From 2bf471054bb3c6aa0afde1c430ac7933c21427ce Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 2 Sep 2021 11:46:18 -0400
Subject: [PATCH] Cloudtrail Event Fields

---
 salt/soc/files/soc/hunt.eventfields.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 354aa31ce..fa5f41ded 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -44,5 +44,6 @@
           ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
           ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
           "::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
-          "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "event.dataset", "event.module" ]
+          "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "event.dataset", "event.module" ],
+          ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "s        ource.ip", "source.geo.region_iso_code" ]
           }