AWS CloudTrail Log Reference
Log Sample
Learn what a raw AWS CloudTrail event looks like before it’s processed in Logpoint:
{
  "requestParameters": null,
  "awsRegion": "us-east-1",
  "additionalEventData": {
    "MFAUsed": "No",
    "LoginTo": "https://console.aws.amazon.com/console/home",
    "MobileVersion": "No"
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36",
  "eventID": "798ebe60-4ea7-45e3-a0d1-d615eba6c455",
  "sourceIPAddress": "1.1.1.1",
  "eventVersion": "1.05",
  "eventSource": "signin.amazonaws.com",
  "eventType": "AwsConsoleSignIn",
  "recipientAccountId": "111111111111",
  "responseElements": {
    "ConsoleLogin": "Failure"
  },
  "userIdentity": {
    "type": "IAMUser",
    "accountId": "111111111111",
    "accessKeyId": "",
    "userName": "JOHN_DOE"
  },
  "eventTime": "2021-04-21 08:45:46.062452",
  "errorMessage": "No username found in supplied account",
  "eventName": "ConsoleLogin"
}
Field Mapping Reference
Learn how AWS CloudTrail fields map to Logpoint fields:
| AWS CloudTrail Field | Logpoint Field | Description |
| --- | --- | --- |
| requestParameters_bucketName | repo | |
| requestParameters_host | host | The host or endpoint specified in the request parameters. This indicates the destination system or resource the request targeted. |
| additionalEventData_MFAUsed | mfa_authenticated | Shows whether Multi-Factor Authentication (MFA) was used during the request. Helps identify if an action was secured with MFA. |
| responseElements_ConsoleLogin | status | Indicates the result of a console login attempt, such as Success or Failure. Useful for tracking authentication outcomes. |
| userIdentity_type | identity_type | The type of identity that initiated the action, such as IAMUser, AssumedRole, Root, or FederatedUser. This clarifies the context of who or what performed the operation. |
| userIdentity_userName | user | The username or identity that initiated the event. This identifies the AWS user, role, or service that performed the action. |
| sourceIPAddress | source_address | The IP address from which the request originated. Useful for identifying the source of the activity, such as an internal network, external client, or suspicious location. |
| eventName | event | The name of the API operation or action that was performed. Example: CreateUser, DeleteBucket, StartInstances. |
| eventSource | event_source | The AWS service where the event occurred. Example: ec2.amazonaws.com, iam.amazonaws.com. |
| eventTime | log_ts | The timestamp (in UTC) when the event occurred. |
| awsRegion | region | The AWS region in which the request was made. Example: us-east-1, ap-south-1. |
| recipientAccountId | receiver_id | The AWS account ID that received the request and on which the action was executed. |
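The mapping above applied to the log sample, as an added example (not Logpoint's normalizer code) that renames the mapped fields and flags a failed console login. It assumes nested CloudTrail keys are flattened with an underscore, as the field names in the table suggest, and passes values through unchanged; the function names are hypothetical.

```python
import json

# Mapping copied from the table above: flattened CloudTrail key -> Logpoint field.
FIELD_MAP = {
    "requestParameters_bucketName": "repo",
    "requestParameters_host": "host",
    "additionalEventData_MFAUsed": "mfa_authenticated",
    "responseElements_ConsoleLogin": "status",
    "userIdentity_type": "identity_type",
    "userIdentity_userName": "user",
    "sourceIPAddress": "source_address",
    "eventName": "event",
    "eventSource": "event_source",
    "eventTime": "log_ts",
    "awsRegion": "region",
    "recipientAccountId": "receiver_id",
}

def flatten(obj, prefix=""):
    """Join nested keys with "_" (assumed from names such as userIdentity_userName)."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        elif value is not None:  # requestParameters is null for sign-in events
            flat[name] = value
    return flat

def normalize(raw_event):
    """Return only the mapped fields, under their Logpoint names."""
    flat = flatten(json.loads(raw_event))
    return {FIELD_MAP[k]: v for k, v in flat.items() if k in FIELD_MAP}

def is_failed_console_login(fields):
    """Triage check: console sign-in that failed."""
    return fields.get("event") == "ConsoleLogin" and fields.get("status") == "Failure"

# Trimmed copy of the log sample on this page.
SAMPLE = """{"requestParameters": null, "awsRegion": "us-east-1",
 "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "1.1.1.1",
 "eventSource": "signin.amazonaws.com", "recipientAccountId": "111111111111",
 "responseElements": {"ConsoleLogin": "Failure"},
 "userIdentity": {"type": "IAMUser", "userName": "JOHN_DOE"},
 "eventTime": "2021-04-21 08:45:46.062452", "eventName": "ConsoleLogin"}"""

if __name__ == "__main__":
    fields = normalize(SAMPLE)
    print(json.dumps(fields, indent=2))
    print("failed console login:", is_failed_console_login(fields))
```

Fields with no entry in the table (for example userAgent or errorMessage) are dropped by this sketch, so keep the raw event alongside the normalized one when investigating.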
CloudTrail Labels
Learn how AWS CloudTrail events are given their own labels in Logpoint.
| AWS Service | AWS CloudTrail Event | Label |
| --- | --- | --- |
| Amazon EC2 | DescribeInstances | Describe Instances |
| Amazon EC2 | GetCallerIdentity | Get Caller Identity |
| Amazon EC2 | CreateKeyPair | Create Key Pair |
| Amazon EC2 | DescribeKeyPairs | Describe Key Pair |
| Amazon EC2 | CreateDefaultVpc | Create Default VPC |
| Identity and Access Management | CreateGroup | Create Group Management |
| Identity and Access Management | CreateUser | Create User Management |
| Identity and Access Management | DeleteGroup | Remove Group Management |
| Identity and Access Management | DeleteUser | Remove User Account Management |
| Identity and Access Management | UpdateGroup | Update Group Management |
| Identity and Access Management | UpdateUser | Update User Account Management |
| Identity and Access Management | AddUserToGroup | Add User Group Management |
| Identity and Access Management | RemoveUserFromGroup | Remove User Group Management |