Reference for AWSCloudTrail table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | AWS |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| AdditionalEventData | string | Additional data about the event that was not part of the request or response. |
| APIVersion | string | Identifies the API version associated with the AwsApiCall eventType value. |
| AwsEventId | string | GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. |
| AWSRegion | string | The AWS region that the request was made to. |
| AwsRequestId | string | Deprecated; use AwsRequestId_ instead. |
| AwsRequestId_ | string | The value that identifies the request. The service being called generates this value. |
| Category | string | Shows the event category that is used in LookupEvents calls. |
| CidrIp | string | The CIDR IP is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IPv4 CIDR range. |
| CipherSuite | string | Optional. Part of tlsDetails. The cipher suite (combination of security algorithms used) of a request. |
| ClientProvidedHostHeader | string | Optional. Part of tlsDetails. The client-provided host name used in the service API call, which is typically the FQDN of the service endpoint. |
| DestinationPort | string | The DestinationPort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The end of port range for the TCP and UDP protocols, or an ICMP code. |
| EC2RoleDelivery | string | The friendly name of the user or role that issued the session. |
| ErrorCode | string | The AWS service error if the request returns an error. |
| ErrorMessage | string | The error description when available. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. |
| EventName | string | The requested action, which is one of the actions in the API for that service. |
| EventSource | string | The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. |
| EventTypeName | string | Identifies the type of event that generated the event record. This can be one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleAction, AwsConsoleSignIn. |
| EventVersion | string | The version of the log event format. |
| IpProtocol | string | The IP protocol is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IP protocol name or number. The valid values are tcp, udp, icmp, or a protocol number. |
| ManagementEvent | bool | A Boolean value that identifies whether the event is a management event. |
| OperationName | string | Constant value: CloudTrail. |
| ReadOnly | bool | Identifies whether this operation is a read-only operation. |
| RecipientAccountId | string | Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access. |
| RequestParameters | string | The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service. |
| Resources | string | A list of resources accessed in the event. |
| ResponseElements | string | The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted. |
| ServiceEventDetails | string | Identifies the service event, including what triggered the event and the result. |
| SessionCreationDate | datetime | The date and time when the temporary security credentials were issued. |
| SessionIssuerAccountId | string | The account that owns the entity that was used to get credentials. |
| SessionIssuerArn | string | The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. |
| SessionIssuerPrincipalId | string | The internal ID of the entity that was used to get credentials. |
| SessionIssuerType | string | The source of the temporary security credentials, such as Root, IAMUser, or Role. |
| SessionIssuerUserName | string | The friendly name of the user or role that issued the session. |
| SessionMfaAuthenticated | bool | The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false. |
| SharedEventId | string | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. |
| SourceIpAddress | string | The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed. |
| SourcePort | string | The SourcePort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The start of port range for the TCP and UDP protocols, or an ICMP type number. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC). An event's time stamp comes from the local host that provides the service API endpoint on which the API call was made. |
| TlsVersion | string | Optional. Part of tlsDetails. The TLS version of a request. |
| Type | string | The name of the table |
| UserAgent | string | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. |
| UserIdentityAccessKeyId | string | The access key ID that was used to sign the request. |
| UserIdentityAccountId | string | The account that owns the entity that granted permissions for the request. |
| UserIdentityArn | string | The Amazon Resource Name (ARN) of the principal that made the call. |
| UserIdentityInvokedBy | string | The name of the AWS service that made the request. |
| UserIdentityPrincipalid | string | A unique identifier for the entity that made the call. |
| UserIdentityStoreArn | string | ARN of the identity store (e.g., IAM Identity Center/SSO directory) from which the user identity originates. |
| UserIdentityType | string | The type of the identity. The following values are possible: Root, IAMUser, AssumedRole, FederatedUser, Directory, AWSAccount, AWSService, Unknown. |
| UserIdentityUserId | string | Unique internal AWS identifier of the IAM entity (user, role, or federated identity) that performed the action. |
| UserIdentityUserName | string | The name of the identity that made the call. |
| VpcEndpointId | string | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Amazon Web Services | |
| Amazon Web Services S3 | EventName == "CreateUser" |
In solution Amazon Web Services:
| Analytic Rule | Selection Criteria |
|---|---|
| AWS Config Service Resource Deletion Attempts | EventName in "DeleteEventBus,DeleteFlowLogs,DeleteTrail,StopLogging,UpdateTrail" |
| Automatic image scanning disabled for ECR | EventName == "PutImageScanningConfiguration" |
| Changes made to AWS CloudTrail logs | EventName in "DeleteEventBus,DeleteFlowLogs,DeleteTrail,StopLogging,UpdateTrail" |
| Changes to AWS Elastic Load Balancer security groups | EventName in "ApplySecurityGroupsToLoadBalancer,SetSecurityGroups" |
| Changes to AWS Security Group ingress and egress settings | EventName in "AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress" |
| Changes to Amazon VPC settings | EventName in "CreateInternetGateway,CreateNatGateway,CreateNetworkAclEntry,CreateRoute,CreateRouteTable" |
| Changes to internet facing AWS RDS Database instances | EventName in "AuthorizeDBSecurityGroupIngress,CreateDBSecurityGroup,DeleteDBSecurityGroup,RevokeDBSecurityGroupIngress" |
| CloudFormation policy created then used for privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Created CRUD S3 policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creating keys with encrypt policy without MFA | EventName in "CreateKey,PutKeyPolicy" |
| Creation of Access Key for IAM User | EventName == "CreateAccessKey" |
| Creation of CRUD DynamoDB policy and then privilege escalation. | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of CRUD KMS policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of CRUD Lambda policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of DataPipeline policy and then privilege escalation. | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of EC2 policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of Glue policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of Lambda policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of SSM policy and then privilege escalation | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| Creation of new CRUD IAM policy and then privilege escalation. | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| EC2 Startup Shell Script Changed | EventName in "CreateLaunchTemplate,ModifyInstanceAttribute" |
| ECR image scan findings high or critical | EventName == "DescribeImageScanFindings" |
| Full Admin policy created and then attached to Roles, Users or Groups | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" |
| GuardDuty detector disabled or suspended | EventName in "DeleteDetector,UpdateDetector" |
| Login to AWS Management Console without MFA | EventName == "ConsoleLogin" |
| Monitor AWS Credential abuse or hijacking | EventName == "GetCallerIdentity" |
| NRT Login to AWS Management Console without MFA | EventName == "ConsoleLogin" |
| Network ACL with all the open ports to a specified CIDR | EventName in "CreateNetworkAclEntry,ReplaceNetworkAclEntry" |
| Policy version set to default | EventName == "SetDefaultPolicyVersion" |
| Privilege escalation via CRUD DynamoDB policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via CRUD IAM policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via CRUD KMS policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via CRUD Lambda policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via CRUD S3 policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via CloudFormation policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via DataPipeline policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via EC2 policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via Glue policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via Lambda policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation via SSM policy | EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" |
| Privilege escalation with AdministratorAccess managed policy | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" |
| Privilege escalation with FullAccess managed policy | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" |
| Privilege escalation with admin managed policy | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" |
| RDS instance publicly exposed | EventName in "CreateDBInstance,ModifyDBInstance" |
| S3 Object Exfiltration from Anonymous User | EventName == "GetObject" |
| S3 bucket access point publicly exposed | EventName == "PutAccessPointPolicy" |
| S3 bucket exposed via ACL | EventName == "PutBucketAcl" |
| S3 bucket exposed via policy | EventName == "PutBucketPolicy" |
| S3 bucket suspicious ransomware activity | EventName in "GetObject,PutObject" |
| S3 object publicly exposed | EventName == "PutObjectAcl" |
| SAML update identity provider | EventName == "UpdateSAMLProvider" |
| SSM document is publicly exposed | EventName == "ModifyDocumentPermission" |
| Successful API executed from a Tor exit node | |
| Successful brute force attack on S3 Bucket. | EventName == "GetObject" |
| Suspicious AWS CLI Command Execution | |
| Suspicious AWS EC2 Compute Resource Deployments | EventName == "RunInstances" |
| Suspicious command sent to EC2 | EventName in "CreateAssociation,PutObject,SendCommand" |
| Suspicious overly permissive KMS key policy created | EventName in "CreateKey,PutKeyPolicy" |
| Tampering to AWS CloudTrail logs | EventName in "DeleteEventBus,DeleteFlowLogs,DeleteLogGroup,DeleteTrail,StopLogging,UpdateTrail" |
| Unauthorized EC2 Instance Setup Attempt | EventName == "RunInstances" |
| User IAM Enumeration | EventName in "ListAccessKeys,ListAttachedRolePolicies,ListAttachedUserPolicies,ListGroupsForUser,ListRoles,ListUsers" |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
| User agent search for log4j exploitation attempt | |
In solution Business Email Compromise - Financial Fraud:
| Analytic Rule | Selection Criteria |
|---|---|
| Suspicious access of BEC related documents in AWS S3 buckets | |
In solution Cloud Identity Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Multi-Factor Authentication Disabled for a User | |
In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:
| Analytic Rule | Selection Criteria |
|---|---|
| Cross-Cloud Password Spray detection | EventName == "ConsoleLogin" |
| High-Risk Cross-Cloud User Impersonation | EventName in "AddUserToGroup,ChangePassword,CreateAccessKey,CreateGroup,CreateMailUser,CreateOrganization,CreateRole,CreateServiceSpecificCredential,CreateUser,CreateVirtualMFADevice,DeleteAccessKey,DeleteGroup,DeleteGroupPolicy,DeleteLoginProfile,DeleteRole,DeleteServiceSpecificCredential,DeleteUser,DisableMailUsers,EnableMailUsers,RegisterToWorkMail,RemoveUserFromGroup,ResetPassword,SetDefaultMailDomain,SetMailUserDetails,UpdateAccountEmailAddress,UploadServerCertificate" |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | EventName == "ConsoleLogin" |
| Suspicious AWS console logins by credential access alerts | EventName == "ConsoleLogin" |
| User impersonation by Identity Protection alerts | EventName in "AddUserToGroup,ChangePassword,CreateAccessKey,CreateGroup,CreateRole,CreateUser,CreateVirtualMFADevice,DeleteAccessKey,DeleteGroup,DeleteLoginProfile,DeleteRole,DeleteUser,RemoveUserFromGroup" |
In solution Network Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| New UserAgent observed in last 24 hours | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map IP entity to AWSCloudTrail | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map IP entity to AWSCloudTrail | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Failed AWS Console logons but success logon to AzureAD | EventName == "ConsoleLogin" |
| Failed AzureAD logons but success logon to AWS Console | EventName == "ConsoleLogin" |
| Malformed user agent | |
In solution Amazon Web Services:
| Hunting Query | Selection Criteria |
|---|---|
| Bucket versioning suspended | EventName == "PutBucketVersioning" |
| Changes made to AWS IAM objects | EventName in "CreateUser,DeleteGroup,DeleteUser" |
| Changes made to AWS IAM policy | EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion,DeleteGroupPolicy,DeletePolicy,DeletePolicyVersion,DeleteRolePolicy,DeleteUserPolicy,DetachGroupPolicy,DetachRolePolicy,PutGroupPolicy,PutUserPolicy" |
| CreateLoginProfile detected | EventName == "CreateLoginProfile" |
| CreatePolicyVersion with excessive permissions | EventName == "CreatePolicyVersion" |
| ECR image scan findings low | EventName == "DescribeImageScanFindings" |
| ECR image scan findings medium | EventName == "DescribeImageScanFindings" |
| Excessive execution of discovery events | EventName startswith "Describe"; EventName startswith "Get"; EventName startswith "List" |
| Failed brute force on S3 bucket | EventName == "GetObject" |
| IAM AccessDenied discovery events | |
| IAM Privilege Escalation by Instance Profile attachment | EventName in "AddRoleToInstanceProfile,RemoveRoleFromInstanceProfile" |
| IAM assume role policy brute force | EventName == "AssumeRole" |
| Lambda UpdateFunctionCode | EventName startswith "UpdateFunctionCode" |
| Lambda function throttled | EventName startswith "PutFunctionConcurrency" |
| Lambda layer imported from external account | EventName startswith "CreateFunction"; EventName startswith "UpdateFunctionConfiguration" |
| Login profile updated | EventName == "UpdateLoginProfile" |
| Modification of route-table attributes | EventName in "CreateRoute,DeleteRoute,ReplaceRoute" |
| Modification of subnet attributes | EventName == "ModifySubnetAttribute" |
| Modification of vpc attributes | EventName == "ModifyVpcAttribute" |
| Multiple failed login attempts to an existing user without MFA | EventName == "ConsoleLogin" |
| Network ACL deleted | EventName == "DeleteNetworkAclEntry" |
| New AccessKey created for Root user | EventName == "CreateAccessKey" |
| New access key created to user | EventName == "CreateAccessKey" |
| Privileged role attached to Instance | EventName in "AddRoleToInstanceProfile,AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" |
| RDS instance master password changed | EventName == "ModifyDBCluster" |
| Risky role name created | EventName == "CreateRole" |
| S3 bucket encryption modified | EventName in "DeleteBucketEncryption,PutBucketEncryption" |
| S3 bucket has been deleted | EventName == "DeleteBucket" |
| Suspicious EC2 launched without a key pair | EventName == "RunInstances" |
| Suspicious activity of STS Token related to Kubernetes worker node | |
| Suspicious activity of STS token related to EC2 | |
| Suspicious activity of STS token related to ECS | |
| Suspicious activity of STS token related to Glue | |
| Suspicious activity of STS token related to Lambda | |
| Suspicious credential token access of valid IAM Roles | EventName == "AssumeRole" |
| Unused or Unsupported Cloud Regions | |
In solution Network Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Exploit and Pentest Framework User Agent | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Tracking Privileged Account Rare Activity | |
In solution Amazon Web Services:
| Workbook | Selection Criteria |
|---|---|
| AmazonWebServicesNetworkActivities | EventName in "AllocateAddress,AssociateAddress,AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,CreateNetworkAcl,CreateSecurityGroup,DeleteNetworkAcl,DeleteSecurityGroup,DisassociateAddress,ReleaseAddress,ReplaceNetworkAclEntry,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress"; EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" |
| AmazonWebServicesUserActivities | EventName == "GetCallerIdentity"; EventName contains "Login"; EventName contains "login"; EventName contains "signin" |
In solution Apache Log4j Vulnerability Detection:
| Workbook | Selection Criteria |
|---|---|
| Log4jPostCompromiseHunting | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AWSS3 | EventName in "AllocateAddress,AssociateAddress,AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,CreateNetworkAcl,CreateSecurityGroup,DeleteNetworkAcl,DeleteSecurityGroup,DisassociateAddress,GetCallerIdentity,ReleaseAddress,ReplaceNetworkAclEntry,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress"; EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName contains "Login"; EventName contains "login"; EventName contains "signin"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" |
| AmazonWebServicesNetworkActivities | EventName in "AllocateAddress,AssociateAddress,AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,CreateNetworkAcl,CreateSecurityGroup,DeleteNetworkAcl,DeleteSecurityGroup,DisassociateAddress,ReleaseAddress,ReplaceNetworkAclEntry,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress"; EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" |
| AmazonWebServicesUserActivities | EventName == "GetCallerIdentity"; EventName contains "Login"; EventName contains "login"; EventName contains "signin" |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | |
| DoDZeroTrustWorkbook | EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" |
| InvestigationInsights | |
| Log4jPostCompromiseHunting | |
| ZeroTrustStrategyWorkbook | EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuthenticationAWSCloudTrail | Authentication | AWS | EventName == "ConsoleLogin" |
| ASimFileEventAWSCloudTrail | FileEvent | AWS Cloud Trail | |
| ASimUserManagementAWSCloudTrail | UserManagement | AWS Cloud Trail | |
References by type: 1 connectors, 97 content items, 1 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion" | - | 12 | - | - | 12 |
| EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy" | - | 11 | - | - | 11 |
| EventName == "ConsoleLogin" | - | 8 | 1 | - | 9 |
| EventName == "DescribeImageScanFindings" | - | 3 | - | - | 3 |
| EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" | - | 3 | - | - | 3 |
| EventName == "GetObject" | - | 3 | - | - | 3 |
| EventName == "RunInstances" | - | 3 | - | - | 3 |
| EventName == "CreateAccessKey" | - | 3 | - | - | 3 |
| EventName in "DeleteEventBus,DeleteFlowLogs,DeleteTrail,StopLogging,UpdateTrail" | - | 2 | - | - | 2 |
| EventName in "CreateKey,PutKeyPolicy" | - | 2 | - | - | 2 |
| EventName == "AssumeRole" | - | 2 | - | - | 2 |
| EventName == "CreateUser" | 1 | - | - | - | 1 |
| EventName in "AuthorizeDBSecurityGroupIngress,CreateDBSecurityGroup,DeleteDBSecurityGroup,RevokeDBSecurityGroupIngress" | - | 1 | - | - | 1 |
| EventName in "CreateInternetGateway,CreateNatGateway,CreateNetworkAclEntry,CreateRoute,CreateRouteTable" | - | 1 | - | - | 1 |
| EventName == "GetCallerIdentity" | - | 1 | - | - | 1 |
| EventName in "CreateLaunchTemplate,ModifyInstanceAttribute" | - | 1 | - | - | 1 |
| EventName == "PutImageScanningConfiguration" | - | 1 | - | - | 1 |
| EventName in "DeleteDetector,UpdateDetector" | - | 1 | - | - | 1 |
| EventName in "AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress" | - | 1 | - | - | 1 |
| EventName in "ApplySecurityGroupsToLoadBalancer,SetSecurityGroups" | - | 1 | - | - | 1 |
| EventName in "DeleteEventBus,DeleteFlowLogs,DeleteLogGroup,DeleteTrail,StopLogging,UpdateTrail" | - | 1 | - | - | 1 |
| EventName in "CreateNetworkAclEntry,ReplaceNetworkAclEntry" | - | 1 | - | - | 1 |
| EventName in "CreateDBInstance,ModifyDBInstance" | - | 1 | - | - | 1 |
| EventName == "PutAccessPointPolicy" | - | 1 | - | - | 1 |
| EventName == "PutBucketAcl" | - | 1 | - | - | 1 |
| EventName == "PutBucketPolicy" | - | 1 | - | - | 1 |
| EventName == "PutObjectAcl" | - | 1 | - | - | 1 |
| EventName in "GetObject,PutObject" | - | 1 | - | - | 1 |
| EventName == "UpdateSAMLProvider" | - | 1 | - | - | 1 |
| EventName == "SetDefaultPolicyVersion" | - | 1 | - | - | 1 |
| EventName == "ModifyDocumentPermission" | - | 1 | - | - | 1 |
| EventName in "CreateAssociation,PutObject,SendCommand" | - | 1 | - | - | 1 |
| EventName in "ListAccessKeys,ListAttachedRolePolicies,ListAttachedUserPolicies,ListGroupsForUser,ListRoles,ListUsers" | - | 1 | - | - | 1 |
| EventName in "AddUserToGroup,ChangePassword,CreateAccessKey,CreateGroup,CreateRole,CreateUser,CreateVirtualMFADevice,DeleteAccessKey,DeleteGroup,DeleteLoginProfile,DeleteRole,DeleteUser,RemoveUserFromGroup" | - | 1 | - | - | 1 |
| EventName in "AddUserToGroup,ChangePassword,CreateAccessKey,CreateGroup,CreateMailUser,CreateOrganization,CreateRole,CreateServiceSpecificCredential,CreateUser,CreateVirtualMFADevice,DeleteAccessKey,DeleteGroup,DeleteGroupPolicy,DeleteLoginProfile,DeleteRole,DeleteServiceSpecificCredential,DeleteUser,DisableMailUsers,EnableMailUsers,RegisterToWorkMail,RemoveUserFromGroup,ResetPassword,SetDefaultMailDomain,SetMailUserDetails,UpdateAccountEmailAddress,UploadServerCertificate" | - | 1 | - | - | 1 |
| EventName == "PutBucketVersioning" | - | 1 | - | - | 1 |
| EventName == "CreateLoginProfile" | - | 1 | - | - | 1 |
| EventName startswith "Describe"; EventName startswith "Get"; EventName startswith "List" | - | 1 | - | - | 1 |
| EventName in "CreateUser,DeleteGroup,DeleteUser" | - | 1 | - | - | 1 |
| EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion,DeleteGroupPolicy,DeletePolicy,DeletePolicyVersion,DeleteRolePolicy,DeleteUserPolicy,DetachGroupPolicy,DetachRolePolicy,PutGroupPolicy,PutUserPolicy" | - | 1 | - | - | 1 |
| EventName in "AddRoleToInstanceProfile,RemoveRoleFromInstanceProfile" | - | 1 | - | - | 1 |
| EventName startswith "PutFunctionConcurrency" | - | 1 | - | - | 1 |
| EventName startswith "CreateFunction"; EventName startswith "UpdateFunctionConfiguration" | - | 1 | - | - | 1 |
| EventName startswith "UpdateFunctionCode" | - | 1 | - | - | 1 |
| EventName == "UpdateLoginProfile" | - | 1 | - | - | 1 |
| EventName in "CreateRoute,DeleteRoute,ReplaceRoute" | - | 1 | - | - | 1 |
| EventName == "ModifySubnetAttribute" | - | 1 | - | - | 1 |
| EventName == "ModifyVpcAttribute" | - | 1 | - | - | 1 |
| EventName == "DeleteNetworkAclEntry" | - | 1 | - | - | 1 |
| EventName == "CreatePolicyVersion" | - | 1 | - | - | 1 |
| EventName in "AddRoleToInstanceProfile,AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy" | - | 1 | - | - | 1 |
| EventName == "ModifyDBCluster" | - | 1 | - | - | 1 |
| EventName == "CreateRole" | - | 1 | - | - | 1 |
| EventName == "DeleteBucket" | - | 1 | - | - | 1 |
| EventName in "DeleteBucketEncryption,PutBucketEncryption" | - | 1 | - | - | 1 |
| EventName in "AllocateAddress,AssociateAddress,AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,CreateNetworkAcl,CreateSecurityGroup,DeleteNetworkAcl,DeleteSecurityGroup,DisassociateAddress,ReleaseAddress,ReplaceNetworkAclEntry,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress"; EventName !contains "Image"; EventName !contains "KeyPair"; EventName !contains "LaunchTemplate"; EventName !contains "Tags"; EventName !contains "Volume"; EventName startswith "authorize"; EventName startswith "create"; EventName startswith "delete"; EventName startswith "replace"; EventName startswith "revoke" | - | 1 | - | - | 1 |
| EventName == "GetCallerIdentity"; EventName contains "Login"; EventName contains "login"; EventName contains "signin" | - | 1 | - | - | 1 |
| Total | 1 | 97 | 1 | 0 | 99 |

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| AttachGroupPolicy | - | 17 | - | - | 17 |
| AttachRolePolicy | - | 17 | - | - | 17 |
| AttachUserPolicy | - | 17 | - | - | 17 |
| CreatePolicyVersion | - | 14 | - | - | 14 |
| CreatePolicy | - | 13 | - | - | 13 |
| PutGroupPolicy | - | 12 | - | - | 12 |
| PutUserPolicy | - | 12 | - | - | 12 |
| PutRolePolicy | - | 11 | - | - | 11 |
| ConsoleLogin | - | 8 | 1 | - | 9 |
| CreateAccessKey | - | 5 | - | - | 5 |
| CreateUser | 1 | 3 | - | - | 4 |
| GetObject | - | 4 | - | - | 4 |
| DeleteEventBus | - | 3 | - | - | 3 |
| DeleteFlowLogs | - | 3 | - | - | 3 |
| DeleteTrail | - | 3 | - | - | 3 |
| StopLogging | - | 3 | - | - | 3 |
| UpdateTrail | - | 3 | - | - | 3 |
| DescribeImageScanFindings | - | 3 | - | - | 3 |
| RunInstances | - | 3 | - | - | 3 |
| CreateRole | - | 3 | - | - | 3 |
| DeleteGroup | - | 3 | - | - | 3 |
| DeleteUser | - | 3 | - | - | 3 |
| CreateNetworkAclEntry | - | 2 | - | - | 2 |
| CreateRoute | - | 2 | - | - | 2 |
| CreateKey | - | 2 | - | - | 2 |
| PutKeyPolicy | - | 2 | - | - | 2 |
| GetCallerIdentity | - | 2 | - | - | 2 |
| AuthorizeSecurityGroupEgress | - | 2 | - | - | 2 |
| AuthorizeSecurityGroupIngress | - | 2 | - | - | 2 |
| RevokeSecurityGroupEgress | - | 2 | - | - | 2 |
| RevokeSecurityGroupIngress | - | 2 | - | - | 2 |
| ReplaceNetworkAclEntry | - | 2 | - | - | 2 |
| PutObject | - | 2 | - | - | 2 |
| AddUserToGroup | - | 2 | - | - | 2 |
| ChangePassword | - | 2 | - | - | 2 |
| CreateGroup | - | 2 | - | - | 2 |
| CreateVirtualMFADevice | - | 2 | - | - | 2 |
| DeleteAccessKey | - | 2 | - | - | 2 |
| DeleteLoginProfile | - | 2 | - | - | 2 |
| DeleteRole | - | 2 | - | - | 2 |
| RemoveUserFromGroup | - | 2 | - | - | 2 |
| DeleteGroupPolicy | - | 2 | - | - | 2 |
| AssumeRole | - | 2 | - | - | 2 |
| AddRoleToInstanceProfile | - | 2 | - | - | 2 |
| AuthorizeDBSecurityGroupIngress | - | 1 | - | - | 1 |
| CreateDBSecurityGroup | - | 1 | - | - | 1 |
| DeleteDBSecurityGroup | - | 1 | - | - | 1 |
| RevokeDBSecurityGroupIngress | - | 1 | - | - | 1 |
| CreateInternetGateway | - | 1 | - | - | 1 |
| CreateNatGateway | - | 1 | - | - | 1 |
| CreateRouteTable | - | 1 | - | - | 1 |
| CreateLaunchTemplate | - | 1 | - | - | 1 |
| ModifyInstanceAttribute | - | 1 | - | - | 1 |
| PutImageScanningConfiguration | - | 1 | - | - | 1 |
| DeleteDetector | - | 1 | - | - | 1 |
| UpdateDetector | - | 1 | - | - | 1 |
| ApplySecurityGroupsToLoadBalancer | - | 1 | - | - | 1 |
| SetSecurityGroups | - | 1 | - | - | 1 |
| DeleteLogGroup | - | 1 | - | - | 1 |
| CreateDBInstance | - | 1 | - | - | 1 |
| ModifyDBInstance | - | 1 | - | - | 1 |
| PutAccessPointPolicy | - | 1 | - | - | 1 |
| PutBucketAcl | - | 1 | - | - | 1 |
| PutBucketPolicy | - | 1 | - | - | 1 |
| PutObjectAcl | - | 1 | - | - | 1 |
| UpdateSAMLProvider | - | 1 | - | - | 1 |
| SetDefaultPolicyVersion | - | 1 | - | - | 1 |
| ModifyDocumentPermission | - | 1 | - | - | 1 |
| CreateAssociation | - | 1 | - | - | 1 |
| SendCommand | - | 1 | - | - | 1 |
| ListAccessKeys | - | 1 | - | - | 1 |
| ListAttachedRolePolicies | - | 1 | - | - | 1 |
| ListAttachedUserPolicies | - | 1 | - | - | 1 |
| ListGroupsForUser | - | 1 | - | - | 1 |
| ListRoles | - | 1 | - | - | 1 |
| ListUsers | - | 1 | - | - | 1 |
| CreateMailUser | - | 1 | - | - | 1 |
| CreateOrganization | - | 1 | - | - | 1 |
| CreateServiceSpecificCredential | - | 1 | - | - | 1 |
| DeleteServiceSpecificCredential | - | 1 | - | - | 1 |
| DisableMailUsers | - | 1 | - | - | 1 |
| EnableMailUsers | - | 1 | - | - | 1 |
| RegisterToWorkMail | - | 1 | - | - | 1 |
| ResetPassword | - | 1 | - | - | 1 |
| SetDefaultMailDomain | - | 1 | - | - | 1 |
| SetMailUserDetails | - | 1 | - | - | 1 |
| UpdateAccountEmailAddress | - | 1 | - | - | 1 |
| UploadServerCertificate | - | 1 | - | - | 1 |
| PutBucketVersioning | - | 1 | - | - | 1 |
| CreateLoginProfile | - | 1 | - | - | 1 |
| startswith Describe | - | 1 | - | - | 1 |
| startswith Get | - | 1 | - | - | 1 |
| startswith List | - | 1 | - | - | 1 |
| DeletePolicy | - | 1 | - | - | 1 |
| DeletePolicyVersion | - | 1 | - | - | 1 |
| DeleteRolePolicy | - | 1 | - | - | 1 |
| DeleteUserPolicy | - | 1 | - | - | 1 |
| DetachGroupPolicy | - | 1 | - | - | 1 |
| DetachRolePolicy | - | 1 | - | - | 1 |
| RemoveRoleFromInstanceProfile | - | 1 | - | - | 1 |
| startswith PutFunctionConcurrency | - | 1 | - | - | 1 |
| startswith CreateFunction | - | 1 | - | - | 1 |
| startswith UpdateFunctionConfiguration | - | 1 | - | - | 1 |
| startswith UpdateFunctionCode | - | 1 | - | - | 1 |
| UpdateLoginProfile | - | 1 | - | - | 1 |
| DeleteRoute | - | 1 | - | - | 1 |
| ReplaceRoute | - | 1 | - | - | 1 |
| ModifySubnetAttribute | - | 1 | - | - | 1 |
| ModifyVpcAttribute | - | 1 | - | - | 1 |
| DeleteNetworkAclEntry | - | 1 | - | - | 1 |
| ModifyDBCluster | - | 1 | - | - | 1 |
| DeleteBucket | - | 1 | - | - | 1 |
| DeleteBucketEncryption | - | 1 | - | - | 1 |
| PutBucketEncryption | - | 1 | - | - | 1 |
| AllocateAddress | - | 1 | - | - | 1 |
| AssociateAddress | - | 1 | - | - | 1 |
| CreateNetworkAcl | - | 1 | - | - | 1 |
| CreateSecurityGroup | - | 1 | - | - | 1 |
| DeleteNetworkAcl | - | 1 | - | - | 1 |
| DeleteSecurityGroup | - | 1 | - | - | 1 |
| DisassociateAddress | - | 1 | - | - | 1 |
| ReleaseAddress | - | 1 | - | - | 1 |
| !contains Image | - | 1 | - | - | 1 |
| !contains KeyPair | - | 1 | - | - | 1 |
| !contains LaunchTemplate | - | 1 | - | - | 1 |
| !contains Tags | - | 1 | - | - | 1 |
| !contains Volume | - | 1 | - | - | 1 |
| startswith authorize | - | 1 | - | - | 1 |
| startswith create | - | 1 | - | - | 1 |
| startswith delete | - | 1 | - | - | 1 |
| startswith replace | - | 1 | - | - | 1 |
| startswith revoke | - | 1 | - | - | 1 |
| contains Login | - | 1 | - | - | 1 |
| contains login | - | 1 | - | - | 1 |
| contains signin | - | 1 | - | - | 1 |