event.action field for CloudTrail logs not being assigned the event name when pulling CloudTrail logs using the AWS module

Hi, I was looking into my CloudTrail logs that I am pulling from an S3 bucket, and it seems the AWS module of Filebeat gives a generic value ("management") for the event.action field. As shown in the image, all event.action fields are not mapped to the actual name of the API call (eventName) from the original CloudTrail logs. Since a lot of SIEM rules depend on event.action being mapped to the actual API call made, any thought or suggestion is appreciated!


My filebeat.yml file is as shown below; I am running Filebeat in a Docker container (version: 7.10.1).

    filebeat.modules:
        - module: aws
          cloudtrail:
            enabled: true
            var.queue_url: ${queue_url}
            var.access_key_id: ${ACCESS_KEY}
            var.secret_access_key: ${SECRET_ACCESS_KEY}
            expand_event_list_from_field: Records
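
As an added example (not from the post and not the Filebeat aws module's own code), this is the mapping the post expects, written in Python: the Records array of a CloudTrail object is split per record the way expand_event_list_from_field: Records does, eventName becomes event.action, and a check flags any event whose event.action is a category value such as "management" instead of an API name. The sample object body and the ECS field selection are constructed assumptions.

```python
import json

# Constructed sample of an S3 object body as CloudTrail writes it (not from the
# original post). The "Records" array is what expand_event_list_from_field splits.
SAMPLE_CLOUDTRAIL_OBJECT = json.dumps({"Records": [
    {"eventTime": "2021-01-15T10:22:31Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2021-01-15T10:23:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Category values CloudTrail uses for eventCategory; a rule keyed on
# event.action must never see one of these instead of the API call name.
GENERIC_ACTIONS = {"management", "data", "insight"}


def cloudtrail_to_ecs(record: dict) -> dict:
    """Map one CloudTrail record to the ECS fields a SIEM rule keys on.

    event.action is taken from eventName (the API call), which is the
    mapping the post expects; errorCode decides event.outcome.
    """
    return {
        "@timestamp": record["eventTime"],
        "event.action": record["eventName"],
        "event.provider": record["eventSource"],
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "cloud.region": record["awsRegion"],
        "source.ip": record["sourceIPAddress"],
        "user.name": record.get("userIdentity", {}).get("userName"),
    }


def expand_records(body: str) -> list:
    """Split an object body on its Records array, as Filebeat does with
    expand_event_list_from_field: Records, and map each record to ECS."""
    return [cloudtrail_to_ecs(r) for r in json.loads(body)["Records"]]


def generic_actions(events: list) -> list:
    """Return the event.action values that are a category (e.g. "management")
    rather than an API name; a non-empty result means the mapping is broken."""
    return [e["event.action"] for e in events
            if (e.get("event.action") or "").lower() in GENERIC_ACTIONS]
```

Running `generic_actions` over a sample of indexed events is a quick way to confirm whether the shipped documents carry the API name or only the category.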
