
Conversation

@chemamartinez (Contributor) commented Oct 8, 2025

Proposed commit message

For CloudTrail events, how IAM users are handled has been updated.

In particular, for the user identity IAMUser type, user.name and user.id are
populated with the fields of the user that made the action/request.

For the user identity AssumedRole type, AWS SIEM rules need roles to be treated as IAMUsers in order to work correctly, so the role identifiers inside sessionIssuer populate the user.* fields. The session name is then mapped to user.changes.name, as it can be interpreted as the name the user takes for that particular session, which is the closest approach available in ECS.

References:

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues
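The mapping the description above lays out (IAMUser fields straight into user.*, the sessionIssuer role into user.* for AssumedRole, the session name into user.changes.name, and both names into related.user) can be modelled outside the ingest pipeline. The following is an added example, not code from the elastic/integrations PR or the AWS integration itself: a small Python function over two constructed CloudTrail records. The CloudTrail field names (userIdentity.type, userName, principalId, arn, sessionContext.sessionIssuer) are real CloudTrail fields; the sample records are constructed for this example, and the fallback of reading the session name from the `<role id>:<session name>` principalId is an assumption of this example, not something the PR states.

```python
# Added example (not code from the elastic/integrations PR): a small Python
# model of the CloudTrail userIdentity -> ECS user.* mapping the PR describes.
# CloudTrail field names are real; the two sample records are constructed.

from typing import Any, Optional

# Constructed sample: an IAMUser identity.
IAM_USER_EVENT: dict[str, Any] = {
    "eventName": "ListBuckets",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "userName": "Alice",
    },
}

# Constructed sample: an AssumedRole identity. The principalId of an assumed
# role is "<role unique id>:<session name>"; the session name is also the last
# segment of the STS ARN.
ASSUMED_ROLE_EVENT: dict[str, Any] = {
    "eventName": "DescribeInstances",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
        "arn": "arn:aws:sts::123456789012:assumed-role/JohnDoe/JohnRole1",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIN5ATK5U7KEXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/JohnDoe",
                "accountId": "123456789012",
                "userName": "JohnDoe",
            },
            "attributes": {"mfaAuthenticated": "false"},
        },
    },
}


def session_name_from_arn(arn: str) -> Optional[str]:
    """Return the session name from an STS assumed-role ARN, else None.

    Shape: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    """
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return None
    resource = parts[5].split("/")
    if len(resource) == 3 and resource[0] == "assumed-role" and resource[2]:
        return resource[2]
    return None


def normalize_user(event: dict[str, Any]) -> dict[str, Any]:
    """Populate ECS user.* and related.user the way the PR text describes."""
    identity = event.get("userIdentity") or {}
    ecs: dict[str, Any] = {}
    related: list[str] = []

    def add_related(name: Optional[str]) -> None:
        # related.user is a de-duplicated, order-preserving list of names.
        if name and name not in related:
            related.append(name)

    itype = identity.get("type")
    if itype == "IAMUser":
        # IAMUser: the caller is the user itself.
        ecs["user.name"] = identity.get("userName")
        ecs["user.id"] = identity.get("principalId")
        add_related(ecs["user.name"])
    elif itype == "AssumedRole":
        # AssumedRole: the role from sessionIssuer is treated as the user so
        # that SIEM rules keyed on user.name keep working; the session name
        # becomes user.changes.name (the name taken for this session).
        issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        ecs["user.name"] = issuer.get("userName")
        ecs["user.id"] = issuer.get("principalId")
        session = session_name_from_arn(identity.get("arn", ""))
        if session is None and ":" in identity.get("principalId", ""):
            # Fallback (assumption of this example, not stated in the PR):
            # derive the session name from "<role id>:<session name>".
            session = identity["principalId"].split(":", 1)[1]
        if session:
            ecs["user.changes.name"] = session
        add_related(ecs["user.name"])
        add_related(session)
    # Other identity types (Root, AWSService, ...) are outside the PR text.

    ecs = {k: v for k, v in ecs.items() if v is not None}
    if related:
        ecs["related.user"] = related
    return ecs


if __name__ == "__main__":
    for ev in (IAM_USER_EVENT, ASSUMED_ROLE_EVENT):
        print(ev["userIdentity"]["type"], normalize_user(ev))
```

For the assumed-role record this yields user.name "JohnDoe" (the role), user.id "AROAIN5ATK5U7KEXAMPLE" (the sessionIssuer principalId), user.changes.name "JohnRole1" and related.user ["JohnDoe", "JohnRole1"], which matches the shape of the expected-output values discussed in the review below; the de-duplication in add_related matters when a session name equals the role name.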

@chemamartinez chemamartinez self-assigned this Oct 8, 2025
@chemamartinez chemamartinez added enhancement New feature or request Integration:aws AWS Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Oct 8, 2025
@chemamartinez chemamartinez marked this pull request as ready for review October 8, 2025 08:48
@chemamartinez chemamartinez requested review from a team as code owners October 8, 2025 08:48
@elasticmachine:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)


@chemamartinez chemamartinez force-pushed the 25241-aws_cloudtrail-normalize-user-fields branch from 6b2aa19 to 6f4b104 Compare October 21, 2025 15:56
@chemamartinez chemamartinez requested a review from imays11 October 21, 2025 16:01
@elasticmachine:

💚 Build Succeeded

cc @chemamartinez


  - append:
      field: related.user
      value: '{{{user.changes.name}}}'
Contributor:

nit: Given that we extract this from the sessionContext arn, which has the following description:

arn
The Amazon Resource Name (ARN) of the principal that made the call. The last section of the arn contains the user or role that made the call.

wouldn't a name like user.arn.principal better match this?

Contributor:

Anyway, not a blocker to get this merged.

Contributor Author:

We are trying to stick to the currently available ECS fields; unfortunately user.arn doesn't exist in ECS.

"JohnDoe"
"AROAIN5ATK5U7KEXAMPLE",
"JohnDoe",
"JohnRole1"
Contributor:

It seems odd to me to map a role as a user.

Contributor Author:

This comes from this conversation with the trade team, where they need to treat the IAM user name and the role name as the user.name for the AWS SIEM rules.

"private-ec2-instance-role"
"PRINCIPALID",
"private-ec2-instance-role",
"i-03cd6b2a7eb4bf3ae"
Contributor:

This seems more odd, since this is a session now.

Contributor Author:

From this same conversation, the goal is to consider the session name as a temporary user name; that's why it is being mapped as user.changes.name and therefore included in related.user.
