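# Data-source definition for the S3 CopyObject API call as recorded in AWS CloudTrail.
# The key set (name/id/version/date/author/description/source/sourcetype/separator/
# supported_TA/fields/example_log) looks like the data_sources schema of Splunk's
# security_content project — inferred from the author line; confirm against that
# repository's data_source schema before relying on it.
name: AWS CloudTrail CopyObject
id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
# Version of this definition object, distinct from the add-on version listed below.
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail CopyObject
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# Field whose value tells this data source apart from other aws:cloudtrail sources
# (the sample event below carries eventName=CopyObject).
separator: eventName
# url and version are nested under the sequence item: they describe the add-on, not
# this object. Flattened to column 0 they would become top-level keys and a second
# "version" key would silently override "version: 1" in most parsers.
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: '7.9.1'
# Fields present on the sample event: raw CloudTrail keys (eventName, userIdentity.*,
# requestParameters.*, resources{}.*) plus Splunk-side fields such as src, user and
# vendor_account — presumably search-time extractions; verify against the add-on.
fields:
- _time
- additionalEventData.AuthenticationMethod
- additionalEventData.CipherSuite
- additionalEventData.SSEApplied
- additionalEventData.SignatureVersion
- additionalEventData.bytesTransferredIn
- additionalEventData.bytesTransferredOut
- additionalEventData.x-amz-id-2
- app
- awsRegion
- aws_account_id
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.Host
- requestParameters.bucketName
- requestParameters.key
- requestParameters.x-amz-copy-source
- requestParameters.x-amz-server-side-encryption
- requestParameters.x-amz-server-side-encryption-aws-kms-key-id
- resources{}.ARN
- resources{}.accountId
- resources{}.type
- responseElements.x-amz-server-side-encryption
- responseElements.x-amz-server-side-encryption-aws-kms-key-id
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.type
- userIdentity.userName
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
# Sample CopyObject event (data-plane event: eventCategory=Data, managementEvent=false)
# illustrating the field set above. It embeds a userIdentity.accessKeyId, a
# sourceIPAddress, an IAM user name and bucket/object names in the same shape as live
# identifiers; NOTE(review): confirm these are synthetic or sanitized before the sample
# is distributed. Continuation lines are indented so the single-quoted scalar stays
# inside the mapping; YAML folds the line breaks to single spaces.
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
  "AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
  "111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
  "eventTime": "2021-01-11T12:40:47Z", "eventSource": "s3.amazonaws.com", "eventName":
  "CopyObject", "awsRegion": "us-west-2", "sourceIPAddress": "95.90.199.65", "userAgent":
  "[aws-cli/2.0.45 Python/3.7.4 Darwin/20.2.0 exe/x86_64 command/s3.cp]", "requestParameters":
  {"bucketName": "patricktestbucketencrypt", "x-amz-server-side-encryption-aws-kms-key-id":
  "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1", "Host":
  "patricktestbucketencrypt.s3.us-west-2.amazonaws.com", "x-amz-server-side-encryption":
  "aws:kms", "x-amz-copy-source": "patricktestbucketencrypt/kms_aws_events.json",
  "key": "kms_aws_events_encrypted.json"}, "responseElements": {"x-amz-server-side-encryption":
  "aws:kms", "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"},
  "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
  "bytesTransferredIn": 0.0, "SSEApplied": "SSE_KMS", "AuthenticationMethod": "AuthHeader",
  "x-amz-id-2": "fqzX1iZV6ImDtkFxbGvziOE6fUwryRa+PhnLckfVAkLNHdbCAHNq4l/yckUd1a2HNJPL6NAS01U=",
  "bytesTransferredOut": 234.0}, "requestID": "6A7359F7A9414B02", "eventID": "b20d43de-175d-4443-acd7-f5f3e587ae00",
  "readOnly": false, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events_encrypted.json"},
  {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"},
  {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"},
  {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}],
  "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
  "eventCategory": "Data"}'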