Overview ¶
Package awslogs defines parsers and log types for AWS logs.
Index ¶
- Constants
- func ScanARN(w pantherlog.ValueWriter, input string)
- func ScanAccountID(w pantherlog.ValueWriter, input string)
- func ScanInstanceID(w pantherlog.ValueWriter, input string)
- func ScanTag(w pantherlog.ValueWriter, input string)
- type ALB
- type ALBParser
- type AWSExtractor
- type AWSPantherLog
- func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
- type AuroraMySQLAudit
- type AuroraMySQLAuditParser
- type CloudTrail
- type CloudTrailDigest
- type CloudTrailDigestLogFile
- type CloudTrailDigestParser
- type CloudTrailInsight
- type CloudTrailInsightParser
- type CloudTrailInsightRecords
- type CloudTrailParser
- type CloudTrailResources
- type CloudTrailSessionContext
- type CloudTrailSessionContextAttributes
- type CloudTrailSessionContextSessionIssuer
- type CloudTrailSessionContextWebIDFederationData
- type CloudTrailUserIdentity
- type CloudWatchEvent
- type CloudWatchEventParser
- type GuardDuty
- type GuardDutyParser
- type GuardDutyService
- type InsightAverage
- type InsightContext
- type InsightDetails
- type InsightStatistics
- type S3ServerAccess
- type S3ServerAccessParser
- type VPCFlow
- type VPCFlowParser
Constants ¶
// Log type identifiers for the AWS log formats handled by this package.
const (
	TypeALB               = "AWS.ALB"
	TypeAuroraMySQLAudit  = `AWS.AuroraMySQLAudit`
	TypeCloudTrail        = `AWS.CloudTrail`
	TypeCloudTrailDigest  = "AWS.CloudTrailDigest"
	TypeCloudTrailInsight = "AWS.CloudTrailInsight"
	TypeCloudWatchEvents  = "AWS.CloudWatchEvents"
	TypeGuardDuty         = "AWS.GuardDuty"
	TypeS3ServerAccess    = "AWS.S3ServerAccess"
	TypeVPCFlow           = "AWS.VPCFlow"
)

// SizeAccountID is the number of digits in an AWS account ID.
const SizeAccountID = 12
Variables ¶
This section is empty.
Functions ¶
func ScanARN ¶ added in v1.8.0
func ScanARN(w pantherlog.ValueWriter, input string)
func ScanAccountID ¶ added in v1.8.0
func ScanAccountID(w pantherlog.ValueWriter, input string)
func ScanInstanceID ¶ added in v1.8.0
func ScanInstanceID(w pantherlog.ValueWriter, input string)
func ScanTag ¶ added in v1.8.0
func ScanTag(w pantherlog.ValueWriter, input string)
Types ¶
type ALB ¶
// ALB is a single record from an AWS Application Load Balancer log.
// Field descriptions live in the struct tags; the embedded AWSPantherLog
// carries the Panther-added enrichment fields.
type ALB struct {
	Type *string `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB *string `` /* 168-byte string literal not displayed */
	ClientIP *string `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort *int `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP *string `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort *int `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime *float64 `` /* 513-byte string literal not displayed */
	TargetProcessingTime *float64 `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64 `` /* 579-byte string literal not displayed */
	ELBStatusCode *int `` /* 127-byte string literal not displayed */
	TargetStatusCode *int `` /* 202-byte string literal not displayed */
	ReceivedBytes *int `` /* 257-byte string literal not displayed */
	SentBytes *int `` /* 232-byte string literal not displayed */
	RequestHTTPMethod *string `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL *string `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion *string `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent *string `` /* 243-byte string literal not displayed */
	SSLCipher *string `` /* 141-byte string literal not displayed */
	SSLProtocol *string `` /* 145-byte string literal not displayed */
	TargetGroupARN *string `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	TraceID *string `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName *string `` /* 280-byte string literal not displayed */
	ChosenCertARN *string `` /* 243-byte string literal not displayed */
	MatchedRulePriority *int `` /* 338-byte string literal not displayed */
	RequestCreationTime *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted []string `` /* 270-byte string literal not displayed */
	RedirectURL *string `` /* 181-byte string literal not displayed */
	ErrorReason *string `` /* 278-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type ALBParser ¶
// ALBParser parses AWS Application Load Balancer logs.
type ALBParser struct {
	// CSVReader is the streaming CSV reader used to read log lines.
	CSVReader *csvstream.StreamingCSVReader
}
ALBParser parses AWS Application Load Balancer logs
type AWSExtractor ¶ added in v0.2.0
// AWSExtractor extracts useful AWS features that can be detected generically
// (with context). It is constructed with NewAWSExtractor around an
// *AWSPantherLog and is fed JSON key/value pairs through Extract.
type AWSExtractor struct {
	// contains filtered or unexported fields
}
AWSExtractor extracts useful AWS features that can be detected generically (with context).
func NewAWSExtractor ¶ added in v0.2.0
func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor
func (*AWSExtractor) Extract ¶ added in v0.2.0
func (e *AWSExtractor) Extract(key, value gjson.Result)
type AWSPantherLog ¶ added in v0.2.0
// AWSPantherLog embeds parsers.PantherLog and adds the Panther-populated
// collections of AWS account IDs, instance IDs, ARNs and tags associated
// with a row. The AppendAnyAWS* methods fill these collections.
type AWSPantherLog struct {
	parsers.PantherLog
	PantherAnyAWSAccountIds *parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds *parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs *parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	PantherAnyAWSTags *parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}
nolint(lll)
func (*AWSPantherLog) AppendAnyAWSARNPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSARNs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSAccountIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSInstanceIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSTagPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSTags ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
NOTE: each value should be of the form <key>:<value>.
type AuroraMySQLAudit ¶
// AuroraMySQLAudit is a single record from an AWS Aurora MySQL audit log.
type AuroraMySQLAudit struct {
	Timestamp *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost *string `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username *string `json:"username,omitempty" description:"The connected user name of the user."`
	Host *string `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID *int `` /* 182-byte string literal not displayed */
	Operation *string `` /* 216-byte string literal not displayed */
	Database *string `json:"database,omitempty" description:"The active database, as set by the USE command."`
	Object *string `` /* 143-byte string literal not displayed */
	RetCode *int `json:"retCode,omitempty" description:"The return code of the logged operation."`
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type AuroraMySQLAuditParser ¶
// AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs.
type AuroraMySQLAuditParser struct {
	// CSVReader is the streaming CSV reader used to read log lines.
	CSVReader *csvstream.StreamingCSVReader
}
AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs
func (*AuroraMySQLAuditParser) LogType ¶
func (p *AuroraMySQLAuditParser) LogType() string
LogType returns the log type supported by this parser
func (*AuroraMySQLAuditParser) New ¶ added in v0.3.0
func (p *AuroraMySQLAuditParser) New() parsers.LogParser
func (*AuroraMySQLAuditParser) Parse ¶
func (p *AuroraMySQLAuditParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type CloudTrail ¶
// CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log.
// The *jsoniter.RawMessage fields are kept as raw JSON rather than decoded
// into a fixed schema.
type CloudTrail struct {
	AdditionalEventData *jsoniter.RawMessage `` /* 128-byte string literal not displayed */
	APIVersion *string `json:"apiVersion,omitempty" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion *string `json:"awsRegion,omitempty" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	ErrorCode *string `json:"errorCode,omitempty" description:"The AWS service error if the request returns an error."`
	ErrorMessage *string `` /* 246-byte string literal not displayed */
	EventID *string `` /* 269-byte string literal not displayed */
	EventName *string `` /* 139-byte string literal not displayed */
	EventSource *string `` /* 196-byte string literal not displayed */
	EventTime *timestamp.RFC3339 `` /* 137-byte string literal not displayed */
	EventType *string `` /* 213-byte string literal not displayed */
	EventVersion *string `json:"eventVersion,omitempty" validate:"required" description:"The version of the log event format."`
	ManagementEvent *bool `` /* 307-byte string literal not displayed */
	ReadOnly *bool `json:"readOnly,omitempty" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID *string `` /* 278-byte string literal not displayed */
	RequestID *string `` /* 126-byte string literal not displayed */
	RequestParameters *jsoniter.RawMessage `` /* 205-byte string literal not displayed */
	Resources []CloudTrailResources `json:"resources,omitempty" description:"A list of resources accessed in the event."`
	ResponseElements *jsoniter.RawMessage `` /* 341-byte string literal not displayed */
	ServiceEventDetails *jsoniter.RawMessage `` /* 131-byte string literal not displayed */
	SourceIPAddress *string `` /* 309-byte string literal not displayed */
	UserAgent *string `` /* 167-byte string literal not displayed */
	// UserIdentity is required: every record must identify who made the request.
	UserIdentity *CloudTrailUserIdentity `json:"userIdentity,omitempty" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID *string `` /* 154-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll
type CloudTrailDigest ¶ added in v1.2.0
// CloudTrailDigest is a record from an AWS CloudTrail digest file. A digest
// carries the hashes and signatures (PreviousDigest*, DigestPublicKeyFingerprint,
// DigestSignatureAlgorithm and the per-file HashValue in LogFiles) that can be
// used to check the integrity of delivered log files and of the digest chain.
type CloudTrailDigest struct {
	AWSAccountID *string `json:"awsAccountId" validate:"required" description:"The AWS account ID for which the digest file has been delivered."`
	DigestStartTime *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	DigestEndTime *timestamp.RFC3339 `` /* 194-byte string literal not displayed */
	DigestS3Bucket *string `` /* 141-byte string literal not displayed */
	DigestS3Object *string `` /* 149-byte string literal not displayed */
	NewestEventTime *timestamp.RFC3339 `` /* 140-byte string literal not displayed */
	OldestEventTime *timestamp.RFC3339 `` /* 136-byte string literal not displayed */
	PreviousDigestS3Bucket *string `json:"previousDigestS3Bucket,omitempty" description:"The Amazon S3 bucket to which the previous digest file was delivered."`
	PreviousDigestS3Object *string `` /* 148-byte string literal not displayed */
	PreviousDigestHashValue *string `` /* 147-byte string literal not displayed */
	PreviousDigestHashAlgorithm *string `` /* 137-byte string literal not displayed */
	PreviousDigestSignature *string `json:"previousDigestSignature,omitempty" description:"The hexadecimal encoded signature of the previous digest file."`
	DigestPublicKeyFingerprint *string `` /* 181-byte string literal not displayed */
	DigestSignatureAlgorithm *string `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."`
	// LogFiles may legitimately be empty (min=0) when no log files were delivered in the window.
	LogFiles []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"`
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type CloudTrailDigestLogFile ¶ added in v1.2.0
// CloudTrailDigestLogFile describes one log file covered by a CloudTrailDigest:
// its S3 location, the hash of its uncompressed content, and the time range
// of the events it contains.
type CloudTrailDigestLogFile struct {
	S3Bucket *string `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."`
	S3Object *string `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."`
	HashValue *string `json:"hashValue" validate:"required" description:"The hexadecimal encoded hash value of the uncompressed log file content."`
	HashAlgorithm *string `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."`
	NewestEventTime *timestamp.RFC3339 `` /* 128-byte string literal not displayed */
	OldestEventTime *timestamp.RFC3339 `json:"oldestEventTime" validate:"required" description:"The UTC time of the oldest event among the events in the log file."`
}
nolint:lll
type CloudTrailDigestParser ¶ added in v1.2.0
// CloudTrailDigestParser parses AWS CloudTrail digest files into CloudTrailDigest records.
type CloudTrailDigestParser struct{}
func (*CloudTrailDigestParser) LogType ¶ added in v1.2.0
func (p *CloudTrailDigestParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudTrailDigestParser) New ¶ added in v1.2.0
func (p *CloudTrailDigestParser) New() parsers.LogParser
func (*CloudTrailDigestParser) Parse ¶ added in v1.2.0
func (p *CloudTrailDigestParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type CloudTrailInsight ¶ added in v1.1.0
// CloudTrailInsight is a single AWS CloudTrail Insights event record.
// Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
type CloudTrailInsight struct {
	EventVersion *string `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	EventTime *timestamp.RFC3339 `` /* 127-byte string literal not displayed */
	AWSRegion *string `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	EventID *string `` /* 259-byte string literal not displayed */
	EventType *string `` /* 227-byte string literal not displayed */
	RecipientAccountID *string `` /* 278-byte string literal not displayed */
	InsightDetails *InsightDetails `` /* 235-byte string literal not displayed */
	EventCategory *string `` /* 168-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
Reference from https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll
type CloudTrailInsightParser ¶ added in v1.1.0
// CloudTrailInsightParser parses AWS CloudTrail Insights events into CloudTrailInsight records.
type CloudTrailInsightParser struct{}
func (*CloudTrailInsightParser) LogType ¶ added in v1.1.0
func (p *CloudTrailInsightParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudTrailInsightParser) New ¶ added in v1.1.0
func (p *CloudTrailInsightParser) New() parsers.LogParser
func (*CloudTrailInsightParser) Parse ¶ added in v1.1.0
func (p *CloudTrailInsightParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type CloudTrailInsightRecords ¶ added in v1.1.0
// CloudTrailInsightRecords is the top-level envelope of a CloudTrail Insights
// log file: a required Records array whose elements are each validated (dive).
type CloudTrailInsightRecords struct {
	Records []*CloudTrailInsight `json:"Records" validate:"required,dive"`
}
nolint:lll
type CloudTrailParser ¶
// CloudTrailParser parses AWS CloudTrail logs into CloudTrail records.
type CloudTrailParser struct{}
CloudTrailParser parses CloudTrail logs
func (*CloudTrailParser) LogType ¶
func (p *CloudTrailParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudTrailParser) New ¶ added in v0.3.0
func (*CloudTrailParser) New() parsers.LogParser
func (*CloudTrailParser) Parse ¶
func (p *CloudTrailParser) Parse(log string) (results []*parsers.PantherLog, err error)
Parse returns the parsed events or nil if parsing failed
type CloudTrailResources ¶
// CloudTrailResources are the AWS resources used in the API call.
type CloudTrailResources struct {
	ARN *string `json:"arn"`
	AccountID *string `json:"accountId"`
	Type *string `json:"type"`
}
CloudTrailResources are the AWS resources used in the API call.
type CloudTrailSessionContext ¶
// CloudTrailSessionContext provides information about a session created for
// temporary credentials.
type CloudTrailSessionContext struct {
	Attributes *CloudTrailSessionContextAttributes `json:"attributes,omitempty"`
	SessionIssuer *CloudTrailSessionContextSessionIssuer `json:"sessionIssuer,omitempty"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData,omitempty"`
}
CloudTrailSessionContext provides information about a session created for temporary credentials.
type CloudTrailSessionContextAttributes ¶
// CloudTrailSessionContextAttributes contains the attributes of the session
// context object.
type CloudTrailSessionContextAttributes struct {
	// NOTE(review): MfaAuthenticated is typed as *string rather than *bool, so
	// detections on it must compare the string form — confirm against sample events.
	MfaAuthenticated *string `json:"mfaAuthenticated,omitempty"`
	CreationDate *string `json:"creationDate,omitempty"`
}
CloudTrailSessionContextAttributes contains the attributes of the session context object.
type CloudTrailSessionContextSessionIssuer ¶
// CloudTrailSessionContextSessionIssuer contains the sessionIssuer information
// of the session context.
type CloudTrailSessionContextSessionIssuer struct {
	Type *string `json:"type,omitempty"`
	PrincipalID *string `json:"principalId,omitempty"`
	Arn *string `json:"arn,omitempty"`
	AccountID *string `json:"accountId,omitempty"`
	Username *string `json:"userName,omitempty"`
}
CloudTrailSessionContextSessionIssuer contains the sessionIssuer information of the session context.
type CloudTrailSessionContextWebIDFederationData ¶
// CloudTrailSessionContextWebIDFederationData contains Web ID federation data.
// Attributes is kept as raw JSON rather than decoded into a fixed schema.
type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider *string `json:"federatedProvider,omitempty"`
	Attributes *jsoniter.RawMessage `json:"attributes,omitempty"`
}
CloudTrailSessionContextWebIDFederationData contains Web ID federation data
type CloudTrailUserIdentity ¶
// CloudTrailUserIdentity contains details about the type of IAM identity that
// made the request.
type CloudTrailUserIdentity struct {
	Type *string `json:"type,omitempty"`
	PrincipalID *string `json:"principalId,omitempty"`
	ARN *string `json:"arn,omitempty"`
	AccountID *string `json:"accountId,omitempty"`
	AccessKeyID *string `json:"accessKeyId,omitempty"`
	Username *string `json:"userName,omitempty"`
	// SessionContext describes the session when the request was made with temporary credentials.
	SessionContext *CloudTrailSessionContext `json:"sessionContext,omitempty"`
	InvokedBy *string `json:"invokedBy,omitempty"`
	IdentityProvider *string `json:"identityProvider,omitempty"`
}
CloudTrailUserIdentity contains details about the type of IAM identity that made the request.
type CloudWatchEvent ¶ added in v1.6.0
// CloudWatchEvent is a single AWS CloudWatch Events record. Detail is kept as
// raw JSON rather than decoded into a fixed schema.
type CloudWatchEvent struct {
	ID *string `` /* 184-byte string literal not displayed */
	Account *string `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."`
	Source *string `` /* 315-byte string literal not displayed */
	Resources []string `` /* 419-byte string literal not displayed */
	Region *string `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."`
	DetailType *string `` /* 157-byte string literal not displayed */
	Version *string `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."`
	Time *timestamp.RFC3339 `` /* 294-byte string literal not displayed */
	Detail *jsoniter.RawMessage `` /* 298-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type CloudWatchEventParser ¶ added in v1.6.0
// CloudWatchEventParser parses AWS CloudWatch Events into CloudWatchEvent records.
type CloudWatchEventParser struct{}
CloudWatchEventParser parses AWS CloudWatch Events.
func (*CloudWatchEventParser) LogType ¶ added in v1.6.0
func (p *CloudWatchEventParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudWatchEventParser) New ¶ added in v1.6.0
func (p *CloudWatchEventParser) New() parsers.LogParser
func (*CloudWatchEventParser) Parse ¶ added in v1.6.0
func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type GuardDuty ¶
// GuardDuty is a single Amazon GuardDuty finding record.
type GuardDuty struct {
	SchemaVersion *string `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID *string `` /* 165-byte string literal not displayed */
	Region *string `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition *string `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	// NOTE(review): omitempty combined with validate:"required" is inconsistent
	// with the sibling required fields, which omit omitempty.
	ID *string `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn *string `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type *string `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	Severity *float32 `` /* 128-byte string literal not displayed */
	CreatedAt *timestamp.RFC3339 `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt *timestamp.RFC3339 `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title *string `json:"title" validate:"required" description:"A short description of the finding."`
	Description *string `json:"description" validate:"required" description:"A long description of the finding."`
	Service *GuardDutyService `json:"service" validate:"required" description:"Additional information about the affected service."`
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type GuardDutyParser ¶
// GuardDutyParser parses AWS GuardDuty logs into GuardDuty records.
type GuardDutyParser struct{}
GuardDutyParser parses AWS GuardDuty logs.
func (*GuardDutyParser) LogType ¶
func (p *GuardDutyParser) LogType() string
LogType returns the log type supported by this parser
func (*GuardDutyParser) New ¶ added in v0.3.0
func (p *GuardDutyParser) New() parsers.LogParser
func (*GuardDutyParser) Parse ¶
func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type GuardDutyService ¶
// GuardDutyService holds the service-specific details of a GuardDuty finding
// (the Service field of GuardDuty). AdditionalInfo and Action are kept as raw
// JSON rather than decoded into a fixed schema.
type GuardDutyService struct {
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo"`
	Action *jsoniter.RawMessage `json:"action"`
	ServiceName *string `json:"serviceName" validate:"required"`
	DetectorID *string `json:"detectorId" validate:"required"`
	ResourceRole *string `json:"resourceRole"`
	EventFirstSeen *timestamp.RFC3339 `json:"eventFirstSeen"`
	EventLastSeen *timestamp.RFC3339 `json:"eventLastSeen"`
	Archived *bool `json:"archived"`
	Count *int `json:"count"`
}
type InsightAverage ¶ added in v1.1.0
// InsightAverage wraps the average value of a CloudTrail Insights metric.
type InsightAverage struct {
	Average *float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}
nolint:lll
type InsightContext ¶ added in v1.1.0
// InsightContext carries the statistics behind a CloudTrail Insights event.
type InsightContext struct {
	Statistics *InsightStatistics `` /* 242-byte string literal not displayed */
}
nolint:lll
type InsightDetails ¶ added in v1.1.0
// InsightDetails describes the unusual activity reported by a CloudTrail
// Insights event.
type InsightDetails struct {
	State *string `` /* 179-byte string literal not displayed */
	EventSource *string `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."`
	// NOTE(review): the description duplicates EventSource's; EventName is
	// presumably the API operation name — confirm and reword.
	EventName *string `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."`
	InsightType *string `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "`
	InsightContext *InsightContext `` /* 177-byte string literal not displayed */
}
nolint:lll
type InsightStatistics ¶ added in v1.1.0
// InsightStatistics holds the baseline and insight averages of a CloudTrail
// Insights event together with the insight duration.
type InsightStatistics struct {
	Baseline *InsightAverage `` /* 142-byte string literal not displayed */
	Insight *InsightAverage `` /* 137-byte string literal not displayed */
	InsightDuration *float32 `` /* 229-byte string literal not displayed */
}
nolint:lll
type S3ServerAccess ¶
// S3ServerAccess is a single record from an AWS S3 server access log.
type S3ServerAccess struct {
	BucketOwner *string `` /* 196-byte string literal not displayed */
	Bucket *string `` /* 230-byte string literal not displayed */
	Time *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	RemoteIP *string `` /* 190-byte string literal not displayed */
	Requester *string `` /* 329-byte string literal not displayed */
	RequestID *string `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation *string `` /* 188-byte string literal not displayed */
	Key *string `` /* 132-byte string literal not displayed */
	RequestURI *string `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	// HTTPStatus, when present, is validated to lie in [100, 600].
	HTTPStatus *int `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode *string `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent *int `` /* 126-byte string literal not displayed */
	ObjectSize *int `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime *int `` /* 330-byte string literal not displayed */
	TurnAroundTime *int `` /* 254-byte string literal not displayed */
	Referrer *string `` /* 223-byte string literal not displayed */
	UserAgent *string `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID *string `` /* 133-byte string literal not displayed */
	HostID *string `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	SignatureVersion *string `` /* 166-byte string literal not displayed */
	CipherSuite *string `` /* 136-byte string literal not displayed */
	AuthenticationType *string `` /* 213-byte string literal not displayed */
	HostHeader *string `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion *string `` /* 194-byte string literal not displayed */
	// AdditionalFields collects any trailing columns the struct has no named field for.
	AdditionalFields []string `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type S3ServerAccessParser ¶
// S3ServerAccessParser parses AWS S3 Server Access logs.
type S3ServerAccessParser struct {
	// CSVReader is the streaming CSV reader used to read log lines.
	CSVReader *csvstream.StreamingCSVReader
}
S3ServerAccessParser parses AWS S3 Server Access logs
func (*S3ServerAccessParser) LogType ¶
func (p *S3ServerAccessParser) LogType() string
LogType returns the log type supported by this parser
func (*S3ServerAccessParser) New ¶ added in v0.3.0
func (p *S3ServerAccessParser) New() parsers.LogParser
func (*S3ServerAccessParser) Parse ¶
func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type VPCFlow ¶
// VPCFlow is a single record from an AWS VPC Flow log.
type VPCFlow struct {
	Version *int `` /* 165-byte string literal not displayed */
	// AccountID, when present, must be a 12-digit numeric string (see SizeAccountID).
	AccountID *string `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
	InterfaceID *string `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
	SrcAddr *string `` /* 258-byte string literal not displayed */
	DstAddr *string `` /* 262-byte string literal not displayed */
	// Ports are validated to the 16-bit range when present.
	SrcPort *int `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
	DstPort *int `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
	Protocol *int `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
	Packets *int `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
	Bytes *int `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
	Start *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
	End *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
	Action *string `` /* 296-byte string literal not displayed */
	LogStatus *string `` /* 413-byte string literal not displayed */
	// extended custom fields
	VpcID *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
	SubNetID *string `` /* 131-byte string literal not displayed */
	InstanceID *string `` /* 291-byte string literal not displayed */
	TCPFlags *int `` /* 379-byte string literal not displayed */
	Type *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
	PacketSrcAddr *string `` /* 518-byte string literal not displayed */
	PacketDstAddr *string `` /* 526-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}
nolint:lll
type VPCFlowParser ¶
// VPCFlowParser parses AWS VPC Flow logs.
type VPCFlowParser struct {
	// CSVReader is the streaming CSV reader used to read log lines.
	CSVReader *csvstream.StreamingCSVReader
	// contains filtered or unexported fields
}
VPCFlowParser parses AWS VPC Flow logs.
func (*VPCFlowParser) LogType ¶
func (p *VPCFlowParser) LogType() string
LogType returns the log type supported by this parser
func (*VPCFlowParser) New ¶ added in v0.3.0
func (p *VPCFlowParser) New() parsers.LogParser
func (*VPCFlowParser) Parse ¶
func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed