AWSCloudTrail
CloudTrail logs, which ingested from Sentinel's connector, holds all your data and management events of your Amazon Wev Services account.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AdditionalEventData | string | Additional data about the event that was not part of the request or response. |
| APIVersion | string | Identifies the API version associated with the AwsApiCall eventType value. |
| AwsEventId | string | GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. |
| AWSRegion | string | The AWS region that the request was made to. |
| AwsRequestId | string | deprecated, please use AwsRequestId_ instead. |
| AwsRequestId_ | string | The value that identifies the request. The service being called generates this value. |
| _BilledSize | real | The record size in bytes |
| Category | string | Shows the event category that is used in LookupEvents calls. |
| CidrIp | string | The CIDR IP is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IPv4 CIDR range. |
| CipherSuite | string | Optional. Part of tlsDetails. The cipher suite (combination of security algorithms used) of a request. |
| ClientProvidedHostHeader | string | Optional. Part of tlsDetails. The client-provided host name used in the service API call, which is typically the FQDN of the service endpoint. |
| DestinationPort | string | The DestinationPort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The end of port range for the TCP and UDP protocols, or an ICMP code. |
| EC2RoleDelivery | string | The friendly name of the user or role that issued the session. |
| ErrorCode | string | The AWS service error if the request returns an error. |
| ErrorMessage | string | The error description when available. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. |
| EventName | string | The requested action, which is one of the actions in the API for that service. |
| EventSource | string | The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. |
| EventTypeName | string | Identifies the type of event that generated the event record. This can be the one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleAction , AwsConsoleSignIn. |
| EventVersion | string | The version of the log event format. |
| IpProtocol | string | The IP protocol is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IP protocol name or number. The valid values are tcp, udp, icmp, or a protocol number. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| ManagementEvent | bool | A Boolean value that identifies whether the event is a management event. |
| OperationName | string | Constant value: CloudTrail. |
| ReadOnly | bool | Identifies whether this operation is a read-only operation. |
| RecipientAccountId | string | Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access. |
| RequestParameters | string | The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service. |
| Resources | string | A list of resources accessed in the event. |
| ResponseElements | string | The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted. |
| ServiceEventDetails | string | Identifies the service event, including what triggered the event and the result. |
| SessionCreationDate | datetime | The date and time when the temporary security credentials were issued. |
| SessionIssuerAccountId | string | The account that owns the entity that was used to get credentials. |
| SessionIssuerArn | string | The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. |
| SessionIssuerPrincipalId | string | The internal ID of the entity that was used to get credentials. |
| SessionIssuerType | string | The source of the temporary security credentials, such as Root, IAMUser, or Role. |
| SessionIssuerUserName | string | The friendly name of the user or role that issued the session. |
| SessionMfaAuthenticated | bool | The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false. |
| SharedEventId | string | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. |
| SourceIpAddress | string | The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed. |
| SourcePort | string | The SourcePort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The start of port range for the TCP and UDP protocols, or an ICMP type number. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC). An event's time stamp comes from the local host that provides the service API endpoint on which the API call was made. |
| TlsVersion | string | Optional. Part of tlsDetails. The TLS version of a request. |
| Type | string | The name of the table |
| UserAgent | string | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. |
| UserIdentityAccessKeyId | string | The access key ID that was used to sign the request. |
| UserIdentityAccountId | string | The account that owns the entity that granted permissions for the request. |
| UserIdentityArn | string | The Amazon Resource Name (ARN) of the principal that made the call. |
| UserIdentityInvokedBy | string | The name of the AWS service that made the request. |
| UserIdentityPrincipalid | string | A unique identifier for the entity that made the call. |
| UserIdentityType | string | The type of the identity. The following values are possible: Root, IAMUser, AssumedRole, FederatedUser, Directory, AWSAccount, AWSService, Unknown. |
| UserIdentityUserName | string | The name of the identity that made the call. |
| VpcEndpointId | string | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for