title: Elastic Common Schema And Elastic Exported Fields Mapping For AWS CloudTrail Logs
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
fieldmappings:
  additionalEventdata: aws.cloudtrail.additional_eventdata
  apiVersion: aws.cloudtrail.api_version
  awsRegion: cloud.region
  errorCode: aws.cloudtrail.error_code
  errorMessage: aws.cloudtrail.error_message
  eventID: event.id
  eventName: event.action
  eventSource: event.provider
  eventTime: '@timestamp'
  eventType: aws.cloudtrail.event_type
  eventVersion: aws.cloudtrail.event_version
  managementEvent: aws.cloudtrail.management_event
  readOnly: aws.cloudtrail.read_only
  requestID: aws.cloudtrail.request_id
  requestParameters: aws.cloudtrail.request_parameters
  resources.accountId: aws.cloudtrail.resources.account_id
  resources.ARN: aws.cloudtrail.resources.arn
  resources.type: aws.cloudtrail.resources.type
  responseElements: aws.cloudtrail.response_elements
  serviceEventDetails: aws.cloudtrail.service_event_details
  sharedEventId: aws.cloudtrail.shared_event_id
  sourceIPAddress: source.address
  userAgent: user_agent
  userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
  userIdentity.accountId: cloud.account.id
  userIdentity.arn: aws.cloudtrail.user_identity.arn
  userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
  userIdentity.principalId: user.id
  userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
  userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
  userIdentity.sessionContext.sessionIssuer.userName: role.name
  userIdentity.type: aws.cloudtrail.user_identity.type
  userIdentity.userName: user.name
  vpcEndpointId: aws.cloudtrail.vpc_endpoint_id 
overrides:
  - field: event.outcome
    value: failure
    regexes: 
      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))
  - field: event.outcome
    value: success
    literals:
      - 'NOT (event.outcome:failure)'