Hi Folks,
We have ingested the AWS logs using the AWS add-on and are able to see the logs. Now we are trying to extract the timestamp value from the eventLastSeen field and use that value as the event time, but it is not working with the method below. Could you please help me extract the timestamp value from the eventLastSeen field?
Sample event:
[
{
"schemaVersion": "2.0",
"accountId": "893386011857",
"region": "us-east-2",
"partition": "aws",
"id": "42b1b691434e33399b13f013f9740757",
"arn": "arn:aws:guardduty:us-east-2:893386011857:detector/a8b16945bc4a8767dcac8d7edbf84e03/finding/42b1b691434e33399b13f013f9740757",
"type": "Recon:EC2/PortProbeUnprotectedPort",
"resource": {
"resourceType": "Instance",
"instanceDetails": {
"instanceId": "i-048dfd648094a1fdc",
"instanceType": "t2.micro",
"launchTime": "2018-05-17T07:06:43Z",
"platform": "windows",
"productCodes": [],
"iamInstanceProfile": null,
"networkInterfaces": [
{
"ipv6Addresses": [],
"networkInterfaceId": "eni-0b1a9d3e70ae5c43b",
"privateDnsName": "ip-172-31-22-179.us-east-2.compute.internal",
"privateIpAddress": "172.31.22.179",
"privateIpAddresses": [
{
"privateDnsName": "ip-172-31-22-179.us-east-2.compute.internal",
"privateIpAddress": "172.31.22.179"
}
],
"subnetId": "subnet-2076a65a",
"vpcId": "vpc-1d741675",
"securityGroups": [
{
"groupName": "launch-wizard-2",
"groupId": "sg-007141e05a28f56e8"
}
],
"publicDnsName": "ec2-18-191-78-236.us-east-2.compute.amazonaws.com",
"publicIp": "18.191.78.236"
}
],
"tags": [],
"instanceState": "running",
"availabilityZone": "us-east-2b",
"imageId": "ami-fd0f3298",
"imageDescription": "Microsoft Windows Server 2016 with Desktop Experience Locale English AMI provided by Amazon"
}
},
"service": {
"serviceName": "guardduty",
"detectorId": "a8b16945bc4a8767dcac8d7edbf84e03",
"action": {
"actionType": "PORT_PROBE",
"portProbeAction": {
"portProbeDetails": [
{
"localPortDetails": {
"port": 3389,
"portName": "RDP"
},
"remoteIpDetails": {
"ipAddressV4": "103.89.91.215",
"organization": {
"asn": "135905",
"asnOrg": "VIETNAM POSTS AND TELECOMMUNICATIONS GROUP",
"isp": "Vietnam Posts And Telecommunications Group",
"org": "Vietnam Posts And Telecommunications Group"
},
"country": {
"countryName": "Vietnam"
},
"city": {
"cityName": "Hanoi"
},
"geoLocation": {
"lat": 21.0333,
"lon": 105.85
}
}
}
],
"blocked": false
}
},
"resourceRole": "TARGET",
"additionalInfo": {
"threatName": "Scanner",
"threatListName": "ProofPoint"
},
"eventFirstSeen": "2018-05-17T08:02:12Z",
"eventLastSeen": "2018-05-17T08:55:47Z",
"archived": false,
"count": 2
},
"severity": 2,
"createdAt": "2018-05-17T08:06:09.308Z",
"updatedAt": "2018-05-17T09:06:09.505Z",
"title": "Unprotected port on EC2 instance i-048dfd648094a1fdc is being probed.",
"description": "EC2 instance has an unprotected port which is being probed by a known malicious host."
}
]
props.conf:
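# Index-time timestamp settings. They only take effect on the parsing tier
# (indexer or heavy forwarder, not the search head) and must sit under the
# stanza for the sourcetype the AWS add-on assigns to these findings; the
# stanza header is not shown here, so confirm it is present and that this
# file takes precedence over the add-on's own props for that sourcetype.
# Anchor on the eventLastSeen key. \s* instead of \s so the same regex matches
# pretty-printed JSON ("key": "value", as in the pasted sample) and compact
# JSON ("key":"value"), which is how the add-on may actually deliver events.
TIME_PREFIX="eventLastSeen":\s*"
# The trailing Z is consumed as a literal, so no zone is parsed from the value;
# without TZ the host's local zone would be applied. TZ pins it to UTC, which
# is what the Z suffix denotes.
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ
TZ=UTC
# "2018-05-17T08:55:47Z" is exactly 20 characters, so the lookahead just fits.
MAX_TIMESTAMP_LOOKAHEAD=20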