - | AWS region that the request was made to | us-east-1; us-east-2; us-west-1 | Trend Micro Cloud One - AWS CloudTrail |
| bitwiseFilterRiskLevel | - | - | Bitwise risk-level filter search | 1; 2; 8 | - |
| errorCode | - | - | AWS service error code | ThrottlingException; InvalidParameterValueException; NoSuchLifecycleConfiguration | Trend Micro Cloud One - AWS CloudTrail |
| errorMessage | - | - | Description of the error | The specified bucket does not have a website configuration; An unknown error occurred; The lifecycle configuration does not exist | Trend Micro Cloud One - AWS CloudTrail |
| eventCategory | - | - | Event category used in LookupEvents calls | Management; Data; Insight | Trend Micro Cloud One - AWS CloudTrail |
| eventID | - | - | GUID generated by AWS CloudTrail to identify events | d9fd6cde-5088-40c5-9d92-98f18a96fc67; 289d466c-7b56-442d-a781-f6997a252d9d; ef394572-cccc-4295-9585-98df134e6b07 | Trend Micro Cloud One - AWS CloudTrail |
| eventName | - | - | Name of the requested action (one of the actions in the API for the service) | PutObject; GetObject; DescribeTable | Trend Micro Cloud One - AWS CloudTrail |
| eventSource | - | - | The AWS service the request was made to | s3.amazonaws.com; dynamodb.amazonaws.com; xray.amazonaws.com | Trend Micro Cloud One - AWS CloudTrail |
| eventTime | - | - | The date and time the request was made, in Coordinated Universal Time (UTC) | 2022-07-06T22:28:06Z | Trend Micro Cloud One - AWS CloudTrail |
| eventType | - | - | Type of event that generated the event record | AwsApiCall; AwsServiceEvent; AwsConsoleAction | Trend Micro Cloud One - AWS CloudTrail |
| eventVersion | - | - | Version of the log event format | 1.08 | Trend Micro Cloud One - AWS CloudTrail |
| filterRiskLevel | - | - | Top-level risk level of the event | info; low; medium | - |
| mgmtInstanceId | - | - | The instance ID for a management scope, which is the same as tenantGuid (endpoint only) | f41a9efa-beee-6ff7-319d-e4ffa63f21df | - |
| packageTraceId | - | - | Package trace ID | 123456789012-us-east-1-2022-07-07T12:50:59.665Z | - |
| partitionKey | - | - | The partition key for a management scope (endpoint only) | ebb418f0-43b7-fd1e-a8f4-3a1261720071 | - |
| policyTreePath | - | - | The policy tree path, provided by SAP (endpoint only) | policyname1/policyname2/policyname3 | - |
| productCode | - | - | Internal product code (sct = Trend Micro Cloud One CloudTrail) | sct | - |
| readOnly | - | - | Whether the operation is read-only | true; false | Trend Micro Cloud One - AWS CloudTrail |
| receivedTime | - | - | Time the log was received | 1656324260000 | - |
| recipientAccountId | - | - | Account ID that received the event | 123456789012 | Trend Micro Cloud One - AWS CloudTrail |
| requestID | - | - | Value that identifies the request (the service being called generates this value) | 925513dd-ffbf-43ae-bd31-878fc278fa8f; b9b5fd99-7bca-455a-a2fa-9c67205469e5; 5d975177-e1b8-45f5-8f2e-68bd347f2ec4 | Trend Micro Cloud One - AWS CloudTrail |
| requestParameters | - | - | The parameters, if any, that were sent with the request (parameters are documented in the API reference docs for the appropriate AWS service) | {"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"} | Trend Micro Cloud One - AWS CloudTrail |
| resources | - | - | List of resources accessed in the event | [{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}] | Trend Micro Cloud One - AWS CloudTrail |
| responseElements | - | - | Response elements for actions that made changes (create, update, or delete actions) | {"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}} | Trend Micro Cloud One - AWS CloudTrail |
| serviceEventDetails | - | - | Identifies the service event, including what triggered the event and the result | {"lifecycleEventPolicy":{"policyVersion":1,"policyId":"00bf7b21-eab1-39e0-b664-d0acfda1009d"}} | Trend Micro Cloud One - AWS CloudTrail |
| sharedEventID | - | - | GUID generated by AWS CloudTrail to uniquely identify CloudTrail events that come from the same AWS action but are sent to different AWS accounts | 4be7580e-1ab2-4d06-933f-dea5217fb04b; 6cd2a4b9-f6f1-43e4-8b4e-ce656ecd65ae; 0d849be3-cfff-495f-b1c0-066ca7928d04 | Trend Micro Cloud One - AWS CloudTrail |
| sourceIPAddress | - | IPv4; IPv6 | IP address the request was made from (for actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server; for services in AWS, only the DNS name is displayed) | 239.255.255.250; apigateway.amazonaws.com; config.amazonaws.com | Trend Micro Cloud One - AWS CloudTrail |
| tags | - | - | Technique ID detected by the Security Analytics Engine based on the alert filter | MITREV9.T1090; MITRE.T1059; MITREV9.T1059.001 | - |
| userAgent | - | CLICommand | The agent through which the request was made (such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI) | signin.amazonaws.com; console.amazonaws.com; aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5 | Trend Micro Cloud One - AWS CloudTrail |
| userIdentity | - | - | Information about the user that made the request | {"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}; {"type":"AWSService","invokedBy":"lambda.amazonaws.com"} | Trend Micro Cloud One - AWS CloudTrail |
| uuid | - | - | Unique key of the log entry | 0000116b-ac61-48d2-89e1-3d1ce2d13cdd; 000017f4-ac10-43b4-8aef-97158e0f8533; 0000230c-15d8-428c-b707-ddb77cb9ed33 | - |
| vpcEndpointId | - | - | VPC endpoint through which requests were made from a VPC to another AWS service (such as Amazon S3) | vpce-00000000000000000 | Trend Micro Cloud One - AWS CloudTrail |