Mappings: Recon_IAMUser (Sumo Logic)
| Input | Value |
|---|---|
| Vendor | AWS |
| Product | GuardDuty-Sumo-Logic |
| Log Format | JSON |
| Event ID Regex Pattern | Recon:IAMUser/.* |
| Output | Value |
|---|---|
| Vendor | Amazon AWS |
| Product | GuardDuty |
| Record Type | Audit |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| accountId | accountId | |
| description | title | |
| device_hostname | resource.instanceDetails.networkInterfaces.1.privateDnsName | |
| device_ip | resource.instanceDetails.networkInterfaces.1.privateIpAddress | |
| device_uniqueId | resource.instanceDetails.instanceId | |
| normalizedSeverity | severity | |
| severity | severity | |
| threat_name | description | |
| threat_ruleType | None | The static text direct is populated in this schema field. |
| threat_signalName | description | |
| timestamp | time | We expect the orginal record value of time is in the format yyyy-MM-dd'T'HH:mm:ss'Z' |
| user_username | resource.accessKeyDetails.userName |