Event.action field for cloudTrail logs not being assigned event name when pulling cloud-trail logs using aws module

kbirhan · January 20, 2021, 8:16am

Hi I was looking into my cloudtrail logs i am pulling from s3 bucket, and it seems aws module of filebeat seems to give a generic value ("mangement") for the event.action field. As shown in the image,all event.action field are not mapped to the actual name of the API call (eventName) from the orginal cloudtrail logs. since a lot of SIEM rules depend on event.action being mapped to the actual API call made, any thought or suggestion is appreciated!

my filebeat.yml file is as shown below , i am running filebeat in a docker container (version: 7.10.1)

    filebeat.modules:
        - module: aws
          cloudtrail:
            enabled: true
            var.queue_url: ${queue_url}
            var.access_key_id: ${ACCESS_KEY}
            var.secret_access_key: ${SECRET_ACCESS_KEY}
            expand_event_list_from_field: Records

system · February 17, 2021, 8:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat doesn't providing event fields (event.name,event.module...) doesnt Beats filebeat	1	293	April 13, 2020
Missing events when shipping Cloudtrail logs with Filebeat and the AWS module Beats beats-module , filebeat	9	1130	August 12, 2020
Filebeat:aws:cloudtrail Beats filebeat	1	409	February 12, 2021
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
Creating dynamic index name with Filebeat based on custom event field fails Beats filebeat	2	478	January 5, 2024

Event.action field for cloudTrail logs not being assigned event name when pulling cloud-trail logs using aws module

Related topics