
Commit b99d558

authored
Merge pull request #3301 from splunk/output_normalization_aws
output normalization for AWS CloudTrail logs
2 parents 9c3fd5d + 9b112ca commit b99d558


135 files changed

+1295
-861
lines changed


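--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ external_repos/
 
 # IDE
 .vscode/
+.cursor/
 
 # usual mac files
 .DS_Store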

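--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -11,3 +11,13 @@ supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
 version: 7.9.1
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product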

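--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -11,3 +11,12 @@ supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
 version: 7.9.1
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product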
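Review bot: The list declares no outcome field, so a detection consuming the normalized output of this data source cannot tell a denied API call from a successful one without reaching back into the raw `errorCode`/`errorMessage` keys that CloudTrail carries for failed calls. The sibling `asl_aws_cloudtrail.yml` list in this same commit does declare `status`, which suggests the omission here is accidental rather than a schema difference; either add `- status` after `- user_agent` for parity, or, if `action` already carries success/failure for raw CloudTrail, record that with a comment such as `# action: success|failure derived from errorCode` next to the field. Whatever the decision, the two CloudTrail data sources should expose the same field set so a detection can be written once against both.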

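--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -124,3 +124,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri
 "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
 "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
 "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product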
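Review bot: With a `SAMLUser` identity there are two principals in the event, the federated subject under `userIdentity` (the example_log's `saml-provider/rodsotoonmicrosoft` ARN is its provider) and the role being assumed in `requestParameters.roleArn`, and the list added here does not say which of them `user` and `dest` resolve to. Detections on SAML-based role assumption need the assumed role as well as the federated identity, so if `dest` is the role ARN that should be documented with a comment like `# dest: requestParameters.roleArn (role assumed); user: SAML subject from userIdentity`, and if the role is not surfaced at all it is worth adding a field for it before more detections are ported to the normalized output. The start of the example_log, where `userIdentity` is defined, is outside this hunk, so I can only see the resources block.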

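--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco
 "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
 "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
 "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product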
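Review bot: For ConsoleLogin events the security signal is the login result and whether MFA was used, and neither has an obvious home in the eight generic fields added here: in the CloudTrail schema the result is `responseElements.ConsoleLogin` (`Success`/`Failure`) and MFA state is `additionalEventData.MFAUsed`, but only the tail of the example_log (`tlsDetails`) is visible in this hunk, so I cannot confirm which field, if any, the normalization maps them to. If `action` is meant to carry the Success/Failure value, a one-line comment saying so (`# action is derived from responseElements.ConsoleLogin`) would make that contract explicit; if MFA usage is intentionally left to the raw event, a comment noting that detections must still read `additionalEventData.MFAUsed` would prevent a wrong assumption later.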

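--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -117,3 +117,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}],
 "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
 "eventCategory": "Data"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product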
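Review bot: The context lines show `"managementEvent": false` and `"eventCategory": "Data"`, which means this data source only produces events when S3 data-event logging is enabled on the trail, a precondition the file does not state and one that silently turns detections built on it into no-ops in accounts with management-only trails. I would add a comment above `output_fields` such as `# Requires S3 data events enabled on the CloudTrail trail (managementEvent: false)`. Separately, none of the eight declared fields obviously carries the bucket or object key (the example's `arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json`), so either `dest` is meant to hold that ARN, in which case say so, or detections will keep reading `requestParameters.bucketName`/`key` from the raw event.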

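--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -101,3 +101,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType":
 "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
 "121521347698"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product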
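Review bot: The single `user` field cannot distinguish the caller of `CreateAccessKey` from the user the key is created for (`requestParameters.userName` / `responseElements.accessKey.userName` in CloudTrail), and that distinction is the whole signal for the persistence and privilege-escalation detections this data source feeds: a key created by admin A for user B must not normalize to the same row as B creating a key for themselves. If the schema has a target field (`dest_user`, `object`, or similar) it should be declared here; otherwise a comment such as `# user is the calling identity; the target user remains in requestParameters.userName` keeps the ambiguity from being resolved the wrong way by the next author. Unrelated to the new lines but in the same file: the example_log's `"recipientAccountId": "121521347698"` looks like an unsanitized account ID where the sibling files use `111111111111`; worth replacing before it is copied further.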

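--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -148,3 +148,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}],
 "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
 "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product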
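Review bot: The hunk header shows an `AssumedRole` identity, and for that identity type `user` is ambiguous between the session ARN in `userIdentity.arn` and the underlying role in `userIdentity.sessionContext.sessionIssuer`; detections that allow-list roles need the latter, while session-level attribution needs the former, and the list does not say which one is produced. A comment next to `- user` stating the source key (for example `# user: userIdentity.arn; the role itself is in sessionContext.sessionIssuer`) would make the choice explicit and keep it consistent with the other CloudTrail data sources. The KMS key ARN in the resources block has no obvious field either, so confirm whether `dest` is meant to carry it. Only the tail of the example_log is in this hunk; the `userIdentity` block is above it.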

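--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
 "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType":
 "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
 "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product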
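Review bot: The list exposes a single `user`, but `CreateLoginProfile` involves two principals: the caller in `userIdentity` and the account receiving a console password in `requestParameters.userName`, which is frequently not the same user. Attaching a login profile to someone else's account is a classic persistence step, so the normalized output needs to carry the target principal or explicitly document that it does not; a comment like `# user: caller (userIdentity); target user is requestParameters.userName` above the field is the minimum. If a target-user field exists elsewhere in the schema, declaring it here is preferable to the comment.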

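--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -119,3 +119,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
 "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID":
 "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall",
 "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product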
