From aa3d9651104a06be8d160fa4d18a1c1db358827f Mon Sep 17 00:00:00 2001 From: Jason Dellaluce Date: Tue, 29 Aug 2023 14:39:24 +0000 Subject: [PATCH] chore(plugins): update readmes Signed-off-by: Jason Dellaluce --- plugins/cloudtrail/README.md | 90 ++++++++++++++++++------------------ plugins/dummy_c/README.md | 10 ++-- plugins/okta/README.md | 2 +- 3 files changed, 51 insertions(+), 51 deletions(-) diff --git a/plugins/cloudtrail/README.md b/plugins/cloudtrail/README.md index 788246ef..24a0d45e 100644 --- a/plugins/cloudtrail/README.md +++ b/plugins/cloudtrail/README.md 
@@ -19,52 +19,52 @@ The event source for cloudtrail events is `aws_cloudtrail`. Here is the current set of supported fields: -| NAME | TYPE | ARG | DESCRIPTION | -|------------------------------|----------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `ct.id` | `string` | None | the unique ID of the cloudtrail event (eventID in the json). | -| `ct.error` | `string` | None | The error code from the event. Will be "" (e.g. the NULL/empty/none value) if there was no error. | -| `ct.time` | `string` | None | the timestamp of the cloudtrail event (eventTime in the json). | -| `ct.src` | `string` | None | the source of the cloudtrail event (eventSource in the json). | -| `ct.shortsrc` | `string` | None | the source of the cloudtrail event (eventSource in the json, without the '.amazonaws.com' trailer). | -| `ct.name` | `string` | None | the name of the cloudtrail event (eventName in the json). | -| `ct.user` | `string` | None | the user of the cloudtrail event (userIdentity.userName in the json). | -| `ct.user.accountid` | `string` | None | the account id of the user of the cloudtrail event. | -| `ct.user.identitytype` | `string` | None | the kind of user identity (e.g. Root, IAMUser,AWSService, etc.) | -| `ct.user.principalid` | `string` | None | A unique identifier for the user that made the request. | -| `ct.user.arn` | `string` | None | the Amazon Resource Name (ARN) of the user that made the request. | -| `ct.region` | `string` | None | the region of the cloudtrail event (awsRegion in the json). | -| `ct.response.subnetid` | `string` | None | the subnet ID included in the response. | -| `ct.response.reservationid` | `string` | None | the reservation ID included in the response. 
| +| NAME | TYPE | ARG | DESCRIPTION | +|-------------------------------|----------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ct.id` | `string` | None | the unique ID of the cloudtrail event (eventID in the json). | +| `ct.error` | `string` | None | The error code from the event. Will be "" (e.g. the NULL/empty/none value) if there was no error. | +| `ct.time` | `string` | None | the timestamp of the cloudtrail event (eventTime in the json). | +| `ct.src` | `string` | None | the source of the cloudtrail event (eventSource in the json). | +| `ct.shortsrc` | `string` | None | the source of the cloudtrail event (eventSource in the json, without the '.amazonaws.com' trailer). | +| `ct.name` | `string` | None | the name of the cloudtrail event (eventName in the json). | +| `ct.user` | `string` | None | the user of the cloudtrail event (userIdentity.userName in the json). | +| `ct.user.accountid` | `string` | None | the account id of the user of the cloudtrail event. | +| `ct.user.identitytype` | `string` | None | the kind of user identity (e.g. Root, IAMUser,AWSService, etc.) | +| `ct.user.principalid` | `string` | None | A unique identifier for the user that made the request. | +| `ct.user.arn` | `string` | None | the Amazon Resource Name (ARN) of the user that made the request. | +| `ct.region` | `string` | None | the region of the cloudtrail event (awsRegion in the json). | +| `ct.response.subnetid` | `string` | None | the subnet ID included in the response. | +| `ct.response.reservationid` | `string` | None | the reservation ID included in the response. | | `ct.request.availabilityzone` | `string` | None | the availability zone included in the request. | -| `ct.request.cluster` | `string` | None | the cluster included in the request. | -| `ct.request.functionname` | `string` | None | the function name included in the request. 
| -| `ct.request.groupname` | `string` | None | the group name included in the request. | -| `ct.request.host` | `string` | None | the host included in the request | -| `ct.request.name` | `string` | None | the name of the entity being acted on in the request. | -| `ct.request.policy` | `string` | None | the policy included in the request | -| `ct.request.serialnumber` | `string` | None | the serial number provided in the request. | -| `ct.request.servicename` | `string` | None | the service name provided in the request. | -| `ct.request.subnetid` | `string` | None | the subnet ID provided in the request. | -| `ct.request.taskdefinition` | `string` | None | the task definition prrovided in the request. | -| `ct.request.username` | `string` | None | the username provided in the request. | -| `ct.srcip` | `string` | None | the IP address generating the event (sourceIPAddress in the json). | -| `ct.useragent` | `string` | None | the user agent generating the event (userAgent in the json). | -| `ct.info` | `string` | None | summary information about the event. This varies depending on the event type and, for some events, it contains event-specific details. | -| `ct.managementevent` | `string` | None | 'true' if the event is a management event (AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, or AwsServiceEvent), 'false' otherwise. | -| `ct.readonly` | `string` | None | 'true' if the event only reads information (e.g. DescribeInstances), 'false' if the event modifies the state (e.g. RunInstances, CreateLoadBalancer...). | -| `s3.uri` | `string` | None | the s3 URI (s3:///). | -| `s3.bucket` | `string` | None | the bucket name for s3 events. | -| `s3.key` | `string` | None | the S3 key name. | -| `s3.bytes` | `uint64` | None | the size of an s3 download or upload, in bytes. | -| `s3.bytes.in` | `uint64` | None | the size of an s3 upload, in bytes. | -| `s3.bytes.out` | `uint64` | None | the size of an s3 download, in bytes. 
| -| `s3.cnt.get` | `uint64` | None | the number of get operations. This field is 1 for GetObject events, 0 otherwise. | -| `s3.cnt.put` | `uint64` | None | the number of put operations. This field is 1 for PutObject events, 0 otherwise. | -| `s3.cnt.other` | `uint64` | None | the number of non I/O operations. This field is 0 for GetObject and PutObject events, 1 for all the other events. | -| `ec2.name` | `string` | None | the name of the ec2 instances, typically stored in the instance tags. | -| `ec2.imageid` | `string` | None | the ID for the image used to run the ec2 instance in the response. | -| `ecr.repository` | `string` | None | the name of the ecr Repository specified in the request. | -| `ecr.imagetag` | `string` | None | the tag of the image specified in the request. | +| `ct.request.cluster` | `string` | None | the cluster included in the request. | +| `ct.request.functionname` | `string` | None | the function name included in the request. | +| `ct.request.groupname` | `string` | None | the group name included in the request. | +| `ct.request.host` | `string` | None | the host included in the request | +| `ct.request.name` | `string` | None | the name of the entity being acted on in the request. | +| `ct.request.policy` | `string` | None | the policy included in the request | +| `ct.request.serialnumber` | `string` | None | the serial number provided in the request. | +| `ct.request.servicename` | `string` | None | the service name provided in the request. | +| `ct.request.subnetid` | `string` | None | the subnet ID provided in the request. | +| `ct.request.taskdefinition` | `string` | None | the task definition prrovided in the request. | +| `ct.request.username` | `string` | None | the username provided in the request. | +| `ct.srcip` | `string` | None | the IP address generating the event (sourceIPAddress in the json). | +| `ct.useragent` | `string` | None | the user agent generating the event (userAgent in the json). 
| +| `ct.info` | `string` | None | summary information about the event. This varies depending on the event type and, for some events, it contains event-specific details. | +| `ct.managementevent` | `string` | None | 'true' if the event is a management event (AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, or AwsServiceEvent), 'false' otherwise. | +| `ct.readonly` | `string` | None | 'true' if the event only reads information (e.g. DescribeInstances), 'false' if the event modifies the state (e.g. RunInstances, CreateLoadBalancer...). | +| `s3.uri` | `string` | None | the s3 URI (s3:///). | +| `s3.bucket` | `string` | None | the bucket name for s3 events. | +| `s3.key` | `string` | None | the S3 key name. | +| `s3.bytes` | `uint64` | None | the size of an s3 download or upload, in bytes. | +| `s3.bytes.in` | `uint64` | None | the size of an s3 upload, in bytes. | +| `s3.bytes.out` | `uint64` | None | the size of an s3 download, in bytes. | +| `s3.cnt.get` | `uint64` | None | the number of get operations. This field is 1 for GetObject events, 0 otherwise. | +| `s3.cnt.put` | `uint64` | None | the number of put operations. This field is 1 for PutObject events, 0 otherwise. | +| `s3.cnt.other` | `uint64` | None | the number of non I/O operations. This field is 0 for GetObject and PutObject events, 1 for all the other events. | +| `ec2.name` | `string` | None | the name of the ec2 instances, typically stored in the instance tags. | +| `ec2.imageid` | `string` | None | the ID for the image used to run the ec2 instance in the response. | +| `ecr.repository` | `string` | None | the name of the ecr Repository specified in the request. | +| `ecr.imagetag` | `string` | None | the tag of the image specified in the request. | ## Handling AWS Authentication diff --git a/plugins/dummy_c/README.md b/plugins/dummy_c/README.md index 95073032..0a62416e 100644 --- a/plugins/dummy_c/README.md +++ b/plugins/dummy_c/README.md 
@@ -15,11 +15,11 @@ The event source for dummy events is `dummy`. Here is the current set of supported fields: -| NAME | TYPE | ARG | DESCRIPTION | -|-------------------|----------|------|-------------------------------------------------------------------------| -| `dummy.divisible` | `uint64` | None | Return 1 if the value is divisible by the provided divisor, 0 otherwise | -| `dummy.value` | `uint64` | None | The sample value in the event | -| `dummy.strvalue` | `string` | None | The sample value in the event, as a string | +| NAME | TYPE | ARG | DESCRIPTION | +|-------------------|----------|-------|-------------------------------------------------------------------------| +| `dummy.divisible` | `uint64` | Index | Return 1 if the value is divisible by the provided divisor, 0 otherwise | +| `dummy.value` | `uint64` | Index | The sample value in the event | +| `dummy.strvalue` | `string` | Index | The sample value in the event, as a string | ## Configuration diff --git a/plugins/okta/README.md b/plugins/okta/README.md index c4fd50de..a5bd76c0 100644 --- a/plugins/okta/README.md +++ b/plugins/okta/README.md @@ -23,7 +23,7 @@ The event source for `okta` events is `okta`. # Supported Fields -| NAME | TYPE | ARG | DESCRIPTION | +| NAME | TYPE | ARG | DESCRIPTION | |---------------------------------|----------|-----------------|---------------------------------------| | `okta.app` | `string` | None | Application | | `okta.org` | `string` | None | Organization |
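Review bot: the `+` rows of the cloudtrail table carry every old description over verbatim, including the typo `the task definition prrovided in the request.` on `ct.request.taskdefinition` and the missing space in `(e.g. Root, IAMUser,AWSService, etc.)` on `ct.user.identitytype`; since this commit already rewrites each row, it is the natural place to fix them (and if the table is generated from the plugin's field definitions, fix the source strings so the next regeneration does not reintroduce them). The `s3.uri` description `the s3 URI (s3:///).` also reads as if bucket and key placeholders were lost, so check whether the intended text (something along the lines of `s3://<bucket>/<key>`) is being swallowed by markdown rendering and escape it if so. Trailing periods are inconsistent as well (`the host included in the request`, `the policy included in the request` have none while the neighbouring rows do).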
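Review bot: the ARG column for all three dummy fields flips from `None` to `Index`, but the descriptions are unchanged, so a reader still cannot tell what the index means: `dummy.divisible` says `Return 1 if the value is divisible by the provided divisor` without stating that the divisor is the index argument (e.g. `dummy.divisible[3]`), and `dummy.value` and `dummy.strvalue` say nothing about what an index would select. Either extend the descriptions to spell out the argument, or confirm that the latter two really accept one and the column change is not a copy-paste slip. A change to documented field arguments is also more than a readme refresh and deserves a line in the commit body rather than only the `chore(plugins): update readmes` subject.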