AWS CloudTrail

Overview

AlphaSOC normalizes AWS CloudTrail telemetry into the Open Cybersecurity Schema Framework (OCSF) format. The fields listed below are available for use in Sigma detection rules. For complete field definitions and semantics, refer to the linked OCSF class schema pages.

AWS CloudTrail: API Activity

OCSF Category: Application Activity

OCSF Class: API Activity

OCSF Fields

  • activity_id
  • activity_name
  • actor.idp.name
  • actor.idp.uid
  • actor.session.created_time
  • actor.session.is_mfa
  • actor.session.issuer
  • actor.user.account.uid
  • actor.user.credential_uid
  • actor.user.name
  • actor.user.type
  • actor.user.uid
  • api.operation
  • api.request.uid
  • api.response.error
  • api.response.error_message
  • api.service.name
  • api.version
  • category_name
  • category_uid
  • class_name
  • class_uid
  • cloud.account.uid
  • cloud.provider
  • cloud.region
  • http_request.user_agent
  • metadata.event_code
  • metadata.product.feature.name
  • metadata.product.name
  • metadata.product.version
  • metadata.uid
  • metadata.version
  • severity
  • severity_id
  • src_endpoint.ip
  • src_endpoint.uid
  • status
  • status_id
  • time
  • type_name
  • type_uid

AWS CloudTrail: Account Change

OCSF Category: Identity & Access Management

OCSF Class: Account Change

OCSF Fields

  • activity_id
  • activity_name
  • actor.idp.name
  • actor.idp.uid
  • actor.session.created_time
  • actor.session.is_mfa
  • actor.session.issuer
  • actor.user.account.uid
  • actor.user.credential_uid
  • actor.user.name
  • actor.user.type
  • actor.user.uid
  • api.operation
  • api.request.uid
  • api.response.error
  • api.response.error_message
  • api.service.name
  • api.version
  • category_name
  • category_uid
  • class_name
  • class_uid
  • cloud.account.uid
  • cloud.provider
  • cloud.region
  • http_request.user_agent
  • metadata.event_code
  • metadata.product.feature.name
  • metadata.product.name
  • metadata.product.version
  • metadata.uid
  • metadata.version
  • policy.uid
  • severity
  • severity_id
  • src_endpoint.ip
  • src_endpoint.uid
  • status
  • status_id
  • time
  • type_name
  • type_uid
  • user.name
  • user.uid

AWS CloudTrail: Authentication

OCSF Category: Identity & Access Management

OCSF Class: Authentication

OCSF Fields

  • activity_id
  • activity_name
  • actor.idp.name
  • actor.idp.uid
  • actor.session.created_time
  • actor.session.is_mfa
  • actor.session.issuer
  • actor.user.account.uid
  • actor.user.credential_uid
  • actor.user.name
  • actor.user.type
  • actor.user.uid
  • api.operation
  • api.request.uid
  • api.response.error
  • api.response.error_message
  • api.service.name
  • api.version
  • category_name
  • category_uid
  • class_name
  • class_uid
  • cloud.account.uid
  • cloud.provider
  • cloud.region
  • dst_endpoint.svc_name
  • http_request.user_agent
  • metadata.event_code
  • metadata.product.feature.name
  • metadata.product.name
  • metadata.product.version
  • metadata.uid
  • metadata.version
  • session.credential_uid
  • session.uid
  • severity
  • severity_id
  • src_endpoint.ip
  • src_endpoint.uid
  • status
  • status_id
  • time
  • type_name
  • type_uid
  • user.name
  • user.uid

Further Reading