Mappings: Recon_EC2_Portscan (Sumo Logic)
Input | Value |
---|---|
Vendor | AWS |
Product | GuardDuty-Sumo-Logic |
Log Format | JSON |
Event ID Regex Pattern | Recon:EC2/Portscan |
Output | Value |
---|---|
Vendor | Amazon AWS |
Product | GuardDuty |
Record Type | Endpoint |
Cloud SIEM Schema Field | Original Record Key | Notes |
---|---|---|
accountId | accountId | |
description | title | |
device_hostname | resource.instanceDetails.networkInterfaces.1.privateDnsName | |
device_ip | resource.instanceDetails.networkInterfaces.1.privateIpAddress | |
device_uniqueId | resource.instanceDetails.instanceId | |
normalizedSeverity | severity | |
severity | severity | |
threat_name | type | |
threat_ruleType | None | The static text direct is populated in this schema field. |
threat_signalName | description | |
timestamp | time | We expect the orginal record value of time is in the format yyyy-MM-dd'T'HH:mm:ss'Z' |