data_sources/aws_cloudtrail_createvirtualmfadevice.yml

name: AWS CloudTrail CreateVirtualMFADevice
id: 13e6e952-0dad-4190-865c-fb5911725f7a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail CreateVirtualMFADevice
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.9.0
fields:
- _time
- action
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.path
- requestParameters.virtualMFADeviceName
- responseElements.virtualMFADevice.serialNumber
- sessionCredentialFromConsole
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- status
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.type
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
  "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
  {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
  "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
  "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
  "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
  "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
  "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
  "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'