Intelligence Entities
Intelligence uses information from CloudTrail and VPC Flow Logs (for AWS
Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.) and enriches it with more details, such as geolocation, malicious IP sources/destinations, etc.
The entities for these are described below.
Some common terms are defined here:
-
identity - Initiator of an action
-
event - The event or action captured in the log record(s)
-
issuer - The procedure by which the identity issued a token, for example, Access Key, Role, or the AWS Console
-
malicious info class - The class of malicious information, for example, 'Compromised Host', 'Anonymizer', 'Phishing'
-
request - The request, for example using an API, to do an action
-
user agent - The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI.
-
target - Target entity of an action
CloudTrail (Account Events)
Properties
| Property | Description | Type | Required |
|---|---|---|---|
|
event_error_message |
error message text |
STRING |
No |
|
event_id |
event id |
STRING |
No |
|
event_name |
event name |
STRING |
No |
|
event_status |
status for event (for example, 'success') |
STRING |
No |
|
event_time |
time the event occurred |
TIMESTAMP |
Yes |
|
event_type |
event type |
STRING |
No |
|
identity_account_id |
identity (initiator of the action) account id |
STRING |
No |
|
identity_assetid |
target asset id |
STRING |
No |
|
identity_id |
identity id |
STRING |
No |
|
identity_image |
identity image |
STRING |
No |
|
identity_name |
identity name |
STRING |
No |
|
identity_region |
cloud region for identity |
STRING |
No |
|
identity_tags |
tags for identity |
STRING |
No |
|
identity_type |
identity type |
STRING |
No |
|
identity_useragent |
identity user agent |
STRING |
No |
|
identity_vpc |
identity VPC |
STRING |
No |
|
issuer_id |
issuer id |
STRING |
No |
|
issuer_mfa |
MFA applied to issuer |
BOOLEAN |
No |
|
issuer_name |
name of issuer |
STRING |
No |
|
issuer_region |
cloud region for issuer |
STRING |
No |
|
issuer_sts_token |
AWS STS token for issuer |
STRING |
No |
|
issuer_token |
issuer access token |
STRING |
No |
|
issuer_type |
issuer (method used to gain access) type |
STRING |
No |
|
request_parameters |
additional parameters of the request, for the action |
STRING |
No |
|
src_address |
source IP address |
STRING |
No |
|
src_address_geolocation_countrycode |
source country code |
STRING |
No |
|
src_address_geolocation_countryname |
source country |
STRING |
No |
|
src_address_ip |
source IP address |
STRING |
No |
|
src_address_maliciousinfo_class |
source malicious information class |
STRING |
No |
|
src_address_maliciousinfo_malwarefamily |
source malicious information family |
STRING |
No |
|
src_address_maliciousinfo_owner |
source malicious information owner |
STRING |
No |
|
src_assetid |
source asset id |
STRING |
No |
|
src_image |
source image |
STRING |
No |
|
src_ismalicious |
source is malicious |
BOOLEAN |
No |
|
src_name |
source name |
STRING |
No |
|
src_region |
source cloud region |
STRING |
No |
|
src_type |
source type |
STRING |
No |
|
src_vpc |
source VPC |
STRING |
No |
|
target_account_id |
account id for target |
STRING |
No |
|
target_arn |
STRING |
No |
|
|
target_assetid |
target asset id |
STRING |
No |
|
target_id |
id for target |
STRING |
No |
|
target_image |
target image |
STRING |
No |
|
target_name |
target name |
STRING |
No |
|
target_region |
cloud region for target |
STRING |
No |
|
target_tags |
tags for target |
STRING |
No |
|
target_type |
target entity type |
STRING |
No |
|
target_vpc |
target VPC |
STRING |
No |
VPC Flow Logs (Traffic Events)
Properties
| Property | Description | Type | Required |
|---|---|---|---|
|
account |
account |
STRING |
No |
|
action |
action |
STRING |
No |
|
availabilityzone |
AWS availability zone |
STRING |
No |
|
bytes |
# of bytes |
INTEGER |
No |
|
direction |
direction of communication |
STRING |
No |
|
dst_address |
destination IP address |
STRING |
No |
|
dst_asset_assetid |
destination asset id |
STRING |
No |
|
dst_asset_availabilityzone |
AWS availability zone for destination |
STRING |
No |
|
dst_asset_description |
destination asset description |
STRING |
No |
|
dst_asset_groupbysgsid |
destination asset grouped by SG id |
STRING |
No |
|
dst_asset_image |
destination asset image |
STRING |
No |
|
dst_asset_ispublic |
destination asset is public |
BOOLEAN |
No |
|
dst_asset_name |
destination asset name |
STRING |
No |
|
dst_asset_nics_id |
destination asset NIC id |
STRING |
No |
|
dst_asset_nics_privateipaddress |
destination private IP address |
STRING |
No |
|
dst_asset_nics_publicdnsname |
destination public DNS name |
STRING |
No |
|
dst_asset_nics_publicipaddress |
public IP address of destination asset |
STRING |
No |
|
dst_asset_nics_sgs |
destination asset Security Groups |
STRING |
No |
|
dst_asset_nics_subnet_subnetid |
destination asset subnet id |
STRING |
No |
|
dst_asset_region |
destination asset region |
STRING |
No |
|
dst_asset_subtype |
destination asset subtype |
STRING |
No |
|
dst_asset_tags |
destination asset tags |
STRING |
No |
|
dst_asset_type |
destination asset type |
STRING |
No |
|
dst_asset_vpc |
destination asset VPC |
STRING |
No |
|
dst_geolocation_countrycode |
destination country code |
STRING |
No |
|
dst_geolocation_countryname |
destination country |
STRING |
No |
|
dst_ismalicious |
destination is malicious |
BOOLEAN |
No |
|
dst_maliciousinfo_class |
destination malicious information class |
STRING |
No |
|
dst_maliciousinfo_malwarefamily |
destination malicious information malware family |
STRING |
No |
|
dst_maliciousinfo_owner |
destination malicious information owner |
STRING |
No |
|
dst_port |
destination port |
INTEGER |
No |
|
eni |
elastic network interface |
STRING |
No |
|
event_date |
event date |
INTEGER |
No |
|
packets |
# packets |
INTEGER |
No |
|
protocol |
protocol |
INTEGER |
No |
|
region |
cloud region |
STRING |
No |
|
src_address |
source address |
STRING |
No |
|
src_asset_assetid |
source asset it |
STRING |
No |
|
src_asset_availabilityzone |
source asset cloud availability zone |
STRING |
No |
|
src_asset_description |
source asset description |
STRING |
No |
|
src_asset_image |
source asset image |
STRING |
No |
|
src_asset_ispublic |
source asset is public |
BOOLEAN |
No |
|
src_asset_name |
source asset name |
STRING |
No |
|
src_asset_nics_id |
source asset NIC id |
STRING |
No |
|
src_asset_nics_privateipaddress |
source asset private IP address |
STRING |
No |
|
src_asset_nics_publicdnsname |
source public DNS name |
STRING |
No |
|
src_asset_nics_publicipaddress |
source asset public IP address |
STRING |
No |
|
src_asset_nics_sgs |
source asset Security Groups |
STRING |
No |
|
src_asset_nics_subnet_subnetid |
source asset subnet id |
STRING |
No |
|
src_asset_region |
source asset region |
STRING |
No |
|
src_asset_subtype |
source asset subtype |
STRING |
No |
|
src_asset_tags |
source asset tags |
STRING |
No |
|
src_asset_type |
source asset type |
STRING |
No |
|
src_asset_vpc |
source asset VPC |
STRING |
No |
|
src_geolocation_countrycode |
source country code |
STRING |
No |
|
src_geolocation_countryname |
source country |
STRING |
No |
|
src_ismalicious |
source is malicious |
BOOLEAN |
No |
|
src_maliciousinfo_class |
source malicious information class |
STRING |
No |
|
src_maliciousinfo_malwarefamily |
source malicious information malware family |
STRING |
No |
|
src_maliciousinfo_owner |
source malicious information owner |
STRING |
No |
|
src_port |
source port |
INTEGER |
No |
|
starttime |
start time |
TIMESTAMP |
Yes |
|
status |
status |
STRING |
No |
|
stream_owner |
stream owner |
STRING |
No |
|
vpc |
the VPC for the CloudTrail |
STRING |
No |