Third-Party Logs

act

-

The action

action

-

The traffic processing action

additionalEventData

-

The additional event information that was not part of the request or response

apiVersion

-

The API version associated with the AwsApiCall eventType value

app

-

The network protocol

application

-

The name of the requested application

awsRegion

-

The AWS region the request was made to

azId

-

The Availability Zone ID

bytes

-

The number of transmitted data bytes

category

-

The event category

cloudAccountId

-

The owner AWS account ID of the source network interface (account-id)

cloudTrailEventId

-

The GUID generated by AWS CloudTrail to identify events

cnt

-

The total number of logs

dOSName

-

The destination OS

dUser1

The latest sign-in user of the destination

dhost

The destination hostname

direction

-

The direction

dmac

-

The destination MAC address

dpt

The destination port

dst

The destination IP

dstLocation

-

The destination country

dstZone

-

The destination zone of the session

duser

The email recipient

dvc

-

The device IP

-

dvchost

-

The network device hostname

errorCode

-

The AWS service error code

errorMessage

-

The error description

eventCase

-

The AWS service that the request was made to

eventCategory

-

The event category used in LookupEvents calls

eventId

-

The event ID

eventName

-

The log type

eventSource

-

The AWS service the request was made to

eventSubName

-

The event type sub-name

eventTime

-

The time the agent or product detected the event

eventType

-

The type of event that generated the event record

eventVersion

-

The log event format version

fileHash

The SHA-1 of the file

fileHashMd5

The MD5 of the file

fileHashSha256

The SHA-256 of the file

fileName

The file name

filePath

The file path

fileSize

-

The file size

fileType

-

The file type

filterRiskLevel

-

The top level filter risk of the event

flowDirection

-

The network interface traffic direction

flowId

-

The connection ID

flowType

-

The type of traffic (type)

groupId

-

The group ID for the management scope filter

hostName

The hostname

httpReferer

The HTTP referer

httpRespContentType

-

The HTTP response data content type

httpXForwardedFor

-

The HTTP X-Forwarded-For header

instanceId

-

The instance ID

ipProto

-

The protocol number (protocol)

logReceivedTime

-

The time when the XDR log was received

logStatus

-

The VPC Flow Log status

mailMsgSubject

The email subject

managementEvent

-

The management event

networkInterfaceId

-

The network interface ID (interface-id)

oldFileHash

The old file hash

packets

-

The number of transmitted data packets

pktDstAddr

The packet level destination IP

pktDstCloudServiceName

-

The subset IP address range name for the cloud service destination IP (pkt-dst-aws-service)

pktSrcAddr

The packet level source IP

pktSrcCloudServiceName

-

The subset IP address range name for the cloud service source IP (pkt-src-aws-service)

pname

-

The product name

policyName

-

The name of the triggered policy

policyTreePath

-

The policy tree path

policyUuid

-

The policy UUID

productCode

-

The internal product code

proto

-

The transport network protocol

pver

-

The product version

rating

-

The credibility level

readOnly

-

Whether the operation is read-only

recipientAccountId

-

The Account ID that received the event

regionCode

-

The network interface AWS Region

reqDataSize

-

The data volume transmitted over the transport layer by the client (in bytes)

requestClientApplication

-

The HTTP user agent

requestID

-

The request ID generated by the service this value)

requestMethod

-

The network protocol request method

requestParameters

-

The parameters sent with the request

requests

The URLs of the request

resources

-

The resources accessed in the event

respDataSize

-

The data volume transmitted over the transport layer by the server (in bytes)

responseElements

-

The response elements for create, update, and delete actions

ruleId

-

The rule ID

ruleName

-

The name of the rule that triggered the event

sOSName

-

The source OS

sUser1

The latest sign-in user of the source

serviceEventDetails

-

The service event details

sessionEnd

-

The session end time (in seconds)

sessionEndReason

-

The reason why a session was terminated

sessionStart

-

The session start name (in seconds)

severity

-

The severity of the event

sharedEventID

-

The AWS CloudTrail GUID (from the same AWS action sent to different AWS accounts) events

shost

The source hostname

smac

-

The source MAC address

sourceIPAddress

The request IP address (for service console actions: the customer resource, for AWS services: the DNS name)

spt

The source port

src

The source IP

srcLocation

-

The source country

srcZone

-

The source zone of the session

subLocationId

-

The sub-location ID

subLocationType

-

The sub-location type

subnetId

-

The subnet ID

suid

The username or mailbox

suser

The email sender

tags

The detected technique ID based on the alert filter

tcpFlags

-

The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags

tlsDetails

-

The TLS details

trafficPath

-

The egress traffic path number

urlCat

-

The requested URL category

userAgent

The user agent or the agent through which the request was made

userIdentity

-

The information about a user who made a request

uuid

-

The unique key of the log entry

vendor

-

The device vendor

vendorParsed

-

The normalized event log (JSON format)

vendorRaw

-

The original event log string

vpcEndpointId

-

The VPC endpoint in which requests where made from a VPC to another AWS service

vpcId

-

The VPC ID

vsysName

-

The virtual system of the session