Mappings: Recon_IAMUser (Sumo Logic)
Input | Value |
---|---|
Vendor | AWS |
Product | GuardDuty-Sumo-Logic |
Log Format | JSON |
Event ID Regex Pattern | Recon:IAMUser/.* |
Output | Value |
---|---|
Vendor | Amazon AWS |
Product | GuardDuty |
Record Type | Audit |
Cloud SIEM Schema Field | Original Record Key | Notes |
---|---|---|
accountId | accountId | |
description | title | |
device_hostname | resource.instanceDetails.networkInterfaces.1.privateDnsName | |
device_ip | resource.instanceDetails.networkInterfaces.1.privateIpAddress | |
device_uniqueId | resource.instanceDetails.instanceId | |
normalizedSeverity | severity | |
severity | severity | |
threat_name | description | |
threat_ruleType | None | The static text direct is populated in this schema field. |
threat_signalName | description | |
timestamp | time | We expect the orginal record value of time is in the format yyyy-MM-dd'T'HH:mm:ss'Z' |
user_username | resource.accessKeyDetails.userName |