Required fields are in bold.
Application Load Balancer access logs are the Layer 7 request logs for your application load balancer. Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

| Column | Type | Description |
|---|---|---|
| | | The type of request or connection. |
| | | The time when the load balancer generated a response to the client (UTC). For WebSockets, this is the time when the connection is closed. |
| | | The resource ID of the load balancer. If you are parsing access log entries, note that resource IDs can contain forward slashes (/). |
| | | The IP address of the requesting client. |
| | | The port of the requesting client. |
| | | The IP address of the target that processed this request. |
| | | The port of the target that processed this request. |
| | | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the request until the time it sent it to a target. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout. |
| | | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer sent the request to a target until the target started to send the response headers. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout. |
| | | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client. This value is set to -1 if the load balancer can't send the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. |
| | | The status code of the response from the load balancer. |
| | | The status code of the response from the target. This value is recorded only if a connection was established to the target and the target sent a response. |
| | | The size of the request, in bytes, received from the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes received from the client on the connection. |
| | | The size of the response, in bytes, sent to the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes sent to the client on the connection. |
| | | The HTTP method parsed from the request. |
| | | The HTTP URL parsed from the request. |
| | | The HTTP version parsed from the request. |
| | | A User-Agent string that identifies the client that originated the request. The string consists of one or more product identifiers, product[/version]. If the string is longer than 8 KB, it is truncated. |
| | | [HTTPS listener] The SSL cipher. This value is set to NULL if the listener is not an HTTPS listener. |
| | | [HTTPS listener] The SSL protocol. This value is set to NULL if the listener is not an HTTPS listener. |
| | | The Amazon Resource Name (ARN) of the target group. |
| | | The contents of the X-Amzn-Trace-Id header. |
| | | [HTTPS listener] The SNI domain provided by the client during the TLS handshake. This value is set to NULL if the client doesn't support SNI or the domain doesn't match a certificate and the default certificate is presented to the client. |
| | | [HTTPS listener] The ARN of the certificate presented to the client. This value is set to session-reused if the session is reused. This value is set to NULL if the listener is not an HTTPS listener. |
| | | The priority value of the rule that matched the request. If a rule matched, this is a value from 1 to 50,000. If no rule matched and the default action was taken, this value is set to 0. If an error occurs during rules evaluation, it is set to -1. For any other error, it is set to NULL. |
| | | The time when the load balancer received the request from the client. |
| | | The actions taken when processing the request. This value is a comma-separated list that can include the values described in Actions Taken. If no action was taken, such as for a malformed request, this value is set to NULL. |
| | | The URL of the redirect target for the Location header of the HTTP response. If no redirect actions were taken, this value is set to NULL. |
| | | The error reason code. If the request failed, this is one of the error codes described in Error Reason Codes. If the actions taken do not include an authenticate action or the target is not a Lambda function, this value is set to NULL. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
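The table above describes the fields but not how a raw access-log line is laid out: it is space-delimited, with double-quoted fields (request, user agent, trace id, ...) that may themselves contain spaces, "-" for NULL, "-1" for timings the load balancer could not measure, and resource IDs containing slashes. The parser below is an added example, not Panther's own parser; the field names are the AWS access-log field names in the table's column order (an assumption, since this page does not list them), and the two log lines are constructed samples.

```python
from typing import Optional

# Field names in the column order of the table above (AWS access-log names; assumption).
# "client" and "target" arrive as "ip:port" and are split during parsing.
ALB_FIELDS = [
    "type", "time", "elb", "client", "target",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
]

# Constructed sample lines (not real traffic). The second is a request the load
# balancer could not dispatch: target "-", all three timings -1, no target status.
SAMPLE_LINES = [
    'http 2024-05-01T10:15:30.186641Z app/example-alb/50dc6c495c0c9188 192.0.2.10:2817 10.0.0.1:80 '
    '0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/8.0.1" - - '
    'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/example-tg/73e2d6bc24d8a067 '
    '"Root=1-6632c5e2-0123456789abcdef01234567" "-" "-" 0 2024-05-01T10:15:30.100000Z "forward" "-" "-"',
    'https 2024-05-01T10:16:02.000100Z app/example-alb/50dc6c495c0c9188 192.0.2.44:51000 - '
    '-1 -1 -1 503 - 150 210 "GET https://www.example.com:443/login HTTP/1.1" '
    '"Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/example-tg/73e2d6bc24d8a067 '
    '"Root=1-6632c5f2-89abcdef0123456789abcdef" "www.example.com" '
    '"arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" '
    '1 2024-05-01T10:16:01.990000Z "forward" "-" "-"',
]


def _tokenize(line: str) -> list:
    """Split on spaces while keeping double-quoted fields (which may contain spaces) whole."""
    tokens, buf, quoted, started = [], [], False, False
    for ch in line:
        if quoted:
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted, started = True, True  # an empty "" still yields a token
        elif ch == " ":
            if started:
                tokens.append("".join(buf))
            buf, started = [], False
        else:
            buf.append(ch)
            started = True
    if quoted:
        raise ValueError("unterminated quoted field")
    if started:
        tokens.append("".join(buf))
    return tokens


def _opt(tok: str) -> Optional[str]:
    """ALB writes "-" for fields the table describes as NULL."""
    return None if tok == "-" else tok


def _ip_port(tok: str):
    if tok == "-":                      # no target was selected
        return None, None
    ip, _, port = tok.rpartition(":")   # rpartition also copes with IPv6 addresses
    return ip, int(port)


def parse_alb_line(line: str) -> dict:
    toks = _tokenize(line)
    if len(toks) < len(ALB_FIELDS):
        raise ValueError(f"expected at least {len(ALB_FIELDS)} fields, got {len(toks)}")
    raw = dict(zip(ALB_FIELDS, toks))   # newer trailing fields, if present, are ignored
    rec = {"type": raw["type"], "time": raw["time"], "elb": raw["elb"]}
    rec["client_ip"], rec["client_port"] = _ip_port(raw["client"])
    rec["target_ip"], rec["target_port"] = _ip_port(raw["target"])
    for name in ("request_processing_time", "target_processing_time", "response_processing_time"):
        rec[name] = float(raw[name])    # -1 is kept as-is; see "dispatched" below
    rec["dispatched"] = rec["request_processing_time"] >= 0
    rec["elb_status_code"] = int(raw["elb_status_code"])
    target_status = _opt(raw["target_status_code"])
    rec["target_status_code"] = int(target_status) if target_status is not None else None
    rec["received_bytes"], rec["sent_bytes"] = int(raw["received_bytes"]), int(raw["sent_bytes"])
    # The quoted request field is "METHOD URL VERSION"; malformed requests log "- - - ".
    method, url, version = (raw["request"].split() + ["-"] * 3)[:3]
    rec["request_method"], rec["request_url"], rec["request_version"] = _opt(method), _opt(url), _opt(version)
    for name in ("user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn", "trace_id",
                 "domain_name", "chosen_cert_arn", "request_creation_time", "redirect_url", "error_reason"):
        rec[name] = _opt(raw[name])
    priority = _opt(raw["matched_rule_priority"])
    rec["matched_rule_priority"] = int(priority) if priority is not None else None
    actions = _opt(raw["actions_executed"])
    rec["actions_executed"] = actions.split(",") if actions else []
    return rec


def total_latency(rec: dict) -> Optional[float]:
    """Seconds from request receipt to the start of the client response; None if any stage is -1."""
    stages = [rec[n] for n in ("request_processing_time", "target_processing_time", "response_processing_time")]
    return round(sum(stages), 6) if all(s >= 0 for s in stages) else None
```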
AuroraMySQLAudit is the RDS Aurora audit log, which contains context around database calls. Reference: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html

| Column | Type | Description |
|---|---|---|
| | | The timestamp for the logged event with microsecond precision (UTC). |
| | | The name of the instance that the event is logged for. |
| | | The connected user name of the user. |
| | | The host that the user connected from. |
| | | The connection ID number for the logged operation. |
| | | The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added. |
| | | The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP. |
| | | The active database, as set by the USE command. |
| | | For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name. |
| | | The return code of the logged operation. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
AWSCloudTrail represents the content of a CloudTrail S3 object. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html

| Column | Type | Description |
|---|---|---|
| | | Additional data about the event that was not part of the request or response. |
| | | Identifies the API version associated with the AwsApiCall eventType value. |
| | | The AWS region that the request was made to, such as us-east-2. |
| | | The AWS service error if the request returns an error. |
| | | If the request returns an error, the description of the error. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. |
| | | GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database. |
| | | The requested action, which is one of the actions in the API for that service. |
| | | The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. |
| | | The date and time the request was made, in coordinated universal time (UTC). |
| | | Identifies the type of event that generated the event record. This can be one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleSignIn. |
| | | The version of the log event format. |
| | | A Boolean value that identifies whether the event is a management event. managementEvent is shown in an event record if eventVersion is 1.06 or higher, and the event type is one of the following: AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, AwsServiceEvent. |
| | | Identifies whether this operation is a read-only operation. |
| | | Represents the account ID that received this event. The recipientAccountId may differ from the accountId in the CloudTrail userIdentity element. This can occur in cross-account resource access. |
| | | The value that identifies the request. The service being called generates this value. |
| | | The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service. |
| | | A list of resources accessed in the event. |
| | | The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted. These actions are documented in the API reference documentation for the appropriate AWS service. |
| | | Identifies the service event, including what triggered the event and the result. |
| | | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. |
| | | The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed. |
| | | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. |
| | | Information about the user that made a request. |
| | | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of context trace identifiers. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
AWSCloudTrailDigest contains the names of the log files that were delivered to your Amazon S3 bucket during the last hour, the hash values for those log files, and the signature of the previous digest file. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-digest-file-structure.html

| Column | Type | Description |
|---|---|---|
| | | The AWS account ID for which the digest file has been delivered. |
| | | The start of the UTC time range that the digest file covers, taking as a reference the time at which log files were delivered by CloudTrail. |
| | | The end of the UTC time range that the digest file covers, taking as a reference the time at which log files were delivered by CloudTrail. |
| | | The name of the Amazon S3 bucket to which the current digest file has been delivered. |
| | | The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file. |
| | | The UTC time of the most recent event among all of the events in the log files in the digest. |
| | | The UTC time of the oldest event among all of the events in the log files in the digest. |
| | | The Amazon S3 bucket to which the previous digest file was delivered. |
| | | The Amazon S3 object key (that is, the Amazon S3 bucket location) of the previous digest file. |
| | | The hexadecimal encoded hash value of the uncompressed contents of the previous digest file. |
| | | The name of the hash algorithm that was used to hash the previous digest file. |
| | | The hexadecimal encoded signature of the previous digest file. |
| | | The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file. |
| | | The algorithm used to sign the digest file. |
| | | The log files delivered in this digest. |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
AWSCloudTrailInsight represents the content of a CloudTrail Insights event record S3 object. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html

| Column | Type | Description |
|---|---|---|
| | | The version of the log event format. |
| | | The date and time the request was made, in coordinated universal time (UTC). |
| | | The AWS region that the request was made to, such as us-east-2. |
| | | GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database. |
| | | Identifies the type of event that generated the event record. This can be one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleSignIn. |
| | | Represents the account ID that received this event. The recipientAccountId may differ from the accountId in the CloudTrail userIdentity element. This can occur in cross-account resource access. |
| | | A GUID that is generated by CloudTrail Insights to uniquely identify an Insights event. sharedEventID is common between the start and the end Insights events. |
| | | Shows information about the underlying triggers of an Insights event, such as event source, statistics, API name, and whether the event is the start or end of the Insights event. |
| | | Shows the event category that is used in LookupEvents calls. In Insights events, the value is insight. |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of context trace identifiers. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
Amazon CloudWatch Events describe a change in Amazon Web Services (AWS) resources. Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html

| Column | Type | Description |
|---|---|---|
| | | A unique value generated for every event. This can be helpful in tracing events as they move through rules to targets and are processed. |
| | | The 12-digit number identifying an AWS account. |
| | | Identifies the service that sourced the event. All events sourced from within AWS begin with 'aws'. Customer-generated events can have any value here, as long as it doesn't begin with 'aws'. We recommend the use of Java package-name style reverse domain-name strings. |
| | | This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs. |
| | | Identifies the AWS region where the event originated. |
| | | Identifies, in combination with the source field, the fields and values that appear in the detail field. |
| | | By default, this is set to 0 (zero) in all events. |
| | | The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received. |
| | | A JSON object whose content is at the discretion of the service originating the event. AWS API call events have detail objects with around 50 fields nested several levels deep. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. Reference: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html

| Column | Type | Description |
|---|---|---|
| | | The schema format version of this record. |
| | | The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding. |
| | | The AWS region in which the finding was generated. |
| | | The AWS partition in which the finding was generated. |
| | | A unique identifier for the finding. |
| | | A unique identifier formatted as an ARN for the finding. |
| | | A concise yet readable description of the potential security issue. |
| | | The AWS resource against which the activity took place that prompted GuardDuty to generate this finding. |
| | | The severity value, which can fall anywhere within the 0.1 to 8.9 range. |
| | | The initial creation time of the finding (UTC). |
| | | The last update time of the finding (UTC). |
| | | A short description of the finding. |
| | | A long description of the finding. |
| | | Additional information about the affected service. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
S3ServerAccess is the AWS S3 server access log. Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html

| Column | Type | Description |
|---|---|---|
| | | The canonical user ID of the owner of the source bucket. The canonical user ID is another form of the AWS account ID. |
| | | The name of the bucket that the request was processed against. If the system receives a malformed request and cannot determine the bucket, the request will not appear in any server access log. |
| | | The time at which the request was received (UTC). |
| | | The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request. |
| | | The canonical user ID of the requester, or NULL for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes. |
| | | A string generated by Amazon S3 to uniquely identify each request. |
| | | The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT. |
| | | The key part of the request, URL encoded, or NULL if the operation does not take a key parameter. |
| | | The Request-URI part of the HTTP request message. |
| | | The numeric HTTP status code of the response. |
| | | The Amazon S3 Error Code, or NULL if no error occurred. |
| | | The number of response bytes sent, excluding HTTP protocol overhead, or NULL if zero. |
| | | The total size of the object in question. |
| | | The number of milliseconds the request was in flight from the server's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency. |
| | | The number of milliseconds that Amazon S3 spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent. |
| | | The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request. |
| | | The value of the HTTP User-Agent header. |
| | | The version ID in the request, or NULL if the operation does not take a versionId parameter. |
| | | The x-amz-id-2 or Amazon S3 extended request ID. |
| | | The signature version, SigV2 or SigV4, that was used to authenticate the request, or NULL for unauthenticated requests. |
| | | The Secure Sockets Layer (SSL) cipher that was negotiated for an HTTPS request, or NULL for HTTP. |
| | | The type of request authentication used: AuthHeader for authentication headers, QueryString for query string (pre-signed URL), or NULL for unauthenticated requests. |
| | | The endpoint used to connect to Amazon S3. |
| | | The Transport Layer Security (TLS) version negotiated by the client. The value is one of the following: TLSv1, TLSv1.1, TLSv1.2; or NULL if TLS wasn't used. |
| | | The remaining columns in the record as an array. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
DNS query logs of the queries that VPC DNS resolvers forward to Route 53. Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-format.html

| Column | Type | Description |
|---|---|---|
| | | The version number of the query log format. If we add fields to the log or change the format of existing fields, we'll increment this value. |
| | | The ID of the AWS account that created the VPC. |
| | | The AWS Region that you created the VPC in. |
| | | The ID of the VPC that the query originated in. |
| | | The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC). |
| | | The domain name (example.com) or subdomain name (www.example.com) that was specified in the query. |
| | | Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports. |
| | | The class of the query. |
| | | The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website. |
| | | Answers to the query. |
| | | The IP address of the instance that the query originated from. |
| | | The port on the instance that the query originated from. |
| | | The protocol used to submit the DNS query. |
| | | The list of IDs of the sources the DNS query originated from or passed through. |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
VPCFlow is the VPC flow log, a Layer 3 representation of network traffic in EC2. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html

| Column | Type | Description |
|---|---|---|
| | | The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. |
| | | The AWS account ID for the flow log. |
| | | The ID of the network interface for which the traffic is recorded. |
| | | The source address for incoming traffic, or the IPv4 or IPv6 address of the network interface for outgoing traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address. |
| | | The destination address for outgoing traffic, or the IPv4 or IPv6 address of the network interface for incoming traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address. |
| | | The source port of the traffic. |
| | | The destination port of the traffic. |
| | | The IANA protocol number of the traffic. |
| | | The number of packets transferred during the flow. |
| | | The number of bytes transferred during the flow. |
| | | The time of the start of the flow (UTC). |
| | | The time of the end of the flow (UTC). |
| | | The action that is associated with the traffic. ACCEPT: the recorded traffic was permitted by the security groups or network ACLs. REJECT: the recorded traffic was not permitted by the security groups or network ACLs. |
| | | The logging status of the flow log. OK: data is logging normally to the chosen destinations. NODATA: there was no network traffic to or from the network interface during the capture window. SKIPDATA: some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error. |
| | | The ID of the VPC that contains the network interface for which the traffic is recorded. |
| | | The ID of the subnet that contains the network interface for which the traffic is recorded. |
| | | The ID of the instance that's associated with the network interface for which the traffic is recorded, if the instance is owned by you. Returns a '-' symbol for a requester-managed network interface; for example, the network interface for a NAT gateway. |
| | | The bitmask value for the following TCP flags: SYN: 2, SYN-ACK: 18, FIN: 1, RST: 4. ACK is reported only when it's accompanied with SYN. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN. |
| | | The type of traffic: IPv4, IPv6, or EFA. |
| | | The packet-level (original) source IP address of the traffic. Use this field with the srcaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running. |
| | | The packet-level (original) destination IP address for the traffic. Use this field with the dstaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the final destination IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
| | | Panther-added field with the collection of AWS account ids associated with the row. |
| | | Panther-added field with the collection of AWS instance ids associated with the row. |
| | | Panther-added field with the collection of AWS ARNs associated with the row. |
| | | Panther-added field with the collection of AWS tags associated with the row. |
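The TCP-flags column above is a bitmask that is OR-ed over the aggregation interval, so a single record can carry 19 (SYN, ACK and FIN) or 3 (SYN and FIN), and the action column tells you whether the security group or network ACL let the flow through. The code below is an added example, not Panther's or AWS's code: it parses a custom-format flow log (the field names are the AWS flow-log field names, which this page does not list, and the format chosen for the constructed sample is an assumption), decodes the bitmask into flag names, and groups rejected SYN-only TCP flows by source address so that a source probing many closed ports stands out.

```python
from collections import defaultdict

# Standard TCP header flag bits. The table lists SYN (2), SYN-ACK (18), FIN (1) and
# RST (4); PSH, ACK and URG are the remaining standard bits (assumption: the
# flow-log bitmask uses the same positions, which is why SYN-ACK = 2 + 16 = 18).
TCP_FLAG_BITS = [("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32)]

# Hypothetical custom log format used by the constructed sample below
# (AWS flow-log field names; the selection and order are chosen at flow-log creation).
SAMPLE_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
                 "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
                 "action", "log-status", "tcp-flags"]

INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "tcp-flags"}

# Constructed sample records (documentation address ranges, not real traffic).
# Row 6 is a NODATA capture window, where most fields are "-".
SAMPLE_LINES = """\
3 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.10 10.0.1.5 51000 22 6 1 60 1700000000 1700000059 REJECT OK 2
3 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.10 10.0.1.5 51001 23 6 1 60 1700000000 1700000059 REJECT OK 2
3 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.10 10.0.1.5 51002 3389 6 1 60 1700000000 1700000059 REJECT OK 2
3 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.1.7 40412 443 6 12 4820 1700000000 1700000059 ACCEPT OK 19
3 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.5 55120 443 6 9 3104 1700000000 1700000059 ACCEPT OK 3
3 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000119 - NODATA -
3 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.5 53055 53 17 1 78 1700000000 1700000059 REJECT OK 0
"""


def _field(name: str, tok: str):
    """'-' stands for an absent value; numeric fields become ints."""
    if tok == "-":
        return None
    return int(tok) if name in INT_FIELDS else tok


def parse_flow_lines(text: str, fields: list) -> list:
    """Parse whitespace-delimited flow-log lines into dicts keyed by the custom format's field names."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        toks = line.split()
        if len(toks) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(toks)}: {line!r}")
        records.append({name: _field(name, tok) for name, tok in zip(fields, toks)})
    return records


def decode_tcp_flags(mask: int) -> list:
    """Return the flag names set in the OR-ed bitmask, lowest bit first (e.g. 19 -> FIN, SYN, ACK)."""
    if mask & ~0x3F:
        raise ValueError(f"unknown TCP flag bits in {mask}")
    return [name for name, bit in TCP_FLAG_BITS if mask & bit]


def rejected_syn_only_by_source(records: list) -> dict:
    """Map each source address to the sorted distinct destination ports of its TCP flows
    that were REJECTed while carrying only SYN (mask 2: no ACK ever accompanied the SYN)."""
    ports = defaultdict(set)
    for rec in records:
        if rec["log-status"] != "OK" or rec["protocol"] != 6:   # skips NODATA/SKIPDATA and non-TCP
            continue
        if rec["action"] == "REJECT" and rec["tcp-flags"] == 2:
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items()}
```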