-
Notifications
You must be signed in to change notification settings - Fork 202
/
amazon-ec2_decoders.xml
28 lines (22 loc) · 1.16 KB
/
amazon-ec2_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<!--
- Amazon EC2 decoder
- v1.0 2016/01/05
- Created by Wazuh, Inc. <ossec@wazuh.com>.
- jose@wazuh.com
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
-->
<!-- amazon-ec2
AmazonAWS-ec2:
"AmazonAWS":"eventVersion":"1.03", ... "eventSource":"ec2.amazonaws.com", ...
AmazonAWS-ec2-fields:
"AmazonAWS":"eventVersion":"1.03", ... "eventName":"RunInstances","userIdentity":"{u'principalId': u'581201294259', u'accessKeyId': u'ASIAJ4AJ2RPCBPBCWV3Q', u'sessionContext': {u'attributes': {u'creationDate': u'2015-11-26T15:07:04Z', u'mfaAuthenticated': u'false'}}, u'type': u'Root', u'arn': u'arn:aws:iam::581201294259:root', u'accountId': u'581201294259'}","eventSource":"ec2.amazonaws.com", ...
-->
<decoder name="AmazonAWS-ec2">
<prematch>^"AmazonAWS"\.+"eventSource":"ec2.amazonaws.com"|\.+"eventSource":"elasticloadbalancing.amazonaws.com"</prematch>
</decoder>
<decoder name="AmazonAWS-ec2-fields">
<parent>AmazonAWS-ec2</parent>
<regex>"eventName":"(\S+)"\.+"userIdentity":"{u'\.+': u'(\S+)'\.+'accessKeyId': u'(\S+)'</regex>
<order>action,user,id</order>
</decoder>
<!-- amazon-ec2 decoder END -->