
 

 

{ "AccountId": "741448936891", "Arn": "arn:aws:guardduty:ap-south-1:741448936891:detector/66ca0946c7dfd299da283198338550ee/finding/34ca0cfb393882ceadb00e62be29dfc0", "CreatedAt": "2024-12-30T23:46:09.137Z", "Description": "AWS CloudTrail trail arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test was disabled by anurag-aws-learn-new calling StopLogging under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.", "Id": "34ca0cfb393882ceadb00e62be29dfc0", "Partition": "aws", "Region": "ap-south-1", "Resource": { "AccessKeyDetails": { "AccessKeyId": "ASIA2ZIOM5W5QMW3FGAP", "PrincipalId": "741448936891", "UserName": "anurag-aws-learn-new", "UserType": "Root" }, "ResourceType": "AccessKey" }, "SchemaVersion": "2.0", "Service": { "Action": { "ActionType": "AWS_API_CALL", "AwsApiCallAction": { "Api": "StopLogging", "CallerType": "Remote IP", "RemoteIpDetails": { "City": { "CityName": "Mumbai" }, "Country": { "CountryName": "India" }, "GeoLocation": { "Lat": 19.0748, "Lon": 72.8856 }, "IpAddressV4": "134.238.16.127", "Organization": { "Asn": "394089", "AsnOrg": "GCP-ENTERPRISE-USER-TRAFFIC", "Isp": "Palo Alto Networks", "Org": "Palo Alto Networks" } }, "ServiceName": "cloudtrail.amazonaws.com", "AffectedResources": { "AWS::CloudTrail::Trail": "arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test" } } }, "Archived": false, "Count": 4, "DetectorId": "66ca0946c7dfd299da283198338550ee", "EventFirstSeen": "2024-12-30T23:36:16.000Z", "EventLastSeen": "2025-01-01T03:35:11.000Z", "ResourceRole": "TARGET", "ServiceName": "guardduty", "AdditionalInfo": { "Value": "{}", "Type": "default" } }, "Severity": 2, "Title": "An AWS CloudTrail trail arn:aws:cloudtrail:ap-south-1:741448936891:trail/sample_test was disabled.", "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "UpdatedAt": "2025-01-01T03:45:57.674Z" }

 

 This is a sample JSON log that I want to parse. Can somebody guide me? I am new to this, so could somebody suggest documentation or a video that teaches JSON parsing from scratch?


@jstoner 

The default GUARDDUTY log source should parse this log sample:

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/guard-duty

 

Training materials for self-service parser creation are available here:

https://www.cloudskillsboost.google/paths/110/course_templates/442/video/472768?locale=pt_PT

The product documentation covering parsers is available here:

https://cloud.google.com/chronicle/docs/event-processing/parser-tips-troubleshooting

 

And finally, just to check: ensure there is no PII or other sensitive data in your sample (e.g., the account ID, access key ID, user name, or source IP address), and if there is, redact it, as this is a public forum.