# Supported Log Types [Back To README](../README.md) | [READMEに戻る](../README_ja.md) | | securitylake | ocsf-json | vpcflowlogs | cloudtrail | networkfirewall | guardduty | inspector | securityhub | nlb | alb | clb | s3accesslog | config-history | config-snapshot | config-rules | cloudfront-realtime | cloudfront-standard | waf | route53resolver | clientvpn | rds-postgresql | rds-mysql-audit | rds-mysql-general | rds-mysql-error | rds-mysql-slowquery | elasticache-redis-slowlog | msk | cloudhsm | opensearch-audit | workspaces-event | workspaces-inventory | trustedadvisor | directory-service | fsx-win | windows-event | linux-secure | linux-os-syslog | index-metrics | |----------------------------|-----------------------------------------------------------------------------|-----------------------------------------------------------------------------|-----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|------------------------------------|--------------------------|-----------------------|----------------|-----------------|----------------|---------------------|---------------------|-------------------------|---------------------|-------------------------|----------------------------|------------------------------|-------------------|-------------------------------------------|---------------------|---------------------------|----------------|------------------|------------------------------------------------------------------------|------------------------|------------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------|---------------------------------------------
------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|------------------|-----------------|--------------------------| |index_name |SCRIPT() |SCRIPT() |”log-aws-vpcflowlogs” |”log-aws-cloudtrail” |”log-aws-networkfirewall” |”log-aws-guardduty” |”log-aws-inspector” |”log-aws-securityhub” |”log-aws-elb” |”log-aws-elb” |”log-aws-elb” |”log-aws-s3accesslog” |”log-aws-config”|”log-aws-config” |”log-aws-config”|”log-aws-cloudfront” |”log-aws-cloudfront” |”log-aws-waf” |”log-aws-r53resolver”|”log-aws-clientvpn” |”log-aws-rds-postgresql” |”log-aws-rds-mysql” |”log-aws-rds-mysql”|”log-aws-rds-mysql” |”log-aws-rds-mysql” |”log-aws-elasticache” |”log-aws-msk” |”log-aws-cloudhsm”|”log-aws-opensearch” |”log-aws-workspaces” |”log-aws-workspaces” |”log-aws-trustedadvisor” |”log-aws-directory-service” |”log-aws-fsx-win” |”log-win-event” |”log-linux-secure”|”log-linux-os” |”metrics-opensearch-index”| |@log_type |”securitylake” |”ocsf-json” |”vpcflowlogs” |”cloudtrail” |”networkfirewall” |”guardduty” |”inspector” |”securityhub” |”nlb” |”alb” |”clb” |”s3accesslog” |”config-history”|”config-snapshot”|”config-rules” |”cloudfront-realtime”|”cloudfront-standard”|”waf” |”route53resolver” |”clientvpn” |”rds-postgresql” |”rds-mysql-audit” |”rds-mysql-general”|”rds-mysql-error” |”rds-mysql-slowquery”|”elasticache-redis-slowlog”|”msk” |”cloudhsm” |”opensearch-audit” |”workspaces-event” |”workspaces-inventory” |”trustedadvisor” |”directory-service” |”fsx-win” |”windows-event” |”linux-secure” |”linux-os-syslog”|”index-metrics” | |event.module |”securitylake” |”ocsf-json” |”vpcflowlogs” |”eventSource” |”event.event_type” |”guardduty” |”inspector” |SCRIPT() |”nlb” |”alb” |”clb” |”s3accesslog” |”config-history”|”config-snapshot”|”config-rules” |”cloudfront-realtime”|”cloudfront-standard”|”waf” |”route53resolver” |”clientvpn” |”rds-postgresql” |”audit” |”general” |”error” |”slowquery” 
|”redis-slowlog” |”msk” |”cloudhsm” |”opensearch-audit” |”workspaces-event” |”workspaces-inventory” |”trustedadvisor” |”Event.System.Channel” |”Event.System.Channel” |”Event.System.Channel” |”linux-secure” |”linux-os-syslog”|”index-metrics” | |event.kind | | |”event” |”event” |SCRIPT() |”alert” | |”alert” |”event” |”event” |”event” |”event” |”state” |”state” |”alert” |”event” |”event” |”alert” |”event” |”event” | | | | | | | | |”event” |”event” |”state” |SCRIPT() |”event” |”event” |”event” |”event” |”event” | | |event.category | | |”network” |”iam” |”network” |SCRIPT() | |SCRIPT() |”network” |”web” |”web” |”web” |”configuration” |”configuration” |”configuration” |”web” |”web” |”web” |”network” |”network” |SCRIPT() |”database” |”database” |”database” |”database” |”database” | | |SCRIPT() |”[authentication, host]”|”[host]” |SCRIPT() | | | |SCRIPT() |SCRIPT() | | |event.type | | | | | | | | | | | | |”info” |”info” |”change” | | | | | | | | | | | | | |”[info]” |”[info]” |”[info]” |”info” | | | | | | | |@id | | | | | | | | | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | | | | | | | | | | | | | | | | | | | | | | |cloud.account.id |${cloud.account_uid cloud.account.uid} |${cloud.account_uid cloud.account.uid} |${account_id} |${recipientAccountId} |[FromS3Key] |[FromS3Key] |[FromS3Key] |${AwsAccountId} |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |${awsAccountId} |${awsAccountId} |${awsAccountId} |[FromS3Key] |[FromS3Key] |SCRIPT() |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] | |cloud.availability_zone | | | | |${availability_zone} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |cloud.instance.id |${device.instance_uid dst_endpoint.instance_uid src_endpoint.instance_uid} |${device.instance_uid dst_endpoint.instance_uid 
src_endpoint.instance_uid} |${instance_id} |${requestParameters.instanceId responseElements.instancesSet.items.0.instanceId requestParameters.instancesSet.items.0.instanceId requestParameters.DescribeInstanceCreditSpecificationsRequest.InstanceId.content requestParameters.AssociateIamInstanceProfileRequest.InstanceId}| |${resource.instanceDetails.instanceId} |${resources.0.id} |SCRIPT() | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | |${instance} | | | | | | | | |SCRIPT() | | | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | |cloud.region |[FromS3Key] |[FromS3Key] |${region} |${awsRegion} |[FromS3Key] |[FromS3Key] |[FromS3Key] |${Resources.0.Region} |[FromS3Key] |[FromS3Key] |[FromS3Key] |SCRIPT() |${awsRegion} |${awsRegion} |${awsRegion} |”global” |”global” |SCRIPT() |${region} |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |${result.flaggedResource.region}|[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] |[FromS3Key] | |destination |GEOIP() |GEOIP() |GEOIP() | |GEOIP() |GEOIP() | |GEOIP() |GEOIP() |GEOIP() |GEOIP() | | | | | | | | | | | | | | | | | | | | | |GEOIP() |GEOIP() |GEOIP() | | | | |destination.address |${dst_endpoint.ip dst_endpoint.domain} |${dst_endpoint.ip dst_endpoint.domain} |${dstaddr} |SCRIPT() | |SCRIPT() | |${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4} |${destination_ip} |${target_ip} |${backend_ip} |${EndPoint} | | | | | | | | | | | | | | | | | | | | | | | | | | | |destination.domain | | | | | | | | | | | |${EndPoint} | | | | | | | | | | | | | | | | | | | | | | | | | | | |destination.ip |${dst_endpoint.ip} |${dst_endpoint.ip} |${dstaddr} |SCRIPT() |${event.dest_ip} |SCRIPT() | |${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress 
ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4} |${destination_ip} |${target_ip} |${backend_ip} | | | | | | | | | | | | | | | | | | | | | |${Event.EventData.Data.DestAddress} |${Event.EventData.Data.DestAddress} |${Event.EventData.Data.DestAddress} | | | | |destination.nat.ip | | | |SCRIPT() | |SCRIPT() | |${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |destination.port |${dst_endpoint.port} |${dst_endpoint.port} |${dstport} | |${event.dest_port} |SCRIPT() | |${ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails/localPortDetails.0_/port ProductFields.aws/guardduty/service/action/networkConnectionAction/localPortDetails/port} |${destination_port} |${target_port} |${backend_port} | | | | | | | | | | | | | | | | | | | | | |${Event.EventData.Data.DestPort} |${Event.EventData.Data.DestPort} |${Event.EventData.Data.DestPort} | | | | |dns.answers.class | | | | | | | | | | | | | | | | | | |${answers.0.Class} | | | | | | | | | | | | | | | | | | | | |dns.answers.data | | | | | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | | |dns.answers.type | | | | | | | | | | | | | | | | | | |${answers.0.Type} | | | | | | | | | | | | | | | | | | | | |dns.question.class | | | | | | | | | | | | | | | | | | |${query_class} | | | | | | | | | | | | | | | | | | | | |dns.question.name | | | | | |${service.action.dnsRequestAction.domain} | |${ProductFields.aws/guardduty/service/action/dnsRequestAction/domain} | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | | |dns.question.type | | | | | | | | | | | | | | | | | | |${query_type} | | | | | | | | | | | | | | | | | | | | |dns.response_code | | | | | | | | | | | | | | | | | | |${rcode} | | | | | | | | | | | | | | | | | | | | |error.code | | | |${errorCode} | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${Event.System.Status} 
|${Event.System.Status} |${Event.System.Status} | | | | |error.message | | | |${errorMessage} | | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | |event.action | | |SCRIPT() |${eventName} |${event.alert.action} | | | | | | | | | | | | |${action} | | |SCRIPT() | | | | | | | | | | | |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() | | |event.code | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${Event.System.EventID} |${Event.System.EventID} |${Event.System.EventID} | | | | |event.outcome | | |SCRIPT() |SCRIPT() | | | | | | | | | | | | | | | |SCRIPT() |SCRIPT() | | | | | | | |SCRIPT() |”success” | | |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() | | |event.risk_score_norm | | | | | | | |${Severity.Normalized} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |event.severity | | | | |${event.alert.severity} |${severity} | |${Severity.Product} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |host.hostname | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${ComputerName} | | | | |${hostname} |${hostname} | | |host.id | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${workspaceId} |${WorkspaceId} | | | | | | | | |host.ip | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${IpAddress} | | | | | | | | |host.name | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${ComputerName} | |${Event.System.Computer} |${Event.System.Computer} |${Event.System.Computer} | | | | |http.request.bytes | | | | | | | | |${received_bytes} |${received_bytes} |${received_bytes} | | | | |${cs_bytes} |${cs_bytes} | | | | | | | | | | | | | | | | | | | | | | |http.request.method | | | | |${event.http.http_method} | | | | |${http_method} |${http_method} |${RequestURI_operation}| | | |${cs_method} |${cs_method} |${httpRequest.httpMethod}| | | | | | | | | | | | | | | | | | | | | |http.request.referrer | | | | | | | | | | | |${Referrer} | | | |${cs_referer} |${cs_referer} |SCRIPT() | | | | | 
| | | | | | | | | | | | | | | | |http.response.bytes | | | | | | | | |${sent_bytes} |${sent_bytes} |${sent_bytes} |${BytesSent} | | | |${sc_bytes} |${sc_bytes} | | | | | | | | | | | | | | | | | | | | | | |http.response.status_code | | | | | | | | | |${elb_status_code} |${elb_status_code} |${HTTPstatus} | | | |${sc_status} |${sc_status} | | | | | | | | | | | | | | | | | | | | | | |http.version | | | | | | | | | |${http_version} |${http_version} | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | | | | | | | | | | | | | | | | | | | |log.level | | | | | | | | | | | | | | | | | | | | |${postgresql_log_level} | | |${mysql_log_level} | | |${msk_log_level}| | | | | | | | | | | | |msk | | | | | | | | | | | | | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | |network.bytes | | |${bytes} | |${event.netflow.bytes} | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | |network.direction | | |${flow_direction} | | |SCRIPT() | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |network.iana_number | | |${protocol} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |network.packets | | |${packets} | |${event.netflow.pkts} | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | |network.protocol | | | | |${event.app_proto} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |network.transport | | |SCRIPT() | |SCRIPT() | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |network.type | | |${type} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |process.name | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${proc} |${proc} | | |process.pid | | | | | | | | | | | | | | | | | | | | |${postgresql_pid} | | | | | | | | | | | | | | |${pid} |${pid} | | |rds.cluster_identifier | | | | | | | | | | | | | | | | | | | | |SCRIPT() | | | |SCRIPT() | | | | | | | | | | | | | | |rds.database_name | | | | | | | | | | | | | | | | | | | | 
|${postgresql_database} |${mysql_database} | | | | | | | | | | | | | | | | | |rds.instance_identifier | | | | | | | | | | | | | | | | | | | | |SCRIPT() | | | |SCRIPT() | | | | | | | | | | | | | | |rds.message | | | | | | | | | | | | | | | | | | | | |${postgresql_message} | | |${mysql_message mysql_server_audit_message}| | | | | | | | | | | | | | | |rds.query | | | | | | | | | | | | | | | | | | | | |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() |SCRIPT() | | | | | | | | | | | | | | |rds.query_time | | | | | | | | | | | | | | | | | | | | |SCRIPT() | | | |${mysql_query_time} | | | | | | | | | | | | | | |related.host |${[device.instance_uid dst_endpoint.instance_uid, src_endpoint.instance_uid]}|${[device.instance_uid dst_endpoint.instance_uid, src_endpoint.instance_uid]}| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |related.hosts | | | | | | |${[resources.0.id]} | | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | | | | | | | | | | | |${[audit_rest_request_headers.Host]} |${[workspaceId]} |${[ComputerName, WorkspaceId]}| | | | |SCRIPT() |SCRIPT() | | |related.ip |${[dst_endpoint.ip, src_endpoint.ip]} |${[dst_endpoint.ip, src_endpoint.ip]} |${[srcaddr, dstaddr, pkt_srcaddr, pkt_dstaddr]}|${[sourceIPAddress]} |${[event.dest_ip, event.src_ip]} |${[resource.instanceDetails.networkInterfaces.0.privateIpAddress, service.action.networkConnectionAction.localIpDetails.ipAddressV4, resource.instanceDetails.networkInterfaces.0.publicIp, service.action.awsApiCallAction.remoteIpDetails.ipAddressV4, service.action.networkConnectionAction.remoteIpDetails.ipAddressV4, service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4, service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4, service.action.awsApiCallAction.remoteIpDetails.ipAddressV6, service.action.networkConnectionAction.remoteIpDetails.ipAddressV6, service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV6, 
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6, service.action.kubernetesApiCallAction.sourceIPs]}|${resources.0.details.awsEc2Instance.ipV4Addresses} |${[ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress, ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4, ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp, ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV6, ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV6, ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV6, ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/ipAddressV6]}|${[client_ip, destination_ip]}|${[target_ip, client_ip, http_host]}|${[backend_ip, client_ip]}|${[RemoteIP]} |SCRIPT() |SCRIPT() |SCRIPT() |${[c_ip]} |${[c_ip]} |${[httpRequest.clientIp]}|${[srcaddr]} |${[device-ip, client-ip]}|${postgresql_source_address}|${[mysql_host]} | | |${[mysql_source_ip]} |SCRIPT() | | |${[audit_request_remote_address, audit_rest_request_headers.Host]} |${[clientIpAddress]} |${[IpAddress]} | |${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}|${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}|${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}|SCRIPT() |SCRIPT() | | 
|related.user | | | | | |${[resource.accessKeyDetails.userName]} | | | | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | | |${username} | |${[mysql_username, rds.query]}| | |${[mysql_username]} | | | |${[audit_request_effective_user, audit_request_initiating_user]} | |${[UserName]} | |${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} |${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} |${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]} |SCRIPT() |SCRIPT() | | |rule.category | | | | | | |”vulnerability” | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |rule.description | | | | | |${description} | |${Description} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |rule.id | | | | |${event.alert.signature_id} |${type} | |${Types} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |rule.name | | | |${eventName} |${event.alert.signature} |${title} |${title} |${Title} | | | | | | | | | |${terminatingRuleId} | | | | | | | | | | |${audit_transport_request_type audit_rest_request_method audit_category}| | |${check.name} | | | | | | | |rule.ruleset | | | | | | | | | | | | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | | | |rule.version | | | | |${event.alert.rev} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |service.node.name | | | | |${firewall_name} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |source |GEOIP() |GEOIP() |GEOIP() |GEOIP() |GEOIP() |GEOIP() | |GEOIP() |GEOIP() |GEOIP() |GEOIP() |GEOIP() | | | |GEOIP() |GEOIP() |GEOIP() | |GEOIP() | | | | | | | | |GEOIP() |GEOIP() | | |GEOIP() |GEOIP() |GEOIP() |GEOIP() |GEOIP() | | |source.address |${src_endpoint.ip src_endpoint.domain} |${src_endpoint.ip src_endpoint.domain} |${srcaddr} |${sourceIPAddress} | |SCRIPT() | |${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 
ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4} |${client_ip} |${client_ip} |${client_ip} |${RemoteIP} | | | |${c_ip} |${c_ip} |${httpRequest.clientIp} |${srcaddr} | |${postgresql_source_address}|${mysql_host} | | | | | | | | | | | | | | | | | |source.bytes | | |${bytes} | |${event.netflow.bytes} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |source.ip |${src_endpoint.ip} |${src_endpoint.ip} |${srcaddr} |${sourceIPAddress} |${event.src_ip} |SCRIPT() | |${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4} |${client_ip} |${client_ip} |${client_ip} |${RemoteIP} | | | |${c_ip} |${c_ip} |${httpRequest.clientIp} |${srcaddr} |${device-ip} |${postgresql_source_address}|${mysql_host} | | |${mysql_source_ip} |SCRIPT() | | |${audit_request_remote_address} |${clientIpAddress} | | |${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} |${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} |${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress} |SCRIPT() |SCRIPT() | | |source.packets | | |${packets} | |${event.netflow.pkts} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |source.port |${src_endpoint.port} |${src_endpoint.port} |${srcport} | |${event.src_port} |SCRIPT() | |${ProductFields.aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port} |${client_port} |${client_port} |${client_port} | | | | |${c_port} |${c_port} | |${srcport} |${port} |${postgresql_source_port} | | | | |SCRIPT() | | | | | | |${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} 
|${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} |${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort} |SCRIPT() |SCRIPT() | | |url.domain | | | | |${event.http.hostname event.tls.sni}| | | |${domain_name} |${http_host} |${http_host} |${EndPoint} | | | |${cs_host} |${x_host_header} | | | | | | | | | | | | | | | | | | | | | | |url.full | | | | | | | | | |SCRIPT() |SCRIPT() | | | | |SCRIPT() |SCRIPT() | | | | | | | | | | | | | | | | | | | | | | |url.original | | | | | | | | | | | |${RequestURI_key} | | | | | | | | | | | | | | | | | | | | | | | | | | | |url.path | | | | | | | | | |${http_path} |${http_path} | | | | |SCRIPT() |${cs_uri_stem} |${httpRequest.uri} | | | | | | | | | | | | | | | | | | | | | |url.port | | | | | | | | |${destination_port} |${http_port} |${http_port} | | | | | | | | | | | | | | | | | | | | | | | | | | | | |url.query | | | | | | | | | |${http_query} |${http_query} | | | | |${cs_uri_query} |${cs_uri_query} |${httpRequest.args} | | | | | | | | | | | | | | | | | | | | | |url.scheme | | | | | | | | | |${http_protocol} |${http_protocol} | | | | |${cs_protocol} |${cs_protocol} | | | | | | | | | | | | | | | | | | | | | | |user.domain | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName} |${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName} |${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName} | | | | |user.id |${actor.user.credential_uid} |${actor.user.credential_uid} | |${userIdentity.accessKeyId} | |${resource.accessKeyDetails.accessKeyId} | |SCRIPT() | | | | | | | | | | | |${username} | | | | | | | |${user_id} | | |${UserName} | |${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} |${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} |${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid} |SCRIPT() |SCRIPT() | | 
|user.name |SCRIPT() |SCRIPT() | |SCRIPT() | |${resource.accessKeyDetails.userName} | |SCRIPT() | | | |SCRIPT() | | | | | | | |${username} |${postgresql_user} |${mysql_username rds.query} | | |${mysql_username} | | |SCRIPT() |${audit_request_effective_user, audit_request_initiating_user} | |${UserName} | |${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} |${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} |${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName} |SCRIPT() |SCRIPT() | | |user_agent.original |${http_request.user_agent} |${http_request.user_agent} | |${userAgent} |${event.http.http_user_agent} | | | | |${useragent} |${useragent} |${UserAgent} | | | |SCRIPT() |SCRIPT() |SCRIPT() | | | | | | | | | | |${audit_rest_request_headers.User-Agent} | | | | | | | | | | |vulnerability.category | | | | | | |${[type, resources.0.details.awsEc2Instance.platform, resources.0.details.awsEcrContainerImage.platform, resources.0.type]}| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.description | | | | | | |SCRIPT() | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.id | | | | | | |${packageVulnerabilityDetails.vulnerabilityId} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.reference | | | | | | |${packageVulnerabilityDetails.referenceUrls packageVulnerabilityDetails.sourceUrl} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.scanner.vendor| | | | | | |”inspector” | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.score.base | | | | | | |${inspectorScoreDetails.adjustedCvss.score} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.score.version | | | | | | |${inspectorScoreDetails.adjustedCvss.version} | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |vulnerability.severity | | | | | | |${severity} | | | | | | | | 
| | | | | | | | | | | | | | | | | | | | | | | |

[Back To README](../README.md) | [READMEに戻る](../README_ja.md)