Skip to content

aws.cloudtrail: improve CloudTrail user identity processing #15601

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+147 −63
Open

aws.cloudtrail: improve CloudTrail user identity processing #15601

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
75fe167
Normalize user fields
chemamartinez Oct 8, 2025
9c1ea52
Update changelog
chemamartinez Oct 8, 2025
6f4b104
Update how user is treated for AssumedRole events
chemamartinez Oct 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/aws/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "4.4.0"
changes:
- description: Normalize user fields for AWS CloudTrail events.
type: enhancement
link: https://github.com/elastic/integrations/pull/15601
- version: "4.3.0"
changes:
- description: Improve documentation to align with new guidelines.
Expand Down
22 changes: 14 additions & 8 deletions ...ges/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,6 @@
"session_issuer": {
"account_id": "111111111111",
"arn": "arn:aws:iam::111111111111:role/JohnRole1",
"principal_id": "AROAIN5ATK5U7KEXAMPLE",
"type": "Role"
}
},
Expand Down Expand Up @@ -112,8 +111,9 @@
"arn:aws:iam::111111111111:role/JohnRole2"
],
"user": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"JohnDoe"
"AROAIN5ATK5U7KEXAMPLE",
"JohnDoe",
"JohnRole1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems odd to me to map a role as a user.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This come from this conversation with the trade team, where they need to treat the IAM user name and the role name as the user.name for the AWS SIEM rules.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@efd6 A lot of our cloud based detection rules are anomaly based, so doing it this way allows us to track the overall behavior of a role across many different temporary sessions in the same way that we track a user's behavior over time. Here is an example rule that uses the user.name field to determine the first time a User or a Role updates an existing AssumeRole Policy, which could be a privilege escalation attempt. We want to examine the history of the Role's behavior in the same way we would an IAMUser identity.

]
},
"source": {
Expand Down Expand Up @@ -144,7 +144,10 @@
}
},
"user": {
"id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"changes": {
"name": "JohnRole1"
},
"id": "AROAIN5ATK5U7KEXAMPLE",
"name": "JohnDoe"
},
"user_agent": {
Expand Down Expand Up @@ -234,7 +237,6 @@
"session_issuer": {
"account_id": "111111111111",
"arn": "arn:aws:iam::111111111111:role/JohnRole1",
"principal_id": "AROAIN5ATK5U7KEXAMPLE",
"type": "Role"
}
},
Expand Down Expand Up @@ -277,8 +279,9 @@
"arn:aws:iam::111111111111:role/JohnRole2"
],
"user": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"JohnDoe"
"AROAIN5ATK5U7KEXAMPLE",
"JohnDoe",
"JohnRole1"
]
},
"source": {
Expand Down Expand Up @@ -309,7 +312,10 @@
}
},
"user": {
"id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"changes": {
"name": "JohnRole1"
},
"id": "AROAIN5ATK5U7KEXAMPLE",
"name": "JohnDoe"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions .../data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@
"session_issuer": {
"account_id": "000000000",
"arn": "arn:aws:iam::000000000:role/ec2-instance-role",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -77,8 +76,9 @@
],
"user": [
"pwncloud-backdoor-user",
"PRINCIPALID:i-06815aa7cf7d21f8f",
"ec2-instance-role"
"PRINCIPALID",
"ec2-instance-role",
"i-06815aa7cf7d21f8f"
]
},
"source": {
Expand Down Expand Up @@ -121,7 +121,10 @@
"version_protocol": "tls"
},
"user": {
"id": "PRINCIPALID:i-06815aa7cf7d21f8f",
"changes": {
"name": "i-06815aa7cf7d21f8f"
},
"id": "PRINCIPALID",
"name": "ec2-instance-role",
"target": {
"name": "pwncloud-backdoor-user"
Expand Down
11 changes: 7 additions & 4 deletions ...cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,6 @@
"session_issuer": {
"account_id": "000000000",
"arn": "arn:aws:iam::000000000:role/ec2-instance-role",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -107,8 +106,9 @@
"sg-038ccc3a1f7b05f42"
],
"user": [
"PRINCIPALID:i-06815aa7cf7d21f8f",
"ec2-instance-role"
"PRINCIPALID",
"ec2-instance-role",
"i-06815aa7cf7d21f8f"
]
},
"source": {
Expand Down Expand Up @@ -151,7 +151,10 @@
"version_protocol": "tls"
},
"user": {
"id": "PRINCIPALID:i-06815aa7cf7d21f8f",
"changes": {
"name": "i-06815aa7cf7d21f8f"
},
"id": "PRINCIPALID",
"name": "ec2-instance-role"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions ...s/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,6 @@
"session_issuer": {
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"principal_id": "AROAIDPPEZS35WEXAMPLE",
"type": "Role"
}
},
Expand Down Expand Up @@ -311,8 +310,9 @@
"RoleToBeAssumed"
],
"user": [
"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"RoleToBeAssumed"
"AROAIDPPEZS35WEXAMPLE",
"RoleToBeAssumed",
"MySessionName"
]
},
"source": {
Expand Down Expand Up @@ -342,7 +342,10 @@
"actor_target_mapping"
],
"user": {
"id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"changes": {
"name": "MySessionName"
},
"id": "AROAIDPPEZS35WEXAMPLE",
"name": "RoleToBeAssumed"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@
"session_issuer": {
"account_id": "00000000000",
"arn": "arn:aws:iam::00000000000:role/private-ec2-instance-role",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -70,8 +69,9 @@
"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae"
],
"user": [
"PRINCIPALID:i-03cd6b2a7eb4bf3ae",
"private-ec2-instance-role"
"PRINCIPALID",
"private-ec2-instance-role",
"i-03cd6b2a7eb4bf3ae"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems more odd, since this is a session now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From this same conversation, the goal is to consider the session name as temporary user name, that's why it is being mapped as user.changes.name and therefore included into related.users.

]
},
"source": {
Expand Down Expand Up @@ -113,7 +113,10 @@
"version_protocol": "tls"
},
"user": {
"id": "PRINCIPALID:i-03cd6b2a7eb4bf3ae",
"changes": {
"name": "i-03cd6b2a7eb4bf3ae"
},
"id": "PRINCIPALID",
"name": "private-ec2-instance-role"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions ...a_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
"session_issuer": {
"account_id": "00000000000",
"arn": "arn:aws:iam::00000000000:role/bedrock_ec2_role",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -76,8 +75,9 @@
"arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957"
],
"user": [
"PRINCIPALID:i-05e14c76fdb335957",
"bedrock_ec2_role"
"PRINCIPALID",
"bedrock_ec2_role",
"i-05e14c76fdb335957"
]
},
"source": {
Expand Down Expand Up @@ -119,7 +119,10 @@
"version_protocol": "tls"
},
"user": {
"id": "PRINCIPALID:i-05e14c76fdb335957",
"changes": {
"name": "i-05e14c76fdb335957"
},
"id": "PRINCIPALID",
"name": "bedrock_ec2_role"
},
"user_agent": {
Expand Down
6 changes: 6 additions & 0 deletions .../data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,9 @@
"subnet-fee506df",
"subnet-bf6ab5b1",
"subnet-8bdf6bc6"
],
"user": [
"544894e8-80c1-707f-60e3-3ba6510dfac1"
]
},
"source": {
Expand Down Expand Up @@ -207,6 +210,9 @@
"version": "1.3",
"version_protocol": "tls"
},
"user": {
"id": "544894e8-80c1-707f-60e3-3ba6510dfac1"
},
"user_agent": {
"device": {
"name": "Other"
Expand Down
11 changes: 7 additions & 4 deletions ...s/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
"session_issuer": {
"account_id": "777788889999",
"arn": "arn:aws:iam::777788889999:role/AssumeNothing",
"principal_id": "AIDAQRSTUVWXYZEXAMPLE",
"type": "Role"
}
},
Expand Down Expand Up @@ -71,8 +70,9 @@
"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk"
],
"user": [
"AIDAQRSTUVWXYZEXAMPLE:devdsk",
"AssumeNothing"
"AIDAQRSTUVWXYZEXAMPLE",
"AssumeNothing",
"devdsk"
]
},
"source": {
Expand Down Expand Up @@ -102,7 +102,10 @@
"actor_target_mapping"
],
"user": {
"id": "AIDAQRSTUVWXYZEXAMPLE:devdsk",
"changes": {
"name": "devdsk"
},
"id": "AIDAQRSTUVWXYZEXAMPLE",
"name": "AssumeNothing"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions ...s/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@
"session_issuer": {
"account_id": "0000000000",
"arn": "arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -90,8 +89,9 @@
"ACCESSKEY"
],
"user": [
"PRINCIPALID:AWSConfig-Describe",
"AWSServiceRoleForConfig"
"PRINCIPALID",
"AWSServiceRoleForConfig",
"AWSConfig-Describe"
]
},
"source": {
Expand All @@ -109,7 +109,10 @@
}
},
"user": {
"id": "PRINCIPALID:AWSConfig-Describe",
"changes": {
"name": "AWSConfig-Describe"
},
"id": "PRINCIPALID",
"name": "AWSServiceRoleForConfig"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions ...ages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@
"session_issuer": {
"account_id": "00000000000",
"arn": "arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -73,8 +72,9 @@
"Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
],
"user": [
"PRINCIPALID:i-00486a46a6d8692b9",
"Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
"PRINCIPALID",
"Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9",
"i-00486a46a6d8692b9"
]
},
"source": {
Expand Down Expand Up @@ -116,7 +116,10 @@
"version_protocol": "tls"
},
"user": {
"id": "PRINCIPALID:i-00486a46a6d8692b9",
"changes": {
"name": "i-00486a46a6d8692b9"
},
"id": "PRINCIPALID",
"name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"
},
"user_agent": {
Expand Down
11 changes: 7 additions & 4 deletions ...ata_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@
"session_issuer": {
"account_id": "000000000000",
"arn": "arn:aws:iam::000000000000:role/ec2-instance-role",
"principal_id": "PRINCIPALID",
"type": "Role"
}
},
Expand Down Expand Up @@ -86,8 +85,9 @@
"arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585"
],
"user": [
"PRINCIPALID:i-021987ab2dbf04585",
"ec2-instance-role"
"PRINCIPALID",
"ec2-instance-role",
"i-021987ab2dbf04585"
]
},
"source": {
Expand Down Expand Up @@ -126,7 +126,10 @@
}
},
"user": {
"id": "PRINCIPALID:i-021987ab2dbf04585",
"changes": {
"name": "i-021987ab2dbf04585"
},
"id": "PRINCIPALID",
"name": "ec2-instance-role"
},
"user_agent": {
Expand Down
Loading