本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
下列各節提供每個事件資料存放區類型的支援SQL結構描述。
主題
CloudTrail 事件記錄欄位支援的結構描述
以下是 CloudTrail 管理和資料事件記錄欄位的有效SQL結構描述。如需 CloudTrail 事件記錄欄位的詳細資訊,請參閱 CloudTrail 記錄內容。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "useridentity", "Type": "struct<type:string,principalid:string,arn:string,accountid:string,accesskeyid:string, username:string,sessioncontext:struct<attributes:struct<creationdate:timestamp, mfaauthenticated:string>,sessionissuer:struct<type:string,principalid:string,arn:string, accountid:string,username:string>,webidfederationdata:struct<federatedprovider:string, attributes:map<string,string>>,sourceidentity:string,ec2roledelivery:string, ec2issuedinvpc:string>,onbehalfof:struct<userid:string,identitystorearn:string>, inscopeof:struct<sourcearn:string,sourceaccount:string,issuertype:string, credentiaisissuedto:string>,invokedby:string,identityprovider:string>" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "eventsource", "Type": "string" }, { "Name": "eventname", "Type": "string" }, { "Name": "awsregion", "Type": "string" }, { "Name": "sourceipaddress", "Type": "string" }, { "Name": "useragent", "Type": "string" }, { "Name": "errorcode", "Type": "string" }, { "Name": "errormessage", "Type": "string" }, { "Name": "requestparameters", "Type": "map<string,string>" }, { "Name": "responseelements", "Type": "map<string,string>" }, { "Name": "additionaleventdata", "Type": "map<string,string>" }, { "Name": "requestid", "Type": "string" }, { "Name": "eventid", "Type": "string" }, { "Name": "readonly", "Type": "boolean" }, { "Name": "resources", "Type": "array<struct<accountid:string,type:string,arn:string,arnprefix:string>>" }, { "Name": "eventtype", "Type": "string" }, { "Name": "apiversion", "Type": "string" }, { "Name": "managementevent", "Type": "boolean" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "sharedeventid", "Type": "string" }, { "Name": "annotation", "Type": "string" }, { "Name": "vpcendpointid", "Type": "string" }, { "Name": "vpcendpointaccountid", "Type": "string" }, { "Name": "serviceeventdetails", "Type": "map<string,string>" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "edgedevicedetails", "Type": "map<string,string>" }, { "Name": "insightdetails", "Type": "map<string,string>" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "tlsdetails", "Type": "struct<tlsversion:string,ciphersuite:string,clientprovidedhostheader:string>" }, { "Name": "sessioncredentialfromconsole", "Type": "string" }, { "Name": "eventjson", "Type": "string" } { "Name": "eventjsonchecksum", "Type": "string" } ]
CloudTrail Insights 事件記錄欄位支援的結構描述
以下是 Insights SQL 事件記錄的有效結構描述欄位。對於 Insights 事件,eventcategory 的值為 Insight,eventtype 的值為 AwsCloudTrailInsight。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "sharedeventid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "insightsource", "Type": "string" }, { "Name": "insightstate", "Type": "string" }, { "Name": "insighteventsource", "Type": "string" }, { "Name": "insighteventname", "Type": "string" }, { "Name": "insighterrorcode", "Type": "string" }, { "Name": "insighttype", "Type": "string" }, { "Name": "insightContext", "Type": "struct<baselineaverage:double,insightaverage:double,baselineduration:integer, insightduration:integer,attributions:struct<attribute:string,insightvalue:string, insightaverage:double,baselinevalue:string,baselineaverage:double>>" } ]
支援的 AWS Config 組態項目記錄欄位結構描述
以下是組態項目記錄欄位的有效SQL結構描述。對於組態項目,eventcategory 的值為 ConfigurationItem,eventtype 的值為 AwsConfigurationItem。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "eventdata", "Type": "struct<configurationitemversion:string,configurationitemcapturetime: string,configurationitemstatus:string,configurationitemstateid:string,accountid:string, resourcetype:string,resourceid:string,resourcename:string,arn:string,awsregion:string, availabilityzone:string,resourcecreationtime:string,configuration:map<string,string>, supplementaryconfiguration:map<string,string>,relatedevents:string, relationships:struct<name:string,resourcetype:string,resourceid:string, resourcename:string>,tags:map<string,string>>" } ]
AWS Audit Manager 證據記錄欄位支援的結構描述
以下是 Audit Manager 證據記錄欄位的有效SQL結構描述。對於 Audit Manager 證據記錄欄位,eventcategory 的值為 Evidence,eventtype 的值為 AwsAuditManagerEvidence。如需使用 Audit Manager 在 CloudTrail Lake 中彙總證據的詳細資訊,請參閱 AWS Audit Manager 使用者指南中的證據搜尋工具。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "map<string,string>" }, { "Name": "eventdata", "Type": "struct<attributes:map<string,string>,awsaccountid:string,awsorganization:string, compliancecheck:string,datasource:string,eventname:string,eventsource:string, evidenceawsaccountid:string,evidencebytype:string,iamid:string,evidenceid:string, time:timestamp,assessmentid:string,controlsetid:string,controlid:string, controlname:string,controldomainname:string,frameworkname:string,frameworkid:string, service:string,servicecategory:string,resourcearn:string,resourcetype:string, evidencefolderid:string,description:string,manualevidences3resourcepath:string, evidencefoldername:string,resourcecompliancecheck:string>" } ]
非AWS 事件欄位支援的結構描述
以下是非AWS 事件的有效SQL結構描述。對於非AWS 事件, 的值eventcategory為 ActivityAuditLog,而 的值eventtype為 ActivityLog。
[ { "Name": "eventversion", "Type": "string" }, { "Name": "eventcategory", "Type": "string" }, { "Name": "eventtype", "Type": "string" }, "Name": "eventid", "Type": "string" }, { "Name": "eventtime", "Type": "timestamp" }, { "Name": "awsregion", "Type": "string" }, { "Name": "recipientaccountid", "Type": "string" }, { "Name": "addendum", "Type": "struct<reason:string,updatedfields:string,originalUID:string,originaleventid:string>" }, { "Name": "metadata", "Type": "struct<ingestiontime:string,channelarn:string>" }, { "Name": "eventdata", "Type": "struct<version:string,useridentity:struct<type:string, principalid:string,details:map<string,string>>,useragent:string,eventsource:string, eventname:string,eventtime:string,uid:string,requestparameters:map<string,string>>, responseelements":map<string,string>>,errorcode:string,errormssage:string,sourceipaddress:string, recipientaccountid:string,additionaleventdata":map<string,string>>" } ]
