security_content/data_sources/aws_cloudtrail_createsnapshot.yml at develop · tapishj-splunk/security_content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: AWS CloudTrail CreateSnapshot
id: 514135a2-f4b2-4d32-8f31-d87824887f9f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail CreateSnapshot
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.9.0
fields:
- _time
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.tagSpecificationSet.items{}.resourceType
- requestParameters.tagSpecificationSet.items{}.tags{}.key
- requestParameters.tagSpecificationSet.items{}.tags{}.value
- requestParameters.volumeId
- responseElements.encrypted
- responseElements.ownerId
- responseElements.requestId
- responseElements.snapshotId
- responseElements.startTime
- responseElements.status
- responseElements.tagSet.items{}.key
- responseElements.tagSet.items{}.value
- responseElements.volumeId
- responseElements.volumeSize
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- tag
- tag::eventtype
- timeendpos
- timestartpos
- tlsDetails.cipherSuite
- tlsDetails.clientProvidedHostHeader
- tlsDetails.tlsVersion
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.type
- userIdentity.userName
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
  "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
  "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
  "bhavin_console"}, "eventTime": "2023-03-20T22:31:18Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateSnapshot", "awsRegion": "us-west-2", "sourceIPAddress": "72.135.1.1",
  "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io)
  terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws)
  aws-sdk-go/1.44.157 (go1.19.3; darwin; amd64) stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d
  HashiCorp-terraform-exec/0.17.3", "requestParameters": {"volumeId": "vol-0363e53e12f67c9b7",
  "tagSpecificationSet": {"items": [{"resourceType": "snapshot", "tags": [{"key":
  "StratusRedTeam", "value": "true"}]}]}}, "responseElements": {"requestId": "fefed928-d461-45f0-802f-a99d94c833a8",
  "snapshotId": "snap-02effb3bb62786b18", "volumeId": "vol-0363e53e12f67c9b7", "status":
  "pending", "startTime": 1679351478226, "ownerId": "111111111111", "volumeSize":
  "1", "encrypted": false, "tagSet": {"items": [{"key": "StratusRedTeam", "value":
  "true"}]}}, "requestID": "fefed928-d461-45f0-802f-a99d94c833a8", "eventID": "2d52d141-d1e6-4d1f-a380-1461c1bf9f83",
  "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
  "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
  "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'