From 75fe1675721b8d078d38b11be43bd767699356dc Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Wed, 8 Oct 2025 09:32:56 +0200 Subject: [PATCH 1/3] Normalize user fields --- packages/aws/changelog.yml | 5 ++ .../test-assume-role-json.log-expected.json | 22 ++++++--- ...-attach-user-policy-json.log-expected.json | 11 +++-- ...curity-group-egress-json.log-expected.json | 11 +++-- .../test-console-login-json.log-expected.json | 11 +++-- .../test-converse-json.log-expected.json | 11 +++-- ...ate-control-channel-json.log-expected.json | 11 +++-- ...-create-db-instance-json.log-expected.json | 6 +++ .../test-delete-bucket-json.log-expected.json | 11 +++-- ...t-get-bucket-policy-json.log-expected.json | 11 +++-- .../test-get-policy-json.log-expected.json | 11 +++-- ...pen-control-channel-json.log-expected.json | 11 +++-- .../test-publish-json.log-expected.json | 11 +++-- ...st-send-command-all-json.log-expected.json | 11 +++-- ...t-terminate-session-json.log-expected.json | 6 --- .../test-tls-details-json.log-expected.json | 19 +++---- ...test-user-authentication.log-expected.json | 2 + .../elasticsearch/ingest_pipeline/default.yml | 49 ++++++++++++++++--- packages/aws/manifest.yml | 2 +- 19 files changed, 155 insertions(+), 77 deletions(-) diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 75529878a9f..59dbbd6141d 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "4.4.0" + changes: + - description: Normalize user fields for AWS CloudTrail events. + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "4.3.0" changes: - description: Improve documentation to align with new guidelines. diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index dfdcd585f60..2ae5ec81dc4 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json @@ -68,7 +68,6 @@ "session_issuer": { "account_id": "111111111111", "arn": "arn:aws:iam::111111111111:role/JohnRole1", - "principal_id": "AROAIN5ATK5U7KEXAMPLE", "type": "Role" } }, @@ -112,7 +111,8 @@ "arn:aws:iam::111111111111:role/JohnRole2" ], "user": [ - "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "JohnRole1", + "AROAIN5ATK5U7KEXAMPLE", "JohnDoe" ] }, @@ -144,8 +144,11 @@ } }, "user": { - "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", - "name": "JohnDoe" + "effective": { + "id": "AROAIN5ATK5U7KEXAMPLE", + "name": "JohnDoe" + }, + "name": "JohnRole1" }, "user_agent": { "device": { @@ -234,7 +237,6 @@ "session_issuer": { "account_id": "111111111111", "arn": "arn:aws:iam::111111111111:role/JohnRole1", - "principal_id": "AROAIN5ATK5U7KEXAMPLE", "type": "Role" } }, @@ -277,7 +279,8 @@ "arn:aws:iam::111111111111:role/JohnRole2" ], "user": [ - "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "JohnRole1", + "AROAIN5ATK5U7KEXAMPLE", "JohnDoe" ] }, @@ -309,8 +312,11 @@ } }, "user": { - "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", - "name": "JohnDoe" + "effective": { + "id": "AROAIN5ATK5U7KEXAMPLE", + "name": "JohnDoe" + }, + "name": "JohnRole1" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json index c9113d4b2d6..eab51c1fc1b 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json 
@@ -33,7 +33,6 @@ "session_issuer": { "account_id": "000000000", "arn": "arn:aws:iam::000000000:role/ec2-instance-role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -77,7 +76,8 @@ ], "user": [ "pwncloud-backdoor-user", - "PRINCIPALID:i-06815aa7cf7d21f8f", + "i-06815aa7cf7d21f8f", + "PRINCIPALID", "ec2-instance-role" ] }, @@ -121,8 +121,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-06815aa7cf7d21f8f", - "name": "ec2-instance-role", + "effective": { + "id": "PRINCIPALID", + "name": "ec2-instance-role" + }, + "name": "i-06815aa7cf7d21f8f", "target": { "name": "pwncloud-backdoor-user" } diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json index d89061181b7..3c5d0682e91 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json @@ -68,7 +68,6 @@ "session_issuer": { "account_id": "000000000", "arn": "arn:aws:iam::000000000:role/ec2-instance-role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -107,7 +106,8 @@ "sg-038ccc3a1f7b05f42" ], "user": [ - "PRINCIPALID:i-06815aa7cf7d21f8f", + "i-06815aa7cf7d21f8f", + "PRINCIPALID", "ec2-instance-role" ] }, @@ -151,8 +151,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-06815aa7cf7d21f8f", - "name": "ec2-instance-role" + "effective": { + "id": "PRINCIPALID", + "name": "ec2-instance-role" + }, + "name": "i-06815aa7cf7d21f8f" }, "user_agent": { "device": { 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json index 684cfb65618..448f54c8d7b 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json @@ -271,7 +271,6 @@ "session_issuer": { "account_id": "123456789012", "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed", - "principal_id": "AROAIDPPEZS35WEXAMPLE", "type": "Role" } }, @@ -311,7 +310,8 @@ "RoleToBeAssumed" ], "user": [ - "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", + "MySessionName", + "AROAIDPPEZS35WEXAMPLE", "RoleToBeAssumed" ] }, @@ -342,8 +342,11 @@ "actor_target_mapping" ], "user": { - "id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", - "name": "RoleToBeAssumed" + "effective": { + "id": "AROAIDPPEZS35WEXAMPLE", + "name": "RoleToBeAssumed" + }, + "name": "MySessionName" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json index b606bc22697..0dd25fbf61e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json @@ -32,7 +32,6 @@ "session_issuer": { "account_id": "00000000000", "arn": "arn:aws:iam::00000000000:role/private-ec2-instance-role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -70,7 +69,8 @@ "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae" ], "user": [ - "PRINCIPALID:i-03cd6b2a7eb4bf3ae", + "i-03cd6b2a7eb4bf3ae", + "PRINCIPALID", "private-ec2-instance-role" ] }, 
@@ -113,8 +113,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-03cd6b2a7eb4bf3ae", - "name": "private-ec2-instance-role" + "effective": { + "id": "PRINCIPALID", + "name": "private-ec2-instance-role" + }, + "name": "i-03cd6b2a7eb4bf3ae" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json index 124e91d0141..1bfd2bf208a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json @@ -35,7 +35,6 @@ "session_issuer": { "account_id": "00000000000", "arn": "arn:aws:iam::00000000000:role/bedrock_ec2_role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -76,7 +75,8 @@ "arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957" ], "user": [ - "PRINCIPALID:i-05e14c76fdb335957", + "i-05e14c76fdb335957", + "PRINCIPALID", "bedrock_ec2_role" ] }, @@ -119,8 +119,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-05e14c76fdb335957", - "name": "bedrock_ec2_role" + "effective": { + "id": "PRINCIPALID", + "name": "bedrock_ec2_role" + }, + "name": "i-05e14c76fdb335957" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json index 4c681bead94..6c7d94b647a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json 
@@ -174,6 +174,9 @@ "subnet-fee506df", "subnet-bf6ab5b1", "subnet-8bdf6bc6" + ], + "user": [ + "544894e8-80c1-707f-60e3-3ba6510dfac1" ] }, "source": { @@ -207,6 +210,9 @@ "version": "1.3", "version_protocol": "tls" }, + "user": { + "id": "544894e8-80c1-707f-60e3-3ba6510dfac1" + }, "user_agent": { "device": { "name": "Other" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index f8231e1e62b..7622a3eac43 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json @@ -30,7 +30,6 @@ "session_issuer": { "account_id": "777788889999", "arn": "arn:aws:iam::777788889999:role/AssumeNothing", - "principal_id": "AIDAQRSTUVWXYZEXAMPLE", "type": "Role" } }, @@ -71,7 +70,8 @@ "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" ], "user": [ - "AIDAQRSTUVWXYZEXAMPLE:devdsk", + "devdsk", + "AIDAQRSTUVWXYZEXAMPLE", "AssumeNothing" ] }, @@ -102,8 +102,11 @@ "actor_target_mapping" ], "user": { - "id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", - "name": "AssumeNothing" + "effective": { + "id": "AIDAQRSTUVWXYZEXAMPLE", + "name": "AssumeNothing" + }, + "name": "devdsk" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json index db340cb3b2a..d8c6adfb375 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json 
@@ -50,7 +50,6 @@ "session_issuer": { "account_id": "0000000000", "arn": "arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -90,7 +89,8 @@ "ACCESSKEY" ], "user": [ - "PRINCIPALID:AWSConfig-Describe", + "AWSConfig-Describe", + "PRINCIPALID", "AWSServiceRoleForConfig" ] }, @@ -109,8 +109,11 @@ } }, "user": { - "id": "PRINCIPALID:AWSConfig-Describe", - "name": "AWSServiceRoleForConfig" + "effective": { + "id": "PRINCIPALID", + "name": "AWSServiceRoleForConfig" + }, + "name": "AWSConfig-Describe" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json index 1da0fc65891..aabd47baec4 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json @@ -32,7 +32,6 @@ "session_issuer": { "account_id": "00000000000", "arn": "arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -73,7 +72,8 @@ "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" ], "user": [ - "PRINCIPALID:i-00486a46a6d8692b9", + "i-00486a46a6d8692b9", + "PRINCIPALID", "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" ] }, @@ -116,8 +116,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-00486a46a6d8692b9", - "name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" + "effective": { + "id": "PRINCIPALID", + "name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" + }, + "name": "i-00486a46a6d8692b9" }, "user_agent": { "device": { 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json index 09d8f848286..8630b92b2b6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json @@ -45,7 +45,6 @@ "session_issuer": { "account_id": "000000000000", "arn": "arn:aws:iam::000000000000:role/ec2-instance-role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -86,7 +85,8 @@ "arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585" ], "user": [ - "PRINCIPALID:i-021987ab2dbf04585", + "i-021987ab2dbf04585", + "PRINCIPALID", "ec2-instance-role" ] }, @@ -126,8 +126,11 @@ } }, "user": { - "id": "PRINCIPALID:i-021987ab2dbf04585", - "name": "ec2-instance-role" + "effective": { + "id": "PRINCIPALID", + "name": "ec2-instance-role" + }, + "name": "i-021987ab2dbf04585" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json index b448c164268..d06d02486c4 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json @@ -44,7 +44,6 @@ "session_issuer": { "account_id": "00000000000", "arn": "arn:aws:iam::00000000000:role/private-ec2-instance-role", - "principal_id": "PRINCIPALID", "type": "Role" } }, @@ -82,7 +81,8 @@ "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" ], "user": [ - "PRINCIPALID:i-0ddf9acf8eeb33959", + "i-0ddf9acf8eeb33959", + "PRINCIPALID", "private-ec2-instance-role" ] }, 
@@ -125,8 +125,11 @@ "version_protocol": "tls" }, "user": { - "id": "PRINCIPALID:i-0ddf9acf8eeb33959", - "name": "private-ec2-instance-role" + "effective": { + "id": "PRINCIPALID", + "name": "private-ec2-instance-role" + }, + "name": "i-0ddf9acf8eeb33959" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json index 58c06fe008c..338590f1f0f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json @@ -78,7 +78,6 @@ "session_issuer": { "account_id": "00000000000", "arn": "arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM", - "principal_id": "PRINCIPAL", "type": "Role" } }, @@ -116,7 +115,8 @@ "arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM" ], "user": [ - "PRINCIPAL:StateManagerService", + "StateManagerService", + "PRINCIPAL", "AWSServiceRoleForAmazonSSM" ] }, @@ -135,8 +135,11 @@ } }, "user": { - "id": "PRINCIPAL:StateManagerService", - "name": "AWSServiceRoleForAmazonSSM" + "effective": { + "id": "PRINCIPAL", + "name": "AWSServiceRoleForAmazonSSM" + }, + "name": "StateManagerService" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json index 2b6cbd5e5cb..948c2914228 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json 
@@ -67,9 +67,6 @@ "arn:aws:iam::00000000000:root", "ACCESSKEY", "root-5hvouhyykagjjk3f6glxk8o6bu" - ], - "user": [ - "00000000000" ] }, "source": { @@ -110,9 +107,6 @@ "version": "1.2", "version_protocol": "tls" }, - "user": { - "id": "00000000000" - }, "user_agent": { "device": { "name": "Mac" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json index 182a97d80d1..c894071880f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json @@ -180,9 +180,6 @@ "related": { "entity": [ "some.user@example.com" - ], - "user": [ - "some.user@example.com" ] }, "source": { @@ -193,10 +190,6 @@ "preserve_original_event", "actor_target_mapping" ], - "user": { - "email": "some.user@example.com", - "name": "some.user@example.com" - }, "user_agent": { "device": { "name": "Other" @@ -250,7 +243,6 @@ "session_issuer": { "account_id": "001122334455", "arn": "arn:aws:iam::001122334455:role/aws-reserved/sso.amazonaws.com/eu-west-1/Some_AWS_Role", - "principal_id": "REDACTED", "type": "Role" } }, @@ -287,7 +279,8 @@ "arn:aws:sts::001122334455:assumed-role/Some_AWS_Role/some.user@example.com" ], "user": [ - "REDACTED:some.user@example.com", + "some.user@example.com", + "REDACTED", "Some_AWS_Role" ] }, @@ -307,8 +300,12 @@ "version": "1.3" }, "user": { - "id": "REDACTED:some.user@example.com", - "name": "Some_AWS_Role" + "effective": { + "id": "REDACTED", + "name": "Some_AWS_Role" + }, + "email": "some.user@example.com", + "name": "some.user@example.com" }, "user_agent": { "device": { 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log-expected.json index 247921a3d49..0959e773335 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log-expected.json @@ -58,6 +58,7 @@ "related": { "entity": [], "user": [ + "redacted", "redacted@example.com" ] }, @@ -70,6 +71,7 @@ ], "user": { "email": "redacted@example.com", + "id": "redacted", "name": "redacted@example.com" }, "user_agent": { diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml index 8ca248a405b..b34f32bf18c 100644 --- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml @@ -776,15 +776,20 @@ processors: - rename: field: json.userIdentity.type target_field: aws.cloudtrail.user_identity.type - ignore_failure: true + ignore_missing: true + tag: rename_user_identity_type - rename: field: json.userIdentity.userName target_field: user.name - ignore_failure: true + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'IAMUser' + tag: rename_user_identity_user_name_iam_user - rename: field: json.userIdentity.principalId target_field: user.id - ignore_failure: true + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'IAMUser' + tag: rename_user_identity_principal_id - rename: field: json.userIdentity.arn target_field: aws.cloudtrail.user_identity.arn 
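Review bot: Gating the `json.userIdentity.userName` and `json.userIdentity.principalId` renames on `type == 'IAMUser'` leaves every other `userIdentity.type` with no `user.*` mapping at all, and the terminate-session fixture in this same patch shows the effect: a Root event loses `user.id` (the account id) and its `related.user` entry. Root, FederatedUser, AWSAccount, AWSService, SAMLUser and WebIdentityUser activity is exactly where detection rules and dashboards key on `user.id`/`user.name`, so this is a silent regression unless those types are handled elsewhere in the pipeline; patch 3's diffstat re-adds six lines to that fixture, which may be where this is revisited, but its pipeline hunk is not in view. A narrower condition would exclude only the types the next hunk maps separately, e.g. `if: !['AssumedRole', 'IdentityCenterUser'].contains(ctx.aws?.cloudtrail?.user_identity?.type)` on both renames, keeping the fallback for everything else. Note also that these renames now use `ignore_missing` instead of `ignore_failure`, so a target such as `user.name` that an earlier processor already populated would make the rename throw where it was previously swallowed; worth confirming nothing upstream sets it.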
@@ -814,12 +819,29 @@ processors: # userIdentity.sessionIssuer.userName is only set with assumed roles. - rename: field: json.userIdentity.sessionContext.sessionIssuer.userName - target_field: user.name - ignore_failure: true + target_field: user.effective.name + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole' + tag: rename_user_effective_name_assumed_role - rename: field: json.userIdentity.sessionContext.sessionIssuer.principalId - target_field: aws.cloudtrail.user_identity.session_context.session_issuer.principal_id - ignore_failure: true + target_field: user.effective.id + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole' + tag: rename_user_effective_id_assumed_role + - grok: + field: aws.cloudtrail.user_identity.arn + patterns: + - "arn:aws:sts:.*/%{GREEDYDATA:user.name}$" + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole' && ctx.aws?.cloudtrail?.user_identity?.arn != null + tag: extract_user_name_from_arn + - rename: + field: json.userIdentity.onBehalfOf.userId + target_field: user.id + ignore_missing: true + if: ctx.aws?.cloudtrail?.user_identity?.type == 'IdentityCenterUser' && ctx.user?.id == null + tag: rename_user_id_identity_center_user - rename: field: json.userIdentity.sessionContext.sessionIssuer.arn target_field: aws.cloudtrail.user_identity.session_context.session_issuer.arn 
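Review bot: The grok pattern `arn:aws:sts:.*/%{GREEDYDATA:user.name}$` hardcodes the `aws` partition, so AssumedRole events from the `aws-us-gov` or `aws-cn` partitions (`arn:aws-us-gov:sts::…`) will not match, and a grok with no match raises rather than skips — `ignore_missing` only covers an absent field, and the processor has neither `ignore_failure` nor `on_failure`, so those events would fail at `extract_user_name_from_arn` (presumably surfacing as pipeline errors via a top-level `on_failure`, which is not in view). Accepting any partition fixes it in place: `- "^arn:[^:]+:sts:.*/%{GREEDYDATA:user.name}$"`. Separately, the value this extracts is the RoleSessionName, which the caller of AssumeRole chooses freely, so it should be documented as a session label rather than a verified identity; a short comment above the grok such as `# Last ARN segment is the caller-supplied RoleSessionName, not an authenticated principal; user.effective.* holds the role.` would help anyone writing rules on `user.name`.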
@@ -1734,6 +1756,19 @@ processors: allow_duplicates: false ignore_failure: true + - append: + field: related.user + value: '{{{user.effective.id}}}' + if: ctx.user?.effective?.id != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{user.effective.name}}}' + if: ctx.user?.effective?.name != null + allow_duplicates: false + ignore_failure: true + # Remove the fields that the user does not want. # In the case that we did not want the flattened fields our work is already # done, since we did not retain them. Otherwise we remove the relevant fields diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index d204519f21c..0ff01b28a1f 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: aws title: AWS -version: "4.3.0" +version: 4.4.0 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: From 9c1ea5268adeff1b5b27d46249e91e081b8a00ea Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Wed, 8 Oct 2025 10:48:21 +0200 Subject: [PATCH 2/3] Update changelog --- packages/aws/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 59dbbd6141d..e8ea6e65f24 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Normalize user fields for AWS CloudTrail events. type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/15601 - version: "4.3.0" changes: - description: Improve documentation to align with new guidelines. From 6f4b1045503d2d8938f6ef910905bf0d6b4e5928 Mon Sep 17 00:00:00 2001 
From: chemamartinez Date: Tue, 21 Oct 2025 17:55:21 +0200 Subject: [PATCH 3/3] Update how user is treated for AssumedRole events --- .../test-assume-role-json.log-expected.json | 24 +++++++++---------- ...-attach-user-policy-json.log-expected.json | 12 +++++----- ...curity-group-egress-json.log-expected.json | 12 +++++----- .../test-console-login-json.log-expected.json | 12 +++++----- .../test-converse-json.log-expected.json | 12 +++++----- ...ate-control-channel-json.log-expected.json | 12 +++++----- .../test-delete-bucket-json.log-expected.json | 12 +++++----- ...t-get-bucket-policy-json.log-expected.json | 12 +++++----- .../test-get-policy-json.log-expected.json | 12 +++++----- ...pen-control-channel-json.log-expected.json | 12 +++++----- .../test-publish-json.log-expected.json | 12 +++++----- ...st-send-command-all-json.log-expected.json | 12 +++++----- ...t-terminate-session-json.log-expected.json | 6 +++++ .../test-tls-details-json.log-expected.json | 20 ++++++++++------ .../elasticsearch/ingest_pipeline/default.yml | 24 +++++++------------ 15 files changed, 106 insertions(+), 100 deletions(-) diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index 2ae5ec81dc4..0411e1adf34 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json @@ -111,9 +111,9 @@ "arn:aws:iam::111111111111:role/JohnRole2" ], "user": [ - "JohnRole1", "AROAIN5ATK5U7KEXAMPLE", - "JohnDoe" + "JohnDoe", + "JohnRole1" ] }, "source": { @@ -144,11 +144,11 @@ } }, "user": { - "effective": { - "id": "AROAIN5ATK5U7KEXAMPLE", - "name": "JohnDoe" + "changes": { + "name": "JohnRole1" }, - "name": "JohnRole1" + "id": "AROAIN5ATK5U7KEXAMPLE", + "name": "JohnDoe" }, "user_agent": { "device": { 
@@ -279,9 +279,9 @@ "arn:aws:iam::111111111111:role/JohnRole2" ], "user": [ - "JohnRole1", "AROAIN5ATK5U7KEXAMPLE", - "JohnDoe" + "JohnDoe", + "JohnRole1" ] }, "source": { @@ -312,11 +312,11 @@ } }, "user": { - "effective": { - "id": "AROAIN5ATK5U7KEXAMPLE", - "name": "JohnDoe" + "changes": { + "name": "JohnRole1" }, - "name": "JohnRole1" + "id": "AROAIN5ATK5U7KEXAMPLE", + "name": "JohnDoe" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json index eab51c1fc1b..8850c75c3c6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json @@ -76,9 +76,9 @@ ], "user": [ "pwncloud-backdoor-user", - "i-06815aa7cf7d21f8f", "PRINCIPALID", - "ec2-instance-role" + "ec2-instance-role", + "i-06815aa7cf7d21f8f" ] }, "source": { @@ -121,11 +121,11 @@ "version_protocol": "tls" }, "user": { - "effective": { - "id": "PRINCIPALID", - "name": "ec2-instance-role" + "changes": { + "name": "i-06815aa7cf7d21f8f" }, - "name": "i-06815aa7cf7d21f8f", + "id": "PRINCIPALID", + "name": "ec2-instance-role", "target": { "name": "pwncloud-backdoor-user" } diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json index 3c5d0682e91..cbef1667a68 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json 
@@ -106,9 +106,9 @@ "sg-038ccc3a1f7b05f42" ], "user": [ - "i-06815aa7cf7d21f8f", "PRINCIPALID", - "ec2-instance-role" + "ec2-instance-role", + "i-06815aa7cf7d21f8f" ] }, "source": { @@ -151,11 +151,11 @@ "version_protocol": "tls" }, "user": { - "effective": { - "id": "PRINCIPALID", - "name": "ec2-instance-role" + "changes": { + "name": "i-06815aa7cf7d21f8f" }, - "name": "i-06815aa7cf7d21f8f" + "id": "PRINCIPALID", + "name": "ec2-instance-role" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json index 448f54c8d7b..521ee5281d6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json @@ -310,9 +310,9 @@ "RoleToBeAssumed" ], "user": [ - "MySessionName", "AROAIDPPEZS35WEXAMPLE", - "RoleToBeAssumed" + "RoleToBeAssumed", + "MySessionName" ] }, "source": { @@ -342,11 +342,11 @@ "actor_target_mapping" ], "user": { - "effective": { - "id": "AROAIDPPEZS35WEXAMPLE", - "name": "RoleToBeAssumed" + "changes": { + "name": "MySessionName" }, - "name": "MySessionName" + "id": "AROAIDPPEZS35WEXAMPLE", + "name": "RoleToBeAssumed" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json index 0dd25fbf61e..391a9f74e57 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json 
@@ -69,9 +69,9 @@ "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae" ], "user": [ - "i-03cd6b2a7eb4bf3ae", "PRINCIPALID", - "private-ec2-instance-role" + "private-ec2-instance-role", + "i-03cd6b2a7eb4bf3ae" ] }, "source": { @@ -113,11 +113,11 @@ "version_protocol": "tls" }, "user": { - "effective": { - "id": "PRINCIPALID", - "name": "private-ec2-instance-role" + "changes": { + "name": "i-03cd6b2a7eb4bf3ae" }, - "name": "i-03cd6b2a7eb4bf3ae" + "id": "PRINCIPALID", + "name": "private-ec2-instance-role" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json index 1bfd2bf208a..434c568faac 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json @@ -75,9 +75,9 @@ "arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957" ], "user": [ - "i-05e14c76fdb335957", "PRINCIPALID", - "bedrock_ec2_role" + "bedrock_ec2_role", + "i-05e14c76fdb335957" ] }, "source": { @@ -119,11 +119,11 @@ "version_protocol": "tls" }, "user": { - "effective": { - "id": "PRINCIPALID", - "name": "bedrock_ec2_role" + "changes": { + "name": "i-05e14c76fdb335957" }, - "name": "i-05e14c76fdb335957" + "id": "PRINCIPALID", + "name": "bedrock_ec2_role" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index 7622a3eac43..20b79cadda6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json @@ -70,9 +70,9 @@ "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" ], "user": [ - "devdsk", "AIDAQRSTUVWXYZEXAMPLE", - "AssumeNothing" + "AssumeNothing", + "devdsk" ] }, "source": { @@ -102,11 +102,11 @@ "actor_target_mapping" ], "user": { - "effective": { - "id": "AIDAQRSTUVWXYZEXAMPLE", - "name": "AssumeNothing" + "changes": { + "name": "devdsk" }, - "name": "devdsk" + "id": "AIDAQRSTUVWXYZEXAMPLE", + "name": "AssumeNothing" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json index d8c6adfb375..57f7a033e1c 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json @@ -89,9 +89,9 @@ "ACCESSKEY" ], "user": [ - "AWSConfig-Describe", "PRINCIPALID", - "AWSServiceRoleForConfig" + "AWSServiceRoleForConfig", + "AWSConfig-Describe" ] }, "source": { @@ -109,11 +109,11 @@ } }, "user": { - "effective": { - "id": "PRINCIPALID", - "name": "AWSServiceRoleForConfig" + "changes": { + "name": "AWSConfig-Describe" }, - "name": "AWSConfig-Describe" + "id": "PRINCIPALID", + "name": "AWSServiceRoleForConfig" }, "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json index aabd47baec4..285b5ad4e30 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json 
@@ -72,9 +72,9 @@
 "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
 ],
 "user": [
- "i-00486a46a6d8692b9",
 "PRINCIPALID",
- "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
+ "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9",
+ "i-00486a46a6d8692b9"
 ]
 },
 "source": {
@@ -116,11 +116,11 @@
 "version_protocol": "tls"
 },
 "user": {
- "effective": {
- "id": "PRINCIPALID",
- "name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
+ "changes": {
+ "name": "i-00486a46a6d8692b9"
 },
- "name": "i-00486a46a6d8692b9"
+ "id": "PRINCIPALID",
+ "name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
 },
 "user_agent": {
 "device": {
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
index 8630b92b2b6..8082fea06f5 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
@@ -85,9 +85,9 @@
 "arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585"
 ],
 "user": [
- "i-021987ab2dbf04585",
 "PRINCIPALID",
- "ec2-instance-role"
+ "ec2-instance-role",
+ "i-021987ab2dbf04585"
 ]
 },
 "source": {
@@ -126,11 +126,11 @@
 }
 },
 "user": {
- "effective": {
- "id": "PRINCIPALID",
- "name": "ec2-instance-role"
+ "changes": {
+ "name": "i-021987ab2dbf04585"
 },
- "name": "i-021987ab2dbf04585"
+ "id": "PRINCIPALID",
+ "name": "ec2-instance-role"
 },
 "user_agent": {
 "device": {
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json
index d06d02486c4..ca057ab4841 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json
@@ -81,9 +81,9 @@
 "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration"
 ],
 "user": [
- "i-0ddf9acf8eeb33959",
 "PRINCIPALID",
- "private-ec2-instance-role"
+ "private-ec2-instance-role",
+ "i-0ddf9acf8eeb33959"
 ]
 },
 "source": {
@@ -125,11 +125,11 @@
 "version_protocol": "tls"
 },
 "user": {
- "effective": {
- "id": "PRINCIPALID",
- "name": "private-ec2-instance-role"
+ "changes": {
+ "name": "i-0ddf9acf8eeb33959"
 },
- "name": "i-0ddf9acf8eeb33959"
+ "id": "PRINCIPALID",
+ "name": "private-ec2-instance-role"
 },
 "user_agent": {
 "device": {
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json
index 338590f1f0f..4921dfc0d5e 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json
@@ -115,9 +115,9 @@
 "arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
 ],
 "user": [
- "StateManagerService",
 "PRINCIPAL",
- "AWSServiceRoleForAmazonSSM"
+ "AWSServiceRoleForAmazonSSM",
+ "StateManagerService"
 ]
 },
 "source": {
@@ -135,11 +135,11 @@
 }
 },
 "user": {
- "effective": {
- "id": "PRINCIPAL",
- "name": "AWSServiceRoleForAmazonSSM"
+ "changes": {
+ "name": "StateManagerService"
 },
- "name": "StateManagerService"
+ "id": "PRINCIPAL",
+ "name": "AWSServiceRoleForAmazonSSM"
 },
 "user_agent": {
 "device": {
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json
index 948c2914228..2b6cbd5e5cb 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json
@@ -67,6 +67,9 @@
 "arn:aws:iam::00000000000:root",
 "ACCESSKEY",
 "root-5hvouhyykagjjk3f6glxk8o6bu"
+ ],
+ "user": [
+ "00000000000"
 ]
 },
 "source": {
@@ -107,6 +110,9 @@
 "version": "1.2",
 "version_protocol": "tls"
 },
+ "user": {
+ "id": "00000000000"
+ },
 "user_agent": {
 "device": {
 "name": "Mac"
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
index c894071880f..d835b824ba2 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json
@@ -180,6 +180,9 @@
 "related": {
 "entity": [
 "some.user@example.com"
+ ],
+ "user": [
+ "some.user@example.com"
 ]
 },
 "source": {
@@ -190,6 +193,10 @@
 "preserve_original_event",
 "actor_target_mapping"
 ],
+ "user": {
+ "email": "some.user@example.com",
+ "name": "some.user@example.com"
+ },
 "user_agent": {
 "device": {
 "name": "Other"
@@ -279,9 +286,9 @@
 "arn:aws:sts::001122334455:assumed-role/Some_AWS_Role/some.user@example.com"
 ],
 "user": [
- "some.user@example.com",
 "REDACTED",
- "Some_AWS_Role"
+ "Some_AWS_Role",
+ "some.user@example.com"
 ]
 },
 "source": {
@@ -300,12 +307,11 @@
 "version": "1.3"
 },
 "user": {
- "effective": {
- "id": "REDACTED",
- "name": "Some_AWS_Role"
+ "changes": {
+ "name": "some.user@example.com"
 },
- "email": "some.user@example.com",
- "name": "some.user@example.com"
+ "id": "REDACTED",
+ "name": "Some_AWS_Role"
 },
 "user_agent": {
 "device": {
diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
index b34f32bf18c..0777eeef409 100644
--- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
@@ -782,13 +782,11 @@ processors:
 field: json.userIdentity.userName
 target_field: user.name
 ignore_missing: true
- if: ctx.aws?.cloudtrail?.user_identity?.type == 'IAMUser'
 tag: rename_user_identity_user_name_iam_user
 - rename:
 field: json.userIdentity.principalId
 target_field: user.id
 ignore_missing: true
- if: ctx.aws?.cloudtrail?.user_identity?.type == 'IAMUser'
 tag: rename_user_identity_principal_id
 - rename:
 field: json.userIdentity.arn
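Review bot: With both `if: ctx.aws?.cloudtrail?.user_identity?.type == 'IAMUser'` guards dropped, the two renames now run for every userIdentity type, yet the first processor's tag still reads `rename_user_identity_user_name_iam_user`; rename it to `tag: rename_user_identity_user_name` so a failure message no longer points at an IAM-user-only step. For AssumedRole events the `principalId` moved into `user.id` here has the `<role-id>:<session-name>` form and is later replaced by the sessionIssuer rename, and the updated expected files above list only the bare role id, role name and session name in `related.user`, so please confirm the session-qualified id is still retained under `aws.cloudtrail.user_identity` — it is the value that distinguishes one role session from another when investigating. The `rename` processor whose fields open this hunk starts before the visible lines.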
@@ -819,20 +817,22 @@ processors:
 # userIdentity.sessionIssuer.userName is only set with assumed roles.
 - rename:
 field: json.userIdentity.sessionContext.sessionIssuer.userName
- target_field: user.effective.name
+ target_field: user.name
 ignore_missing: true
+ override: true
 if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole'
- tag: rename_user_effective_name_assumed_role
+ tag: rename_user_name_assumed_role
 - rename:
 field: json.userIdentity.sessionContext.sessionIssuer.principalId
- target_field: user.effective.id
+ target_field: user.id
 ignore_missing: true
+ override: true
 if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole'
- tag: rename_user_effective_id_assumed_role
+ tag: rename_user_id_assumed_role
 - grok:
 field: aws.cloudtrail.user_identity.arn
 patterns:
- - "arn:aws:sts:.*/%{GREEDYDATA:user.name}$"
+ - "arn:aws:sts:.*/%{GREEDYDATA:user.changes.name}$"
 ignore_missing: true
 if: ctx.aws?.cloudtrail?.user_identity?.type == 'AssumedRole' && ctx.aws?.cloudtrail?.user_identity?.arn != null
 tag: extract_user_name_from_arn
@@ -1758,14 +1758,8 @@ processors:
 - append:
 field: related.user
- value: '{{{user.effective.id}}}'
- if: ctx.user?.effective?.id != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.user
- value: '{{{user.effective.name}}}'
- if: ctx.user?.effective?.name != null
+ value: '{{{user.changes.name}}}'
+ if: ctx.user?.changes?.name != null
 allow_duplicates: false
 ignore_failure: true
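Review bot: Routing the STS session name into `user.changes.name` in the grok pattern gives that field a meaning ECS reserves for the target user of a user-management operation (the account being created, modified or deleted), so rules and dashboards that pivot on `user.changes.*` across data streams will start matching ordinary assumed-role API calls; the session name identifies the caller that assumed the role, which the previous `user.*`/`user.effective.*` split expressed more faithfully, and the test-tls-details expected file shows `user.email` disappearing from the assumed-role record as a side effect. If the new layout is intentional, say so in the comment above the block, e.g. `# For AssumedRole the sessionIssuer role becomes user.name/user.id; the session name from the ARN is kept in user.changes.name.` The added `override: true` relies on the `rename` processor supporting that option, which ties the package to a minimum stack version — the manifest.yml change in the diffstat may be that bump, but it is outside the visible hunks. `arn:aws:sts:.*` also matches only the `aws` partition, so nothing is extracted for `aws-us-gov` or `aws-cn` ARNs; `arn:[^:]+:sts:.*/%{GREEDYDATA:user.changes.name}$` would cover all three. The `related.user` append in the last hunk, which runs past the visible lines, follows the same field choice.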