better description and event.outcome

tools/config/ecs-cloudtrail.yml

@@ -1,4 +1,4 @@
-title: Elastic Common Schema mapping for cloudtrail logs
+title: Elastic Common Schema and Elastic Exported Fields mapping for AWS CloudTrail logs
 order: 20
 backends:
   - es-qs
@@ -43,7 +43,7 @@ fieldmappings:
   userIdentity.userName: user.name
   vpcEndpointId: aws.cloudtrail.vpc_endpoint_id 
 overrides:
-  - field: event_outcome
+  - field: event.outcome
     value: failure
     regexes: 
       - (\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\))
@@ -53,4 +53,4 @@ overrides:
       - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\))
       - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\))
       - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\))
-      - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))
+      - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))