Data Mapping: Cloud Activity Data

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| eventID | string | - | The GUID generated by AWS CloudTrail to identify events | `d9fd6cde-5088-40c5-9d92-98f18a96fc67`<br>`289d466c-7b56-442d-a781-f6997a252d9d`<br>`ef394572-cccc-4295-9585-98df134e6b07` | Trend Cloud One - AWS CloudTrail |
| eventName | string | - | The name of the requested action (one of the actions in the API for the service) | `PutObject`<br>`GetObject`<br>`DescribeTable` | Trend Cloud One - AWS CloudTrail |
| eventSource | string | - | The AWS service the request was made to | `s3.amazonaws.com`<br>`dynamodb.amazonaws.com`<br>`xray.amazonaws.com` | Trend Cloud One - AWS CloudTrail |
| filterRiskLevel | string | - | The top-level risk level of the event | `info`<br>`low`<br>`medium` | Security Analytics Engine |
| productCode | string | - | The internal product code | `sct` | Security Analytics Engine |
| readOnly | bool | - | Whether the operation is read-only | `true`<br>`false` | Trend Cloud One - AWS CloudTrail |
| requestParameters | object | - | The parameters, if any, that were sent with the request (Parameters are documented in the API reference docs for the appropriate AWS service.) | `{"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"}` | Trend Cloud One - AWS CloudTrail |
| resources | dynamic | - | The list of resources accessed in the event | `[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}]` | Trend Cloud One - AWS CloudTrail |
| responseElements | dynamic | - | The response elements for actions that made changes (create, update, or delete actions) | `{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}` | Trend Cloud One - AWS CloudTrail |
| sourceIPAddress | string | IPv4<br>IPv6 | The IP address the request was made from (For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.) | `239.255.255.250`<br>`apigateway.amazonaws.com`<br>`config.amazonaws.com` | Trend Cloud One - AWS CloudTrail |
| tags | string[] | - | The MITRE technique ID detected by Trend Vision One based on the alert filter | `MITREV9.T1090`<br>`MITRE.T1059`<br>`MITREV9.T1059.001` | Security Analytics Engine |
| userAgent | string | CLICommand | The agent through which the request was made (such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI) | `signin.amazonaws.com`<br>`console.amazonaws.com`<br>`aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5` | Trend Cloud One - AWS CloudTrail |
| userIdentity | dynamic | - | The information about the user that made a request | `{"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}`<br>`{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}` | Trend Cloud One - AWS CloudTrail |
| uuid | string | - | The unique key of the log entry | `0000116b-ac61-48d2-89e1-3d1ce2d13cdd`<br>`000017f4-ac10-43b4-8aef-97158e0f8533`<br>`0000230c-15d8-428c-b707-ddb77cb9ed33` | Security Analytics Engine |
| vpcEndpointId | string | - | The VPC endpoint in which requests were made from a VPC to another AWS service (such as Amazon S3) | `vpce-00000000000000000` | Trend Cloud One - AWS CloudTrail |