
 

 

{
"AccountId": "741448936891",
"Arn": "arn:aws:guardduty:ap-south-1:741448936891:detector/66ca0946c7dfd299da283198338550ee/finding/34ca0cfb393882ceadb00e62be29dfc0",
"CreatedAt": "2024-12-30T23:46:09.137Z",
"Description": "AWS CloudTrail trail arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test was disabled by anurag-aws-learn-new calling StopLogging under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.",
"Id": "34ca0cfb393882ceadb00e62be29dfc0",
"Partition": "aws",
"Region": "ap-south-1",
"Resource": {
"AccessKeyDetails": {
"AccessKeyId": "ASIA2ZIOM5W5QMW3FGAP",
"PrincipalId": "741448936891",
"UserName": "anurag-aws-learn-new",
"UserType": "Root"
},
"ResourceType": "AccessKey"
},
"SchemaVersion": "2.0",
"Service": {
"Action": {
"ActionType": "AWS_API_CALL",
"AwsApiCallAction": {
"Api": "StopLogging",
"CallerType": "Remote IP",
"RemoteIpDetails": {
"City": {
"CityName": "Mumbai"
},
"Country": {
"CountryName": "India"
},
"GeoLocation": {
"Lat": 19.0748,
"Lon": 72.8856
},
"IpAddressV4": "134.238.16.127",
"Organization": {
"Asn": "394089",
"AsnOrg": "GCP-ENTERPRISE-USER-TRAFFIC",
"Isp": "Palo Alto Networks",
"Org": "Palo Alto Networks"
}
},
"ServiceName": "cloudtrail.amazonaws.com",
"AffectedResources": {
"AWS::CloudTrail::Trail": "arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test"
}
}
},
"Archived": false,
"Count": 4,
"DetectorId": "66ca0946c7dfd299da283198338550ee",
"EventFirstSeen": "2024-12-30T23:36:16.000Z",
"EventLastSeen": "2025-01-01T03:35:11.000Z",
"ResourceRole": "TARGET",
"ServiceName": "guardduty",
"AdditionalInfo": {
"Value": "{}",
"Type": "default"
}
},
"Severity": 2,
"Title": "An AWS CloudTrail trail arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test was disabled.",
"Type": "Stealth:IAMUser/CloudTrailLoggingDisabled",
"UpdatedAt": "2025-01-01T03:45:57.674Z"
}

 

 This is a sample JSON log that I want to parse. Can somebody guide me? I am new to this. Can somebody suggest documentation or a video that teaches JSON parsing from scratch?


@jstoner 

The default GUARDDUTY log source should parse this log sample:


https://cloud.google.com/chronicle/docs/ingestion/default-parsers/guard-duty


 


Training materials for self-service parser creation are available here:


https://www.cloudskillsboost.google/paths/110/course_templates/442/video/472768?locale=pt_PT


The product documentation covering parsers is available here:


https://cloud.google.com/chronicle/docs/event-processing/parser-tips-troubleshooting


 


And finally, just to check: make sure there is no PII in your sample (for example, the account ID or the access key ID), and if there is, redact it before posting, since this is a public forum.


 


 

