From dfdb5b9550794f0df4bf6015d901226671586be5 Mon Sep 17 00:00:00 2001
From: Tiago Faria
Date: Wed, 29 Apr 2020 23:59:26 +0100
Subject: [PATCH] better description and event.outcome

---
 tools/config/ecs-cloudtrail.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/config/ecs-cloudtrail.yml b/tools/config/ecs-cloudtrail.yml
index cde889b20..a3ea6851b 100644
--- a/tools/config/ecs-cloudtrail.yml
+++ b/tools/config/ecs-cloudtrail.yml
@@ -1,4 +1,4 @@
-title: Elastic Common Schema mapping for cloudtrail logs
+title: Elastic Common Schema and Elastic Exported Fields mapping for AWS CloudTrail logs
 order: 20
 backends:
 - es-qs
@@ -43,7 +43,7 @@ fieldmappings:
 userIdentity.userName: user.name
 vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
 overrides:
- - field: event_outcome
+ - field: event.outcome
 value: failure
 regexes:
 - (\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\))
@@ -53,4 +53,4 @@ overrides:
 - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\))
 - (\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\))
 - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\))
- - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))
\ No newline at end of file
+ - (\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\))
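Review bot: The `overrides` stanza in the second hunk carries no comment explaining what it does, and the renamed target `event.outcome` only makes sense to a reader who already knows that the regexes are matched against the generated backend query rather than against raw CloudTrail events; a one-line comment above `overrides:` such as `# Force ECS event.outcome to "failure" when the generated query matches one of the regexes below` would spare the next maintainer a trip to the tool's docs. The rename from `event_outcome` to `event.outcome` is the substantive fix here, since it brings the override in line with the dotted ECS names used in `fieldmappings` (for example `user.name`) and an underscore name would have written a field that no ECS-based detection queries. It is also worth noting in that comment that `failure` is one of the ECS-defined `event.outcome` values (alongside `success` and `unknown`), so rules matching on `event.outcome:failure` stay schema-consistent. The `regexes` list begins in this hunk but continues into the next one.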