ct.id | CHARBUF | the unique ID of the cloudtrail event (eventID in the json). |
ct.error | CHARBUF | The error code from the event. Will be “” (i.e. the NULL/empty/none value) if there was no error. |
ct.errormessage | CHARBUF | The description of an error. Will be “” (i.e. the NULL/empty/none value) if there was no error. |
ct.src | CHARBUF | the source of the cloudtrail event (eventSource in the json). |
ct.shortsrc | CHARBUF | the source of the cloudtrail event (eventSource in the json, without the ‘.amazonaws.com’ trailer). |
ct.name | CHARBUF | the name of the cloudtrail event (eventName in the json). |
ct.user | CHARBUF | the user of the cloudtrail event (userIdentity.userName in the json). |
ct.user.accountid | CHARBUF | the account id of the user of the cloudtrail event. |
ct.user.identitytype | CHARBUF | the kind of user identity (e.g. Root, IAMUser, AWSService, etc.). |
ct.user.principalid | CHARBUF | A unique identifier for the user that made the request. |
ct.user.arn | CHARBUF | the Amazon Resource Name (ARN) of the user that made the request. |
ct.region | CHARBUF | the region of the cloudtrail event (awsRegion in the json). |
ct.response.subnetid | CHARBUF | the subnet ID included in the response. |
ct.response.reservationid | CHARBUF | the reservation ID included in the response. |
ct.response | CHARBUF | All response elements. |
ct.request.availabilityzone | CHARBUF | the availability zone included in the request. |
ct.request.cluster | CHARBUF | the cluster included in the request. |
ct.request.functionname | CHARBUF | the function name included in the request. |
ct.request.groupname | CHARBUF | the group name included in the request. |
ct.request.host | CHARBUF | the host included in the request. |
ct.request.name | CHARBUF | the name of the entity being acted on in the request. |
ct.request.policy | CHARBUF | the policy included in the request. |
ct.request.serialnumber | CHARBUF | the serial number provided in the request. |
ct.request.servicename | CHARBUF | the service name provided in the request. |
ct.request.subnetid | CHARBUF | the subnet ID provided in the request. |
ct.request.taskdefinition | CHARBUF | the task definition provided in the request. |
ct.request.username | CHARBUF | the username provided in the request. |
ct.request | CHARBUF | All request parameters. |
ct.srcip | CHARBUF | the IP address generating the event (sourceIPAddress in the json). |
ct.useragent | CHARBUF | the user agent generating the event (userAgent in the json). |
ct.info | CHARBUF | summary information about the event. This varies depending on the event type and, for some events, it contains event-specific details. |
ct.managementevent | CHARBUF | ‘true’ if the event is a management event (AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, or AwsServiceEvent), ‘false’ otherwise. |
ct.readonly | CHARBUF | ‘true’ if the event only reads information (e.g. DescribeInstances), ‘false’ if the event modifies the state (e.g. RunInstances, CreateLoadBalancer…). |
ct.requestid | CHARBUF | The value that identifies the request. |
ct.eventtype | CHARBUF | Identifies the type of event that generated the event record. |
ct.apiversion | CHARBUF | The API version associated with the AwsApiCall eventType value. |
ct.resources | CHARBUF | A list of resources accessed in the event. |
ct.recipientaccountid | CHARBUF | The account ID that received this event. |
ct.serviceeventdetails | CHARBUF | Identifies the service event, including what triggered the event and the result. |
ct.sharedeventid | CHARBUF | GUID generated by CloudTrail to uniquely identify CloudTrail events. |
ct.vpcendpointid | CHARBUF | Identifies the VPC endpoint in which requests were made. |
ct.eventcategory | CHARBUF | Shows the event category that is used in LookupEvents calls. |
ct.addendum.reason | CHARBUF | The reason that the event or some of its contents were missing. |
ct.addendum.updatedfields | CHARBUF | The event record fields that are updated by the addendum. |
ct.addendum.originalrequestid | CHARBUF | The original unique ID of the request. |
ct.addendum.originaleventid | CHARBUF | The original event ID. |
ct.sessioncredentialfromconsole | CHARBUF | Shows whether or not an event originated from an AWS Management Console session. |
ct.edgedevicedetails | CHARBUF | Information about edge devices that are targets of a request. |
ct.tlsdetails.tlsversion | CHARBUF | The TLS version of a request. |
ct.tlsdetails.ciphersuite | CHARBUF | The cipher suite (combination of security algorithms used) of a request. |
ct.tlsdetails.clientprovidedhostheader | CHARBUF | The client-provided host name used in the service API call. |
ct.additionaleventdata | CHARBUF | All additional event data attributes. |
s3.uri | CHARBUF | the s3 URI (s3://&lt;bucket&gt;/&lt;key&gt;). |
s3.bucket | CHARBUF | the bucket name for s3 events. |
s3.key | CHARBUF | the S3 key name. |
s3.bytes | UINT64 | the size of an s3 download or upload, in bytes. |
ec2.name | CHARBUF | the name of the ec2 instance, typically stored in the instance tags. |
ec2.imageid | CHARBUF | the ID for the image used to run the ec2 instance in the response. |
ecr.repository | CHARBUF | the name of the ecr Repository specified in the request. |
ecr.imagetag | CHARBUF | the tag of the image specified in the request. |
ct.request.rolename | CHARBUF | the role provided in the request. |
ct.targetaccountid | CHARBUF | The account ID that is the target of this event. |
ct.db | CHARBUF | the database instance identifier included in the request. |
iam.role | CHARBUF | the IAM role name provided in the request. |
iam.policy | CHARBUF | the IAM policy name provided in the request. |