Cloudtrail add actor and target (#12685)

* Add Cloudtrail Actor and Target

* Update toggle description

* Fix accountId typo

* Add versioning

* Fix ec2 events without complete response elements

* Improve error handling

* Improve error handling (add tag to the document on error)

* Use onBehalfOf in case of arn is not available in the user identity section

* Bump manifest version

Author: romulets

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.44.0"
+  changes:
+  - description: Add `actor.entity.id` and `target.entity.id`
+    type: enhancement
+    link: https://github.com/elastic/integrations/pull/12685
 - version: "2.43.0"
   changes:
     - description: Set `event.type` and `event.action` fields in vpcflow logs.

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log

@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"98675cf5-df23-4169-8411-58429782c464","eventName":"AddPermission20150331v2","eventSource":"lambda.amazonaws.com","eventTime":"2024-10-10T15:07:03Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"84a87304-e9d7-4a99-ae71-dfc74faf5f12","requestParameters":{"action":"lambda:InvokeFunction","functionName":"cloudtrail-events-test","principal":"sns.amazonaws.com","statementId":"sns"},"responseElements":{"statement":"{\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"lambda.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/[email protected]","principalId":"PRINCIPALID","type":"IAMUser","userName":"[email protected]"}}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json

@@ -0,0 +1,124 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-10-10T15:07:03.000Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::000000000:user/[email protected]"
+                    ]
+                }
+            },
+            "aws": {
+                "cloudtrail": {
+                    "event_category": "Management",
+                    "event_type": "AwsApiCall",
+                    "event_version": "1.08",
+                    "flattened": {
+                        "request_parameters": {
+                            "action": "lambda:InvokeFunction",
+                            "functionName": "cloudtrail-events-test",
+                            "principal": "sns.amazonaws.com",
+                            "statementId": "sns"
+                        },
+                        "response_elements": {
+                            "statement": "{\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}"
+                        }
+                    },
+                    "read_only": false,
+                    "recipient_account_id": "000000000",
+                    "request_id": "84a87304-e9d7-4a99-ae71-dfc74faf5f12",
+                    "request_parameters": "{principal=sns.amazonaws.com, functionName=cloudtrail-events-test, statementId=sns, action=lambda:InvokeFunction}",
+                    "response_elements": "{statement={\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}}",
+                    "user_identity": {
+                        "access_key_id": "ACCESSKEYID",
+                        "arn": "arn:aws:iam::000000000:user/[email protected]",
+                        "type": "IAMUser"
+                    }
+                }
+            },
+            "cloud": {
+                "account": {
+                    "id": "000000000"
+                },
+                "region": "us-east-1"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "AddPermission20150331v2",
+                "created": "2021-11-11T01:02:03.123456789Z",
+                "id": "98675cf5-df23-4169-8411-58429782c464",
+                "kind": "event",
+                "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"98675cf5-df23-4169-8411-58429782c464\",\"eventName\":\"AddPermission20150331v2\",\"eventSource\":\"lambda.amazonaws.com\",\"eventTime\":\"2024-10-10T15:07:03Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"84a87304-e9d7-4a99-ae71-dfc74faf5f12\",\"requestParameters\":{\"action\":\"lambda:InvokeFunction\",\"functionName\":\"cloudtrail-events-test\",\"principal\":\"sns.amazonaws.com\",\"statementId\":\"sns\"},\"responseElements\":{\"statement\":\"{\\\"Sid\\\":\\\"sns\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"sns.amazonaws.com\\\"},\\\"Action\\\":\\\"lambda:InvokeFunction\\\",\\\"Resource\\\":\\\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\\\"}\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"lambda.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/[email protected]\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"[email protected]\"}}",
+                "outcome": "success",
+                "provider": "lambda.amazonaws.com",
+                "type": [
+                    "info"
+                ]
+            },
+            "related": {
+                "entity": [
+                    "[email protected]",
+                    "ACCESSKEYID",
+                    "arn:aws:iam::000000000:user/[email protected]",
+                    "cloudtrail-events-test"
+                ],
+                "user": [
+                    "[email protected]"
+                ]
+            },
+            "source": {
+                "address": "216.160.83.56",
+                "as": {
+                    "number": 209
+                },
+                "geo": {
+                    "city_name": "Milton",
+                    "continent_name": "North America",
+                    "country_iso_code": "US",
+                    "country_name": "United States",
+                    "location": {
+                        "lat": 47.2513,
+                        "lon": -122.3149
+                    },
+                    "region_iso_code": "US-WA",
+                    "region_name": "Washington"
+                },
+                "ip": "216.160.83.56"
+            },
+            "tags": [
+                "preserve_original_event",
+                "actor_target_mapping"
+            ],
+            "target": {
+                "entity": {
+                    "id": [
+                        "cloudtrail-events-test"
+                    ]
+                }
+            },
+            "tls": {
+                "cipher": "TLS_AES_128_GCM_SHA256",
+                "client": {
+                    "server_name": "lambda.us-east-1.amazonaws.com"
+                },
+                "version": "1.3",
+                "version_protocol": "tls"
+            },
+            "user": {
+                "id": "PRINCIPALID",
+                "name": "[email protected]"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "aws-cli",
+                "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission",
+                "version": "2.17.60"
+            }
+        }
+    ]
+}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json

@@ -2,6 +2,13 @@
     "expected": [
         {
             "@timestamp": "2014-03-25T21:08:14.000Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::123456789012:user/Alice"
+                    ]
+                }
+            },
             "aws": {
                 "cloudtrail": {
                     "event_version": "1.0",
@@ -52,7 +59,6 @@
             },
             "related": {
                 "entity": [
-                    "EX_PRINCIPAL_ID",
                     "arn:aws:iam::123456789012:user/Alice",
                     "Bob",
                     "EXAMPLE_KEY_ID",
@@ -68,7 +74,8 @@
                 "ip": "127.0.0.1"
             },
             "tags": [
-                "preserve_original_event"
+                "preserve_original_event",
+                "actor_target_mapping"
             ],
             "user": {
                 "id": "EX_PRINCIPAL_ID",
@@ -86,4 +93,4 @@
             }
         }
     ]
-}
+}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json

@@ -2,6 +2,13 @@
     "expected": [
         {
             "@timestamp": "2019-10-02T22:12:29.000Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::111111111111:role/JohnRole1"
+                    ]
+                }
+            },
             "aws": {
                 "cloudtrail": {
                     "event_type": "AwsApiCall",
@@ -95,7 +102,6 @@
             },
             "related": {
                 "entity": [
-                    "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
                     "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
                     "Role2WithTags",
                     "AKIAI44QH8DHBEXAMPLE",
@@ -123,8 +129,16 @@
                 "ip": "81.2.69.144"
             },
             "tags": [
-                "preserve_original_event"
+                "preserve_original_event",
+                "actor_target_mapping"
             ],
+            "target": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::111111111111:role/JohnRole2"
+                    ]
+                }
+            },
             "user": {
                 "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
                 "name": "JohnDoe"
@@ -145,6 +159,13 @@
         },
         {
             "@timestamp": "2019-10-02T22:12:29.000Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::111111111111:role/JohnRole1"
+                    ]
+                }
+            },
             "aws": {
                 "cloudtrail": {
                     "event_type": "AwsApiCall",
@@ -243,7 +264,6 @@
             },
             "related": {
                 "entity": [
-                    "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
                     "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
                     "Role2WithTags",
                     "AKIAI44QH8DHBEXAMPLE",
@@ -270,8 +290,16 @@
                 "ip": "81.2.69.144"
             },
             "tags": [
-                "preserve_original_event"
+                "preserve_original_event",
+                "actor_target_mapping"
             ],
+            "target": {
+                "entity": {
+                    "id": [
+                        "arn:aws:iam::111111111111:role/JohnRole2"
+                    ]
+                }
+            },
             "user": {
                 "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
                 "name": "JohnDoe"
@@ -291,4 +319,4 @@
             }
         }
     ]
-}
+}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log

@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6bf9a009-b248-415d-a8a9-63b7fe5621c0","eventName":"AttachGroupPolicy","eventSource":"iam.amazonaws.com","eventTime":"2024-10-08T14:12:17Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"01d08e9a-35d9-4790-97a7-b41d30aa86bf","requestParameters":{"groupName":"TestGroupPolicy","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5bca7082-50b2-4c08-b5e2-1ecf49a48a2b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-group-policy","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/[email protected]","principalId":"PRINCIPALID","type":"IAMUser","userName":"[email protected]"}}
+