diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 31c28a88a87..664fd747ff1 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.25.0-preview01" + changes: + - description: Add related.entity field. + type: enhancement + link: https://github.com/elastic/integrations/pull/11115 - version: "2.25.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json index f732eddc1e8..ee90799b758 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json @@ -51,6 +51,12 @@ "name": "admin" }, "related": { + "entity": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index 826c32604c3..754781acad4 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json 
@@ -93,6 +93,18 @@ "info" ] }, + "related": { + "entity": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "Role2WithTags", + "JohnDoe", + "arn:aws:iam::111122223333:role/JohnRole2", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole1", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "source": { "address": "81.2.69.144", "geo": { @@ -228,6 +240,17 @@ "info" ] }, + "related": { + "entity": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "Role2WithTags", + "JohnDoe", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole1", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "source": { "address": "81.2.69.144", "geo": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json index bd43a032680..6bd056bccb0 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json @@ -44,6 +44,11 @@ ] }, "related": { + "entity": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] @@ -110,6 +115,11 @@ ] }, "related": { + "entity": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json index c572d8442ac..282b0156876 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json @@ -140,6 +140,7 @@ "path": "AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T193649Z.json.gz" }, "related": { + "entity": [], "hash": [ "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" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json index 813a95eba75..9f1b1ed2b1e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json @@ -55,6 +55,11 @@ ] }, "related": { + "entity": [ + "AIDACKCEVSQ6C2EXAMPLE", + "JohnDoe", + "arn:aws:iam::111122223333:user/JohnDoe" + ], "user": [ "JohnDoe" ] @@ -158,6 +163,11 @@ ] }, "related": { + "entity": [ + "AIDACKCEVSQ6C2EXAMPLE", + "JaneDoe", + "arn:aws:iam::111122223333:user/JaneDoe" + ], "user": [ "JaneDoe" ] @@ -270,6 +280,14 @@ "info" ] }, + "related": { + "entity": [ + "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", + "arn:aws:iam::123456789012:role/RoleToBeAssumed", + "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", + "RoleToBeAssumed" + ] + }, "source": { "address": "89.160.20.156", "as": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json index 6fc71a8cbd3..d3c54637068 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json 
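Review bot: The added `"entity": []` under `related` in the digest expected output shows the pipeline emitting `related.entity` as an empty array when an event yields no entities, whereas the other `related.*` fields in this fixture are simply absent when they have no values (only `related.hash` is present here). An empty array carries no correlation value and makes the field's presence inconsistent with every other expected file in this commit, where `related.entity` only appears populated. The pipeline change itself is outside this chunk, so this is inferred from the fixture; a guard in the ingest pipeline such as `- remove: { field: related.entity, if: "ctx.related?.entity != null && ctx.related.entity.isEmpty()" }` would drop the empty list, after which this added line should disappear from the regenerated fixture.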
@@ -61,6 +61,13 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Bob", + "EXAMPLE_KEY_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log new file mode 100644 index 00000000000..8b19e97a995 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log 
@@ -0,0 +1 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"d82a0cd1-6987-459a-b7bc-557a06bf16f2","eventName":"CreateDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-09-11T09:29:51Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"b51e7190-610a-40c7-bb1c-a0895e3518f8","requestParameters":{"allocatedStorage":20,"dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","engine":"mysql","masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS","masterUsername":"admin"},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","dBInstanceStatus":"creating","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subn
etStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-ANY6I3FNUJC7WQKYS5RFPU7ORM","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.35","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{"masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS"},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:23-09:53","preferredMaintenanceWindow":"sun:06:55-sun:07:25","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/rds.create-db-instance","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json new file mode 100644 index 00000000000..8d1e29682b7 
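Review bot: The new fixture uses `1010101010101` as `recipientAccountId`, `userIdentity.accountId` and the account segment of every ARN, which is a 13-digit value, while AWS account IDs are 12 digits and the other fixtures touched in this commit use 12-digit placeholders such as `123456789012`. Any processor or test downstream that assumes the canonical 12-digit shape would not be exercised by this input, so the fixture is slightly less representative than it could be; this is a fixture-quality point rather than a parsing failure, since the expected output in the next hunk processes it fine. The same value is used in the new `test-create-lambda-json.log` fixture later in this diff, so if it is changed both inputs and both expected files should be regenerated together.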
--- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json 
@@ -0,0 +1,224 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-11T09:29:51.000Z", + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "allocatedStorage": 20, + "dBInstanceClass": "db.t3.micro", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-14340", + "engine": "mysql", + "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS", + "masterUsername": "admin" + }, + "response_elements": { + "allocatedStorage": 20, + "autoMinorVersionUpgrade": true, + "backupRetentionPeriod": 1, + "backupTarget": "region", + "cACertificateIdentifier": "rds-ca-rsa2048-g1", + "certificateDetails": { + "cAIdentifier": "rds-ca-rsa2048-g1" + }, + "copyTagsToSnapshot": false, + "customerOwnedIpEnabled": false, + "dBInstanceArn": "arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340", + "dBInstanceClass": "db.t3.micro", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-14340", + "dBInstanceStatus": "creating", + "dBParameterGroups": [ + { + "dBParameterGroupName": "default.mysql8.0", + "parameterApplyStatus": "in-sync" + } + ], + "dBSubnetGroup": { + "dBSubnetGroupDescription": "default", + "dBSubnetGroupName": "default", + "subnetGroupStatus": "Complete", + "subnets": [ + { + "subnetAvailabilityZone": { + "name": "us-east-1d" + }, + "subnetIdentifier": "subnet-c4bf5e9b", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1a" + }, + "subnetIdentifier": "subnet-0a0bee6c", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1e" + }, + "subnetIdentifier": "subnet-37391109", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1b" + }, + "subnetIdentifier": "subnet-fee506df", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1f" + }, + "subnetIdentifier": "subnet-bf6ab5b1", + "subnetStatus": "Active" + }, + { + 
"subnetAvailabilityZone": { + "name": "us-east-1c" + }, + "subnetIdentifier": "subnet-8bdf6bc6", + "subnetStatus": "Active" + } + ], + "vpcId": "vpc-73d2e309" + }, + "dbInstancePort": 0, + "dbiResourceId": "db-ANY6I3FNUJC7WQKYS5RFPU7ORM", + "dedicatedLogVolume": false, + "deletionProtection": false, + "engine": "mysql", + "engineLifecycleSupport": "open-source-rds-extended-support", + "engineVersion": "8.0.35", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "licenseModel": "general-public-license", + "masterUsername": "admin", + "monitoringInterval": 0, + "multiAZ": false, + "networkType": "IPV4", + "optionGroupMemberships": [ + { + "optionGroupName": "default:mysql-8-0", + "status": "in-sync" + } + ], + "pendingModifiedValues": { + "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "performanceInsightsEnabled": false, + "preferredBackupWindow": "09:23-09:53", + "preferredMaintenanceWindow": "sun:06:55-sun:07:25", + "publiclyAccessible": true, + "storageEncrypted": false, + "storageThroughput": 0, + "storageType": "gp2", + "vpcSecurityGroups": [ + { + "status": "active", + "vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "1010101010101", + "request_id": "b51e7190-610a-40c7-bb1c-a0895e3518f8", + "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-14340, masterUsername=admin, allocatedStorage=20, engine=mysql, dBInstanceClass=db.t3.micro, masterUserPassword=HIDDEN_DUE_TO_SECURITY_REASONS}", + "response_elements": "{allocatedStorage=20, backupTarget=region, cACertificateIdentifier=rds-ca-rsa2048-g1, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], dbiResourceId=db-ANY6I3FNUJC7WQKYS5RFPU7ORM, preferredBackupWindow=09:23-09:53, deletionProtection=false, dBInstanceArn=arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340, 
dBInstanceIdentifier=test-cloudtrail-event-instance-14340, engine=mysql, publiclyAccessible=true, iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.35, performanceInsightsEnabled=false, masterUsername=admin, certificateDetails={cAIdentifier=rds-ca-rsa2048-g1}, multiAZ=false, dBInstanceClass=db.t3.micro, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, pendingModifiedValues={masterUserPassword=HIDDEN_DUE_TO_SECURITY_REASONS}, monitoringInterval=0, preferredMaintenanceWindow=sun:06:55-sun:07:25, dBInstanceStatus=creating, backupRetentionPeriod=1, engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=in-sync}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false}", + "user_identity": { + "access_key_id": "ACCESS_KEY_EXAMPLE", + "arn": "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "1010101010101" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + 
"event": { + "action": "CreateDBInstance", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "d82a0cd1-6987-459a-b7bc-557a06bf16f2", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"d82a0cd1-6987-459a-b7bc-557a06bf16f2\",\"eventName\":\"CreateDBInstance\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-09-11T09:29:51Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"1010101010101\",\"requestID\":\"b51e7190-610a-40c7-bb1c-a0895e3518f8\",\"requestParameters\":{\"allocatedStorage\":20,\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-14340\",\"engine\":\"mysql\",\"masterUserPassword\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"masterUsername\":\"admin\"},\"responseElements\":{\"allocatedStorage\":20,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"rds-ca-rsa2048-g1\",\"certificateDetails\":{\"cAIdentifier\":\"rds-ca-rsa2048-g1\"},\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340\",\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-14340\",\"dBInstanceStatus\":\"creating\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"
us-east-1e\"},\"subnetIdentifier\":\"subnet-37391109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-ANY6I3FNUJC7WQKYS5RFPU7ORM\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.35\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"in-sync\"}],\"pendingModifiedValues\":{\"masterUserPassword\":\"HIDDEN_DUE_TO_SECURITY_REASONS\"},\"performanceInsightsEnabled\":false,\"preferredBackupWindow\":\"09:23-09:53\",\"preferredMaintenanceWindow\":\"sun:06:55-sun:07:25\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/rds.create-db-instance\",\"userIdentity\":{\"accessKeyId\":\"ACCESS_KEY_EXAMPLE\",\"accountId\":\"1010101010101\",\"arn\":\"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"type\":\"IAMUser\",\"userName\":\"testcloudtrail@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "testcloudtrail@elastic.co", + "subnet-0a0bee6c", + "subnet-37391109", + "subnet-bf6ab5b1", + "subnet-8bdf6bc6", + "AIDA2IBR2EZTJMPOR52WV", + "vpc-73d2e309", + "test-cloudtrail-event-instance-14340", + "subnet-fee506df", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co" + ], + "user": [ + "testcloudtrail@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "AIDA2IBR2EZTJMPOR52WV", + "name": "testcloudtrail@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/rds.create-db-instance", + "version": "2.14.5" + } + } + ] +} \ No newline at end of file 
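Review bot: In the new `related.entity` array of this fixture the RDS instance appears only as its plain identifier `test-cloudtrail-event-instance-14340`, while the `dBInstanceArn` (`arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340`) and `dbiResourceId` (`db-ANY6I3FNUJC7WQKYS5RFPU7ORM`) visible in `response_elements` are not collected. The Lambda fixture added in the same commit collects `functionArn` alongside `functionName`, so the RDS handling looks inconsistent; an instance identifier alone is unique only within an account and region, whereas the ARN is the stable key an analyst would pivot on across accounts. The extraction logic lives in the ingest pipeline, which is outside this chunk, so this is inferred from the expected output; if the omission is deliberate, a short comment next to the RDS entity extraction in the pipeline, e.g. `# responseElements.dBInstanceArn is intentionally not added to related.entity`, would save the next reader the same question.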
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json index ac85bed6f03..52f680b093e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json @@ -66,6 +66,11 @@ "name": "TEST-GROUP" }, "related": { + "entity": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] @@ -141,6 +146,11 @@ "name": "TEST-GROUP" }, "related": { + "entity": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json index 3f6e1d74fab..08576a3ceb7 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json @@ -53,6 +53,11 @@ ] }, "related": { + "entity": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log new file mode 100644 index 00000000000..a7570e1d619 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log 
@@ -0,0 +1 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6642d073-04f9-474f-a31d-5ef412875c07","eventName":"CreateFunction20150331","eventSource":"lambda.amazonaws.com","eventTime":"2024-09-11T09:29:33Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"1ea1d5c8-9cfc-4e18-8256-3dfbcfc43e0b","requestParameters":{"code":{},"environment":{},"functionName":"cloudtrail-events-test","handler":"lambda.handler","publish":false,"role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x"},"responseElements":{"architectures":["x86_64"],"codeSha256":"m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=","codeSize":1018083,"description":"","environment":{},"ephemeralStorage":{"size":512},"functionArn":"arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test","functionName":"cloudtrail-events-test","handler":"lambda.handler","lastModified":"2024-09-11T09:29:33.375+0000","loggingConfig":{"logFormat":"Text","logGroup":"/aws/lambda/cloudtrail-events-test"},"memorySize":128,"packageType":"Zip","revisionId":"729c925e-627c-42b2-abf1-55e7f8f7177c","role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x","runtimeVersionConfig":{"runtimeVersionArn":"arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc"},"snapStart":{"applyOn":"None","optimizationStatus":"Off"},"state":"Pending","stateReason":"The function is being created.","stateReasonCode":"Creating","timeout":3,"tracingConfig":{"mode":"PassThrough"},"version":"$LATEST"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"lambda.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/lambda.create-function","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json new file mode 100644 index 00000000000..b692ec1786f --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json 
@@ -0,0 +1,147 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-11T09:29:33.000Z", + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "functionName": "cloudtrail-events-test", + "handler": "lambda.handler", + "publish": false, + "role": "arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn", + "runtime": "nodejs20.x" + }, + "response_elements": { + "architectures": [ + "x86_64" + ], + "codeSha256": "m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=", + "codeSize": 1018083, + "ephemeralStorage": { + "size": 512 + }, + "functionArn": "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", + "functionName": "cloudtrail-events-test", + "handler": "lambda.handler", + "lastModified": "2024-09-11T09:29:33.375+0000", + "loggingConfig": { + "logFormat": "Text", + "logGroup": "/aws/lambda/cloudtrail-events-test" + }, + "memorySize": 128, + "packageType": "Zip", + "revisionId": "729c925e-627c-42b2-abf1-55e7f8f7177c", + "role": "arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn", + "runtime": "nodejs20.x", + "runtimeVersionConfig": { + "runtimeVersionArn": "arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc" + }, + "snapStart": { + "applyOn": "None", + "optimizationStatus": "Off" + }, + "state": "Pending", + "stateReason": "The function is being created.", + "stateReasonCode": "Creating", + "timeout": 3, + "tracingConfig": { + "mode": "PassThrough" + }, + "version": "$LATEST" + } + }, + "read_only": false, + "recipient_account_id": "1010101010101", + "request_id": "1ea1d5c8-9cfc-4e18-8256-3dfbcfc43e0b", + "request_parameters": "{handler=lambda.handler, role=arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn, functionName=cloudtrail-events-test, publish=false, runtime=nodejs20.x}", + "response_elements": "{architectures=[x86_64], ephemeralStorage={size=512}, 
handler=lambda.handler, role=arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn, functionName=cloudtrail-events-test, tracingConfig={mode=PassThrough}, runtime=nodejs20.x, stateReasonCode=Creating, runtimeVersionConfig={runtimeVersionArn=arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc}, stateReason=The function is being created., codeSize=1018083, packageType=Zip, version=$LATEST, timeout=3, revisionId=729c925e-627c-42b2-abf1-55e7f8f7177c, codeSha256=m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=, memorySize=128, loggingConfig={logFormat=Text, logGroup=/aws/lambda/cloudtrail-events-test}, snapStart={applyOn=None, optimizationStatus=Off}, lastModified=2024-09-11T09:29:33.375+0000, state=Pending, functionArn=arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test}", + "user_identity": { + "access_key_id": "ACCESS_KEY_EXAMPLE", + "arn": "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "1010101010101" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateFunction20150331", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "6642d073-04f9-474f-a31d-5ef412875c07", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"6642d073-04f9-474f-a31d-5ef412875c07\",\"eventName\":\"CreateFunction20150331\",\"eventSource\":\"lambda.amazonaws.com\",\"eventTime\":\"2024-09-11T09:29:33Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"1010101010101\",\"requestID\":\"1ea1d5c8-9cfc-4e18-8256-3dfbcfc43e0b\",\"requestParameters\":{\"code\":{},\"environment\":{},\"functionName\":\"cloudtrail-events-test\",\"handler\":\"lambda.handler\",\"publish\":false,\"role\":\"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn\",\"runtime\":\"nodejs20.x\"},\"responseElements\":{\"architectures\":[\"x86_64\"],\"codeSha256\":\"m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=\",\"codeSize\":1018083,\"description\":\"\",\"environment\":{},\"ephemeralStorage\":{\"size\":512},\"functionArn\":\"arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test\",\"functionName\":\"cloudtrail-events-test\",\"handler\":\"lambda.handler\",\"lastModified\":\"2024-09-11T09:29:33.375+0000\",\"loggingConfig\":{\"logFormat\":\"Text\",\"logGroup\":\"/aws/lambda/cloudtrail-events-test\"},\"memorySize\":128,\"packageType\":\"Zip\",\"revisionId\":\"729c925e-627c-42b2-abf1-55e7f8f7177c\",\"role\":\"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn\",\"runtime\":\"nodejs20.x\",\"runtimeVersionConfig\":{\"runtimeVersionArn\":\"arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc\"},\"snapStart\":{\"applyOn\":\"None\",\"optimizationStatus\":\"Off\"},\"state\":\"Pending\",\"stateReason\":\"The function is being 
created.\",\"stateReasonCode\":\"Creating\",\"timeout\":3,\"tracingConfig\":{\"mode\":\"PassThrough\"},\"version\":\"$LATEST\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"lambda.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/lambda.create-function\",\"userIdentity\":{\"accessKeyId\":\"ACCESS_KEY_EXAMPLE\",\"accountId\":\"1010101010101\",\"arn\":\"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"type\":\"IAMUser\",\"userName\":\"testcloudtrail@elastic.co\"}}", + "outcome": "success", + "provider": "lambda.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", + "testcloudtrail@elastic.co", + "arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "cloudtrail-events-test" + ], + "user": [ + "testcloudtrail@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "lambda.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "AIDA2IBR2EZTJMPOR52WV", + "name": "testcloudtrail@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.14.5 
Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/lambda.create-function", + "version": "2.14.5" + } + } + ] +} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json index b39e1ecb901..9a91f38afb8 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json @@ -64,6 +64,14 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "TEST-trail", + "Alice", + "TEST-cloudtrail-bucket", + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json index 2139a0d0fd7..e903c492c8a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json @@ -53,6 +53,13 @@ ] }, "related": { + "entity": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "arn:aws:iam::123456789012:user/Bob", + "Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json index 12544c46bd8..f42e9f59638 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json @@ -58,6 +58,11 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json index 2e817388ddb..d073c1ab332 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json @@ -53,6 +53,11 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json index aee22039446..f5ac6e6afcd 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json @@ -53,6 +53,12 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Bob", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index f5f17cb8b81..1e5a0737899 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json 
@@ -55,6 +55,15 @@ "deletion" ] }, + "related": { + "entity": [ + "my-test-bucket-cross-account", + "arn:aws:iam::777788889999:role/AssumeNothing", + "AssumeNothing", + "AIDAQRSTUVWXYZEXAMPLE:devdsk", + "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" + ] + }, "source": { "address": "89.160.20.156", "as": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json index 5bcfd5d63e5..ba269547a8e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json @@ -55,6 +55,11 @@ "name": "TEST-GROUP" }, "related": { + "entity": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] @@ -130,6 +135,11 @@ "name": "TEST-GROUP" }, "related": { + "entity": [ + "EXAMPLE_PRINCIPLE", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json index b4aa347f5ce..19a3c395d1a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json @@ -53,6 +53,12 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Bob", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json index 874388fddba..64199e12323 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json @@ -44,6 +44,12 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice", + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json index a2c6c8d036f..e4c517eb40f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json @@ -52,6 +52,12 @@ ] }, "related": { + "entity": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json index d5f78f023e2..f4224168591 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json @@ -52,6 +52,11 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log new file mode 100644 index 00000000000..1b56c492090 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log 
@@ -0,0 +1 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"4a3864f4-8562-48e6-a0e5-795d63095b63","eventName":"DisableKey","eventSource":"kms.amazonaws.com","eventTime":"2024-09-11T09:29:16Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"1010101010101","requestID":"d537e26e-ff2a-4242-b3af-62cb56cac99b","requestParameters":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"resources":[{"ARN":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f","accountId":"1010101010101","type":"AWS::KMS::Key"}],"responseElements":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_256_GCM_SHA384","clientProvidedHostHeader":"kms.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json new file mode 100644 index 00000000000..1e37c2575c9 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json 
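Review bot: The new input fixture carries a real-looking IAM unique ID as `principalId` (`AIDA2IBR2EZTJMPOR52WV`) and a person-style mailbox as `userName`, whereas the package's existing fixtures use placeholders such as `EX_PRINCIPAL_ID`, `EXAMPLE_ID` and `Alice`; the same identifiers recur in the run-instances and stop-configuration-recorder logs added later in this change (the 13-digit account id and `ACCESS_KEY_EXAMPLE` are already placeholders). Consider replacing the principal id and user name with placeholders in the three new `.log` files before merge, e.g. `"principalId":"EXAMPLE_ID"` and `"userName":"Alice"`. Since `related.entity`, `user.id` and `user.name` in the matching `-expected.json` files are derived from these values, those files would need to be regenerated afterwards.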
@@ -0,0 +1,113 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-11T09:29:16.000Z", + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "keyId": "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f" + }, + "response_elements": { + "keyId": "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f" + } + }, + "read_only": false, + "recipient_account_id": "1010101010101", + "request_id": "d537e26e-ff2a-4242-b3af-62cb56cac99b", + "request_parameters": "{keyId=arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f}", + "resources": [ + { + "account_id": "1010101010101", + "arn": "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f", + "type": "AWS::KMS::Key" + } + ], + "response_elements": "{keyId=arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f}", + "user_identity": { + "access_key_id": "ACCESS_KEY_EXAMPLE", + "arn": "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "1010101010101" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DisableKey", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "4a3864f4-8562-48e6-a0e5-795d63095b63", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"4a3864f4-8562-48e6-a0e5-795d63095b63\",\"eventName\":\"DisableKey\",\"eventSource\":\"kms.amazonaws.com\",\"eventTime\":\"2024-09-11T09:29:16Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"1010101010101\",\"requestID\":\"d537e26e-ff2a-4242-b3af-62cb56cac99b\",\"requestParameters\":{\"keyId\":\"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f\"},\"resources\":[{\"ARN\":\"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f\",\"accountId\":\"1010101010101\",\"type\":\"AWS::KMS::Key\"}],\"responseElements\":{\"keyId\":\"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_256_GCM_SHA384\",\"clientProvidedHostHeader\":\"kms.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key\",\"userIdentity\":{\"accessKeyId\":\"ACCESS_KEY_EXAMPLE\",\"accountId\":\"1010101010101\",\"arn\":\"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"type\":\"IAMUser\",\"userName\":\"testcloudtrail@elastic.co\"}}", + "outcome": "success", + "provider": "kms.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f", + "testcloudtrail@elastic.co" + ], + "user": [ + "testcloudtrail@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + 
"location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "client": { + "server_name": "kms.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "AIDA2IBR2EZTJMPOR52WV", + "name": "testcloudtrail@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key", + "version": "2.14.5" + } + } + ] +} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json index 84625796a4f..42d28d765c3 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json @@ -52,6 +52,12 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "Bob", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json index 90b0b73e1b8..d216f2b05b9 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json @@ -75,6 +75,9 @@ "info" ] }, + "related": { + "entity": [] + }, "tags": [ "preserve_original_event" ] 
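Review bot: The insight fixture now expects `"related": { "entity": [] }`, i.e. the pipeline emits an empty array when an event yields no entities, while elsewhere in this change empty values are dropped (the run-instances expected output omits the original's `"blockDeviceMapping":{}` and `"groupSet":{}`), so this looks like a missing empty-check in the entity-collection step rather than an intended value. An empty array is indexed by Elasticsearch as a field with no values, so nothing is gained by keeping it, and it makes `related.entity: *` style queries and the fixture diff noisier. The pipeline change itself is not in this diff, so this is inferred from the fixture; the fix would be to set `related.entity` only when at least one value was collected (or to let the pipeline's existing empty-field cleanup cover it) and then regenerate this expected file without the `related` block.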
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json index 12f5de7c6a0..d9463f5e257 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json @@ -56,6 +56,12 @@ "name": "Admin" }, "related": { + "entity": [ + "EXAMPLE_ID", + "Bob", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice", "Bob" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log new file mode 100644 index 00000000000..9c657391682 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log 
@@ -0,0 +1 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5e1fb8e0-231d-4527-a146-d051e37d0d4f","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","eventTime":"2024-09-11T09:28:29Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"1010101010101","requestID":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","requestParameters":{"blockDeviceMapping":{},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","disableApiStop":false,"disableApiTermination":false,"instanceType":"t1.micro","instancesSet":{"items":[{"imageId":"ami-00a4cd63f089232e0","maxCount":1,"minCount":1}]},"monitoring":{"enabled":false},"tagSpecificationSet":{"items":[{"resourceType":"instance","tags":[{"key":"name","value":"cloudtrail-event-test"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"team","value":"cloud"},{"key":"project","value":"testproject"}]}]}},"responseElements":{"groupSet":{},"instancesSet":{"items":[{"amiLaunchIndex":0,"architecture":"x86_64","blockDeviceMapping":{},"capacityReservationSpecification":{"capacityReservationPreference":"open"},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","cpuOptions":{"coreCount":1,"threadsPerCore":1},"currentInstanceBootMode":"legacy-bios","ebsOptimized":false,"enaSupport":true,"enclaveOptions":{"enabled":false},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"hypervisor":"xen","imageId":"ami-00a4cd63f089232e0","instanceId":"i-0f2f135de18b555e3","instanceState":{"code":0,"name":"pending"},"instanceType":"t1.micro","launchTime":1726046908000,"maintenanceOptions":{"autoRecovery":"default"},"metadataOptions":{"httpEndpoint":"enabled","httpProtocolIpv4":"enabled","httpProtocolIpv6":"disabled","httpPutResponseHopLimit":1,"httpTokens":"optional","instanceMetadataTags":"disabled","state":"pending"},"monitoring":{"state":"disabled"},"networkInterfaceSet":{"items":[{"attachment":{"attachTime":1726046908000,"attachmentId":"eni-attach-0b039fe5
f25fca954","deleteOnTermination":true,"deviceIndex":0,"networkCardIndex":0,"status":"attaching"},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"interfaceType":"interface","ipv6AddressesSet":{},"macAddress":"0e:ff:ec:9c:25:65","networkInterfaceId":"eni-043138569d4a31e90","ownerId":"1010101010101","privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48","privateIpAddressesSet":{"item":[{"primary":true,"privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48"}]},"sourceDestCheck":true,"status":"in-use","subnetId":"subnet-c4bf5e9b","tagSet":{},"vpcId":"vpc-73d2e309"}]},"placement":{"availabilityZone":"us-east-1d","tenancy":"default"},"privateDnsName":"ip-172-31-35-48.ec2.internal","privateDnsNameOptions":{"enableResourceNameDnsAAAARecord":false,"enableResourceNameDnsARecord":false,"hostnameType":"ip-name"},"privateIpAddress":"172.31.35.48","productCodes":{},"rootDeviceName":"/dev/xvda","rootDeviceType":"ebs","sourceDestCheck":true,"stateReason":{"code":"pending","message":"pending"},"subnetId":"subnet-c4bf5e9b","tagSet":{"items":[{"key":"team","value":"cloud"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"name","value":"cloudtrail-event-test"},{"key":"project","value":"testproject"}]},"virtualizationType":"hvm","vpcId":"vpc-73d2e309"}]},"ownerId":"1010101010101","requestId":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","reservationId":"r-0dfcd099dcab4e63a"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/ec2.run-instances","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json new file mode 100644 index 00000000000..80fcbfc0ac5 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json 
@@ -0,0 +1,298 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-11T09:28:29.000Z", + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "clientToken": "aeafce9c-025e-47f3-b3cc-7d9292cbadfd", + "disableApiStop": false, + "disableApiTermination": false, + "instanceType": "t1.micro", + "instancesSet": { + "items": [ + { + "imageId": "ami-00a4cd63f089232e0", + "maxCount": 1, + "minCount": 1 + } + ] + }, + "monitoring": { + "enabled": false + }, + "tagSpecificationSet": { + "items": [ + { + "resourceType": "instance", + "tags": [ + { + "key": "name", + "value": "cloudtrail-event-test" + }, + { + "key": "division", + "value": "engineering" + }, + { + "key": "org", + "value": "security" + }, + { + "key": "team", + "value": "cloud" + }, + { + "key": "project", + "value": "testproject" + } + ] + } + ] + } + }, + "response_elements": { + "instancesSet": { + "items": [ + { + "amiLaunchIndex": 0, + "architecture": "x86_64", + "capacityReservationSpecification": { + "capacityReservationPreference": "open" + }, + "clientToken": "aeafce9c-025e-47f3-b3cc-7d9292cbadfd", + "cpuOptions": { + "coreCount": 1, + "threadsPerCore": 1 + }, + "currentInstanceBootMode": "legacy-bios", + "ebsOptimized": false, + "enaSupport": true, + "enclaveOptions": { + "enabled": false + }, + "groupSet": { + "items": [ + { + "groupId": "sg-4e483165", + "groupName": "default" + } + ] + }, + "hypervisor": "xen", + "imageId": "ami-00a4cd63f089232e0", + "instanceId": "i-0f2f135de18b555e3", + "instanceState": { + "code": 0, + "name": "pending" + }, + "instanceType": "t1.micro", + "launchTime": 1726046908000, + "maintenanceOptions": { + "autoRecovery": "default" + }, + "metadataOptions": { + "httpEndpoint": "enabled", + "httpProtocolIpv4": "enabled", + "httpProtocolIpv6": "disabled", + "httpPutResponseHopLimit": 1, + "httpTokens": "optional", + "instanceMetadataTags": "disabled", + "state": "pending" 
+ }, + "monitoring": { + "state": "disabled" + }, + "networkInterfaceSet": { + "items": [ + { + "attachment": { + "attachTime": 1726046908000, + "attachmentId": "eni-attach-0b039fe5f25fca954", + "deleteOnTermination": true, + "deviceIndex": 0, + "networkCardIndex": 0, + "status": "attaching" + }, + "groupSet": { + "items": [ + { + "groupId": "sg-4e483165", + "groupName": "default" + } + ] + }, + "interfaceType": "interface", + "macAddress": "0e:ff:ec:9c:25:65", + "networkInterfaceId": "eni-043138569d4a31e90", + "ownerId": "1010101010101", + "privateDnsName": "ip-172-31-35-48.ec2.internal", + "privateIpAddress": "172.31.35.48", + "privateIpAddressesSet": { + "item": [ + { + "primary": true, + "privateDnsName": "ip-172-31-35-48.ec2.internal", + "privateIpAddress": "172.31.35.48" + } + ] + }, + "sourceDestCheck": true, + "status": "in-use", + "subnetId": "subnet-c4bf5e9b", + "vpcId": "vpc-73d2e309" + } + ] + }, + "placement": { + "availabilityZone": "us-east-1d", + "tenancy": "default" + }, + "privateDnsName": "ip-172-31-35-48.ec2.internal", + "privateDnsNameOptions": { + "enableResourceNameDnsAAAARecord": false, + "enableResourceNameDnsARecord": false, + "hostnameType": "ip-name" + }, + "privateIpAddress": "172.31.35.48", + "rootDeviceName": "/dev/xvda", + "rootDeviceType": "ebs", + "sourceDestCheck": true, + "stateReason": { + "code": "pending", + "message": "pending" + }, + "subnetId": "subnet-c4bf5e9b", + "tagSet": { + "items": [ + { + "key": "team", + "value": "cloud" + }, + { + "key": "division", + "value": "engineering" + }, + { + "key": "org", + "value": "security" + }, + { + "key": "name", + "value": "cloudtrail-event-test" + }, + { + "key": "project", + "value": "testproject" + } + ] + }, + "virtualizationType": "hvm", + "vpcId": "vpc-73d2e309" + } + ] + }, + "ownerId": "1010101010101", + "requestId": "ffd44d98-cea5-4b4a-9c38-b2aee9f73489", + "reservationId": "r-0dfcd099dcab4e63a" + } + }, + "read_only": false, + "recipient_account_id": "1010101010101", + 
"request_id": "ffd44d98-cea5-4b4a-9c38-b2aee9f73489", + "request_parameters": "{instancesSet={items=[{imageId=ami-00a4cd63f089232e0, minCount=1, maxCount=1}]}, disableApiTermination=false, tagSpecificationSet={items=[{resourceType=instance, tags=[{value=cloudtrail-event-test, key=name}, {value=engineering, key=division}, {value=security, key=org}, {value=cloud, key=team}, {value=testproject, key=project}]}]}, clientToken=aeafce9c-025e-47f3-b3cc-7d9292cbadfd, instanceType=t1.micro, monitoring={enabled=false}, disableApiStop=false}", + "response_elements": "{instancesSet={items=[{subnetId=subnet-c4bf5e9b, virtualizationType=hvm, capacityReservationSpecification={capacityReservationPreference=open}, amiLaunchIndex=0, enaSupport=true, currentInstanceBootMode=legacy-bios, sourceDestCheck=true, stateReason={code=pending, message=pending}, groupSet={items=[{groupName=default, groupId=sg-4e483165}]}, tagSet={items=[{value=cloud, key=team}, {value=engineering, key=division}, {value=security, key=org}, {value=cloudtrail-event-test, key=name}, {value=testproject, key=project}]}, instanceId=i-0f2f135de18b555e3, instanceState={code=0, name=pending}, maintenanceOptions={autoRecovery=default}, hypervisor=xen, vpcId=vpc-73d2e309, rootDeviceName=/dev/xvda, architecture=x86_64, ebsOptimized=false, imageId=ami-00a4cd63f089232e0, networkInterfaceSet={items=[{networkInterfaceId=eni-043138569d4a31e90, subnetId=subnet-c4bf5e9b, ownerId=1010101010101, sourceDestCheck=true, groupSet={items=[{groupName=default, groupId=sg-4e483165}]}, privateIpAddress=172.31.35.48, interfaceType=interface, macAddress=0e:ff:ec:9c:25:65, attachment={networkCardIndex=0, attachmentId=eni-attach-0b039fe5f25fca954, deleteOnTermination=true, deviceIndex=0, attachTime=1726046908000, status=attaching}, vpcId=vpc-73d2e309, privateDnsName=ip-172-31-35-48.ec2.internal, privateIpAddressesSet={item=[{privateDnsName=ip-172-31-35-48.ec2.internal, privateIpAddress=172.31.35.48, primary=true}]}, status=in-use}]}, 
clientToken=aeafce9c-025e-47f3-b3cc-7d9292cbadfd, instanceType=t1.micro, cpuOptions={threadsPerCore=1, coreCount=1}, monitoring={state=disabled}, privateIpAddress=172.31.35.48, privateDnsNameOptions={enableResourceNameDnsAAAARecord=false, enableResourceNameDnsARecord=false, hostnameType=ip-name}, rootDeviceType=ebs, enclaveOptions={enabled=false}, launchTime=1726046908000, metadataOptions={instanceMetadataTags=disabled, httpPutResponseHopLimit=1, httpProtocolIpv4=enabled, httpProtocolIpv6=disabled, httpEndpoint=enabled, state=pending, httpTokens=optional}, privateDnsName=ip-172-31-35-48.ec2.internal, placement={tenancy=default, availabilityZone=us-east-1d}}]}, reservationId=r-0dfcd099dcab4e63a, requestId=ffd44d98-cea5-4b4a-9c38-b2aee9f73489, ownerId=1010101010101}", + "user_identity": { + "access_key_id": "ACCESS_KEY_EXAMPLE", + "arn": "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "1010101010101" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "RunInstances", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "5e1fb8e0-231d-4527-a146-d051e37d0d4f", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5e1fb8e0-231d-4527-a146-d051e37d0d4f\",\"eventName\":\"RunInstances\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-09-11T09:28:29Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"1010101010101\",\"requestID\":\"ffd44d98-cea5-4b4a-9c38-b2aee9f73489\",\"requestParameters\":{\"blockDeviceMapping\":{},\"clientToken\":\"aeafce9c-025e-47f3-b3cc-7d9292cbadfd\",\"disableApiStop\":false,\"disableApiTermination\":false,\"instanceType\":\"t1.micro\",\"instancesSet\":{\"items\":[{\"imageId\":\"ami-00a4cd63f089232e0\",\"maxCount\":1,\"minCount\":1}]},\"monitoring\":{\"enabled\":false},\"tagSpecificationSet\":{\"items\":[{\"resourceType\":\"instance\",\"tags\":[{\"key\":\"name\",\"value\":\"cloudtrail-event-test\"},{\"key\":\"division\",\"value\":\"engineering\"},{\"key\":\"org\",\"value\":\"security\"},{\"key\":\"team\",\"value\":\"cloud\"},{\"key\":\"project\",\"value\":\"testproject\"}]}]}},\"responseElements\":{\"groupSet\":{},\"instancesSet\":{\"items\":[{\"amiLaunchIndex\":0,\"architecture\":\"x86_64\",\"blockDeviceMapping\":{},\"capacityReservationSpecification\":{\"capacityReservationPreference\":\"open\"},\"clientToken\":\"aeafce9c-025e-47f3-b3cc-7d9292cbadfd\",\"cpuOptions\":{\"coreCount\":1,\"threadsPerCore\":1},\"currentInstanceBootMode\":\"legacy-bios\",\"ebsOptimized\":false,\"enaSupport\":true,\"enclaveOptions\":{\"enabled\":false},\"groupSet\":{\"items\":[{\"groupId\":\"sg-4e483165\",\"groupName\":\"default\"}]},\"hypervisor\":\"xen\",\"imageId\":\"ami-00a4cd63f089232e0\",\"instanceId\":\"i-0f2f135de18b555e3\",\"instanceState\":{\"code\":0,\"name\":\"pending\"},\"instanceType\":\"t1.micro\",\"launchTime\":1726046908000,\"maintenanceOptions\":{\"autoRecovery\":\"default\"},\"metadataOptions\":{\"httpEndpoint\":\"enabled\",\"httpProtocolIpv4\":\"enabled\",\"httpProtocolIpv6\":\"disabled\",\"httpPutResponseHopLimit\":1,\"http
Tokens\":\"optional\",\"instanceMetadataTags\":\"disabled\",\"state\":\"pending\"},\"monitoring\":{\"state\":\"disabled\"},\"networkInterfaceSet\":{\"items\":[{\"attachment\":{\"attachTime\":1726046908000,\"attachmentId\":\"eni-attach-0b039fe5f25fca954\",\"deleteOnTermination\":true,\"deviceIndex\":0,\"networkCardIndex\":0,\"status\":\"attaching\"},\"groupSet\":{\"items\":[{\"groupId\":\"sg-4e483165\",\"groupName\":\"default\"}]},\"interfaceType\":\"interface\",\"ipv6AddressesSet\":{},\"macAddress\":\"0e:ff:ec:9c:25:65\",\"networkInterfaceId\":\"eni-043138569d4a31e90\",\"ownerId\":\"1010101010101\",\"privateDnsName\":\"ip-172-31-35-48.ec2.internal\",\"privateIpAddress\":\"172.31.35.48\",\"privateIpAddressesSet\":{\"item\":[{\"primary\":true,\"privateDnsName\":\"ip-172-31-35-48.ec2.internal\",\"privateIpAddress\":\"172.31.35.48\"}]},\"sourceDestCheck\":true,\"status\":\"in-use\",\"subnetId\":\"subnet-c4bf5e9b\",\"tagSet\":{},\"vpcId\":\"vpc-73d2e309\"}]},\"placement\":{\"availabilityZone\":\"us-east-1d\",\"tenancy\":\"default\"},\"privateDnsName\":\"ip-172-31-35-48.ec2.internal\",\"privateDnsNameOptions\":{\"enableResourceNameDnsAAAARecord\":false,\"enableResourceNameDnsARecord\":false,\"hostnameType\":\"ip-name\"},\"privateIpAddress\":\"172.31.35.48\",\"productCodes\":{},\"rootDeviceName\":\"/dev/xvda\",\"rootDeviceType\":\"ebs\",\"sourceDestCheck\":true,\"stateReason\":{\"code\":\"pending\",\"message\":\"pending\"},\"subnetId\":\"subnet-c4bf5e9b\",\"tagSet\":{\"items\":[{\"key\":\"team\",\"value\":\"cloud\"},{\"key\":\"division\",\"value\":\"engineering\"},{\"key\":\"org\",\"value\":\"security\"},{\"key\":\"name\",\"value\":\"cloudtrail-event-test\"},{\"key\":\"project\",\"value\":\"testproject\"}]},\"virtualizationType\":\"hvm\",\"vpcId\":\"vpc-73d2e309\"}]},\"ownerId\":\"1010101010101\",\"requestId\":\"ffd44d98-cea5-4b4a-9c38-b2aee9f73489\",\"reservationId\":\"r-0dfcd099dcab4e63a\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_1
28_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/ec2.run-instances\",\"userIdentity\":{\"accessKeyId\":\"ACCESS_KEY_EXAMPLE\",\"accountId\":\"1010101010101\",\"arn\":\"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"type\":\"IAMUser\",\"userName\":\"testcloudtrail@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "AIDA2IBR2EZTJMPOR52WV", + "i-0f2f135de18b555e3", + "sg-4e483165", + "subnet-c4bf5e9b", + "vpc-73d2e309", + "testcloudtrail@elastic.co", + "r-0dfcd099dcab4e63a", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "ami-00a4cd63f089232e0", + "eni-043138569d4a31e90" + ], + "user": [ + "testcloudtrail@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "AIDA2IBR2EZTJMPOR52WV", + "name": "testcloudtrail@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/ec2.run-instances", + "version": "2.14.5" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json index 3e0a4bdcee2..c4b0e3e18d6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json @@ -49,6 +49,12 @@ ] }, "related": { + "entity": [ + "EXAMPLE_ID", + "TEST-trail", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], "user": [ "Alice" ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log new file mode 100644 index 00000000000..a2627c33804 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log 
@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5988b0ec-dbca-4f81-b0f7-12891720f170","eventName":"StopConfigurationRecorder","eventSource":"config.amazonaws.com","eventTime":"2024-09-11T09:29:18Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"2c953b2f-f1cc-48c3-8856-9a6f8bcfb10d","requestParameters":{"configurationRecorderName":"default"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"config.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/configservice.stop-configuration-recorder","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}}
\ No newline at end of file
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json
new file mode 100644
index 00000000000..fdf077c0511
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json
@@ -0,0 +1,102 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-09-11T09:29:18.000Z",
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "configurationRecorderName": "default"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "1010101010101",
+ "request_id": "2c953b2f-f1cc-48c3-8856-9a6f8bcfb10d",
+ "request_parameters": "{configurationRecorderName=default}",
+ "user_identity": {
+ "access_key_id": "ACCESS_KEY_EXAMPLE",
+ "arn": "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "1010101010101"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "StopConfigurationRecorder",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "5988b0ec-dbca-4f81-b0f7-12891720f170",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5988b0ec-dbca-4f81-b0f7-12891720f170\",\"eventName\":\"StopConfigurationRecorder\",\"eventSource\":\"config.amazonaws.com\",\"eventTime\":\"2024-09-11T09:29:18Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"1010101010101\",\"requestID\":\"2c953b2f-f1cc-48c3-8856-9a6f8bcfb10d\",\"requestParameters\":{\"configurationRecorderName\":\"default\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"config.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/configservice.stop-configuration-recorder\",\"userIdentity\":{\"accessKeyId\":\"ACCESS_KEY_EXAMPLE\",\"accountId\":\"1010101010101\",\"arn\":\"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"type\":\"IAMUser\",\"userName\":\"testcloudtrail@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "config.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "AIDA2IBR2EZTJMPOR52WV",
+ "default",
+ "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co",
+ "testcloudtrail@elastic.co"
+ ],
+ "user": [
+ "testcloudtrail@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "config.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "AIDA2IBR2EZTJMPOR52WV",
+ "name": "testcloudtrail@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/configservice.stop-configuration-recorder",
+ "version": "2.14.5"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
index bfe46a69d64..be62f563486 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
@@ -49,6 +49,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Alice",
+ "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
index db0467b3d5b..426092479d4 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
@@ -60,6 +60,11 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
index 9854080e05a..6a24cee4af1 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
@@ -54,6 +54,13 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Bob",
+ "EXAMPLE_KEY_ID",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice",
 "Bob"
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
index 3990f94963a..57429c6c028 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
@@ -57,6 +57,11 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
index c7c2d9593aa..db25f58f378 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
@@ -51,6 +51,11 @@
 "name": "TEST-GROUP"
 },
 "related": {
+ "entity": [
+ "0123456789012",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
@@ -128,6 +133,11 @@
 "name": "TEST-GROUP2"
 },
 "related": {
+ "entity": [
+ "0123456789012",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
index f8a9bb013e4..511c6111adf 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
@@ -52,6 +52,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Bob",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice",
 "Bob"
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
index 1db33a2b229..e083d6e5797 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
@@ -54,6 +54,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Bob",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice",
 "Bob"
@@ -135,6 +141,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Bob",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice",
 "Bob"
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
index ffcf8c91acf..e04e27019e1 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
@@ -45,6 +45,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EX_PRINCIPAL_ID",
+ "arn:aws:iam::123456789012:user/Alice",
+ "myTrail2",
+ "Alice"
+ ],
 "user": [
 "Alice"
 ]
@@ -152,6 +158,14 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "TEST-trail",
+ "Alice",
+ "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
+ "arn:aws:iam::0123456789012:user/Alice",
+ "test-cloudtrail-bucket"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
index 4ba9aa8b8a9..f7f221ebd90 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
@@ -48,6 +48,12 @@
 ]
 },
 "related": {
+ "entity": [
+ "EX_PRINCIPAL_ID",
+ "arn:aws:iam::123456789012:user/Alice",
+ "Bob",
+ "Alice"
+ ],
 "user": [
 "Alice",
 "Bob",
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
index 92bf119519b..03a8485910a 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
@@ -60,6 +60,11 @@
 ]
 },
 "related": {
+ "entity": [
+ "EXAMPLE_ID",
+ "Alice",
+ "arn:aws:iam::0123456789012:user/Alice"
+ ],
 "user": [
 "Alice"
 ]
diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
index ff1bf09b859..e18646b112d 100644
--- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
@@ -47,6 +47,209 @@ processors:
 return false;
 }
 drop(ctx);
+ # Before renames because some json fields are mutated on the process
+ - script:
+ description: Appends any relevant entity to `related.entity` for all events
+ lang: painless
+ on_failure:
+ - set:
+ description: Add error reason
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
+ source: |
+ void addFields(Set entities, String[] fields) {
+ for (String field : fields) {
+ addField(entities, field);
+ }
+ }
+
+ void addField(Set entities, String fieldName) {
+ addValue(entities, field(fieldName).get(null));
+ }
+
+ boolean addValues(Set entities, String[] values) {
+ boolean addedAll = true;
+ for (String value : values) {
+ addedAll = addedAll && addValue(entities, value);
+ }
+
+ return addedAll;
+ }
+
+ boolean addValue(Set entities, String value) {
+ if (value == null || value == "") {
+ return false;
+ }
+
+ return entities.add(value);
+ }
+
+ // Using tree set to ensure a sorting is kept (testing purposes)
+ TreeSet entities = new TreeSet();
+
+ addFields(entities, new String[]{
+ "json.userIdentity.arn",
+ "json.userIdentity.sessionContext.sessionIssuer.arn",
+ "json.userIdentity.identityProvider",
+ "json.userIdentity.principalId",
+ "json.userIdentity.sessionContext.sessionIssuer.userName",
+ "json.userIdentity.sessionContext.webIdFederationData.federatedProvider",
+ "json.userIdentity.userName"
+ });
+
+ field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(entities, f.ARN));
+
+ String eventSource = field("json.eventSource").get(null);
+
+ if (eventSource == "sts.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.roleArn",
+ "json.sourceIdentity",
+ "json.additionalEventData.MFAIdentifier",
+ "json.responseElements.assumedRoleUser.arn",
+ "json.requestParameters.roleSessionName",
+ "json.responseElements.accessKeyId"
+ });
+
+ } else if (eventSource == "iam.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.userName",
+ "json.requestParameters.accessKeyId",
+ "json.requestParameters.policyArn",
+ "json.requestParameters.roleName",
+ "json.requestParameters.policyName",
+ "json.responseElements.accessKey.userName",
+ "json.responseElements.accessKey.accessKeyId",
+ "json.responseElements.user.arn",
+ "json.responseElements.user.userName",
+ "json.responseElements.userId",
+ "json.responseElements.role.arn"
+ });
+
+ } else if (eventSource == "ec2.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.groupId",
+ "json.requestParameters.groupName",
+ "json.requestParameters.roleName",
+ "json.requestParameters.subnetId",
+ "json.requestParameters.volumeId",
+ "json.requestParameters.networkInterfaceId",
+ "json.requestParameters.vpcId",
+ "json.requestParameters.snapshotId",
+ "json.responseElements.groupId",
+ "json.responseElements.reservationId",
+ "json.responseElements.vpc.vpcId",
+ "json.responseElements.vpc.dhcpOptionsId",
+ "json.responseElements.snapshotId",
+ "json.responseElements.volumeId"
+ });
+
+ field("json.responseElements.securityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> {
+ addValues(entities, new String[]{
+ i.groupId,
+ i.referencedGroupInfo?.groupId,
+ i.securityGroupRuleId
+ });
+ });
+
+ field("json.responseElements.groupSet.items").get(new ArrayList()).stream().forEach(i -> {
+ addValue(entities, i.groupId);
+ });
+
+ field("json.requestParameters.groupSet.items").get(new ArrayList()).stream().forEach(i -> {
+ addValue(entities, i.groupId);
+ });
+
+ field("json.requestParameters.instancesSet.items").get(new ArrayList()).stream().forEach(i -> {
+ addValue(entities, i.instanceId);
+ });
+
+ field("json.responseElements.instancesSet.items").get(new ArrayList()).stream().forEach(instances -> {
+ addValues(entities, new String[]{
+ instances.subnetId,
+ instances.vpcId,
+ instances.instanceId,
+ instances.imageId,
+ instances.iamInstanceProfile?.arn
+ });
+
+ instances.networkInterfaceSet?.items?.stream().forEach(networks -> {
+ addValues(entities, new String[]{
+ networks.networkInterfaceId,
+ networks.vpcId,
+ networks.subnetId
+ });
+
+ networks.groupSet?.items?.stream().forEach(group -> {
+ addValue(entities, group.groupId);
+ });
+ });
+ });
+
+ field("json.requestParameters.revokedSecurityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> {
+ addValues(entities, new String[]{
+ i.securityGroupRuleId,
+ i.groupId
+ });
+ });
+
+ } else if (eventSource == "s3.amazonaws.com") {
+ addField(entities, "json.requestParameters.bucketName");
+
+ } else if (eventSource == "cloudtrail.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.name",
+ "json.requestParameters.s3BucketName",
+ "json.responseElements.cloudWatchLogsLogGroupArn",
+ "json.responseElements.cloudWatchLogsRoleArn",
+ "json.responseElements.kmsKeyId",
+ "json.responseElements.snsTopicARN",
+ "json.responseElements.trailARN",
+ "json.responseElements.name"
+ });
+
+ } else if (eventSource == "kms.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.keyId",
+ "json.responseElements.keyId",
+ "json.responseElements.keyMetadata.arn",
+ "json.responseElements.keyMetadata.keyId"
+ });
+
+ } else if (eventSource == "config.amazonaws.com") {
+ addField(entities, "json.requestParameters.configurationRecorderName");
+
+ } else if (eventSource == "lambda.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.functionName",
+ "json.responseElements.functionArn",
+ "json.responseElements.functionName",
+ "json.responseElements.role",
+ "json.responseElements.vpcConfig.securityGroupIds",
+ "json.responseElements.vpcConfig.subnetIds"
+ });
+
+ } else if (eventSource == "rds.amazonaws.com") {
+ addFields(entities, new String[]{
+ "json.requestParameters.dBInstanceIdentifier",
+ "json.requestParameters.dBInstanceArn",
+ "json.responseElements.dBInstanceIdentifier",
+ "json.responseElements.dbInstanceArn",
+ "json.responseElements.dBSubnetGroup.vpcId",
+ "json.responseElements.vpcSecurityGroups.vpcSecurityGroupId"
+ });
+
+ field("json.responseElements.dBSubnetGroup.subnets").get(new ArrayList()).stream().forEach(i -> {
+ addValue(entities, i.subnetIdentifier);
+ });
+
+ field("json.responseElements.vpcSecurityGroups").get(new ArrayList()).stream().forEach(i -> {
+ addValue(entities, i.vpcSecurityGroupId);
+ });
+ }
+
+ field("related.entity").set(entities);
+
 - rename:
 field: json.eventVersion
 target_field: aws.cloudtrail.event_version
diff --git a/packages/aws/data_stream/cloudtrail/fields/fields.yml b/packages/aws/data_stream/cloudtrail/fields/fields.yml
index 68fbc0ee8ce..7552b08cfc4 100644
--- a/packages/aws/data_stream/cloudtrail/fields/fields.yml
+++ b/packages/aws/data_stream/cloudtrail/fields/fields.yml
@@ -187,3 +187,10 @@
 type: flattened
 description: >-
 Additional insight details.
+- name: related.entity
+ description: |
+ A collection of all entity identifiers associated with the document.
+ If the document contains multiple entities, identifiers for each will be included.
+ Example identifiers include(but not limited to) cloud resource IDs, ARNs, email addresses,
+ and hostnames.
+ type: keyword
\ No newline at end of file
diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md
index 6f98e063986..03df3b56e6a 100644
--- a/packages/aws/docs/cloudtrail.md
+++ b/packages/aws/docs/cloudtrail.md
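Review bot: The comment `// Using tree set to ensure a sorting is kept (testing purposes)` does not match the fixtures this commit adds: `test-stop-configuration-recorder.log-expected.json` lists `AIDA2IBR2EZTJMPOR52WV`, `default`, `arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co`, `testcloudtrail@elastic.co`, which is not sorted, so the order is presumably lost when the Set is copied into the document; `field("related.entity").set(new ArrayList(entities));` would keep the order deterministic and the expected files stable. `addValue(Set, String)` also fails with a cast error for any listed field whose value is not a string — `json.responseElements.vpcConfig.securityGroupIds` and `subnetIds` look like lists — and since the `on_failure` handler only sets `error.message`, such an event keeps flowing with no `related.entity` at all, silently removing entity correlation for exactly those Lambda events; declaring the parameter as `def value` and adding each element of a `List` (or dropping those two fields from the list) would avoid that. `related.entity` is further set even when `entities` is empty, giving every event that matched no source an empty array; `if (!entities.isEmpty()) { field("related.entity").set(entities); }` avoids that if it is not intended. The `processors` list continues on both sides of the hunk.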
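Review bot: The description of the new `related.entity` field reads `include(but not limited to)`, which is missing a space and a verb; `Example identifiers include (but are not limited to) cloud resource IDs, ARNs, email addresses,` reads correctly. The same wording is repeated in the table added to `docs/cloudtrail.md` below, so both should change together. The new entry also ends without a trailing newline.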
@@ -133,6 +133,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | host.os.codename | OS codename, if any. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
+| related.entity | A collection of all entity identifiers associated with the document. If the document contains multiple entities, identifiers for each will be included. Example identifiers include(but not limited to) cloud resource IDs, ARNs, email addresses, and hostnames. | keyword |
 An example event for `cloudtrail` looks as following:
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index 12145bf7499..cd2fa84844d 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: aws
 title: AWS
-version: 2.25.0
+version: 2.25.0-preview01
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ conditions:
 elastic:
 subscription: basic
 kibana:
- version: "^8.14.0"
+ version: "^8.16.0"
 screenshots:
 - src: /img/metricbeat-aws-overview.png
 title: metricbeat aws overview