<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">additionalEventData.LoginTo</span>
<span class="pill kill-chain">additionalEventData.MFAUsed</span>
<span class="pill kill-chain">additionalEventData.MobileVersion</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authentication_method</span>
<span class="pill kill-chain">awsRegion</span>
<span class="pill kill-chain">aws_account_id</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">desc</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">errorCode</span>
<span class="pill kill-chain">errorMessage</span>
<span class="pill kill-chain">eventCategory</span>
<span class="pill kill-chain">eventID</span>
<span class="pill kill-chain">eventName</span>
<span class="pill kill-chain">eventSource</span>
<span class="pill kill-chain">eventTime</span>
<span class="pill kill-chain">eventType</span>
<span class="pill kill-chain">eventVersion</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">managementEvent</span>
<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">readOnly</span>
<span class="pill kill-chain">reason</span>
<span class="pill kill-chain">recipientAccountId</span>
<span class="pill kill-chain">region</span>
<span class="pill kill-chain">requestParameters</span>
<span class="pill kill-chain">responseElements.ConsoleLogin</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourceIPAddress</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">start_time</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">tlsDetails.cipherSuite</span>
<span class="pill kill-chain">tlsDetails.clientProvidedHostHeader</span>
<span class="pill kill-chain">tlsDetails.tlsVersion</span>
<span class="pill kill-chain">userAgent</span>
<span class="pill kill-chain">userIdentity.accessKeyId</span>
<span class="pill kill-chain">userIdentity.accountId</span>
<span class="pill kill-chain">userIdentity.type</span>
<span class="pill kill-chain">userIdentity.userName</span>
<span class="pill kill-chain">user_access_key</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_group_id</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">vendor_region</span>
</div>
Data Source: AWS CloudTrail ConsoleLogin
Description
Data source object for AWS CloudTrail ConsoleLogin
Details
Property | Value |
---|---|
Source | aws_cloudtrail |
Sourcetype | aws:cloudtrail |
Separator | eventName |
Supported Apps
- Splunk Add-on for AWS (version 7.7.1)
Event Fields
Example Log
1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId": "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"}, "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent": "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters": null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo": "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID": "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com"}}
Source: GitHub | Version: 1