<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">awsRegion</span>
<span class="pill kill-chain">aws_account_id</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">errorCode</span>
<span class="pill kill-chain">eventCategory</span>
<span class="pill kill-chain">eventID</span>
<span class="pill kill-chain">eventName</span>
<span class="pill kill-chain">eventSource</span>
<span class="pill kill-chain">eventTime</span>
<span class="pill kill-chain">eventType</span>
<span class="pill kill-chain">eventVersion</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">managementEvent</span>
<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">readOnly</span>
<span class="pill kill-chain">recipientAccountId</span>
<span class="pill kill-chain">region</span>
<span class="pill kill-chain">requestID</span>
<span class="pill kill-chain">requestParameters.policyArn</span>
<span class="pill kill-chain">requestParameters.policyDocument</span>
<span class="pill kill-chain">requestParameters.setAsDefault</span>
<span class="pill kill-chain">responseElements.policyVersion.createDate</span>
<span class="pill kill-chain">responseElements.policyVersion.isDefaultVersion</span>
<span class="pill kill-chain">responseElements.policyVersion.versionId</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourceIPAddress</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">start_time</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">userAgent</span>
<span class="pill kill-chain">userIdentity.accessKeyId</span>
<span class="pill kill-chain">userIdentity.accountId</span>
<span class="pill kill-chain">userIdentity.arn</span>
<span class="pill kill-chain">userIdentity.principalId</span>
<span class="pill kill-chain">userIdentity.type</span>
<span class="pill kill-chain">userIdentity.userName</span>
<span class="pill kill-chain">userName</span>
<span class="pill kill-chain">user_access_key</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_arn</span>
<span class="pill kill-chain">user_group_id</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">vendor_region</span>
</div>
Data Source: AWS CloudTrail CreatePolicyVersion
Description
Data source object for AWS CloudTrail CreatePolicyVersion
Details
| Property | Value |
|---|---|
| Source | aws_cloudtrail |
| Sourcetype | aws:cloudtrail |
| Separator | eventName |
Supported Apps
- Splunk Add-on for AWS (version 7.7.0)
Event Fields
Fields
Example Log
1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName": "rhino_escalate"}, "eventTime": "2021-02-23T00:02:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64 command/iam.create-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/rhino_escalate", "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowEverything\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n }\n ]\n }", "setAsDefault": true}, "responseElements": {"policyVersion": {"versionId": "v2", "isDefaultVersion": true, "createDate": "Feb 23, 2021 12:02:30 AM"}}, "requestID": "fa42b4b2-f34a-4673-8f9f-b25cf1f5005a", "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}
Source: GitHub | Version: 1