| Field Name | Type | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- | --- |
| additionalEventData | - | - | The additional data about the event that was not part of the request or response | `{"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"}` | Trend Cloud One - AWS CloudTrail |
| apiVersion | - | - | The API version associated with the AwsApiCall eventType value | `2012-08-10` | Trend Cloud One - AWS CloudTrail |
| awsRegion | - | - | The AWS region that the request was made to | `us-east-1`<br>`us-east-2`<br>`us-west-1` | Trend Cloud One - AWS CloudTrail |
| errorCode | - | - | The AWS service error code | `ThrottlingException`<br>`InvalidParameterValueException`<br>`NoSuchLifecycleConfiguration` | Trend Cloud One - AWS CloudTrail |
| errorMessage | - | - | The error description | `The specified bucket does not have a website configuration`<br>`An unknown error occurred`<br>`The lifecycle configuration does not exist` | Trend Cloud One - AWS CloudTrail |
| eventCase | - | - | The AWS service that the request was made to | `workspaces.amazonaws.com`<br>`sts.amazonaws.com`<br>`kms.amazonaws.com` | Security Analytics Engine |
| eventCategory | - | - | The event category used in LookupEvents calls | `Management`<br>`Data`<br>`Insight` | Trend Cloud One - AWS CloudTrail |
| eventID | - | - | The GUID generated by AWS CloudTrail to identify events | `d9fd6cde-5088-40c5-9d92-98f18a96fc67`<br>`289d466c-7b56-442d-a781-f6997a252d9d`<br>`ef394572-cccc-4295-9585-98df134e6b07` | Trend Cloud One - AWS CloudTrail |
| eventName | - | - | The name of the requested action (one of the actions in the API for the service) | `PutObject`<br>`GetObject`<br>`DescribeTable` | Trend Cloud One - AWS CloudTrail |
| eventSource | - | - | The AWS service the request was made to | `s3.amazonaws.com`<br>`dynamodb.amazonaws.com`<br>`xray.amazonaws.com` | Trend Cloud One - AWS CloudTrail |
| eventSubId | - | - | The access type | `PutObject`<br>`GetObject`<br>`DescribeTable` | Security Analytics Engine |
| eventTime | - | - | The time the agent detected the event | `2022-07-06T22:28:06Z` | Trend Cloud One - AWS CloudTrail |
| eventType | - | - | The type of event that generated the event record | `AwsApiCall`<br>`AwsServiceEvent`<br>`AwsConsoleAction` | Trend Cloud One - AWS CloudTrail |
| eventVersion | - | - | The version of the log event format | `1.08` | Trend Cloud One - AWS CloudTrail |
| filterRiskLevel | - | - | The top-level risk level of the event | `info`<br>`low`<br>`medium` | Security Analytics Engine |
| logReceivedTime | - | - | The time when the XDR log was received | `1656324260000` | Security Analytics Engine |
| policyTreePath | - | - | The policy tree path (endpoint only) | `policyname1/policyname2/policyname3` | Security Analytics Engine |
| productCode | - | - | The internal product code | `sct` | Security Analytics Engine |
| readOnly | - | - | Whether the operation is read-only | `true`<br>`false` | Trend Cloud One - AWS CloudTrail |
| recipientAccountId | - | - | The Account ID that received the event | `123456789012` | Trend Cloud One - AWS CloudTrail |
| requestID | - | - | The value that identifies the request (the service being called generates this value) | `925513dd-ffbf-43ae-bd31-878fc278fa8f`<br>`b9b5fd99-7bca-455a-a2fa-9c67205469e5`<br>`5d975177-e1b8-45f5-8f2e-68bd347f2ec4` | Trend Cloud One - AWS CloudTrail |
| requestParameters | - | - | The parameters that were sent with the request (documented in the API reference docs for each AWS service) | `{"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"}` | Trend Cloud One - AWS CloudTrail |
| resources | - | - | The list of resources accessed in the event | `[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}]` | Trend Cloud One - AWS CloudTrail |
| responseElements | - | - | The response elements for actions that made changes (create, update, or delete actions) | `{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}` | Trend Cloud One - AWS CloudTrail |
| serviceEventDetails | - | - | The service event (including what triggered the event and the result) | `{"lifecycleEventPolicy":{"policyVersion":1,"policyId":"00bf7b21-eab1-39e0-b664-d0acfda1009d"}}` | Trend Cloud One - AWS CloudTrail |
| sharedEventID | - | - | The GUID generated by AWS CloudTrail to uniquely identify CloudTrail events (from the same AWS action that is sent to different AWS accounts) | `4be7580e-1ab2-4d06-933f-dea5217fb04b`<br>`6cd2a4b9-f6f1-43e4-8b4e-ce656ecd65ae`<br>`0d849be3-cfff-495f-b1c0-066ca7928d04` | Trend Cloud One - AWS CloudTrail |
| sourceIPAddress | - | IPv4<br>IPv6 | The IP address the request was made from (For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.) | `239.255.255.250`<br>`apigateway.amazonaws.com`<br>`config.amazonaws.com` | Trend Cloud One - AWS CloudTrail |
| tags | - | - | The detected technique ID based on the alert filter | `MITREV9.T1090`<br>`MITRE.T1059`<br>`MITREV9.T1059.001` | Security Analytics Engine |
| userAgent | - | CLICommand | The agent through which the request was made (such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI) | `signin.amazonaws.com`<br>`console.amazonaws.com`<br>`aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5` | Trend Cloud One - AWS CloudTrail |
| userIdentity | - | - | The information about the user that made a request | `{"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}`<br>`{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}` | Trend Cloud One - AWS CloudTrail |
| uuid | - | - | The unique key of the log entry | `0000116b-ac61-48d2-89e1-3d1ce2d13cdd`<br>`000017f4-ac10-43b4-8aef-97158e0f8533`<br>`0000230c-15d8-428c-b707-ddb77cb9ed33` | Security Analytics Engine |
| vpcEndpointId | - | - | The VPC endpoint in which requests were made from a VPC to another AWS service (such as Amazon S3) | `vpce-00000000000000000` | Trend Cloud One - AWS CloudTrail |