diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log
new file mode 100644
index 0000000000..7799574a42
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log
@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"98675cf5-df23-4169-8411-58429782c464","eventName":"AddPermission20150331v2","eventSource":"lambda.amazonaws.com","eventTime":"2024-10-10T15:07:03Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"84a87304-e9d7-4a99-ae71-dfc74faf5f12","requestParameters":{"action":"lambda:InvokeFunction","functionName":"cloudtrail-events-test","principal":"sns.amazonaws.com","statementId":"sns"},"responseElements":{"statement":"{\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"lambda.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json
new file mode 100644
index 0000000000..f460cf7383
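Review bot: The anonymised account id `000000000` used in recipientAccountId, userIdentity.accountId and the ARNs of this fixture is nine digits, while the existing test-add-user-to-group fixture on this page uses the 12-digit placeholder `123456789012` and the new test-attach-user-role fixture uses eleven digits (`00000000000`). AWS account ids are twelve digits, so a malformed placeholder will not exercise any account-id-shaped parsing or enrichment the pipeline performs, and the new files are inconsistent with each other. The same nine-digit placeholder appears in test-attach-group-policy, test-attach-role-policy and test-attach-user-policy; consider normalising all new .log fixtures to `123456789012` and regenerating their expected files.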
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json
@@ -0,0 +1,124 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:07:03.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "action": "lambda:InvokeFunction", + "functionName": "cloudtrail-events-test", + "principal": "sns.amazonaws.com", + "statementId": "sns" + }, + "response_elements": { + "statement": "{\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "84a87304-e9d7-4a99-ae71-dfc74faf5f12", + "request_parameters": "{principal=sns.amazonaws.com, functionName=cloudtrail-events-test, statementId=sns, action=lambda:InvokeFunction}", + "response_elements": "{statement={\"Sid\":\"sns\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\"}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AddPermission20150331v2", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "98675cf5-df23-4169-8411-58429782c464", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"98675cf5-df23-4169-8411-58429782c464\",\"eventName\":\"AddPermission20150331v2\",\"eventSource\":\"lambda.amazonaws.com\",\"eventTime\":\"2024-10-10T15:07:03Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"84a87304-e9d7-4a99-ae71-dfc74faf5f12\",\"requestParameters\":{\"action\":\"lambda:InvokeFunction\",\"functionName\":\"cloudtrail-events-test\",\"principal\":\"sns.amazonaws.com\",\"statementId\":\"sns\"},\"responseElements\":{\"statement\":\"{\\\"Sid\\\":\\\"sns\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"sns.amazonaws.com\\\"},\\\"Action\\\":\\\"lambda:InvokeFunction\\\",\\\"Resource\\\":\\\"arn:aws:lambda:us-east-1:000000000:function:cloudtrail-events-test\\\"}\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"lambda.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "lambda.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "cloudtrail-events-test" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": 
"US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "cloudtrail-events-test" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "lambda.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8ce3f005-c362-4713-912a-4d6f5c122258 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#lambda.add-permission", + "version": "2.17.60" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json index 5b75b950a1..a1c87a7aed 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2014-03-25T21:08:14.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_version": "1.0", @@ -52,7 +59,6 @@ }, "related": { "entity": [ - "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "Bob", "EXAMPLE_KEY_ID", @@ -68,7 +74,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EX_PRINCIPAL_ID", 
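Review bot: The expected output for the Lambda AddPermission event pins `event.type` as `["info"]` with no `event.category`, although the record is `readOnly: false` and adds a statement to the function's resource policy; the IAM Attach*Policy fixtures on this page classify comparable writes as `change`. If the pipeline is meant to treat resource-policy modifications as changes, that should be fixed in the pipeline and the expectation regenerated, rather than freezing `info` here. Separately, `target.entity.id` holds the bare function name `cloudtrail-events-test` while `actor.entity.id` is a full IAM ARN and the function ARN is available inside `responseElements.statement`; mixing name and ARN granularity in entity ids weakens correlation of the target across events.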
@@ -86,4 +93,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
index e01534c450..efc0d0cbac 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2019-10-02T22:12:29.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111111111111:role/JohnRole1"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -95,7 +102,6 @@
 },
 "related": {
 "entity": [
- "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
 "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
 "Role2WithTags",
 "AKIAI44QH8DHBEXAMPLE",
@@ -123,8 +129,16 @@
 "ip": "81.2.69.144"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111111111111:role/JohnRole2"
+ ]
+ }
+ },
 "user": {
 "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
 "name": "JohnDoe"
@@ -145,6 +159,13 @@
 },
 {
 "@timestamp": "2019-10-02T22:12:29.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111111111111:role/JohnRole1"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -243,7 +264,6 @@
 },
 "related": {
 "entity": [
- "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
 "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
 "Role2WithTags",
 "AKIAI44QH8DHBEXAMPLE",
@@ -270,8 +290,16 @@
 "ip": "81.2.69.144"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111111111111:role/JohnRole2"
+ ]
+ }
+ },
 "user": {
 "id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
 "name": "JohnDoe"
@@ -291,4 +319,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log
new file mode 100644
index 0000000000..ed176bdc12
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6bf9a009-b248-415d-a8a9-63b7fe5621c0","eventName":"AttachGroupPolicy","eventSource":"iam.amazonaws.com","eventTime":"2024-10-08T14:12:17Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"01d08e9a-35d9-4790-97a7-b41d30aa86bf","requestParameters":{"groupName":"TestGroupPolicy","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5bca7082-50b2-4c08-b5e2-1ecf49a48a2b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-group-policy","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log-expected.json
new file mode 100644
index 0000000000..72e7338f74
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log-expected.json
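Review bot: The new test-attach-group-policy-json.log ends with an empty line (the second line of its `@@ -0,0 +1,2 @@` hunk is a bare `+`), and the matching expected file in the following hunk accordingly contains a second, empty event holding only `@timestamp`, `ecs`, `event.kind`/`outcome`/`type` and `tags`. That document is an artefact of the fixture, not of AttachGroupPolicy, and it freezes the pipeline's silent acceptance of a blank input line (no `error.message`, `event.outcome: success`) into the test. Drop the trailing blank line and regenerate the expected file so it holds a single event, as the other new fixtures on this page do.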
@@ -0,0 +1,144 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-08T14:12:17.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "groupName": "TestGroupPolicy", + "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "01d08e9a-35d9-4790-97a7-b41d30aa86bf", + "request_parameters": "{policyArn=arn:aws:iam::aws:policy/ReadOnlyAccess, groupName=TestGroupPolicy}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AttachGroupPolicy", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "6bf9a009-b248-415d-a8a9-63b7fe5621c0", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"6bf9a009-b248-415d-a8a9-63b7fe5621c0\",\"eventName\":\"AttachGroupPolicy\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2024-10-08T14:12:17Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"01d08e9a-35d9-4790-97a7-b41d30aa86bf\",\"requestParameters\":{\"groupName\":\"TestGroupPolicy\",\"policyArn\":\"arn:aws:iam::aws:policy/ReadOnlyAccess\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
exec-env/grimoire_5bca7082-50b2-4c08-b5e2-1ecf49a48a2b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-group-policy\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "group", + "change" + ] + }, + "group": { + "name": "TestGroupPolicy" + }, + "related": { + "entity": [ + "TestGroupPolicy", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "TestGroupPolicy" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5bca7082-50b2-4c08-b5e2-1ecf49a48a2b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-group-policy", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": 
"2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log new file mode 100644 index 0000000000..e2059aa1d6 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log @@ -0,0 +1 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"57ce487a-26dc-4ed7-a79a-38730c5b1d4b","eventName":"AttachRolePolicy","eventSource":"iam.amazonaws.com","eventTime":"2024-10-15T08:28:01Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"8a11d75b-c8c9-47a8-9ce7-6a916d2561fa","requestParameters":{"policyArn":"arn:aws:iam::aws:policy/SecurityAudit","roleName":"cloudtrail-role"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-role-policy","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log-expected.json new file mode 100644 index 0000000000..1951aab7a2 --- /dev/null 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log-expected.json 
@@ -0,0 +1,122 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:28:01.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyArn": "arn:aws:iam::aws:policy/SecurityAudit", + "roleName": "cloudtrail-role" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "8a11d75b-c8c9-47a8-9ce7-6a916d2561fa", + "request_parameters": "{policyArn=arn:aws:iam::aws:policy/SecurityAudit, roleName=cloudtrail-role}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AttachRolePolicy", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "57ce487a-26dc-4ed7-a79a-38730c5b1d4b", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"57ce487a-26dc-4ed7-a79a-38730c5b1d4b\",\"eventName\":\"AttachRolePolicy\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2024-10-15T08:28:01Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"8a11d75b-c8c9-47a8-9ce7-6a916d2561fa\",\"requestParameters\":{\"policyArn\":\"arn:aws:iam::aws:policy/SecurityAudit\",\"roleName\":\"cloudtrail-role\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-role-policy\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "change" + ] + }, + "related": { + "entity": [ + "arn:aws:iam::aws:policy/SecurityAudit", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "cloudtrail-role" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "cloudtrail-role" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-role-policy", + "version": "2.17.60" + } + } + ] +} 
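Review bot: `target.entity.id` for AttachRolePolicy holds only the role name `cloudtrail-role`, whereas the two AttachUserPolicy fixtures on this page put both the policy ARN and the user name into `target.entity.id`, and AttachGroupPolicy holds only the group name. The three Attach*Policy events have the same shape (a principal plus a `policyArn`), so the attached policy should be a target in all three or in none; as pinned here, a query pivoting on the policy ARN in `target.entity.id` finds user attachments but not role or group attachments. If the asymmetry is intended, a short comment in the pipeline or the test README explaining it would save the next reader a diff of the expected files; otherwise align the mapping and regenerate.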
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log
new file mode 100644
index 0000000000..38ba9bd26d
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-06815aa7cf7d21f8f","arn":"arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f","accountId":"000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::000000000:role/ec2-instance-role","accountId":"000000000","userName":"ec2-instance-role"},"attributes":{"creationDate":"2024-10-30T19:14:35Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-30T20:01:59Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.attach-user-policy","requestParameters":{"userName":"pwncloud-backdoor-user","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"responseElements":null,"requestID":"15b731e5-03ff-47bc-aa3e-3c34c9398b25","eventID":"48a0efc2-e7b5-48d0-a3d7-38c44cd15525","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json
new file mode 100644
index 0000000000..cb34ff0871
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json
@@ -0,0 +1,141 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:01:59.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", + "userName": "pwncloud-backdoor-user" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "15b731e5-03ff-47bc-aa3e-3c34c9398b25", + "request_parameters": "{policyArn=arn:aws:iam::aws:policy/AdministratorAccess, userName=pwncloud-backdoor-user}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f", + "session_context": { + "creation_date": "2024-10-30T19:14:35.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "000000000", + "arn": "arn:aws:iam::000000000:role/ec2-instance-role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AttachUserPolicy", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "48a0efc2-e7b5-48d0-a3d7-38c44cd15525", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-06815aa7cf7d21f8f\",\"arn\":\"arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f\",\"accountId\":\"000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:role/ec2-instance-role\",\"accountId\":\"000000000\",\"userName\":\"ec2-instance-role\"},\"attributes\":{\"creationDate\":\"2024-10-30T19:14:35Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-30T20:01:59Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AttachUserPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.attach-user-policy\",\"requestParameters\":{\"userName\":\"pwncloud-backdoor-user\",\"policyArn\":\"arn:aws:iam::aws:policy/AdministratorAccess\"},\"responseElements\":null,\"requestID\":\"15b731e5-03ff-47bc-aa3e-3c34c9398b25\",\"eventID\":\"48a0efc2-e7b5-48d0-a3d7-38c44cd15525\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "user", + "change" + ] + }, + "related": { + "entity": [ + "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f", + "ec2-instance-role", + "pwncloud-backdoor-user", + "ACCESSKEY", + "arn:aws:iam::aws:policy/AdministratorAccess", + "arn:aws:iam::000000000:role/ec2-instance-role" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": 
"216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:iam::aws:policy/AdministratorAccess", + "pwncloud-backdoor-user" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-06815aa7cf7d21f8f", + "name": "ec2-instance-role", + "target": { + "name": "pwncloud-backdoor-user" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.attach-user-policy", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log new file mode 100644 index 0000000000..8647efc62a --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log 
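Review bot: `related.user` in this expected output holds only the target user name, while `user.name` is set to `ec2-instance-role` (from `sessionContext.sessionIssuer.userName`) and is absent from `related.user`; the IAMUser fixture for the same API (test-attach-user-role) lists both the acting and the target user there. For an AssumedRole actor the acting identity is therefore not reachable through `related.user`, the field most detections pivot on, and the expected file freezes that gap. Separately, `session_context.mfa_authenticated` is pinned as the string `"false"` rather than a boolean, which mirrors CloudTrail's own encoding but means consumers must compare strings; if the field is deliberately mapped as keyword, a note in its field definition would make that explicit.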
@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"235db27d-d82f-41e1-b3e2-342752eca2dc","eventName":"AttachUserPolicy","eventSource":"iam.amazonaws.com","eventTime":"2024-09-27T14:34:49Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"00000000000","requestID":"f2cf7066-cc71-4fe6-89fb-2953b9361186","requestParameters":{"policyArn":"arn:aws:iam::aws:policy/SecurityAudit","userName":"test-cloudtrail"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_bcee6d90-1500-4a81-adfc-64c618d768f3 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-user-policy","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"00000000000","arn":"arn:aws:iam::00000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json
new file mode 100644
index 0000000000..4ea30f9aa9
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json
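Review bot: The file name `test-attach-user-role-json.log` does not match its content: the record is an `AttachUserPolicy` call, the same API as `test-attach-user-policy-json.log`, and there is no IAM action named AttachUserRole. The two fixtures do differ usefully (this one has an IAMUser actor, the other an AssumedRole actor), so a name that says so, for example `test-attach-user-policy-iamuser-json.log`, would make the distinction visible in the test listing; the `-expected.json` that follows would need the same rename. The account id placeholder `00000000000` here is eleven digits, which also differs from the nine-digit `000000000` used by the other new fixtures and the twelve-digit `123456789012` of the existing ones.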
@@ -0,0 +1,128 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-27T14:34:49.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyArn": "arn:aws:iam::aws:policy/SecurityAudit", + "userName": "test-cloudtrail" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "f2cf7066-cc71-4fe6-89fb-2953b9361186", + "request_parameters": "{policyArn=arn:aws:iam::aws:policy/SecurityAudit, userName=test-cloudtrail}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::00000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AttachUserPolicy", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "235db27d-d82f-41e1-b3e2-342752eca2dc", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"235db27d-d82f-41e1-b3e2-342752eca2dc\",\"eventName\":\"AttachUserPolicy\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2024-09-27T14:34:49Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"00000000000\",\"requestID\":\"f2cf7066-cc71-4fe6-89fb-2953b9361186\",\"requestParameters\":{\"policyArn\":\"arn:aws:iam::aws:policy/SecurityAudit\",\"userName\":\"test-cloudtrail\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
exec-env/grimoire_bcee6d90-1500-4a81-adfc-64c618d768f3 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-user-policy\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"00000000000\",\"arn\":\"arn:aws:iam::00000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "user", + "change" + ] + }, + "related": { + "entity": [ + "arn:aws:iam::00000000000:user/test@elastic.co", + "arn:aws:iam::aws:policy/SecurityAudit", + "test@elastic.co", + "ACCESSKEYID", + "test-cloudtrail" + ], + "user": [ + "test@elastic.co", + "test-cloudtrail" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:iam::aws:policy/SecurityAudit", + "test-cloudtrail" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co", + "target": { + "name": "test-cloudtrail" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_bcee6d90-1500-4a81-adfc-64c618d768f3 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.attach-user-policy", + "version": "2.17.60" + } + } + ] +} 
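Review bot: The fixture pair is named `test-attach-user-role-json.log` / `test-attach-user-role-json.log-expected.json`, but the event it carries is `AttachUserPolicy` against an IAM user (`userName` is `test-cloudtrail`), not a role; renaming both files to `test-attach-user-policy-json.log` and `test-attach-user-policy-json.log-expected.json` keeps the name honest and leaves room for a genuine AttachRolePolicy fixture later. The expected document itself looks consistent: the attached policy ARN and the target user land in `target.entity.id` and `user.target.name`, and `related.user` lists both the acting and the target user, which is what a privilege-change detection would pivot on.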
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log
new file mode 100644
index 0000000000..f5fc802a91
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-06815aa7cf7d21f8f","arn":"arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f","accountId":"000000000","accessKeyId":"ACCESSKEYID","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::000000000:role/ec2-instance-role","accountId":"000000000","userName":"ec2-instance-role"},"attributes":{"creationDate":"2024-10-30T19:14:35Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-30T19:54:35Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupEgress","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ec2.authorize-security-group-egress","requestParameters":{"groupId":"sg-038ccc3a1f7b05f42","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":4444,"toPort":4444,"groups":{},"ipRanges":{"items":[{"cidrIp":"73.21.4.36/32"}]},"ipv6Ranges":{},"prefixListIds":{}}]}},"responseElements":{"requestId":"2f2b863e-24e1-462e-a630-1eb4f9c9071d","_return":true,"securityGroupRuleSet":{"items":[{"groupOwnerId":"000000000","groupId":"sg-038ccc3a1f7b05f42","securityGroupRuleId":"sgr-02bdc373eac599585","isEgress":true,"ipProtocol":"tcp","fromPort":4444,"toPort":4444,"cidrIpv4":"73.21.4.36/32","securityGroupRuleArn":"arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-02bdc373eac599585"}]}},"requestID":"2f2b863e-24e1-462e-a630-1eb4f9c9071d","eventID":"72a37ea2-cbf9-47bf-9ae0-0149d8acbbbc","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json
new file mode 100644
index 0000000000..c8ecef8a87
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json
@@ -0,0 +1,166 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T19:54:35.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "groupId": "sg-038ccc3a1f7b05f42", + "ipPermissions": { + "items": [ + { + "fromPort": 4444, + "ipProtocol": "tcp", + "ipRanges": { + "items": [ + { + "cidrIp": "73.21.4.36/32" + } + ] + }, + "toPort": 4444 + } + ] + } + }, + "response_elements": { + "_return": true, + "requestId": "2f2b863e-24e1-462e-a630-1eb4f9c9071d", + "securityGroupRuleSet": { + "items": [ + { + "cidrIpv4": "73.21.4.36/32", + "fromPort": 4444, + "groupId": "sg-038ccc3a1f7b05f42", + "groupOwnerId": "000000000", + "ipProtocol": "tcp", + "isEgress": true, + "securityGroupRuleArn": "arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-02bdc373eac599585", + "securityGroupRuleId": "sgr-02bdc373eac599585", + "toPort": 4444 + } + ] + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "2f2b863e-24e1-462e-a630-1eb4f9c9071d", + "request_parameters": "{groupId=sg-038ccc3a1f7b05f42, ipPermissions={items=[{ipRanges={items=[{cidrIp=73.21.4.36/32}]}, fromPort=4444, toPort=4444, ipProtocol=tcp}]}}", + "response_elements": "{_return=true, requestId=2f2b863e-24e1-462e-a630-1eb4f9c9071d, securityGroupRuleSet={items=[{groupOwnerId=000000000, fromPort=4444, groupId=sg-038ccc3a1f7b05f42, isEgress=true, toPort=4444, cidrIpv4=73.21.4.36/32, ipProtocol=tcp, securityGroupRuleArn=arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-02bdc373eac599585, securityGroupRuleId=sgr-02bdc373eac599585}]}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f", + "session_context": { + "creation_date": "2024-10-30T19:14:35.000Z", + 
"mfa_authenticated": "false", + "session_issuer": { + "account_id": "000000000", + "arn": "arn:aws:iam::000000000:role/ec2-instance-role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AuthorizeSecurityGroupEgress", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "72a37ea2-cbf9-47bf-9ae0-0149d8acbbbc", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-06815aa7cf7d21f8f\",\"arn\":\"arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f\",\"accountId\":\"000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:role/ec2-instance-role\",\"accountId\":\"000000000\",\"userName\":\"ec2-instance-role\"},\"attributes\":{\"creationDate\":\"2024-10-30T19:14:35Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-30T19:54:35Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"AuthorizeSecurityGroupEgress\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off 
md/command#ec2.authorize-security-group-egress\",\"requestParameters\":{\"groupId\":\"sg-038ccc3a1f7b05f42\",\"ipPermissions\":{\"items\":[{\"ipProtocol\":\"tcp\",\"fromPort\":4444,\"toPort\":4444,\"groups\":{},\"ipRanges\":{\"items\":[{\"cidrIp\":\"73.21.4.36/32\"}]},\"ipv6Ranges\":{},\"prefixListIds\":{}}]}},\"responseElements\":{\"requestId\":\"2f2b863e-24e1-462e-a630-1eb4f9c9071d\",\"_return\":true,\"securityGroupRuleSet\":{\"items\":[{\"groupOwnerId\":\"000000000\",\"groupId\":\"sg-038ccc3a1f7b05f42\",\"securityGroupRuleId\":\"sgr-02bdc373eac599585\",\"isEgress\":true,\"ipProtocol\":\"tcp\",\"fromPort\":4444,\"toPort\":4444,\"cidrIpv4\":\"73.21.4.36/32\",\"securityGroupRuleArn\":\"arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-02bdc373eac599585\"}]}},\"requestID\":\"2f2b863e-24e1-462e-a630-1eb4f9c9071d\",\"eventID\":\"72a37ea2-cbf9-47bf-9ae0-0149d8acbbbc\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f", + "sgr-02bdc373eac599585", + "ec2-instance-role", + "ACCESSKEYID", + "arn:aws:iam::000000000:role/ec2-instance-role", + "sg-038ccc3a1f7b05f42" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "sgr-02bdc373eac599585", 
+ "sg-038ccc3a1f7b05f42" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-06815aa7cf7d21f8f", + "name": "ec2-instance-role" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ec2.authorize-security-group-egress", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log new file mode 100644 index 0000000000..a2bd9f4957 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log 
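Review bot: The expected document for AuthorizeSecurityGroupEgress has no `event.category` and carries `event.type: ["info"]`, while the sibling AuthorizeSecurityGroupIngress fixture ending at L33 gets `event.category: ["network"]` and `event.type: ["access"]` for the same kind of security-group rule change. A rule keyed on `event.category: network` would therefore see an inbound rule being opened but not an outbound one, which is the direction a data-exfiltration or callback detection cares about; the categorization lives in the pipeline outside this diff, so if the omission is not deliberate it is worth fixing there before this expected file locks it in. Separately, `aws.cloudtrail.user_identity.session_context.mfa_authenticated` is emitted as the string `"false"` (passed through from CloudTrail's `mfaAuthenticated` string), so a filter comparing it to a boolean will not match; confirm the field's mapping type and document the string form if it is intended.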
@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"c409b898-91e4-44d5-a994-68741a8a0212","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T14:11:38Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7","requestParameters":{"groupId":"sg-0f63fecfa17ef4fee","ipPermissions":{"items":[{"fromPort":22,"groups":{},"ipProtocol":"tcp","ipRanges":{"items":[{"cidrIp":"203.0.113.0/24"}]},"ipv6Ranges":{},"prefixListIds":{},"toPort":22}]}},"responseElements":{"_return":true,"requestId":"8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7","securityGroupRuleSet":{"items":[{"cidrIpv4":"203.0.113.0/24","fromPort":22,"groupId":"sg-0f63fecfa17ef4fee","groupOwnerId":"000000000","ipProtocol":"tcp","isEgress":false,"securityGroupRuleArn":"arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-027eb7c59241731e0","securityGroupRuleId":"sgr-027eb7c59241731e0","toPort":22}]}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e38e3427-7c59-42f2-93e6-4142e9fe9e42 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.authorize-security-group-ingress","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log-expected.json
new file mode 100644
index 0000000000..c04e4f6ce3
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log-expected.json 
@@ -0,0 +1,158 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T14:11:38.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "groupId": "sg-0f63fecfa17ef4fee", + "ipPermissions": { + "items": [ + { + "fromPort": 22, + "ipProtocol": "tcp", + "ipRanges": { + "items": [ + { + "cidrIp": "203.0.113.0/24" + } + ] + }, + "toPort": 22 + } + ] + } + }, + "response_elements": { + "_return": true, + "requestId": "8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7", + "securityGroupRuleSet": { + "items": [ + { + "cidrIpv4": "203.0.113.0/24", + "fromPort": 22, + "groupId": "sg-0f63fecfa17ef4fee", + "groupOwnerId": "000000000", + "ipProtocol": "tcp", + "isEgress": false, + "securityGroupRuleArn": "arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-027eb7c59241731e0", + "securityGroupRuleId": "sgr-027eb7c59241731e0", + "toPort": 22 + } + ] + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7", + "request_parameters": "{groupId=sg-0f63fecfa17ef4fee, ipPermissions={items=[{ipRanges={items=[{cidrIp=203.0.113.0/24}]}, fromPort=22, toPort=22, ipProtocol=tcp}]}}", + "response_elements": "{_return=true, requestId=8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7, securityGroupRuleSet={items=[{groupOwnerId=000000000, fromPort=22, groupId=sg-0f63fecfa17ef4fee, isEgress=false, toPort=22, cidrIpv4=203.0.113.0/24, ipProtocol=tcp, securityGroupRuleArn=arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-027eb7c59241731e0, securityGroupRuleId=sgr-027eb7c59241731e0}]}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": 
"8.11.0" + }, + "event": { + "action": "AuthorizeSecurityGroupIngress", + "category": [ + "network" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "c409b898-91e4-44d5-a994-68741a8a0212", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"c409b898-91e4-44d5-a994-68741a8a0212\",\"eventName\":\"AuthorizeSecurityGroupIngress\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T14:11:38Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7\",\"requestParameters\":{\"groupId\":\"sg-0f63fecfa17ef4fee\",\"ipPermissions\":{\"items\":[{\"fromPort\":22,\"groups\":{},\"ipProtocol\":\"tcp\",\"ipRanges\":{\"items\":[{\"cidrIp\":\"203.0.113.0/24\"}]},\"ipv6Ranges\":{},\"prefixListIds\":{},\"toPort\":22}]}},\"responseElements\":{\"_return\":true,\"requestId\":\"8ee075b1-8c09-4cfc-99f5-3f9bbc2382a7\",\"securityGroupRuleSet\":{\"items\":[{\"cidrIpv4\":\"203.0.113.0/24\",\"fromPort\":22,\"groupId\":\"sg-0f63fecfa17ef4fee\",\"groupOwnerId\":\"000000000\",\"ipProtocol\":\"tcp\",\"isEgress\":false,\"securityGroupRuleArn\":\"arn:aws:ec2:us-east-1:000000000:security-group-rule/sgr-027eb7c59241731e0\",\"securityGroupRuleId\":\"sgr-027eb7c59241731e0\",\"toPort\":22}]}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e38e3427-7c59-42f2-93e6-4142e9fe9e42 cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#ec2.authorize-security-group-ingress\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "access" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "sg-0f63fecfa17ef4fee", + "sgr-027eb7c59241731e0" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "sg-0f63fecfa17ef4fee", + "sgr-027eb7c59241731e0" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e38e3427-7c59-42f2-93e6-4142e9fe9e42 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.authorize-security-group-ingress", + "version": "2.17.60" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log new file mode 100644 index 0000000000..c7b8349955 
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log
@@ -0,0 +1 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"283afd25-3625-45e4-b51e-31b0e67963da","eventName":"BatchGetSecretValue","eventSource":"secretsmanager.amazonaws.com","eventTime":"2024-10-11T08:56:05Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":true,"recipientAccountId":"000000000","requestID":"52bd26ff-6fe4-4929-b853-2bda688a84f1","requestParameters":{"secretIdList":["arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj","arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR"]},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"secretsmanager.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.batch-get-secret-value","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log-expected.json
new file mode 100644
index 0000000000..55cf47d66a
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log-expected.json
@@ -0,0 +1,122 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-11T08:56:05.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "secretIdList": [ + "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj", + "arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR" + ] + } + }, + "read_only": true, + "recipient_account_id": "000000000", + "request_id": "52bd26ff-6fe4-4929-b853-2bda688a84f1", + "request_parameters": "{secretIdList=[arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj, arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR]}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "BatchGetSecretValue", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "283afd25-3625-45e4-b51e-31b0e67963da", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"283afd25-3625-45e4-b51e-31b0e67963da\",\"eventName\":\"BatchGetSecretValue\",\"eventSource\":\"secretsmanager.amazonaws.com\",\"eventTime\":\"2024-10-11T08:56:05Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":true,\"recipientAccountId\":\"000000000\",\"requestID\":\"52bd26ff-6fe4-4929-b853-2bda688a84f1\",\"requestParameters\":{\"secretIdList\":[\"arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj\",\"arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR\"]},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"secretsmanager.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.batch-get-secret-value\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "secretsmanager.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + 
"lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj", + "arn:aws:secretsmanager:us-east-1:000000000:secret:DdApiKeySecret-aUFEgO4SmSGN-xqgqXR" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "secretsmanager.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.batch-get-secret-value", + "version": "2.17.60" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json index 8270777aaf..4e2e1a2ecc 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-09T00:09:33.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "AccessDeniedException", @@ -45,7 +52,6 @@ }, "related": { "entity": [ - "0123456789012", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" 
@@ -59,7 +65,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "0123456789012",
@@ -76,6 +83,13 @@
 },
 {
 "@timestamp": "2020-01-09T00:03:36.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -117,7 +131,6 @@
 },
 "related": {
 "entity": [
- "0123456789012",
 "EXAMPLE_KEY",
 "Alice",
 "arn:aws:iam::0123456789012:user/Alice"
@@ -131,7 +144,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "0123456789012",
@@ -147,4 +161,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
index 282b015687..da3a894ef5 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
@@ -140,14 +140,14 @@
 "path": "AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T193649Z.json.gz"
 },
 "related": {
- "entity": [],
 "hash": [
 "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"
 ]
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml
index be4860babd..3c66dfd812 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml
@@ -8,3 +8,4 @@ fields:
 '@timestamp': '2021-11-11T01:02:03.123456789Z'
 tags:
 - preserve_original_event
+ - actor_target_mapping
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
index 1c40e46d95..965f45cfee 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2014-07-16T15:49:27.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111122223333:user/JohnDoe"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
@@ -56,7 +63,6 @@
 },
 "related": {
 "entity": [
- "AIDACKCEVSQ6C2EXAMPLE",
 "JohnDoe",
 "arn:aws:iam::111122223333:user/JohnDoe"
 ],
@@ -87,7 +93,8 @@
 "ip": "89.160.20.156"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "AIDACKCEVSQ6C2EXAMPLE",
@@ -104,11 +111,18 @@
 "name": "Windows",
 "version": "7"
 },
- "version": "24.0."
+ "version": "24.0"
 }
 },
 {
 "@timestamp": "2014-07-08T17:35:27.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::111122223333:user/JaneDoe"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
@@ -164,7 +178,6 @@
 },
 "related": {
 "entity": [
- "AIDACKCEVSQ6C2EXAMPLE",
 "JaneDoe",
 "arn:aws:iam::111122223333:user/JaneDoe"
 ],
@@ -195,7 +208,8 @@
 "ip": "89.160.20.156"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "AIDACKCEVSQ6C2EXAMPLE",
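Review bot: Adding `actor_target_mapping` to the shared `test-common-config.yml` switches every pipeline fixture in this directory to the tagged path (the `tags` updates in the change-password, digest and console-login expected files in this diff follow from it), so the pipeline's behaviour without the tag is no longer covered by any fixture unless a test-specific config overrides this file. Keeping one fixture on a per-test config that omits the tag, with its expected output free of `actor` and `target` fields, would keep the default path under test and make an accidental change to the untagged branch visible.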
@@ -212,11 +226,18 @@ "name": "Windows", "version": "7" }, - "version": "24.0." + "version": "24.0" } }, { "@timestamp": "2014-07-08T17:35:27.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName" + ] + } + }, "aws": { "cloudtrail": { "additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}", @@ -284,7 +305,6 @@ "entity": [ "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", "arn:aws:iam::123456789012:role/RoleToBeAssumed", - "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "AKIAIOSFODNN7EXAMPLE", "RoleToBeAssumed" ] @@ -312,7 +332,8 @@ "ip": "89.160.20.156" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", @@ -329,8 +350,8 @@ "name": "Windows", "version": "7" }, - "version": "24.0." + "version": "24.0" } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log new file mode 100644 index 0000000000..4407783791 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log 
@@ -0,0 +1 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-03cd6b2a7eb4bf3ae","arn":"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae","accountId":"00000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:role/private-ec2-instance-role","accountId":"00000000000","userName":"private-ec2-instance-role"},"attributes":{"creationDate":"2024-10-29T14:29:03Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-29T15:51:44Z","eventSource":"bedrock.amazonaws.com","eventName":"Converse","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"Boto3/1.35.50 md/Botocore#1.35.50 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.50","requestParameters":{"modelId":"anthropic.claude-3-5-sonnet-20240620-v1:0"},"responseElements":null,"requestID":"aff6f361-1ef0-4460-97af-26528a80b511","eventID":"3d67c35a-eef1-4d64-9620-77af8f372ae7","readOnly":true,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"bedrock-runtime.us-east-1.amazonaws.com"}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json
new file mode 100644
index 0000000000..9e44d3cefc
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json
@@ -0,0 +1,129 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-29T15:51:44.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "modelId": "anthropic.claude-3-5-sonnet-20240620-v1:0" + } + }, + "read_only": true, + "recipient_account_id": "00000000000", + "request_id": "aff6f361-1ef0-4460-97af-26528a80b511", + "request_parameters": "{modelId=anthropic.claude-3-5-sonnet-20240620-v1:0}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae", + "session_context": { + "creation_date": "2024-10-29T14:29:03.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "00000000000", + "arn": "arn:aws:iam::00000000000:role/private-ec2-instance-role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Converse", + "category": [ + "api" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "3d67c35a-eef1-4d64-9620-77af8f372ae7", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-03cd6b2a7eb4bf3ae\",\"arn\":\"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:role/private-ec2-instance-role\",\"accountId\":\"00000000000\",\"userName\":\"private-ec2-instance-role\"},\"attributes\":{\"creationDate\":\"2024-10-29T14:29:03Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-29T15:51:44Z\",\"eventSource\":\"bedrock.amazonaws.com\",\"eventName\":\"Converse\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Boto3/1.35.50 md/Botocore#1.35.50 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.50\",\"requestParameters\":{\"modelId\":\"anthropic.claude-3-5-sonnet-20240620-v1:0\"},\"responseElements\":null,\"requestID\":\"aff6f361-1ef0-4460-97af-26528a80b511\",\"eventID\":\"3d67c35a-eef1-4d64-9620-77af8f372ae7\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"bedrock-runtime.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "bedrock.amazonaws.com", + "type": [] + }, + "related": { + "entity": [ + "private-ec2-instance-role", + "arn:aws:iam::00000000000:role/private-ec2-instance-role", + "ACCESSKEY", + "anthropic.claude-3-5-sonnet-20240620-v1:0", + "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + 
"country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "anthropic.claude-3-5-sonnet-20240620-v1:0" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "bedrock-runtime.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-03cd6b2a7eb4bf3ae", + "name": "private-ec2-instance-role" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "Boto3", + "original": "Boto3/1.35.50 md/Botocore#1.35.50 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.50", + "os": { + "name": "Linux" + }, + "version": "1.35.50" + } + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log new file mode 100644 index 0000000000..d656cb52ca --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log 
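Review bot: `event.type` is emitted as an empty array (`"type": []`) for the Converse event while `event.category` is `["api"]`; an empty event.type carries no information and ECS expects at least one value when the field is present, so the pipeline step that derives it presumably has no branch for this eventName. Either drop the field when nothing matches or give it a value (the CopyObject fixture in this same commit gets `"info"`, and conversely that one has no `event.category` at all), so that the two new fixtures encode one consistent categorization policy. The pipeline definition that produces this is not part of this diff.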
@@ -0,0 +1,2 @@
+{"eventVersion":"1.09","userIdentity":{"type":"IAMUser","principalId":"ACCESSKEYID","arn":"arn:aws:iam::000000000:user/test@elastic.co","accountId":"000000000","accessKeyId":"ACCESSKEYID","userName":"test@elastic.co"},"eventTime":"2024-10-08T12:24:16Z","eventSource":"s3.amazonaws.com","eventName":"CopyObject","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.copy-object]","requestParameters":{"bucketName":"elastic-cspm-cloudtrail-test-bucket","Host":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","x-amz-copy-source":"elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md","key":"test-copy-object/README-copy.md"},"responseElements":{"x-amz-server-side-encryption":"AES256"},"additionalEventData":{"SignatureVersion":"SigV4","CipherSuite":"TLS_AES_128_GCM_SHA256","bytesTransferredIn":0,"SSEApplied":"Default_SSE_S3","AuthenticationMethod":"AuthHeader","x-amz-id-2":"hFhfe14yINVvz+alr1rC5zPFufFU087OGEbVwf5HpD1BYs5D2llscEUSD7DUGjlSYkOEoay+oVk=","bytesTransferredOut":224},"requestID":"62A9N2AH4P4YKG2B","eventID":"0c06e2ff-5e88-44e6-a081-57871bbe770b","readOnly":false,"resources":[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README-copy.md"},{"accountId":"000000000","type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket"},{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md"}],"eventType":"AwsApiCall","recipientAccountId":"000000000","eventCategory":"Data","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com"}}
+
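Review bot: The new fixture ends with an empty second line (the `+1,2` count and the bare `+` closing the hunk), and the matching expected file gains a second document holding only `@timestamp`, `ecs`, `event` and `tags`, with `event.outcome: success`. The same trailing blank line is added to test-create-control-channel-json.log, test-create-db-instance-json.log and test-create-detector-json.log, and the control-channel and db-instance expected files show the same phantom document. That document is an artifact of the fixture, not a CloudTrail event; remove the blank line from the four `.log` files and regenerate the expected files so each holds only real events. It also shows that the pipeline turns an empty input line into a document marked `event.outcome: success` with no error indication; if that is not intended, dropping empty or whitespace-only messages (or routing them through the failure path with a tag) in the pipeline definition, which is not part of this diff, would keep such records out of the index.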
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log-expected.json new file mode 100644 index 0000000000..0c0b32551f --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log-expected.json 
@@ -0,0 +1,172 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-08T12:24:16.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=0, SSEApplied=Default_SSE_S3, AuthenticationMethod=AuthHeader, x-amz-id-2=hFhfe14yINVvz+alr1rC5zPFufFU087OGEbVwf5HpD1BYs5D2llscEUSD7DUGjlSYkOEoay+oVk=, bytesTransferredOut=224}", + "event_category": "Data", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SSEApplied": "Default_SSE_S3", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 0, + "bytesTransferredOut": 224, + "x-amz-id-2": "hFhfe14yINVvz+alr1rC5zPFufFU087OGEbVwf5HpD1BYs5D2llscEUSD7DUGjlSYkOEoay+oVk=" + }, + "request_parameters": { + "Host": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com", + "bucketName": "elastic-cspm-cloudtrail-test-bucket", + "key": "test-copy-object/README-copy.md", + "x-amz-copy-source": "elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md" + }, + "response_elements": { + "x-amz-server-side-encryption": "AES256" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "62A9N2AH4P4YKG2B", + "request_parameters": "{bucketName=elastic-cspm-cloudtrail-test-bucket, Host=elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com, x-amz-copy-source=elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md, key=test-copy-object/README-copy.md}", + "resources": [ + { + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md", + "type": "AWS::S3::Object" + }, + { + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README-copy.md", + "type": "AWS::S3::Object" + }, + { + "account_id": "000000000", + "arn": 
"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "type": "AWS::S3::Bucket" + } + ], + "response_elements": "{x-amz-server-side-encryption=AES256}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CopyObject", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "0c06e2ff-5e88-44e6-a081-57871bbe770b", + "kind": "event", + "original": "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"ACCESSKEYID\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"accountId\":\"000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"test@elastic.co\"},\"eventTime\":\"2024-10-08T12:24:16Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"CopyObject\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#s3api.copy-object]\",\"requestParameters\":{\"bucketName\":\"elastic-cspm-cloudtrail-test-bucket\",\"Host\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"x-amz-copy-source\":\"elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md\",\"key\":\"test-copy-object/README-copy.md\"},\"responseElements\":{\"x-amz-server-side-encryption\":\"AES256\"},\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":0,\"SSEApplied\":\"Default_SSE_S3\",\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"hFhfe14yINVvz+alr1rC5zPFufFU087OGEbVwf5HpD1BYs5D2llscEUSD7DUGjlSYkOEoay+oVk=\",\"bytesTransferredOut\":224},\"requestID\":\"62A9N2AH4P4YKG2B\",\"eventID\":\"0c06e2ff-5e88-44e6-a081-57871bbe770b\",\"readOnly\":false,\"resources\":[{\"type\":\"AWS::S3::Object\",\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README-copy.md\"},{\"accountId\":\"000000000\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket\"},{\"type\":\"AWS::S3::Object\",\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Data\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "test@elastic.co", + "elastic-cspm-cloudtrail-test-bucket", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README-copy.md", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { 
+ "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README-copy.md", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-copy-object/README.md" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "ACCESSKEYID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.copy-object]", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json index 83be5b2ae3..e64e27d4b6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-08T20:43:06.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -62,11 +69,10 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Bob", - "Alice", "EXAMPLE_KEY_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ @@ -79,8 +85,17 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], + "target": { + "entity": { + "id": [ + "Bob", + "EXAMPLE_KEY_ID" + ] + } + }, "user": { "id": "EXAMPLE_ID", "name": "Alice", @@ -97,4 +112,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log new file mode 100644 index 0000000000..c19b863a2f --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log 
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-05e14c76fdb335957","arn":"arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957","accountId":"00000000000","accessKeyId":"ACCESSKEYID","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:role/bedrock_ec2_role","accountId":"00000000000","userName":"bedrock_ec2_role"},"attributes":{"creationDate":"2024-11-01T13:35:39Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-11-01T14:10:37Z","eventSource":"ssm.amazonaws.com","eventName":"CreateControlChannel","awsRegion":"us-east-2","sourceIPAddress":"216.160.83.56","userAgent":"Go-http-client/1.1","errorCode":"AccessDenied","errorMessage":"User: arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957 is not authorized to perform: ssmmessages:CreateControlChannel on resource: arn:aws:ec2:us-east-2:00000000000:instance/i-05e14c76fdb335957 because no identity-based policy allows the ssmmessages:CreateControlChannel action","requestParameters":null,"responseElements":null,"requestID":"b2196aab-52aa-43f2-bb93-74a330b623f0","eventID":"65679ba9-4201-4785-a7f9-6cc998e4c2f7","readOnly":false,"resources":[{"accountId":"00000000000","type":"AWS::SSMMessages::ControlChannel","ARN":"arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957"}],"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Data","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssmmessages.us-east-2.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json
new file mode 100644
index 0000000000..c450db9f5c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json 
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-01T14:10:37.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957" + ] + } + }, + "aws": { + "cloudtrail": { + "error_code": "AccessDenied", + "error_message": "User: arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957 is not authorized to perform: ssmmessages:CreateControlChannel on resource: arn:aws:ec2:us-east-2:00000000000:instance/i-05e14c76fdb335957 because no identity-based policy allows the ssmmessages:CreateControlChannel action", + "event_category": "Data", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": {}, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "b2196aab-52aa-43f2-bb93-74a330b623f0", + "resources": [ + { + "account_id": "00000000000", + "arn": "arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957", + "type": "AWS::SSMMessages::ControlChannel" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957", + "session_context": { + "creation_date": "2024-11-01T13:35:39.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "00000000000", + "arn": "arn:aws:iam::00000000000:role/bedrock_ec2_role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateControlChannel", + "category": [ + "session" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "65679ba9-4201-4785-a7f9-6cc998e4c2f7", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-05e14c76fdb335957\",\"arn\":\"arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:role/bedrock_ec2_role\",\"accountId\":\"00000000000\",\"userName\":\"bedrock_ec2_role\"},\"attributes\":{\"creationDate\":\"2024-11-01T13:35:39Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-11-01T14:10:37Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"CreateControlChannel\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Go-http-client/1.1\",\"errorCode\":\"AccessDenied\",\"errorMessage\":\"User: arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957 is not authorized to perform: ssmmessages:CreateControlChannel on resource: arn:aws:ec2:us-east-2:00000000000:instance/i-05e14c76fdb335957 because no identity-based policy allows the ssmmessages:CreateControlChannel action\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"b2196aab-52aa-43f2-bb93-74a330b623f0\",\"eventID\":\"65679ba9-4201-4785-a7f9-6cc998e4c2f7\",\"readOnly\":false,\"resources\":[{\"accountId\":\"00000000000\",\"type\":\"AWS::SSMMessages::ControlChannel\",\"ARN\":\"arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Data\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssmmessages.us-east-2.amazonaws.com\"}}", + "outcome": "failure", + "provider": "ssm.amazonaws.com", + "type": [ + "start" + ] + }, + "related": { + "entity": [ + "ACCESSKEYID", + 
"arn:aws:sts::00000000000:assumed-role/bedrock_ec2_role/i-05e14c76fdb335957", + "bedrock_ec2_role", + "arn:aws:iam::00000000000:role/bedrock_ec2_role", + "arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:ssmmessages:us-east-2:00000000000:control-channel/i-05e14c76fdb335957" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssmmessages.us-east-2.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-05e14c76fdb335957", + "name": "bedrock_ec2_role" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Go-http-client", + "original": "Go-http-client/1.1", + "version": "1.1" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log index 8b19e97a99..f35410759f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log 
@@ -1 +1,2 @@ -{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"d82a0cd1-6987-459a-b7bc-557a06bf16f2","eventName":"CreateDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-09-11T09:29:51Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"b51e7190-610a-40c7-bb1c-a0895e3518f8","requestParameters":{"allocatedStorage":20,"dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","engine":"mysql","masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS","masterUsername":"admin"},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","dBInstanceStatus":"creating","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subn
etStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-ANY6I3FNUJC7WQKYS5RFPU7ORM","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.35","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{"masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS"},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:23-09:53","preferredMaintenanceWindow":"sun:06:55-sun:07:25","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/rds.create-db-instance","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file 
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"d82a0cd1-6987-459a-b7bc-557a06bf16f2","eventName":"CreateDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-09-11T09:29:51Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"b51e7190-610a-40c7-bb1c-a0895e3518f8","requestParameters":{"allocatedStorage":20,"dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","engine":"mysql","masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS","masterUsername":"admin"},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:1010101010101:db:test-cloudtrail-event-instance-14340","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-14340","dBInstanceStatus":"creating","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Act
ive"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-ANY6I3FNUJC7WQKYS5RFPU7ORM","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.35","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{"masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS"},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:23-09:53","preferredMaintenanceWindow":"sun:06:55-sun:07:25","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/rds.create-db-instance","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json index 2b0cca9778..b37a6c6fd5 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2024-09-11T09:29:51.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co" + ] + } + }, "aws": { "cloudtrail": { "event_category": "Management", @@ -167,7 +174,6 @@ "subnet-37391109", "subnet-bf6ab5b1", "subnet-8bdf6bc6", - "AIDA2IBR2EZTJMPOR52WV", "vpc-73d2e309", "test-cloudtrail-event-instance-14340", "ACCESS_KEY_EXAMPLE", @@ -198,7 +204,8 @@ "ip": "216.160.83.56" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "tls": { "cipher": "TLS_AES_128_GCM_SHA256", @@ -220,6 +227,24 @@ "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/rds.create-db-instance", "version": "2.14.5" } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log new file mode 100644 index 0000000000..c626c9ebfd --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log 
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5066c6b7-e140-4fc9-96bf-0a2ce3c90687","eventName":"CreateDetector","eventSource":"guardduty.amazonaws.com","eventTime":"2024-09-27T13:39:32Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"00000000000","requestID":"1fc0f718-6358-4cce-aa9b-1dfc09e7a59a","requestParameters":{"clientToken":"7d152911-fcab-4cb5-8bd8-0516d868d0fd","enable":false},"responseElements":{"detectorId":"82c919daa523bc69d203c24868c06849"},"sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#guardduty.create-detector","userIdentity":{"accessKeyId":"TESTACCESSKEY","accountId":"00000000000","arn":"arn:aws:iam::00000000000:user/test@elastic.co","principalId":"TESTPRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log-expected.json new file mode 100644 index 0000000000..011e79f343 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log-expected.json 
@@ -0,0 +1,132 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-27T13:39:32.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "clientToken": "7d152911-fcab-4cb5-8bd8-0516d868d0fd", + "enable": false + }, + "response_elements": { + "detectorId": "82c919daa523bc69d203c24868c06849" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "1fc0f718-6358-4cce-aa9b-1dfc09e7a59a", + "request_parameters": "{clientToken=7d152911-fcab-4cb5-8bd8-0516d868d0fd, enable=false}", + "response_elements": "{detectorId=82c919daa523bc69d203c24868c06849}", + "user_identity": { + "access_key_id": "TESTACCESSKEY", + "arn": "arn:aws:iam::00000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateDetector", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "5066c6b7-e140-4fc9-96bf-0a2ce3c90687", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5066c6b7-e140-4fc9-96bf-0a2ce3c90687\",\"eventName\":\"CreateDetector\",\"eventSource\":\"guardduty.amazonaws.com\",\"eventTime\":\"2024-09-27T13:39:32Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"00000000000\",\"requestID\":\"1fc0f718-6358-4cce-aa9b-1dfc09e7a59a\",\"requestParameters\":{\"clientToken\":\"7d152911-fcab-4cb5-8bd8-0516d868d0fd\",\"enable\":false},\"responseElements\":{\"detectorId\":\"82c919daa523bc69d203c24868c06849\"},\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#guardduty.create-detector\",\"userIdentity\":{\"accessKeyId\":\"TESTACCESSKEY\",\"accountId\":\"00000000000\",\"arn\":\"arn:aws:iam::00000000000:user/test@elastic.co\",\"principalId\":\"TESTPRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "guardduty.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:iam::00000000000:user/test@elastic.co", + "82c919daa523bc69d203c24868c06849", + "test@elastic.co", + "TESTACCESSKEY" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "82c919daa523bc69d203c24868c06849" + ] + } + }, + "user": { + "id": "TESTPRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#guardduty.create-detector", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
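Review bot: `target.entity.id` in this hunk is the bare GuardDuty `detectorId` (`82c919daa523bc69d203c24868c06849`), which is only unique within one account and region, whereas the other new fixtures in this change (e.g. `CreatePolicy`) use a full ARN as the target, so the entity mapping is inconsistent across services and bare detector IDs can collide in a multi-account deployment. If the pipeline cannot build the detector ARN (`arn:aws:guardduty:<region>:<account>:detector/<id>`), consider scoping the entity with `cloud.account.id`/`cloud.region` or documenting that target IDs are service-specific. The trailing document (fixed 2021 timestamp, `event.outcome: success`, no `event.original`) looks like the artifact of the blank second line in the `.log` fixture rather than a real event and should not be asserted as expected output.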
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log new file mode 100644 index 0000000000..3cc55a36f5 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log 
@@ -0,0 +1,2 @@ +{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/pwncloud-backdoor-user","accountId":"00000000000","accessKeyId":"ACCESSKEY","userName":"pwncloud-backdoor-user"},"eventTime":"2024-10-30T20:30:00Z","eventSource":"ssm.amazonaws.com","eventName":"CreateDocument","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ssm.create-document","requestParameters":{"content":"HIDDEN_DUE_TO_SECURITY_REASONS","name":"EncryptFilesAndUploadRansomNote","documentFormat":"YAML"},"responseElements":{"documentDescription":{"hash":"21000908d6c4f7ec7a1613003be9d48c059628bfd4d5c9814d55baafe83bcbc6","hashType":"Sha256","name":"EncryptFilesAndUploadRansomNote","owner":"00000000000","createdDate":"Oct 30, 2024 8:29:59 PM","status":"Creating","documentVersion":"1","description":"Custom Pwncloud SSM Document to Encrypt S3 Bucket Files, Exfiltrate via SNS and HTTP, and Upload Ransom Note","platformTypes":["Linux","MacOS"],"documentType":"Command","schemaVersion":"2.2","latestVersion":"1","defaultVersion":"1","documentFormat":"YAML","tags":[],"documentId":"091a4f36-2482-4b1e-ba17-b7851b0d422d"}},"requestID":"ad275bc7-b7ef-4ae0-ade5-0d92ac331c40","eventID":"82eb6527-ed28-40a3-b096-a2dc3d225115","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log-expected.json new file mode 100644 index 0000000000..72f12bda1d 
--- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log-expected.json 
@@ -0,0 +1,166 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:30:00.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "content": "HIDDEN_DUE_TO_SECURITY_REASONS", + "documentFormat": "YAML", + "name": "EncryptFilesAndUploadRansomNote" + }, + "response_elements": { + "documentDescription": { + "createdDate": "Oct 30, 2024 8:29:59 PM", + "defaultVersion": "1", + "description": "Custom Pwncloud SSM Document to Encrypt S3 Bucket Files, Exfiltrate via SNS and HTTP, and Upload Ransom Note", + "documentFormat": "YAML", + "documentId": "091a4f36-2482-4b1e-ba17-b7851b0d422d", + "documentType": "Command", + "documentVersion": "1", + "hash": "21000908d6c4f7ec7a1613003be9d48c059628bfd4d5c9814d55baafe83bcbc6", + "hashType": "Sha256", + "latestVersion": "1", + "name": "EncryptFilesAndUploadRansomNote", + "owner": "00000000000", + "platformTypes": [ + "Linux", + "MacOS" + ], + "schemaVersion": "2.2", + "status": "Creating" + } + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "ad275bc7-b7ef-4ae0-ade5-0d92ac331c40", + "request_parameters": "{name=EncryptFilesAndUploadRansomNote, documentFormat=YAML, content=HIDDEN_DUE_TO_SECURITY_REASONS}", + "response_elements": "{documentDescription={owner=00000000000, schemaVersion=2.2, documentType=Command, description=Custom Pwncloud SSM Document to Encrypt S3 Bucket Files, Exfiltrate via SNS and HTTP, and Upload Ransom Note, documentVersion=1, createdDate=Oct 30, 2024 8:29:59 PM, latestVersion=1, name=EncryptFilesAndUploadRansomNote, documentId=091a4f36-2482-4b1e-ba17-b7851b0d422d, documentFormat=YAML, hashType=Sha256, hash=21000908d6c4f7ec7a1613003be9d48c059628bfd4d5c9814d55baafe83bcbc6, defaultVersion=1, status=Creating, platformTypes=[Linux, MacOS]}}", + 
"user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateDocument", + "category": [ + "file" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "82eb6527-ed28-40a3-b096-a2dc3d225115", + "kind": "event", + "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/pwncloud-backdoor-user\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"userName\":\"pwncloud-backdoor-user\"},\"eventTime\":\"2024-10-30T20:30:00Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"CreateDocument\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ssm.create-document\",\"requestParameters\":{\"content\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"name\":\"EncryptFilesAndUploadRansomNote\",\"documentFormat\":\"YAML\"},\"responseElements\":{\"documentDescription\":{\"hash\":\"21000908d6c4f7ec7a1613003be9d48c059628bfd4d5c9814d55baafe83bcbc6\",\"hashType\":\"Sha256\",\"name\":\"EncryptFilesAndUploadRansomNote\",\"owner\":\"00000000000\",\"createdDate\":\"Oct 30, 2024 8:29:59 PM\",\"status\":\"Creating\",\"documentVersion\":\"1\",\"description\":\"Custom Pwncloud SSM Document to Encrypt S3 Bucket Files, Exfiltrate via SNS and HTTP, and Upload Ransom 
Note\",\"platformTypes\":[\"Linux\",\"MacOS\"],\"documentType\":\"Command\",\"schemaVersion\":\"2.2\",\"latestVersion\":\"1\",\"defaultVersion\":\"1\",\"documentFormat\":\"YAML\",\"tags\":[],\"documentId\":\"091a4f36-2482-4b1e-ba17-b7851b0d422d\"}},\"requestID\":\"ad275bc7-b7ef-4ae0-ade5-0d92ac331c40\",\"eventID\":\"82eb6527-ed28-40a3-b096-a2dc3d225115\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "creation" + ] + }, + "related": { + "entity": [ + "pwncloud-backdoor-user", + "ACCESSKEY", + "EncryptFilesAndUploadRansomNote", + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "EncryptFilesAndUploadRansomNote" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "pwncloud-backdoor-user" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off 
md/command#ssm.create-document", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json index e2c3e3094e..4b5b2ee8f6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-09T01:48:44.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -67,7 +74,6 @@ }, "related": { "entity": [ - "0123456789012", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -81,7 +87,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "0123456789012", @@ -97,6 +104,13 @@ }, { "@timestamp": "2020-01-09T02:22:03.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "EntityAlreadyExistsException", @@ -148,7 +162,6 @@ }, "related": { "entity": [ - "0123456789012", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -162,7 +175,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "0123456789012", 
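Review bot: This hunk asserts `event.category: ["file"]` with `event.type: ["creation"]` for an SSM `CreateDocument` call; an SSM Command document is an account-level configuration object executed by `SendCommand`, not a filesystem object, so `configuration` seems the closer ECS category — worth checking whether the pipeline keys on the generic `CreateDocument` name rather than on `eventSource: ssm.amazonaws.com`. Note also that `requestParameters.content` is `HIDDEN_DUE_TO_SECURITY_REASONS`, so the document body is never available from CloudTrail; the `hash`/`hashType` in `responseElements` are the only content-derived signal and are currently left in `flattened.response_elements` with no ECS mapping, which detections on a known-bad document (this ransomware-simulation fixture being the obvious case) would want. The trailing document with the fixed 2021 timestamp appears to come from the blank second line of the `.log` fixture and should not be part of the expected output.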
@@ -179,6 +193,13 @@ }, { "@timestamp": "2020-01-09T01:48:44.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -253,7 +274,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user_agent": { "device": { @@ -265,6 +287,13 @@ }, { "@timestamp": "2020-01-09T02:22:03.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "EntityAlreadyExistsException", @@ -325,7 +354,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json index 7df29037c6..521c349c6d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2014-03-06T17:10:34.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_version": "1.0", @@ -54,7 +61,6 @@ }, "related": { "entity": [ - "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "EXAMPLE_KEY_ID", "Alice" @@ -86,7 +92,8 @@ "ip": "89.160.20.156" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EX_PRINCIPAL_ID", @@ -104,4 +111,4 @@ } } ] -} \ No newline at end of file +} 
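Review bot: The `@@ -54,7 +61,6 @@` hunk of the key-pair fixture drops `EX_PRINCIPAL_ID` from `related.entity`, and the create-group hunks on this and the previous line drop `0123456789012` the same way, while both values are still emitted as `user.id`. `related.entity` is the field analysts pivot on, and IAM principal IDs (`AIDA…`/`AROA…`) are stable across user renames where the ARN and `user.name` are not, so removing them weakens correlation rather than merely tidying the list. If the new actor/target mapping deliberately limits `related.entity` to ARNs and resource names, state that in the PR description and consider keeping the principal ID in `related.user` (or alongside the ARN in `related.entity`).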
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log index a7570e1d61..8e9ffb824f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log 
@@ -1 +1,2 @@ -{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6642d073-04f9-474f-a31d-5ef412875c07","eventName":"CreateFunction20150331","eventSource":"lambda.amazonaws.com","eventTime":"2024-09-11T09:29:33Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"1ea1d5c8-9cfc-4e18-8256-3dfbcfc43e0b","requestParameters":{"code":{},"environment":{},"functionName":"cloudtrail-events-test","handler":"lambda.handler","publish":false,"role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x"},"responseElements":{"architectures":["x86_64"],"codeSha256":"m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=","codeSize":1018083,"description":"","environment":{},"ephemeralStorage":{"size":512},"functionArn":"arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test","functionName":"cloudtrail-events-test","handler":"lambda.handler","lastModified":"2024-09-11T09:29:33.375+0000","loggingConfig":{"logFormat":"Text","logGroup":"/aws/lambda/cloudtrail-events-test"},"memorySize":128,"packageType":"Zip","revisionId":"729c925e-627c-42b2-abf1-55e7f8f7177c","role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x","runtimeVersionConfig":{"runtimeVersionArn":"arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc"},"snapStart":{"applyOn":"None","optimizationStatus":"Off"},"state":"Pending","stateReason":"The function is being created.","stateReasonCode":"Creating","timeout":3,"tracingConfig":{"mode":"PassThrough"},"version":"$LATEST"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"lambda.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/lambda.create-function","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6642d073-04f9-474f-a31d-5ef412875c07","eventName":"CreateFunction20150331","eventSource":"lambda.amazonaws.com","eventTime":"2024-09-11T09:29:33Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"1ea1d5c8-9cfc-4e18-8256-3dfbcfc43e0b","requestParameters":{"code":{},"environment":{},"functionName":"cloudtrail-events-test","handler":"lambda.handler","publish":false,"role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x"},"responseElements":{"architectures":["x86_64"],"codeSha256":"m2HanyBGXadi+QCt0ct2KqsqHAF4cgUJLO4aS9PcUXo=","codeSize":1018083,"description":"","environment":{},"ephemeralStorage":{"size":512},"functionArn":"arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test","functionName":"cloudtrail-events-test","handler":"lambda.handler","lastModified":"2024-09-11T09:29:33.375+0000","loggingConfig":{"logFormat":"Text","logGroup":"/aws/lambda/cloudtrail-events-test"},"memorySize":128,"packageType":"Zip","revisionId":"729c925e-627c-42b2-abf1-55e7f8f7177c","role":"arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn","runtime":"nodejs20.x","runtimeVersionConfig":{"runtimeVersionArn":"arn:aws:lambda:us-east-1::runtime:672d5a3e06f81d120c089c5414b05186d7b4098504797c766bde2459847f38bc"},"snapStart":{"applyOn":"None","optimizationStatus":"Off"},"state":"Pending","stateReason":"The function is being 
created.","stateReasonCode":"Creating","timeout":3,"tracingConfig":{"mode":"PassThrough"},"version":"$LATEST"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"lambda.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/lambda.create-function","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json index 997ad7fda5..fac95ab313 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2024-09-11T09:29:33.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co" + ] + } + }, "aws": { "cloudtrail": { "event_category": "Management", @@ -89,7 +96,6 @@ }, "related": { "entity": [ - "AIDA2IBR2EZTJMPOR52WV", "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", "testcloudtrail@elastic.co", "ACCESS_KEY_EXAMPLE", @@ -121,7 +127,8 @@ "ip": "216.160.83.56" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "tls": { "cipher": "TLS_AES_128_GCM_SHA256", 
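Review bot: The only change to this fixture (`@@ -1 +1,2 @@`) is the appended empty line — the JSON record itself appears byte-identical — and that blank line is what the companion expected file now parses into a second, content-free document with `event.outcome: success`. A pipeline test input should end with a single newline, not a blank record, so fix the missing trailing newline without adding an extra empty line and regenerate the expected output. The same trailing blank line appears in the other new `.log` fixtures in this change (`test-create-detector-json.log`, `test-create-document-json.log`, `test-create-policy-json.log`, `test-create-stack-json.log`) and produces the same spurious document in each expected file.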
@@ -143,6 +150,24 @@ "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/lambda.create-function", "version": "2.14.5" } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log new file mode 100644 index 0000000000..698aa75a14 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log 
@@ -0,0 +1,2 @@ +{"eventVersion":"1.10","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/pwncloud-backdoor-user","accountId":"00000000000","accessKeyId":"ACCESSKEY","userName":"pwncloud-backdoor-user"},"eventTime":"2024-10-29T14:43:20Z","eventSource":"iam.amazonaws.com","eventName":"CreatePolicy","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.16 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.create-policy","requestParameters":{"policyName":"PwncloudSNSPublishPolicy","policyDocument":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"sns:Publish\",\n \"Resource\": \"*\"\n }\n ]\n }"},"responseElements":{"policy":{"policyName":"PwncloudSNSPublishPolicy","policyId":"ANPA47CRWDCFT7RKX3QNL","arn":"arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy","path":"/","defaultVersionId":"v1","attachmentCount":0,"permissionsBoundaryUsageCount":0,"isAttachable":true,"createDate":"Oct 29, 2024 2:43:20 PM","updateDate":"Oct 29, 2024 2:43:20 PM"}},"requestID":"8878effe-e1eb-4ac3-9fcd-e6788c7ea6de","eventID":"4d05177d-9a53-406a-9824-4abb08e3c546","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log-expected.json new file mode 100644 index 0000000000..a6cd48d528 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log-expected.json 
@@ -0,0 +1,158 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-29T14:43:20.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"sns:Publish\",\n \"Resource\": \"*\"\n }\n ]\n }", + "policyName": "PwncloudSNSPublishPolicy" + }, + "response_elements": { + "policy": { + "arn": "arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy", + "attachmentCount": 0, + "createDate": "Oct 29, 2024 2:43:20 PM", + "defaultVersionId": "v1", + "isAttachable": true, + "path": "/", + "permissionsBoundaryUsageCount": 0, + "policyId": "ANPA47CRWDCFT7RKX3QNL", + "policyName": "PwncloudSNSPublishPolicy", + "updateDate": "Oct 29, 2024 2:43:20 PM" + } + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "8878effe-e1eb-4ac3-9fcd-e6788c7ea6de", + "request_parameters": "{policyDocument={\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"sns:Publish\",\n \"Resource\": \"*\"\n }\n ]\n }, policyName=PwncloudSNSPublishPolicy}", + "response_elements": "{policy={permissionsBoundaryUsageCount=0, path=/, updateDate=Oct 29, 2024 2:43:20 PM, policyId=ANPA47CRWDCFT7RKX3QNL, defaultVersionId=v1, policyName=PwncloudSNSPublishPolicy, isAttachable=true, attachmentCount=0, arn=arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy, createDate=Oct 29, 2024 2:43:20 PM}}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreatePolicy", + 
"category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "4d05177d-9a53-406a-9824-4abb08e3c546", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/pwncloud-backdoor-user\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"userName\":\"pwncloud-backdoor-user\"},\"eventTime\":\"2024-10-29T14:43:20Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreatePolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.16 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.create-policy\",\"requestParameters\":{\"policyName\":\"PwncloudSNSPublishPolicy\",\"policyDocument\":\"{\\n \\\"Version\\\": \\\"2012-10-17\\\",\\n \\\"Statement\\\": [\\n {\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Action\\\": \\\"sns:Publish\\\",\\n \\\"Resource\\\": \\\"*\\\"\\n }\\n ]\\n }\"},\"responseElements\":{\"policy\":{\"policyName\":\"PwncloudSNSPublishPolicy\",\"policyId\":\"ANPA47CRWDCFT7RKX3QNL\",\"arn\":\"arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy\",\"path\":\"/\",\"defaultVersionId\":\"v1\",\"attachmentCount\":0,\"permissionsBoundaryUsageCount\":0,\"isAttachable\":true,\"createDate\":\"Oct 29, 2024 2:43:20 PM\",\"updateDate\":\"Oct 29, 2024 2:43:20 PM\"}},\"requestID\":\"8878effe-e1eb-4ac3-9fcd-e6788c7ea6de\",\"eventID\":\"4d05177d-9a53-406a-9824-4abb08e3c546\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "creation" + ] + }, + "related": { + 
"entity": [ + "arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy", + "pwncloud-backdoor-user", + "ACCESSKEY", + "PwncloudSNSPublishPolicy", + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:policy/PwncloudSNSPublishPolicy" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "pwncloud-backdoor-user" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.16 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.create-policy", + "os": { + "name": "Linux" + }, + "version": "2.18.16" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log new file mode 100644 index 0000000000..f9202d9f56 --- /dev/null 
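Review bot: `related.entity` in this hunk carries the policy ARN and name but not the `policyId` (`ANPA47CRWDCFT7RKX3QNL`) from `responseElements`, and the `sns:Publish` on `"Resource": "*"` that makes this Pwncloud fixture interesting survives only inside the double-encoded `policyDocument` string in `aws.cloudtrail.flattened.request_parameters` and `request_parameters`. Any rule for "customer-managed policy created with a wildcard resource" therefore has to substring-match a pretty-printed JSON string with embedded newlines, which is brittle across CLI/SDK formatting. If the pipeline is meant to surface policy statements, this fixture is the right place to assert a parsed form; if `policyDocument` is intentionally left opaque, a note to that effect in the PR would help the next maintainer. The trailing document with the fixed 2021 timestamp again looks like the blank-line artifact from the `.log` fixture.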
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log @@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"87fa1ad4-7d2b-4157-b808-9280b7977567","eventName":"CreateStack","eventSource":"cloudformation.amazonaws.com","eventTime":"2024-10-11T11:51:06Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"99c2408d-f4cd-482b-a8a9-b4a1d3f0a9b9","requestParameters":{"parameters":[{"parameterKey":"KeyName"},{"parameterKey":"KeyName"}],"stackName":"cloudtrail-stack"},"responseElements":{"stackId":"arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"cloudformation.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log-expected.json new file mode 100644 index 0000000000..995096bfb6 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log-expected.json 
@@ -0,0 +1,147 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-11T11:51:06.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "parameters": [ + { + "parameterKey": "KeyName" + }, + { + "parameterKey": "KeyName" + } + ], + "stackName": "cloudtrail-stack" + }, + "response_elements": { + "stackId": "arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "99c2408d-f4cd-482b-a8a9-b4a1d3f0a9b9", + "request_parameters": "{stackName=cloudtrail-stack, parameters=[{parameterKey=KeyName}, {parameterKey=KeyName}]}", + "response_elements": "{stackId=arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateStack", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "87fa1ad4-7d2b-4157-b808-9280b7977567", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"87fa1ad4-7d2b-4157-b808-9280b7977567\",\"eventName\":\"CreateStack\",\"eventSource\":\"cloudformation.amazonaws.com\",\"eventTime\":\"2024-10-11T11:51:06Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"99c2408d-f4cd-482b-a8a9-b4a1d3f0a9b9\",\"requestParameters\":{\"parameters\":[{\"parameterKey\":\"KeyName\"},{\"parameterKey\":\"KeyName\"}],\"stackName\":\"cloudtrail-stack\"},\"responseElements\":{\"stackId\":\"arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"cloudformation.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "cloudformation.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": 
-122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:cloudformation:us-east-1:000000000:stack/cloudtrail-stack/19182870-87c7-11ef-bc78-0e34431d21e9" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "cloudformation.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log new file mode 100644 index 0000000000..9fa8c3368c --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log 
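Review bot: `event.type` is `["info"]` and there is no `event.category` for a CreateStack call that has `read_only: false` and returns a new stack ARN, so this file pins stack creation as an uncategorised event even though the CreateTopic expectation in the same change carries `"category": ["configuration"]` and `"type": ["creation"]`. If the goal is to make CloudFormation stack creation matchable by ECS-based detections, the eventName-to-category mapping in the pipeline (outside this diff) presumably needs a `CreateStack` entry before this expectation is frozen; if it is a known gap, saying so in the PR description avoids the file being read as the intended result. The trailing object in `expected` (`@timestamp` `2021-11-11T01:02:03.123456789Z`, no `event.action`) is the artefact of the blank last line in the .log fixture rather than a real event, and would disappear if that line were removed.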
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"7bc9ae49-e471-4d00-9098-f3044976d922","eventName":"CreateStackSet","eventSource":"cloudformation.amazonaws.com","eventTime":"2024-10-11T11:49:39Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"4e6d1c3b-2cb1-41a7-b8f1-8b102dead4c6","requestParameters":{"clientRequestToken":"852dd863-404e-4cdf-8eb2-f7aa8a905895","stackSetName":"cloudtrail-stack-set"},"responseElements":{"stackSetId":"cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"cloudformation.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack-set","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log-expected.json
new file mode 100644
index 0000000000..8ac7072fd3
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log-expected.json
@@ -0,0 +1,140 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-11T11:49:39.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "clientRequestToken": "852dd863-404e-4cdf-8eb2-f7aa8a905895", + "stackSetName": "cloudtrail-stack-set" + }, + "response_elements": { + "stackSetId": "cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "4e6d1c3b-2cb1-41a7-b8f1-8b102dead4c6", + "request_parameters": "{clientRequestToken=852dd863-404e-4cdf-8eb2-f7aa8a905895, stackSetName=cloudtrail-stack-set}", + "response_elements": "{stackSetId=cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateStackSet", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "7bc9ae49-e471-4d00-9098-f3044976d922", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"7bc9ae49-e471-4d00-9098-f3044976d922\",\"eventName\":\"CreateStackSet\",\"eventSource\":\"cloudformation.amazonaws.com\",\"eventTime\":\"2024-10-11T11:49:39Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"4e6d1c3b-2cb1-41a7-b8f1-8b102dead4c6\",\"requestParameters\":{\"clientRequestToken\":\"852dd863-404e-4cdf-8eb2-f7aa8a905895\",\"stackSetName\":\"cloudtrail-stack-set\"},\"responseElements\":{\"stackSetId\":\"cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"cloudformation.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack-set\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "cloudformation.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": 
"216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "cloudformation.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_f180216f-c8a2-4a1e-8ffc-0e27851dad77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudformation.create-stack-set", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log new file mode 100644 index 0000000000..2c5e177831 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log 
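Review bot: `target.entity.id` and `related.entity` use the bare `stackSetId` string `cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718`, while the sibling CreateStack expectation uses the full stack ARN as the target, so the same pipeline emits an ARN for stacks and a `name:uuid` value for stack sets. If `related.entity` is meant to be a join key across CloudTrail events, the region and account in the event are enough to build what I believe is the documented stack-set ARN shape, `arn:aws:cloudformation:us-east-1:000000000:stackset/cloudtrail-stack-set:11c4915f-65ac-46d9-a173-17c8e89d8718`; if the raw id is deliberate, a comment in the pipeline (outside this diff) naming which services get ARN-ised would help the next fixture author. This is a remark on the pipeline output this file freezes, not on the fixture text itself.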
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/pwncloud-backdoor-user","accountId":"00000000000","accessKeyId":"ACCESSKEY","userName":"pwncloud-backdoor-user"},"eventTime":"2024-10-30T20:02:25Z","eventSource":"sns.amazonaws.com","eventName":"CreateTopic","awsRegion":"us-east-1","sourceIPAddress":"000000000","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.create-topic","requestParameters":{"name":"pwncloud-data-exfiltration"},"responseElements":{"topicArn":"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration"},"requestID":"a573235c-465e-5617-b38f-7cc0d54fb5b7","eventID":"4b3cd35b-f37b-41f8-aefa-a006ed1d9946","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"sns.us-east-1.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log-expected.json
new file mode 100644
index 0000000000..2a8bee5965
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log-expected.json
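Review bot: `sourceIPAddress` has been sanitised to `"000000000"`, which is not an IP address at all, so the pipeline leaves `source.ip` unset and skips the geo/AS enrichment for this fixture — its expected output carries only `"source": {"address": "000000000"}` and no `source.ip`, `source.geo` or `source.as`. The other fixtures in this change use `216.160.83.56`, which the test GeoIP data evidently resolves to Milton, WA; reusing it here, or any documentation-range address, keeps the redaction while still exercising the IP path for an SNS event. The account id `00000000000` is 11 digits where the other fixtures use 9 and a real AWS account id is 12, so a consistent placeholder such as `000000000000` across the new fixtures would read more like real data and make cross-fixture greps on the account id work.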
@@ -0,0 +1,129 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:02:25.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "name": "pwncloud-data-exfiltration" + }, + "response_elements": { + "topicArn": "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "a573235c-465e-5617-b38f-7cc0d54fb5b7", + "request_parameters": "{name=pwncloud-data-exfiltration}", + "response_elements": "{topicArn=arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTopic", + "category": [ + "configuration" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "4b3cd35b-f37b-41f8-aefa-a006ed1d9946", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/pwncloud-backdoor-user\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"userName\":\"pwncloud-backdoor-user\"},\"eventTime\":\"2024-10-30T20:02:25Z\",\"eventSource\":\"sns.amazonaws.com\",\"eventName\":\"CreateTopic\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"000000000\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off 
md/command#sns.create-topic\",\"requestParameters\":{\"name\":\"pwncloud-data-exfiltration\"},\"responseElements\":{\"topicArn\":\"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration\"},\"requestID\":\"a573235c-465e-5617-b38f-7cc0d54fb5b7\",\"eventID\":\"4b3cd35b-f37b-41f8-aefa-a006ed1d9946\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"sns.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "sns.amazonaws.com", + "type": [ + "creation" + ] + }, + "related": { + "entity": [ + "pwncloud-backdoor-user", + "ACCESSKEY", + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": "000000000" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "sns.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "pwncloud-backdoor-user" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.create-topic", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + 
"tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log new file mode 100644 index 0000000000..a3eb07aea3 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b1063f01-fc27-4ccf-8e43-678fff057a7c","eventName":"CreateTrafficMirrorFilter","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T09:10:41Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"7314a288-a8d9-43ca-a9ba-c5e327a597bb","requestParameters":{"CreateTrafficMirrorFilterRequest":{"ClientToken":"b231a81b-d596-4740-ada6-de0d6e483ca7","Description":"Cloudtrail test TCP Filter"}},"responseElements":{"CreateTrafficMirrorFilterResponse":{"clientToken":"b231a81b-d596-4740-ada6-de0d6e483ca7","requestId":"7314a288-a8d9-43ca-a9ba-c5e327a597bb","trafficMirrorFilter":{"description":"Cloudtrail test TCP Filter","egressFilterRuleSet":"","ingressFilterRuleSet":"","networkServiceSet":"","tagSet":"","trafficMirrorFilterId":"tmf-01bee5a4ef310ec1b"},"xmlns":"http://ec2.amazonaws.com/doc/2016-11-15/"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log-expected.json
new file mode 100644
index 0000000000..fff202e9b4
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log-expected.json 
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T09:10:41.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "CreateTrafficMirrorFilterRequest": { + "ClientToken": "b231a81b-d596-4740-ada6-de0d6e483ca7", + "Description": "Cloudtrail test TCP Filter" + } + }, + "response_elements": { + "CreateTrafficMirrorFilterResponse": { + "clientToken": "b231a81b-d596-4740-ada6-de0d6e483ca7", + "requestId": "7314a288-a8d9-43ca-a9ba-c5e327a597bb", + "trafficMirrorFilter": { + "description": "Cloudtrail test TCP Filter", + "trafficMirrorFilterId": "tmf-01bee5a4ef310ec1b" + }, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "7314a288-a8d9-43ca-a9ba-c5e327a597bb", + "request_parameters": "{CreateTrafficMirrorFilterRequest={Description=Cloudtrail test TCP Filter, ClientToken=b231a81b-d596-4740-ada6-de0d6e483ca7}}", + "response_elements": "{CreateTrafficMirrorFilterResponse={trafficMirrorFilter={description=Cloudtrail test TCP Filter, trafficMirrorFilterId=tmf-01bee5a4ef310ec1b}, xmlns=http://ec2.amazonaws.com/doc/2016-11-15/, clientToken=b231a81b-d596-4740-ada6-de0d6e483ca7, requestId=7314a288-a8d9-43ca-a9ba-c5e327a597bb}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTrafficMirrorFilter", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "b1063f01-fc27-4ccf-8e43-678fff057a7c", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b1063f01-fc27-4ccf-8e43-678fff057a7c\",\"eventName\":\"CreateTrafficMirrorFilter\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T09:10:41Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"7314a288-a8d9-43ca-a9ba-c5e327a597bb\",\"requestParameters\":{\"CreateTrafficMirrorFilterRequest\":{\"ClientToken\":\"b231a81b-d596-4740-ada6-de0d6e483ca7\",\"Description\":\"Cloudtrail test TCP Filter\"}},\"responseElements\":{\"CreateTrafficMirrorFilterResponse\":{\"clientToken\":\"b231a81b-d596-4740-ada6-de0d6e483ca7\",\"requestId\":\"7314a288-a8d9-43ca-a9ba-c5e327a597bb\",\"trafficMirrorFilter\":{\"description\":\"Cloudtrail test TCP Filter\",\"egressFilterRuleSet\":\"\",\"ingressFilterRuleSet\":\"\",\"networkServiceSet\":\"\",\"tagSet\":\"\",\"trafficMirrorFilterId\":\"tmf-01bee5a4ef310ec1b\"},\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "tmf-01bee5a4ef310ec1b" + ], + "user": [ + "test@elastic.co" + ] + }, + 
"source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "tmf-01bee5a4ef310ec1b" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log new file mode 100644 index 0000000000..153a23aecb --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log 
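Review bot: Creating a VPC Traffic Mirror filter is pinned here as `"type": ["info"]` with no `event.category`, although `read_only` is false and a new `tmf-01bee5a4ef310ec1b` id is returned; traffic-mirroring setup is precisely the configuration change a packet-capture or sniffing detection would match on `event.category: configuration` / `event.type: creation`, which the CreateTopic expectation in this same change already gets. If the eventName-to-category mapping lives in the pipeline outside this diff, adding `CreateTrafficMirrorFilter` (and the Rule and Session variants) before freezing these three expectations avoids regenerating them all later. Also, `egressFilterRuleSet`, `ingressFilterRuleSet`, `networkServiceSet` and `tagSet` are `""` in `event.original` but absent from `flattened.response_elements`; presumably empty strings are dropped on purpose, but a line in the PR description confirming that would help reviewers of later fixtures.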
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5775ad41-17e7-41ce-b06d-ea8daf088c0f","eventName":"CreateTrafficMirrorFilterRule","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T09:12:02Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"cedef09d-3cf8-4b44-8ced-64d8ddf5887a","requestParameters":{"CreateTrafficMirrorFilterRuleRequest":{"ClientToken":"24a99dd1-6f25-45db-9566-f4e2021edf42","Description":"TCP Rule","DestinationCidrBlock":"0.0.0.0/0","Protocol":6,"RuleAction":"accept","RuleNumber":1,"SourceCidrBlock":"0.0.0.0/0","TrafficDirection":"ingress","TrafficMirrorFilterId":"tmf-01bee5a4ef310ec1b"}},"responseElements":{"CreateTrafficMirrorFilterRuleResponse":{"clientToken":"24a99dd1-6f25-45db-9566-f4e2021edf42","requestId":"cedef09d-3cf8-4b44-8ced-64d8ddf5887a","trafficMirrorFilterRule":{"description":"TCP Rule","destinationCidrBlock":"0.0.0.0/0","protocol":6,"ruleAction":"accept","ruleNumber":1,"sourceCidrBlock":"0.0.0.0/0","trafficDirection":"ingress","trafficMirrorFilterId":"tmf-01bee5a4ef310ec1b","trafficMirrorFilterRuleId":"tmfr-0e6de11dee1a9c690"},"xmlns":"http://ec2.amazonaws.com/doc/2016-11-15/"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter-rule","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log-expected.json
new file mode 100644
index 0000000000..af29e8be80
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log-expected.json
@@ -0,0 +1,164 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T09:12:02.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "CreateTrafficMirrorFilterRuleRequest": { + "ClientToken": "24a99dd1-6f25-45db-9566-f4e2021edf42", + "Description": "TCP Rule", + "DestinationCidrBlock": "0.0.0.0/0", + "Protocol": 6, + "RuleAction": "accept", + "RuleNumber": 1, + "SourceCidrBlock": "0.0.0.0/0", + "TrafficDirection": "ingress", + "TrafficMirrorFilterId": "tmf-01bee5a4ef310ec1b" + } + }, + "response_elements": { + "CreateTrafficMirrorFilterRuleResponse": { + "clientToken": "24a99dd1-6f25-45db-9566-f4e2021edf42", + "requestId": "cedef09d-3cf8-4b44-8ced-64d8ddf5887a", + "trafficMirrorFilterRule": { + "description": "TCP Rule", + "destinationCidrBlock": "0.0.0.0/0", + "protocol": 6, + "ruleAction": "accept", + "ruleNumber": 1, + "sourceCidrBlock": "0.0.0.0/0", + "trafficDirection": "ingress", + "trafficMirrorFilterId": "tmf-01bee5a4ef310ec1b", + "trafficMirrorFilterRuleId": "tmfr-0e6de11dee1a9c690" + }, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "cedef09d-3cf8-4b44-8ced-64d8ddf5887a", + "request_parameters": "{CreateTrafficMirrorFilterRuleRequest={Description=TCP Rule, RuleAction=accept, SourceCidrBlock=0.0.0.0/0, RuleNumber=1, DestinationCidrBlock=0.0.0.0/0, ClientToken=24a99dd1-6f25-45db-9566-f4e2021edf42, Protocol=6, TrafficDirection=ingress, TrafficMirrorFilterId=tmf-01bee5a4ef310ec1b}}", + "response_elements": "{CreateTrafficMirrorFilterRuleResponse={xmlns=http://ec2.amazonaws.com/doc/2016-11-15/, clientToken=24a99dd1-6f25-45db-9566-f4e2021edf42, requestId=cedef09d-3cf8-4b44-8ced-64d8ddf5887a, trafficMirrorFilterRule={destinationCidrBlock=0.0.0.0/0, 
ruleAction=accept, protocol=6, ruleNumber=1, description=TCP Rule, sourceCidrBlock=0.0.0.0/0, trafficDirection=ingress, trafficMirrorFilterId=tmf-01bee5a4ef310ec1b, trafficMirrorFilterRuleId=tmfr-0e6de11dee1a9c690}}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTrafficMirrorFilterRule", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "5775ad41-17e7-41ce-b06d-ea8daf088c0f", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5775ad41-17e7-41ce-b06d-ea8daf088c0f\",\"eventName\":\"CreateTrafficMirrorFilterRule\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T09:12:02Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"cedef09d-3cf8-4b44-8ced-64d8ddf5887a\",\"requestParameters\":{\"CreateTrafficMirrorFilterRuleRequest\":{\"ClientToken\":\"24a99dd1-6f25-45db-9566-f4e2021edf42\",\"Description\":\"TCP Rule\",\"DestinationCidrBlock\":\"0.0.0.0/0\",\"Protocol\":6,\"RuleAction\":\"accept\",\"RuleNumber\":1,\"SourceCidrBlock\":\"0.0.0.0/0\",\"TrafficDirection\":\"ingress\",\"TrafficMirrorFilterId\":\"tmf-01bee5a4ef310ec1b\"}},\"responseElements\":{\"CreateTrafficMirrorFilterRuleResponse\":{\"clientToken\":\"24a99dd1-6f25-45db-9566-f4e2021edf42\",\"requestId\":\"cedef09d-3cf8-4b44-8ced-64d8ddf5887a\",\"trafficMirrorFilterRule\":{\"description\":\"TCP 
Rule\",\"destinationCidrBlock\":\"0.0.0.0/0\",\"protocol\":6,\"ruleAction\":\"accept\",\"ruleNumber\":1,\"sourceCidrBlock\":\"0.0.0.0/0\",\"trafficDirection\":\"ingress\",\"trafficMirrorFilterId\":\"tmf-01bee5a4ef310ec1b\",\"trafficMirrorFilterRuleId\":\"tmfr-0e6de11dee1a9c690\"},\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter-rule\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "tmfr-0e6de11dee1a9c690", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "tmfr-0e6de11dee1a9c690" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + 
"user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-filter-rule", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log new file mode 100644 index 0000000000..29aa05d801 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log 
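Review bot: `related.entity` lists the new rule id `tmfr-0e6de11dee1a9c690` but not the parent filter `tmf-01bee5a4ef310ec1b`, even though that id appears in both `request_parameters` and `response_elements`, so an analyst pivoting from the CreateTrafficMirrorFilter event to this rule has no shared entity key between the two documents. If `related.entity` is meant to collect every resource identifier an event touches, the pipeline (outside this diff) should add the filter id here before this expectation is frozen; if it deliberately records only the created resource, that choice deserves a comment in the pipeline. As with the other CloudFormation and EC2 expectations in this change, the rule is pinned as `"type": ["info"]` with no `event.category`, although it accepts `0.0.0.0/0` ingress into a mirror — the kind of change a detection would want categorised as `configuration` / `creation`, as the CreateTopic expectation already is.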
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"035ab7d0-a150-4712-86fc-edffb81d054c","eventName":"CreateTrafficMirrorSession","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T12:32:18Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"f4074d64-7d31-472b-8dba-66afc4310e94","requestParameters":{"CreateTrafficMirrorSessionRequest":{"ClientToken":"812f8097-2994-424c-bee1-cf6858e67c75","Description":"example session","NetworkInterfaceId":"eni-0826181775f16c3b2","PacketLength":25,"SessionNumber":1,"TrafficMirrorFilterId":"tmf-01bee5a4ef310ec1b","TrafficMirrorTargetId":"tmt-0c62986bff32556ac"}},"responseElements":{"CreateTrafficMirrorSessionResponse":{"clientToken":"812f8097-2994-424c-bee1-cf6858e67c75","requestId":"f4074d64-7d31-472b-8dba-66afc4310e94","trafficMirrorSession":{"description":"example session","networkInterfaceId":"eni-0826181775f16c3b2","ownerId":"000000000","packetLength":25,"sessionNumber":1,"tagSet":"","trafficMirrorFilterId":"tmf-01bee5a4ef310ec1b","trafficMirrorSessionId":"tms-089e55493216df002","trafficMirrorTargetId":"tmt-0c62986bff32556ac","virtualNetworkId":"3272331"},"xmlns":"http://ec2.amazonaws.com/doc/2016-11-15/"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-session","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
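Review bot: The second added line of this hunk is empty, and the matching expected file ends with a second document that holds only the default `@timestamp`, `ecs`, `event` and `tags` fields, which appears to be the pipeline's output for that blank input rather than a real CloudTrail record. Trimming the trailing blank line so the hunk reads `@@ -0,0 +1 @@` keeps the fixture to one event and stops the expected file from asserting an `event.outcome: success` document with no `event.original` behind it. The same trailing blank line is in the test-create-traffic-mirror-target-json.log, test-create-trust-anchor-json.log and test-delete-alarms-json.log hunks.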
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json
new file mode 100644
index 0000000000..88f5144e0a
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json
@@ -0,0 +1,162 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T12:32:18.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "CreateTrafficMirrorSessionRequest": { + "ClientToken": "812f8097-2994-424c-bee1-cf6858e67c75", + "Description": "example session", + "NetworkInterfaceId": "eni-0826181775f16c3b2", + "PacketLength": 25, + "SessionNumber": 1, + "TrafficMirrorFilterId": "tmf-01bee5a4ef310ec1b", + "TrafficMirrorTargetId": "tmt-0c62986bff32556ac" + } + }, + "response_elements": { + "CreateTrafficMirrorSessionResponse": { + "clientToken": "812f8097-2994-424c-bee1-cf6858e67c75", + "requestId": "f4074d64-7d31-472b-8dba-66afc4310e94", + "trafficMirrorSession": { + "description": "example session", + "networkInterfaceId": "eni-0826181775f16c3b2", + "ownerId": "000000000", + "packetLength": 25, + "sessionNumber": 1, + "trafficMirrorFilterId": "tmf-01bee5a4ef310ec1b", + "trafficMirrorSessionId": "tms-089e55493216df002", + "trafficMirrorTargetId": "tmt-0c62986bff32556ac", + "virtualNetworkId": "3272331" + }, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "f4074d64-7d31-472b-8dba-66afc4310e94", + "request_parameters": "{CreateTrafficMirrorSessionRequest={TrafficMirrorTargetId=tmt-0c62986bff32556ac, Description=example session, SessionNumber=1, PacketLength=25, ClientToken=812f8097-2994-424c-bee1-cf6858e67c75, NetworkInterfaceId=eni-0826181775f16c3b2, TrafficMirrorFilterId=tmf-01bee5a4ef310ec1b}}", + "response_elements": "{CreateTrafficMirrorSessionResponse={trafficMirrorSession={networkInterfaceId=eni-0826181775f16c3b2, trafficMirrorSessionId=tms-089e55493216df002, packetLength=25, sessionNumber=1, description=example session, virtualNetworkId=3272331, 
ownerId=000000000, trafficMirrorFilterId=tmf-01bee5a4ef310ec1b, trafficMirrorTargetId=tmt-0c62986bff32556ac}, xmlns=http://ec2.amazonaws.com/doc/2016-11-15/, clientToken=812f8097-2994-424c-bee1-cf6858e67c75, requestId=f4074d64-7d31-472b-8dba-66afc4310e94}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTrafficMirrorSession", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "035ab7d0-a150-4712-86fc-edffb81d054c", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"035ab7d0-a150-4712-86fc-edffb81d054c\",\"eventName\":\"CreateTrafficMirrorSession\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T12:32:18Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"f4074d64-7d31-472b-8dba-66afc4310e94\",\"requestParameters\":{\"CreateTrafficMirrorSessionRequest\":{\"ClientToken\":\"812f8097-2994-424c-bee1-cf6858e67c75\",\"Description\":\"example session\",\"NetworkInterfaceId\":\"eni-0826181775f16c3b2\",\"PacketLength\":25,\"SessionNumber\":1,\"TrafficMirrorFilterId\":\"tmf-01bee5a4ef310ec1b\",\"TrafficMirrorTargetId\":\"tmt-0c62986bff32556ac\"}},\"responseElements\":{\"CreateTrafficMirrorSessionResponse\":{\"clientToken\":\"812f8097-2994-424c-bee1-cf6858e67c75\",\"requestId\":\"f4074d64-7d31-472b-8dba-66afc4310e94\",\"trafficMirrorSession\":{\"description\":\"example 
session\",\"networkInterfaceId\":\"eni-0826181775f16c3b2\",\"ownerId\":\"000000000\",\"packetLength\":25,\"sessionNumber\":1,\"tagSet\":\"\",\"trafficMirrorFilterId\":\"tmf-01bee5a4ef310ec1b\",\"trafficMirrorSessionId\":\"tms-089e55493216df002\",\"trafficMirrorTargetId\":\"tmt-0c62986bff32556ac\",\"virtualNetworkId\":\"3272331\"},\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-session\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "tms-089e55493216df002" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "tms-089e55493216df002" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": 
"1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-session", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log new file mode 100644 index 0000000000..e13db5ec32 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"aaca878c-a8a2-4947-b7d7-4b710ec63189","eventName":"CreateTrafficMirrorTarget","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T09:29:18Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"ee4a1c85-23c9-40c8-ae2b-af566fdd098f","requestParameters":{"CreateTrafficMirrorTargetRequest":{"ClientToken":"f910fa2f-5ae9-4a88-ac6d-ef98845d845e","Description":"Example Network Load Balancer Target","NetworkLoadBalancerArn":"arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a"}},"responseElements":{"CreateTrafficMirrorTargetResponse":{"clientToken":"f910fa2f-5ae9-4a88-ac6d-ef98845d845e","requestId":"ee4a1c85-23c9-40c8-ae2b-af566fdd098f","trafficMirrorTarget":{"description":"Example Network Load Balancer Target","networkLoadBalancerArn":"arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a","ownerId":"000000000","tagSet":"","trafficMirrorTargetId":"tmt-0c62986bff32556ac","type":"network-load-balancer"},"xmlns":"http://ec2.amazonaws.com/doc/2016-11-15/"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-target","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json
new file mode 100644
index 0000000000..8f59299464
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json
@@ -0,0 +1,154 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T09:29:18.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "CreateTrafficMirrorTargetRequest": { + "ClientToken": "f910fa2f-5ae9-4a88-ac6d-ef98845d845e", + "Description": "Example Network Load Balancer Target", + "NetworkLoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a" + } + }, + "response_elements": { + "CreateTrafficMirrorTargetResponse": { + "clientToken": "f910fa2f-5ae9-4a88-ac6d-ef98845d845e", + "requestId": "ee4a1c85-23c9-40c8-ae2b-af566fdd098f", + "trafficMirrorTarget": { + "description": "Example Network Load Balancer Target", + "networkLoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a", + "ownerId": "000000000", + "trafficMirrorTargetId": "tmt-0c62986bff32556ac", + "type": "network-load-balancer" + }, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "ee4a1c85-23c9-40c8-ae2b-af566fdd098f", + "request_parameters": "{CreateTrafficMirrorTargetRequest={NetworkLoadBalancerArn=arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a, Description=Example Network Load Balancer Target, ClientToken=f910fa2f-5ae9-4a88-ac6d-ef98845d845e}}", + "response_elements": "{CreateTrafficMirrorTargetResponse={trafficMirrorTarget={description=Example Network Load Balancer Target, networkLoadBalancerArn=arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a, ownerId=000000000, type=network-load-balancer, trafficMirrorTargetId=tmt-0c62986bff32556ac}, 
xmlns=http://ec2.amazonaws.com/doc/2016-11-15/, clientToken=f910fa2f-5ae9-4a88-ac6d-ef98845d845e, requestId=ee4a1c85-23c9-40c8-ae2b-af566fdd098f}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTrafficMirrorTarget", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "aaca878c-a8a2-4947-b7d7-4b710ec63189", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"aaca878c-a8a2-4947-b7d7-4b710ec63189\",\"eventName\":\"CreateTrafficMirrorTarget\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T09:29:18Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"ee4a1c85-23c9-40c8-ae2b-af566fdd098f\",\"requestParameters\":{\"CreateTrafficMirrorTargetRequest\":{\"ClientToken\":\"f910fa2f-5ae9-4a88-ac6d-ef98845d845e\",\"Description\":\"Example Network Load Balancer Target\",\"NetworkLoadBalancerArn\":\"arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a\"}},\"responseElements\":{\"CreateTrafficMirrorTargetResponse\":{\"clientToken\":\"f910fa2f-5ae9-4a88-ac6d-ef98845d845e\",\"requestId\":\"ee4a1c85-23c9-40c8-ae2b-af566fdd098f\",\"trafficMirrorTarget\":{\"description\":\"Example Network Load Balancer 
Target\",\"networkLoadBalancerArn\":\"arn:aws:elasticloadbalancing:us-east-1:000000000:loadbalancer/net/my-network-load-balancer/6e52cfd7d977b43a\",\"ownerId\":\"000000000\",\"tagSet\":\"\",\"trafficMirrorTargetId\":\"tmt-0c62986bff32556ac\",\"type\":\"network-load-balancer\"},\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-target\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "tmt-0c62986bff32556ac" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "tmt-0c62986bff32556ac" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + 
"id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.create-traffic-mirror-target", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json index c15f06ae7d..ac8bc6dfd3 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-08T15:30:25.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -65,7 +72,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "TEST-trail", "EXAMPLE_KEY", "Alice", @@ -82,7 +88,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -97,4 +104,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log new file mode 100644 index 0000000000..b474991aed --- /dev/null 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"1500339b-25ba-47fd-a3d4-762328e65de7","eventName":"CreateTrustAnchor","eventSource":"rolesanywhere.amazonaws.com","eventTime":"2024-10-10T12:55:43Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"eca4129e-e13b-4251-9dae-b2d0324eca8f","requestParameters":{"enabled":false,"name":"cloudtrail-test","source":{"sourceData":{"acmPcaArn":"arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4"},"sourceType":"AWS_ACM_PCA"}},"responseElements":{"trustAnchor":{"createdAt":"2024-10-10T12:55:43.023139433Z","enabled":false,"name":"cloudtrail-test","notificationSettings":[{"channel":"ALL","configuredBy":"rolesanywhere.amazonaws.com","enabled":true,"event":"CA_CERTIFICATE_EXPIRY","threshold":45},{"channel":"ALL","configuredBy":"rolesanywhere.amazonaws.com","enabled":true,"event":"END_ENTITY_CERTIFICATE_EXPIRY","threshold":45}],"source":{"sourceData":{"acmPcaArn":"arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4"},"sourceType":"AWS_ACM_PCA"},"trustAnchorArn":"arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93","trustAnchorId":"3a219944-dbbf-4274-a680-880224f97d93","updatedAt":"2024-10-10T12:55:43.023139433Z"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rolesanywhere.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5ee6ac99-1a3a-439c-a8d6-a576883a1e8e cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#rolesanywhere.create-trust-anchor","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log-expected.json
new file mode 100644
index 0000000000..4a96872a0c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log-expected.json
@@ -0,0 +1,175 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T12:55:43.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "enabled": false, + "name": "cloudtrail-test", + "source": { + "sourceData": { + "acmPcaArn": "arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4" + }, + "sourceType": "AWS_ACM_PCA" + } + }, + "response_elements": { + "trustAnchor": { + "createdAt": "2024-10-10T12:55:43.023139433Z", + "enabled": false, + "name": "cloudtrail-test", + "notificationSettings": [ + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "CA_CERTIFICATE_EXPIRY", + "threshold": 45 + }, + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "END_ENTITY_CERTIFICATE_EXPIRY", + "threshold": 45 + } + ], + "source": { + "sourceData": { + "acmPcaArn": "arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4" + }, + "sourceType": "AWS_ACM_PCA" + }, + "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93", + "trustAnchorId": "3a219944-dbbf-4274-a680-880224f97d93", + "updatedAt": "2024-10-10T12:55:43.023139433Z" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "eca4129e-e13b-4251-9dae-b2d0324eca8f", + "request_parameters": "{name=cloudtrail-test, source={sourceType=AWS_ACM_PCA, sourceData={acmPcaArn=arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4}}, enabled=false}", + "response_elements": "{trustAnchor={createdAt=2024-10-10T12:55:43.023139433Z, name=cloudtrail-test, source={sourceType=AWS_ACM_PCA, 
sourceData={acmPcaArn=arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4}}, enabled=false, notificationSettings=[{channel=ALL, threshold=45, configuredBy=rolesanywhere.amazonaws.com, event=CA_CERTIFICATE_EXPIRY, enabled=true}, {channel=ALL, threshold=45, configuredBy=rolesanywhere.amazonaws.com, event=END_ENTITY_CERTIFICATE_EXPIRY, enabled=true}], trustAnchorArn=arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93, trustAnchorId=3a219944-dbbf-4274-a680-880224f97d93, updatedAt=2024-10-10T12:55:43.023139433Z}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateTrustAnchor", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "1500339b-25ba-47fd-a3d4-762328e65de7", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"1500339b-25ba-47fd-a3d4-762328e65de7\",\"eventName\":\"CreateTrustAnchor\",\"eventSource\":\"rolesanywhere.amazonaws.com\",\"eventTime\":\"2024-10-10T12:55:43Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"eca4129e-e13b-4251-9dae-b2d0324eca8f\",\"requestParameters\":{\"enabled\":false,\"name\":\"cloudtrail-test\",\"source\":{\"sourceData\":{\"acmPcaArn\":\"arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4\"},\"sourceType\":\"AWS_ACM_PCA\"}},\"responseElements\":{\"trustAnchor\":{\"createdAt\":\"2024-10-10T12:55:43.023139433Z\",\"enabled\":false,\"name\":\"cloudtrail-test\",\"notificationSettings\":[{\"channel\":\"ALL\",\"configuredBy\":\"rolesanywhere.amazonaws.com\",\"enabled\":true,\"event\":\"CA_CERTIFICATE_EXPIRY\",\"threshold\":45},{\"channel\":\"ALL\",\"configuredBy\":\"rolesanywhere.amazonaws.com\",\"enabled\":true,\"event\":\"END_ENTITY_CERTIFICATE_EXPIRY\",\"threshold\":45}],\"source\":{\"sourceData\":{\"acmPcaArn\":\"arn:aws:acm-pca:us-east-1:000000000:certificate-authority/83dcb5a2-4214-4732-bbfb-64d769bfceb4\"},\"sourceType\":\"AWS_ACM_PCA\"},\"trustAnchorArn\":\"arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93\",\"trustAnchorId\":\"3a219944-dbbf-4274-a680-880224f97d93\",\"updatedAt\":\"2024-10-10T12:55:43.023139433Z\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rolesanywhere.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5ee6ac99-1a3a-439c-a8d6-a576883a1e8e cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#rolesanywhere.create-trust-anchor\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rolesanywhere.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rolesanywhere:us-east-1:000000000:trust-anchor/3a219944-dbbf-4274-a680-880224f97d93" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rolesanywhere.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5ee6ac99-1a3a-439c-a8d6-a576883a1e8e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rolesanywhere.create-trust-anchor", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + 
"kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json index 0ea59e51cf..d97e298d69 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2014-03-24T21:11:59.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_version": "1.0", @@ -58,7 +65,6 @@ "Bob", "arn:aws:iam::123456789012:user/Bob", "Alice", - "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "EXAMPLE_KEY_ID" ], @@ -72,8 +78,16 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], + "target": { + "entity": { + "id": [ + "Bob" + ] + } + }, "user": { "id": "EX_PRINCIPAL_ID", "name": "Alice", @@ -95,4 +109,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json index f4cd8ee0b4..7dbe1e7e42 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2019-11-27T15:10:15.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", 
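Review bot: In the `@@ -72,8 +78,16 @@` hunk of test-create-user-json.log-expected.json the new `target.entity.id` holds the bare user name `Bob`, while `related.entity` in the same file already carries `arn:aws:iam::123456789012:user/Bob`; an IAM user name is only unique within one account, so pivoting on the bare name across accounts conflates distinct principals. If the actor/target mapping can take the user ARN from the response elements, the target id would use the same ARN form as `actor.entity.id` here and as the trust-anchor and traffic-mirror fixtures. The deactivate-mfa-device expected file has the same bare `Alice` target.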
@@ -59,7 +66,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -73,7 +79,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -88,4 +95,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json index 18284d1e35..3abc1d7eb9 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-10T00:34:02.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -68,8 +75,16 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], + "target": { + "entity": { + "id": [ + "Alice" + ] + } + }, "user": { "id": "EXAMPLE_ID", "name": "Alice", @@ -86,4 +101,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json index f5ac6e6afc..6da8ce1e2d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json 
@@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-08T19:09:36.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -69,7 +76,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -87,4 +95,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log new file mode 100644 index 0000000000..3b5c00feb6 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log @@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"04d83590-b8ec-4c1d-affb-25a3034ff0cd","eventName":"DeleteAlarms","eventSource":"monitoring.amazonaws.com","eventTime":"2024-10-09T14:43:35Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"5169576c-6737-4ede-b3f4-7ef6209cac76","requestParameters":{"alarmNames":["cpu-mon"]},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"monitoring.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_2b93b5c6-5303-4575-acec-5e50f4e32a77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudwatch.delete-alarms","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + 
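Review bot: The new delete-alarms log fixture is two lines, the second of which is empty (a `+` followed by nothing), and the matching expected file records that empty line as a second document with `event.kind: event`, `event.outcome: success` and no `event.action` or `event.original`. Dropping the trailing blank line from the `.log` keeps the fixture to the one real event; the db-cluster and db-instance logs later in this diff end the same way and produce the same empty document in their expected files. Independently of the fixtures, an empty input that comes out as a successful event suggests the pipeline neither drops blank lines nor tags them as a parse failure, which is worth confirming in the pipeline since such documents inflate success counts in anything keyed on `event.outcome`.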
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log-expected.json new file mode 100644
index 0000000000..ac2e3eace4
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log-expected.json
@@ -0,0 +1,137 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-09T14:43:35.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.10",
+ "flattened": {
+ "request_parameters": {
+ "alarmNames": [
+ "cpu-mon"
+ ]
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "5169576c-6737-4ede-b3f4-7ef6209cac76",
+ "request_parameters": "{alarmNames=[cpu-mon]}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteAlarms",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "04d83590-b8ec-4c1d-affb-25a3034ff0cd",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"04d83590-b8ec-4c1d-affb-25a3034ff0cd\",\"eventName\":\"DeleteAlarms\",\"eventSource\":\"monitoring.amazonaws.com\",\"eventTime\":\"2024-10-09T14:43:35Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"5169576c-6737-4ede-b3f4-7ef6209cac76\",\"requestParameters\":{\"alarmNames\":[\"cpu-mon\"]},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"monitoring.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_2b93b5c6-5303-4575-acec-5e50f4e32a77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudwatch.delete-alarms\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "monitoring.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "cpu-mon",
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "cpu-mon"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "monitoring.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_2b93b5c6-5303-4575-acec-5e50f4e32a77 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#cloudwatch.delete-alarms",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
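Review bot: `DeleteAlarms` is categorized only as `event.type: ["info"]` with no `event.category`, and `DeleteDBCluster` further down gets the same, so a rule that keys on `event.type: deletion` (the usual way to watch for monitoring being torn down or data stores being removed) will not see these events, and analysts get no signal beyond the raw `event.action` string. If the pipeline already maps some `eventName` values onto ECS types, `Delete*` management events are a natural candidate for `"type": ["deletion"]`, with `"category": ["configuration"]` for the alarm and `"category": ["database"]` for the cluster; if it does not, that is a pipeline change and these fixtures would follow. Either way the mapping should be decided in the pipeline rather than edited here.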
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index e6146e0543..5182748b84 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2016-11-14T17:25:45.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -57,7 +64,6 @@ }, "related": { "entity": [ - "AIDAQRSTUVWXYZEXAMPLE:devdsk", "my-test-bucket-cross-account", "arn:aws:iam::777788889999:role/AssumeNothing", "AssumeNothing", @@ -88,7 +94,8 @@ "ip": "89.160.20.156" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", @@ -109,4 +116,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log new file mode 100644 index 0000000000..501e6eddeb --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log 
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b03bcf00-a3ce-46dc-8902-e426f2b33b69","eventName":"DeleteDBCluster","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:59:45Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"4d0fde3b-77ca-45e1-855e-0412362e2c41","requestParameters":{"dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster","skipFinalSnapshot":true},"responseElements":{"allocatedStorage":1,"associatedRoles":[],"autoMinorVersionUpgrade":true,"automaticRestartTime":"Oct 17, 2024 3:58:15 PM","availabilityZones":["us-east-1d","us-east-1b","us-east-1c"],"backupRetentionPeriod":14,"clusterCreateTime":"Oct 10, 2024 3:18:55 PM","copyTagsToSnapshot":false,"crossAccountClone":false,"dBClusterArn":"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster","dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster","dBClusterMembers":[],"dBClusterParameterGroup":"default.aurora-mysql8.0","dBSubnetGroup":"default","dbClusterResourceId":"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4","deletionProtection":false,"domainMemberships":[],"earliestRestorableTime":"Oct 10, 2024 3:19:46 PM","endpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com","engine":"aurora-mysql","engineMode":"provisioned","engineVersion":"8.0.mysql_aurora.3.07.1","hostedZoneId":"Z2R2ITUGPM61AM","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"latestRestorableTime":"Oct 10, 2024 3:19:46 
PM","localWriteForwardingStatus":"disabled","masterUsername":"master","multiAZ":false,"networkType":"IPV4","port":3306,"preferredBackupWindow":"03:14-03:44","preferredMaintenanceWindow":"wed:04:17-wed:04:47","readReplicaIdentifiers":[],"readerEndpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com","status":"stopped","storageEncrypted":false,"tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-cluster","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log-expected.json new file mode 100644 index 0000000000..67bc3592a4 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log-expected.json 
@@ -0,0 +1,183 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-10T15:59:45.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster",
+ "skipFinalSnapshot": true
+ },
+ "response_elements": {
+ "allocatedStorage": 1,
+ "autoMinorVersionUpgrade": true,
+ "automaticRestartTime": "Oct 17, 2024 3:58:15 PM",
+ "availabilityZones": [
+ "us-east-1d",
+ "us-east-1b",
+ "us-east-1c"
+ ],
+ "backupRetentionPeriod": 14,
+ "clusterCreateTime": "Oct 10, 2024 3:18:55 PM",
+ "copyTagsToSnapshot": false,
+ "crossAccountClone": false,
+ "dBClusterArn": "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster",
+ "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster",
+ "dBClusterParameterGroup": "default.aurora-mysql8.0",
+ "dBSubnetGroup": "default",
+ "dbClusterResourceId": "cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4",
+ "deletionProtection": false,
+ "earliestRestorableTime": "Oct 10, 2024 3:19:46 PM",
+ "endpoint": "test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com",
+ "engine": "aurora-mysql",
+ "engineMode": "provisioned",
+ "engineVersion": "8.0.mysql_aurora.3.07.1",
+ "hostedZoneId": "Z2R2ITUGPM61AM",
+ "httpEndpointEnabled": false,
+ "iAMDatabaseAuthenticationEnabled": false,
+ "latestRestorableTime": "Oct 10, 2024 3:19:46 PM",
+ "localWriteForwardingStatus": "disabled",
+ "masterUsername": "master",
+ "multiAZ": false,
+ "networkType": "IPV4",
+ "port": 3306,
+ "preferredBackupWindow": "03:14-03:44",
+ "preferredMaintenanceWindow": "wed:04:17-wed:04:47",
+ "readerEndpoint": "test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com",
+ "status": "stopped",
+ "storageEncrypted": false,
+ "vpcSecurityGroups": [
+ {
+ "status": "active",
+ "vpcSecurityGroupId": "sg-4e483165"
+ }
+ ]
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "4d0fde3b-77ca-45e1-855e-0412362e2c41",
+ "request_parameters": "{skipFinalSnapshot=true, dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster}",
+ "response_elements": "{crossAccountClone=false, allocatedStorage=1, availabilityZones=[us-east-1d, us-east-1b, us-east-1c], localWriteForwardingStatus=disabled, preferredBackupWindow=03:14-03:44, deletionProtection=false, endpoint=test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com, engineMode=provisioned, engine=aurora-mysql, readerEndpoint=test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com, iAMDatabaseAuthenticationEnabled=false, earliestRestorableTime=Oct 10, 2024 3:19:46 PM, networkType=IPV4, clusterCreateTime=Oct 10, 2024 3:18:55 PM, automaticRestartTime=Oct 17, 2024 3:58:15 PM, engineVersion=8.0.mysql_aurora.3.07.1, masterUsername=master, multiAZ=false, storageEncrypted=false, dBSubnetGroup=default, hostedZoneId=Z2R2ITUGPM61AM, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], port=3306, preferredMaintenanceWindow=wed:04:17-wed:04:47, backupRetentionPeriod=14, dBClusterParameterGroup=default.aurora-mysql8.0, dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster, dbClusterResourceId=cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, dBClusterArn=arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster, latestRestorableTime=Oct 10, 2024 3:19:46 PM, status=stopped}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteDBCluster",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "b03bcf00-a3ce-46dc-8902-e426f2b33b69",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b03bcf00-a3ce-46dc-8902-e426f2b33b69\",\"eventName\":\"DeleteDBCluster\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:59:45Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"4d0fde3b-77ca-45e1-855e-0412362e2c41\",\"requestParameters\":{\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\",\"skipFinalSnapshot\":true},\"responseElements\":{\"allocatedStorage\":1,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"automaticRestartTime\":\"Oct 17, 2024 3:58:15 PM\",\"availabilityZones\":[\"us-east-1d\",\"us-east-1b\",\"us-east-1c\"],\"backupRetentionPeriod\":14,\"clusterCreateTime\":\"Oct 10, 2024 3:18:55 PM\",\"copyTagsToSnapshot\":false,\"crossAccountClone\":false,\"dBClusterArn\":\"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster\",\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\",\"dBClusterMembers\":[],\"dBClusterParameterGroup\":\"default.aurora-mysql8.0\",\"dBSubnetGroup\":\"default\",\"dbClusterResourceId\":\"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4\",\"deletionProtection\":false,\"domainMemberships\":[],\"earliestRestorableTime\":\"Oct 10, 2024 3:19:46 PM\",\"endpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"engine\":\"aurora-mysql\",\"engineMode\":\"provisioned\",\"engineVersion\":\"8.0.mysql_aurora.3.07.1\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"latestRestorableTime\":\"Oct 10, 2024 3:19:46 PM\",\"localWriteForwardingStatus\":\"disabled\",\"masterUsername\":\"master\",\"multiAZ\":false,\"networkType\":\"IPV4\",\"port\":3306,\"preferredBackupWindow\":\"03:14-03:44\",\"preferredMaintenanceWindow\":\"wed:04:17-wed:04:47\",\"readReplicaIdentifiers\":[],\"readerEndpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"status\":\"stopped\",\"storageEncrypted\":false,\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-cluster\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "rds.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "sg-4e483165",
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "rds.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-cluster",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log new file mode 100644
index 0000000000..b99a83c696
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"02b373b8-8b7b-49a9-8b56-2a6364d01de5","eventName":"DeleteDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:59:37Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"5cfa3493-7350-4703-8a8e-d98734405624","requestParameters":{"dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored","deleteAutomatedBackups":true,"skipFinalSnapshot":true},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"availabilityZone":"us-east-1b","backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"","copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored","dBInstanceClass":"db.t3.small","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored","dBInstanceStatus":"deleting","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpo
st":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-VTGGYHG364W76XFDRWWXSUUKJU","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"endpoint":{"address":"test-cloudtrail-event-instance-31611-restored.cputujbhmdty.us-east-1.rds.amazonaws.com","hostedZoneId":"Z2R2ITUGPM61AM","port":3306},"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.32","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"instanceCreateTime":"Oct 10, 2024 3:30:23 PM","latestRestorableTime":"Oct 10, 2024 3:55:00 PM","licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:50-10:20","preferredMaintenanceWindow":"mon:05:28-mon:05:58","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-instance","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json new file mode 100644 index 0000000000..9c1f756835 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json 
@@ -0,0 +1,256 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:59:37.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored", + "deleteAutomatedBackups": true, + "skipFinalSnapshot": true + }, + "response_elements": { + "allocatedStorage": 20, + "autoMinorVersionUpgrade": true, + "availabilityZone": "us-east-1b", + "backupRetentionPeriod": 1, + "backupTarget": "region", + "copyTagsToSnapshot": false, + "customerOwnedIpEnabled": false, + "dBInstanceArn": "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored", + "dBInstanceClass": "db.t3.small", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored", + "dBInstanceStatus": "deleting", + "dBParameterGroups": [ + { + "dBParameterGroupName": "default.mysql8.0", + "parameterApplyStatus": "in-sync" + } + ], + "dBSubnetGroup": { + "dBSubnetGroupDescription": "default", + "dBSubnetGroupName": "default", + "subnetGroupStatus": "Complete", + "subnets": [ + { + "subnetAvailabilityZone": { + "name": "us-east-1d" + }, + "subnetIdentifier": "subnet-c4bf5e9b", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1a" + }, + "subnetIdentifier": "subnet-0a0bee6c", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1e" + }, + "subnetIdentifier": "subnet-37391109", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1b" + }, + "subnetIdentifier": "subnet-fee506df", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1f" + }, + "subnetIdentifier": "subnet-bf6ab5b1", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1c" + }, + 
"subnetIdentifier": "subnet-8bdf6bc6", + "subnetStatus": "Active" + } + ], + "vpcId": "vpc-73d2e309" + }, + "dbInstancePort": 0, + "dbiResourceId": "db-VTGGYHG364W76XFDRWWXSUUKJU", + "dedicatedLogVolume": false, + "deletionProtection": false, + "endpoint": { + "address": "test-cloudtrail-event-instance-31611-restored.cputujbhmdty.us-east-1.rds.amazonaws.com", + "hostedZoneId": "Z2R2ITUGPM61AM", + "port": 3306 + }, + "engine": "mysql", + "engineLifecycleSupport": "open-source-rds-extended-support", + "engineVersion": "8.0.32", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "instanceCreateTime": "Oct 10, 2024 3:30:23 PM", + "latestRestorableTime": "Oct 10, 2024 3:55:00 PM", + "licenseModel": "general-public-license", + "masterUsername": "admin", + "monitoringInterval": 0, + "multiAZ": false, + "networkType": "IPV4", + "optionGroupMemberships": [ + { + "optionGroupName": "default:mysql-8-0", + "status": "in-sync" + } + ], + "performanceInsightsEnabled": false, + "preferredBackupWindow": "09:50-10:20", + "preferredMaintenanceWindow": "mon:05:28-mon:05:58", + "publiclyAccessible": true, + "storageEncrypted": false, + "storageThroughput": 0, + "storageType": "gp2", + "vpcSecurityGroups": [ + { + "status": "active", + "vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "5cfa3493-7350-4703-8a8e-d98734405624", + "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored, skipFinalSnapshot=true, deleteAutomatedBackups=true}", + "response_elements": "{allocatedStorage=20, backupTarget=region, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], availabilityZone=us-east-1b, dbiResourceId=db-VTGGYHG364W76XFDRWWXSUUKJU, preferredBackupWindow=09:50-10:20, deletionProtection=false, dBInstanceArn=arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored, 
dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored, endpoint={hostedZoneId=Z2R2ITUGPM61AM, address=test-cloudtrail-event-instance-31611-restored.cputujbhmdty.us-east-1.rds.amazonaws.com, port=3306}, engine=mysql, publiclyAccessible=true, iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.32, performanceInsightsEnabled=false, masterUsername=admin, multiAZ=false, instanceCreateTime=Oct 10, 2024 3:30:23 PM, dBInstanceClass=db.t3.small, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, monitoringInterval=0, preferredMaintenanceWindow=mon:05:28-mon:05:58, dBInstanceStatus=deleting, backupRetentionPeriod=1, engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=in-sync}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, latestRestorableTime=Oct 10, 2024 3:55:00 PM}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": 
"000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteDBInstance", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "02b373b8-8b7b-49a9-8b56-2a6364d01de5", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"02b373b8-8b7b-49a9-8b56-2a6364d01de5\",\"eventName\":\"DeleteDBInstance\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:59:37Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"5cfa3493-7350-4703-8a8e-d98734405624\",\"requestParameters\":{\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored\",\"deleteAutomatedBackups\":true,\"skipFinalSnapshot\":true},\"responseElements\":{\"allocatedStorage\":20,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"availabilityZone\":\"us-east-1b\",\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"\",\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored\",\"dBInstanceClass\":\"db.t3.small\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored\",\"dBInstanceStatus\":\"deleting\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1e\"},\"subnetIdentifier\":\"subnet-37391
109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-VTGGYHG364W76XFDRWWXSUUKJU\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"endpoint\":{\"address\":\"test-cloudtrail-event-instance-31611-restored.cputujbhmdty.us-east-1.rds.amazonaws.com\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"port\":3306},\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.32\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"instanceCreateTime\":\"Oct 10, 2024 3:30:23 PM\",\"latestRestorableTime\":\"Oct 10, 2024 3:55:00 PM\",\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"in-sync\"}],\"pendingModifiedValues\":{},\"performanceInsightsEnabled\":false,\"preferredBackupWindow\":\"09:50-10:20\",\"preferredMaintenanceWindow\":\"mon:05:28-mon:05:58\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 
md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-instance\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "test@elastic.co", + "subnet-0a0bee6c", + "subnet-37391109", + "arn:aws:iam::000000000:user/test@elastic.co", + "subnet-bf6ab5b1", + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored", + "subnet-8bdf6bc6", + "test-cloudtrail-event-instance-31611-restored", + "vpc-73d2e309", + "ACCESSKEYID", + "subnet-fee506df" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 
md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-db-instance",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log
new file mode 100644
index 0000000000..e5f6ba6550
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"3468e5a5-fdab-4c86-a43e-bc8e1d9bd4f8","eventName":"DeleteDetector","eventSource":"guardduty.amazonaws.com","eventTime":"2024-09-27T13:39:33Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"ae4ec29d-4df9-4a15-a521-dc2ac12ee907","requestParameters":{"detectorId":"82c919daa523bc69d203c24868c06849"},"responseElements":null,"sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#guardduty.delete-detector","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
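Review bot: The new `.log` fixture is declared as two added lines (`@@ -0,0 +1,2 @@`) for a single event, and the empty second line is what produces the trailing document in every new expected file — the one with only `@timestamp`, `ecs`, `event` and `tags`, no `event.original`, no `event.action` and no user or source fields, yet `"outcome": "success"`. Drop the trailing blank line from each new `.log` fixture and regenerate the expected files so the tests pin only real CloudTrail records. I cannot see the ingest pipeline from here, but the artifact suggests an empty message is accepted and emitted as a successful event rather than dropped; a `drop` processor on an empty message is worth considering so that blank input never reaches detection rules as `event.outcome: success`.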
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log-expected.json
new file mode 100644
index 0000000000..e9c25fb3a7
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log-expected.json
@@ -0,0 +1,127 @@ +{ + "expected": [ + { + "@timestamp": "2024-09-27T13:39:33.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "detectorId": "82c919daa523bc69d203c24868c06849" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "ae4ec29d-4df9-4a15-a521-dc2ac12ee907", + "request_parameters": "{detectorId=82c919daa523bc69d203c24868c06849}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteDetector", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "3468e5a5-fdab-4c86-a43e-bc8e1d9bd4f8", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"3468e5a5-fdab-4c86-a43e-bc8e1d9bd4f8\",\"eventName\":\"DeleteDetector\",\"eventSource\":\"guardduty.amazonaws.com\",\"eventTime\":\"2024-09-27T13:39:33Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"ae4ec29d-4df9-4a15-a521-dc2ac12ee907\",\"requestParameters\":{\"detectorId\":\"82c919daa523bc69d203c24868c06849\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#guardduty.delete-detector\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "guardduty.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "82c919daa523bc69d203c24868c06849", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "82c919daa523bc69d203c24868c06849" + ] + } + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c11215cc-0dab-4506-b744-4f477e8062f6 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#guardduty.delete-detector", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
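Review bot: This expected document locks in `"type": ["info"]` with no `event.category` for a GuardDuty `DeleteDetector`, even though the record is `"read_only": false` and disabling the detector is a textbook defense-evasion step that detection rules key on by ECS category. If the categorization comes from the shared pipeline, consider mapping non-read-only `Delete*` management calls to `event.type: ["deletion"]` (with `event.category: ["configuration"]` or similar) before these values are frozen into fixtures; if that is deliberately out of scope, a short changelog note would stop the next reader from assuming `info` is intended. The trailing second document containing only `@timestamp`, `ecs`, `event` and `tags` is the parse of the blank line in the `.log` input rather than a real event and should not be part of the expected output.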
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log
new file mode 100644
index 0000000000..47adfcf2bb
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log
@@ -0,0 +1,2 @@
+{"apiVersion":"2015-02-01","awsRegion":"us-east-1","eventCategory":"Management","eventID":"991febec-e616-4d4f-8d55-46ee07e792c2","eventName":"DeleteFileSystem","eventSource":"elasticfilesystem.amazonaws.com","eventTime":"2024-10-16T11:47:58Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"79734254-9ba0-4c64-9519-e7e11703b57f","requestParameters":{"fileSystemId":"fs-083449b7896389cf9"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elasticfilesystem.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#efs.delete-file-system","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log-expected.json
new file mode 100644
index 0000000000..b1e29ac433
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log-expected.json
@@ -0,0 +1,136 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T11:47:58.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "api_version": "2015-02-01", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "fileSystemId": "fs-083449b7896389cf9" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "79734254-9ba0-4c64-9519-e7e11703b57f", + "request_parameters": "{fileSystemId=fs-083449b7896389cf9}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteFileSystem", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "991febec-e616-4d4f-8d55-46ee07e792c2", + "kind": "event", + "original": "{\"apiVersion\":\"2015-02-01\",\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"991febec-e616-4d4f-8d55-46ee07e792c2\",\"eventName\":\"DeleteFileSystem\",\"eventSource\":\"elasticfilesystem.amazonaws.com\",\"eventTime\":\"2024-10-16T11:47:58Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"79734254-9ba0-4c64-9519-e7e11703b57f\",\"requestParameters\":{\"fileSystemId\":\"fs-083449b7896389cf9\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elasticfilesystem.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe 
md/prompt#off md/command#efs.delete-file-system\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "elasticfilesystem.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "fs-083449b7896389cf9" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "fs-083449b7896389cf9" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elasticfilesystem.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#efs.delete-file-system", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } 
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log
new file mode 100644
index 0000000000..d55d79a0ec
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b9203069-9e9f-4521-9d18-91247d5b00c1","eventName":"DeleteFlowLogs","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-08T09:08:34Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"d8c28cc8-d071-480a-a095-45f38e3a16af","requestParameters":{"DeleteFlowLogsRequest":{"FlowLogId":{"content":"fl-07a9b55570fe770b6","tag":1}}},"responseElements":{"DeleteFlowLogsResponse":{"requestId":"d8c28cc8-d071-480a-a095-45f38e3a16af","unsuccessful":"","xmlns":"http://ec2.amazonaws.com/doc/2016-11-15/"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_75fa5727-bcff-4f66-b724-d4ae63f02450 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-flow-logs","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log-expected.json
new file mode 100644
index 0000000000..21a8e0019c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log-expected.json
@@ -0,0 +1,147 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-08T09:08:34.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "DeleteFlowLogsRequest": { + "FlowLogId": { + "content": "fl-07a9b55570fe770b6", + "tag": 1 + } + } + }, + "response_elements": { + "DeleteFlowLogsResponse": { + "requestId": "d8c28cc8-d071-480a-a095-45f38e3a16af", + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "d8c28cc8-d071-480a-a095-45f38e3a16af", + "request_parameters": "{DeleteFlowLogsRequest={FlowLogId={tag=1, content=fl-07a9b55570fe770b6}}}", + "response_elements": "{DeleteFlowLogsResponse={xmlns=http://ec2.amazonaws.com/doc/2016-11-15/, requestId=d8c28cc8-d071-480a-a095-45f38e3a16af}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteFlowLogs", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "b9203069-9e9f-4521-9d18-91247d5b00c1", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b9203069-9e9f-4521-9d18-91247d5b00c1\",\"eventName\":\"DeleteFlowLogs\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-08T09:08:34Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"d8c28cc8-d071-480a-a095-45f38e3a16af\",\"requestParameters\":{\"DeleteFlowLogsRequest\":{\"FlowLogId\":{\"content\":\"fl-07a9b55570fe770b6\",\"tag\":1}}},\"responseElements\":{\"DeleteFlowLogsResponse\":{\"requestId\":\"d8c28cc8-d071-480a-a095-45f38e3a16af\",\"unsuccessful\":\"\",\"xmlns\":\"http://ec2.amazonaws.com/doc/2016-11-15/\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_75fa5727-bcff-4f66-b724-d4ae63f02450 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-flow-logs\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "fl-07a9b55570fe770b6" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": 
"216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "fl-07a9b55570fe770b6" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_75fa5727-bcff-4f66-b724-d4ae63f02450 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-flow-logs", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log new file mode 100644 index 0000000000..ea04b7ed4a --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log 
@@ -0,0 +1,2 @@
+{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"AIDA2IBR2EZTJMPOR52WV","arn":"arn:aws:iam::0000000000:user/test@elastic.co","accountId":"704479110758","accessKeyId":"ACCESSKEYID","userName":"romulo.farias@elastic.co"},"eventTime":"2024-10-16T12:00:32Z","eventSource":"rds.amazonaws.com","eventName":"DeleteGlobalCluster","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c99460e1-506d-4019-a094-ff9ee18d57a2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-global-cluster","requestParameters":{"globalClusterIdentifier":"myglobalcluster"},"responseElements":{"globalClusterIdentifier":"myglobalcluster","globalClusterResourceId":"cluster-23a4c8770d2a9306","globalClusterArn":"arn:aws:rds::704479110758:global-cluster:myglobalcluster","status":"available","engine":"aurora-mysql","engineVersion":"8.0.mysql_aurora.3.05.2","storageEncrypted":false,"deletionProtection":false,"globalClusterMembers":[],"endpoint":"myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com","tagList":[]},"requestID":"0fa55398-832a-4b9a-ae59-42cd82ce9ddd","eventID":"450f06c5-ece3-4b03-825e-b6791cbb71b8","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"704479110758","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log-expected.json
new file mode 100644
index 0000000000..5c7f2a1d65
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log-expected.json
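Review bot: This fixture is only partially sanitized: `principalId` is `AIDA2IBR2EZTJMPOR52WV`, `accountId` and `recipientAccountId` are `704479110758`, `userName` is `romulo.farias@elastic.co`, and `responseElements` carries an account-specific `globalClusterArn` and `endpoint` (`myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com`), while the `arn` field says account `0000000000` — so the record discloses a real-looking account, IAM principal and personal identity in a public repository and is internally inconsistent (the account in the ARN does not match `accountId`). Replace them with the placeholders the sibling fixtures use (`"principalId":"PRINCIPALID"`, `"accountId":"000000000"`, `"userName":"test@elastic.co"`) and make the ARN, `accountId`, `recipientAccountId` and the RDS ARN agree on one account. The expected file for this fixture then has to be regenerated, since it currently reproduces the same values in `user.id`, `user.name`, `related.entity`, `cloud.account.id`, `target.entity.id` and `event.original`.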
@@ -0,0 +1,147 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:00:32.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "globalClusterIdentifier": "myglobalcluster" + }, + "response_elements": { + "deletionProtection": false, + "endpoint": "myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com", + "engine": "aurora-mysql", + "engineVersion": "8.0.mysql_aurora.3.05.2", + "globalClusterArn": "arn:aws:rds::704479110758:global-cluster:myglobalcluster", + "globalClusterIdentifier": "myglobalcluster", + "globalClusterResourceId": "cluster-23a4c8770d2a9306", + "status": "available", + "storageEncrypted": false + } + }, + "read_only": false, + "recipient_account_id": "704479110758", + "request_id": "0fa55398-832a-4b9a-ae59-42cd82ce9ddd", + "request_parameters": "{globalClusterIdentifier=myglobalcluster}", + "response_elements": "{engineVersion=8.0.mysql_aurora.3.05.2, globalClusterResourceId=cluster-23a4c8770d2a9306, endpoint=myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com, globalClusterArn=arn:aws:rds::704479110758:global-cluster:myglobalcluster, engine=aurora-mysql, storageEncrypted=false, globalClusterIdentifier=myglobalcluster, status=available, deletionProtection=false}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::0000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "704479110758" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteGlobalCluster", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "450f06c5-ece3-4b03-825e-b6791cbb71b8", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"arn\":\"arn:aws:iam::0000000000:user/test@elastic.co\",\"accountId\":\"704479110758\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"romulo.farias@elastic.co\"},\"eventTime\":\"2024-10-16T12:00:32Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"DeleteGlobalCluster\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c99460e1-506d-4019-a094-ff9ee18d57a2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-global-cluster\",\"requestParameters\":{\"globalClusterIdentifier\":\"myglobalcluster\"},\"responseElements\":{\"globalClusterIdentifier\":\"myglobalcluster\",\"globalClusterResourceId\":\"cluster-23a4c8770d2a9306\",\"globalClusterArn\":\"arn:aws:rds::704479110758:global-cluster:myglobalcluster\",\"status\":\"available\",\"engine\":\"aurora-mysql\",\"engineVersion\":\"8.0.mysql_aurora.3.05.2\",\"storageEncrypted\":false,\"deletionProtection\":false,\"globalClusterMembers\":[],\"endpoint\":\"myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com\",\"tagList\":[]},\"requestID\":\"0fa55398-832a-4b9a-ae59-42cd82ce9ddd\",\"eventID\":\"450f06c5-ece3-4b03-825e-b6791cbb71b8\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"704479110758\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "ACCESSKEYID", + "romulo.farias@elastic.co", + "arn:aws:iam::0000000000:user/test@elastic.co", + "arn:aws:rds::704479110758:global-cluster:myglobalcluster" + ], + "user": [ + "romulo.farias@elastic.co" + ] + }, + 
"source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds::704479110758:global-cluster:myglobalcluster" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "AIDA2IBR2EZTJMPOR52WV", + "name": "romulo.farias@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c99460e1-506d-4019-a094-ff9ee18d57a2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-global-cluster", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json index d7ba80da30..75221ad2df 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json 
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2020-01-09T02:25:44.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -56,7 +63,6 @@
 },
 "related": {
 "entity": [
- "0123456789012",
 "EXAMPLE_KEY",
 "Alice",
 "arn:aws:iam::0123456789012:user/Alice"
@@ -70,7 +76,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "0123456789012",
@@ -86,6 +93,13 @@
 },
 {
 "@timestamp": "2020-01-09T02:25:11.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "error_code": "DeleteConflictException",
@@ -137,7 +151,6 @@
 },
 "related": {
 "entity": [
- "EXAMPLE_PRINCIPLE",
 "EXAMPLE_KEY_ID",
 "Alice",
 "arn:aws:iam::0123456789012:user/Alice"
@@ -151,7 +164,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "EXAMPLE_PRINCIPLE",
@@ -167,4 +181,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log
new file mode 100644
index 0000000000..0a2ca3a781
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log
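Review bot: The `related.entity` hunks remove the principal id (`- "0123456789012",` and `- "EXAMPLE_PRINCIPLE",`) while `user.id` in the same documents keeps that value, so the one field analysts use to pivot an IAM user or assumed-role session across events no longer includes the principal, and the access key id is still listed. If restricting entity ids to ARNs, access keys and names is deliberate, it is a behavior change for saved searches and entity views keyed on `related.entity` and should be called out in the changelog; if it is a side effect of the new actor/target mapping, the mapping should keep appending `user.id` to `related.entity`. Either way the newly added fixtures in this change pin the same omission, so the decision should be made before they land.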
@@ -0,0 +1,2 @@
+{"apiVersion":"20140328","awsRegion":"us-east-1","eventCategory":"Management","eventID":"008bf6fe-ac0d-4e7c-bf44-8effa3298139","eventName":"DeleteLogGroup","eventSource":"logs.amazonaws.com","eventTime":"2024-10-16T11:52:46Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"b8debffb-797c-4662-84c7-11057f7d81d8","requestParameters":{"logGroupName":"cloudtrail-log-group-test"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"logs.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-group","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log-expected.json
new file mode 100644
index 0000000000..aaec06daa2
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log-expected.json
@@ -0,0 +1,136 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-16T11:52:46.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "api_version": "20140328",
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.09",
+ "flattened": {
+ "request_parameters": {
+ "logGroupName": "cloudtrail-log-group-test"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "b8debffb-797c-4662-84c7-11057f7d81d8",
+ "request_parameters": "{logGroupName=cloudtrail-log-group-test}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteLogGroup",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "008bf6fe-ac0d-4e7c-bf44-8effa3298139",
+ "kind": "event",
+ "original": "{\"apiVersion\":\"20140328\",\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"008bf6fe-ac0d-4e7c-bf44-8effa3298139\",\"eventName\":\"DeleteLogGroup\",\"eventSource\":\"logs.amazonaws.com\",\"eventTime\":\"2024-10-16T11:52:46Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"b8debffb-797c-4662-84c7-11057f7d81d8\",\"requestParameters\":{\"logGroupName\":\"cloudtrail-log-group-test\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"logs.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-group\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "logs.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "cloudtrail-log-group-test",
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "cloudtrail-log-group-test"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "logs.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-group",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log
new file mode 100644
index 0000000000..bfba79e49e
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log
@@ -0,0 +1,2 @@
+{"apiVersion":"20140328","awsRegion":"us-east-1","eventCategory":"Management","eventID":"de6a307c-0dd4-4a31-959e-57a8e6086017","eventName":"DeleteLogStream","eventSource":"logs.amazonaws.com","eventTime":"2024-10-16T11:52:35Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"265a46f6-06fd-4821-81db-ff46049df594","requestParameters":{"logGroupName":"cloudtrail-log-group-test","logStreamName":"cloudtrail-log-stream-test"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"logs.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-stream","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log-expected.json
new file mode 100644
index 0000000000..303436abb4
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log-expected.json
@@ -0,0 +1,137 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-16T11:52:35.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "api_version": "20140328",
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.09",
+ "flattened": {
+ "request_parameters": {
+ "logGroupName": "cloudtrail-log-group-test",
+ "logStreamName": "cloudtrail-log-stream-test"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "265a46f6-06fd-4821-81db-ff46049df594",
+ "request_parameters": "{logGroupName=cloudtrail-log-group-test, logStreamName=cloudtrail-log-stream-test}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteLogStream",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "de6a307c-0dd4-4a31-959e-57a8e6086017",
+ "kind": "event",
+ "original": "{\"apiVersion\":\"20140328\",\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"de6a307c-0dd4-4a31-959e-57a8e6086017\",\"eventName\":\"DeleteLogStream\",\"eventSource\":\"logs.amazonaws.com\",\"eventTime\":\"2024-10-16T11:52:35Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"265a46f6-06fd-4821-81db-ff46049df594\",\"requestParameters\":{\"logGroupName\":\"cloudtrail-log-group-test\",\"logStreamName\":\"cloudtrail-log-stream-test\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"logs.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-stream\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "logs.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "cloudtrail-log-stream-test",
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "cloudtrail-log-stream-test"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "logs.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9e558a51-eb20-4c7a-846a-8778f6272b05 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#logs.delete-log-stream",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log
new file mode 100644
index 0000000000..780dd298fe
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log
@@ -0,0 +1,2 @@
+{"apiVersion":"2015-02-01","awsRegion":"us-east-1","eventCategory":"Management","eventID":"1a2ccc55-f2da-43ea-97b2-6d9820115cf1","eventName":"DeleteMountTarget","eventSource":"elasticfilesystem.amazonaws.com","eventTime":"2024-10-16T11:47:34Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"e0095e2c-26d2-4826-ae41-3bc0b85968ba","requestParameters":{"mountTargetId":"fsmt-012695c3935f60c2c"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elasticfilesystem.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#efs.delete-mount-target","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json
new file mode 100644
index 0000000000..e8cf440b96
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json 
@@ -0,0 +1,136 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-16T11:47:34.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "api_version": "2015-02-01",
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "mountTargetId": "fsmt-012695c3935f60c2c"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "e0095e2c-26d2-4826-ae41-3bc0b85968ba",
+ "request_parameters": "{mountTargetId=fsmt-012695c3935f60c2c}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteMountTarget",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "1a2ccc55-f2da-43ea-97b2-6d9820115cf1",
+ "kind": "event",
+ "original": "{\"apiVersion\":\"2015-02-01\",\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"1a2ccc55-f2da-43ea-97b2-6d9820115cf1\",\"eventName\":\"DeleteMountTarget\",\"eventSource\":\"elasticfilesystem.amazonaws.com\",\"eventTime\":\"2024-10-16T11:47:34Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"e0095e2c-26d2-4826-ae41-3bc0b85968ba\",\"requestParameters\":{\"mountTargetId\":\"fsmt-012695c3935f60c2c\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elasticfilesystem.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#efs.delete-mount-target\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "elasticfilesystem.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "fsmt-012695c3935f60c2c"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "fsmt-012695c3935f60c2c"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "elasticfilesystem.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e3a16eee-dd66-4a3f-8235-e4f21da4c9ae cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#efs.delete-mount-target",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log
new file mode 100644
index 0000000000..6692185bbf
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"0b1e6921-5fc4-4946-995e-c4e825701372","eventName":"DeleteNetworkAclEntry","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T09:00:16Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"b301e2a5-2f6c-4d7d-b317-5a72661ef911","requestParameters":{"egress":false,"networkAclId":"acl-0af9cb843511d66d4","ruleNumber":100},"responseElements":{"_return":true,"requestId":"b301e2a5-2f6c-4d7d-b317-5a72661ef911"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl-entry","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log-expected.json
new file mode 100644
index 0000000000..2d46a051f6
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log-expected.json 
@@ -0,0 +1,144 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-14T09:00:16.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.10",
+ "flattened": {
+ "request_parameters": {
+ "egress": false,
+ "networkAclId": "acl-0af9cb843511d66d4",
+ "ruleNumber": 100
+ },
+ "response_elements": {
+ "_return": true,
+ "requestId": "b301e2a5-2f6c-4d7d-b317-5a72661ef911"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "b301e2a5-2f6c-4d7d-b317-5a72661ef911",
+ "request_parameters": "{ruleNumber=100, egress=false, networkAclId=acl-0af9cb843511d66d4}",
+ "response_elements": "{_return=true, requestId=b301e2a5-2f6c-4d7d-b317-5a72661ef911}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteNetworkAclEntry",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "0b1e6921-5fc4-4946-995e-c4e825701372",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"0b1e6921-5fc4-4946-995e-c4e825701372\",\"eventName\":\"DeleteNetworkAclEntry\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T09:00:16Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"b301e2a5-2f6c-4d7d-b317-5a72661ef911\",\"requestParameters\":{\"egress\":false,\"networkAclId\":\"acl-0af9cb843511d66d4\",\"ruleNumber\":100},\"responseElements\":{\"_return\":true,\"requestId\":\"b301e2a5-2f6c-4d7d-b317-5a72661ef911\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl-entry\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "ec2.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "100",
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "acl-0af9cb843511d66d4"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "100",
+ "acl-0af9cb843511d66d4"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "ec2.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl-entry",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log
new file mode 100644
index 0000000000..5752f1d91f
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log
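Review bot: The DeleteNetworkAclEntry expectation puts the rule number into the target, `"id": [ "100", "acl-0af9cb843511d66d4" ]`, and also lists `"100"` in related.entity. A NACL rule number is an ordinal that is reused in every ACL in every account, not an identifier, so a bare "100" in target.entity.id and related.entity will join this event to unrelated ACL changes and to anything else whose id happens to stringify to 100. Since this file appears to be regenerated from the pipeline, the fix belongs in the actor/target mapping for this event name: take only networkAclId as the target and leave ruleNumber where it already is under aws.cloudtrail.flattened.request_parameters, then regenerate this expectation.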
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"fb96d105-4185-4a53-bbb0-97782fa0f1c5","eventName":"DeleteNetworkAcl","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-14T09:00:48Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"bf8ff092-827e-4d59-a191-1b956825767d","requestParameters":{"networkAclId":"acl-0af9cb843511d66d4"},"responseElements":{"_return":true,"requestId":"bf8ff092-827e-4d59-a191-1b956825767d"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log-expected.json
new file mode 100644
index 0000000000..d52eb80789
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log-expected.json
@@ -0,0 +1,140 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-14T09:00:48.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.10",
+ "flattened": {
+ "request_parameters": {
+ "networkAclId": "acl-0af9cb843511d66d4"
+ },
+ "response_elements": {
+ "_return": true,
+ "requestId": "bf8ff092-827e-4d59-a191-1b956825767d"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "bf8ff092-827e-4d59-a191-1b956825767d",
+ "request_parameters": "{networkAclId=acl-0af9cb843511d66d4}",
+ "response_elements": "{_return=true, requestId=bf8ff092-827e-4d59-a191-1b956825767d}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DeleteNetworkAcl",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "fb96d105-4185-4a53-bbb0-97782fa0f1c5",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"fb96d105-4185-4a53-bbb0-97782fa0f1c5\",\"eventName\":\"DeleteNetworkAcl\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-14T09:00:48Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"bf8ff092-827e-4d59-a191-1b956825767d\",\"requestParameters\":{\"networkAclId\":\"acl-0af9cb843511d66d4\"},\"responseElements\":{\"_return\":true,\"requestId\":\"bf8ff092-827e-4d59-a191-1b956825767d\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "ec2.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "acl-0af9cb843511d66d4"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "acl-0af9cb843511d66d4"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "ec2.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_8de3a094-8de4-45be-a488-d6525555d1d0 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.delete-network-acl",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log
new file mode 100644
index 0000000000..a3601dd4b7
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"a97d75bb-29a0-4454-9871-afe71c0b0628","eventName":"DeleteResolverQueryLogConfig","eventSource":"route53resolver.amazonaws.com","eventTime":"2024-10-08T12:02:30Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"06ef77d9-c53d-495d-922d-16332cf82162","requestParameters":{"originSequenceNumber":0,"resolverQueryLogConfigId":"rqlc-10e716304cee4d36"},"responseElements":{"resolverQueryLogConfig":{"arn":"arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36","associationCount":0,"creationTime":"2024-10-08T12:02:29.198327922Z","creatorRequestId":"379f5057-eb2e-4bdb-882a-a0b73d1ae7ef","destinationArn":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-resolver-query-log-config","id":"rqlc-10e716304cee4d36","name":"test-resolver-query-log-config","ownerId":"000000000","shareStatus":"NOT_SHARED","status":"DELETING"}},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"route53resolver.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_bdc2bf1b-79ea-4c15-a36c-8e95ff5b08e5 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#route53resolver.delete-resolver-query-log-config","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log-expected.json
new file mode 100644
index 0000000000..e9ff1ad5e0
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log-expected.json 
@@ -0,0 +1,151 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-08T12:02:30.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "originSequenceNumber": 0, + "resolverQueryLogConfigId": "rqlc-10e716304cee4d36" + }, + "response_elements": { + "resolverQueryLogConfig": { + "arn": "arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36", + "associationCount": 0, + "creationTime": "2024-10-08T12:02:29.198327922Z", + "creatorRequestId": "379f5057-eb2e-4bdb-882a-a0b73d1ae7ef", + "destinationArn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-resolver-query-log-config", + "id": "rqlc-10e716304cee4d36", + "name": "test-resolver-query-log-config", + "ownerId": "000000000", + "shareStatus": "NOT_SHARED", + "status": "DELETING" + } + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "06ef77d9-c53d-495d-922d-16332cf82162", + "request_parameters": "{originSequenceNumber=0, resolverQueryLogConfigId=rqlc-10e716304cee4d36}", + "response_elements": "{resolverQueryLogConfig={creatorRequestId=379f5057-eb2e-4bdb-882a-a0b73d1ae7ef, creationTime=2024-10-08T12:02:29.198327922Z, destinationArn=arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-resolver-query-log-config, associationCount=0, name=test-resolver-query-log-config, id=rqlc-10e716304cee4d36, arn=arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36, ownerId=000000000, shareStatus=NOT_SHARED, status=DELETING}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": 
"DeleteResolverQueryLogConfig", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "a97d75bb-29a0-4454-9871-afe71c0b0628", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"a97d75bb-29a0-4454-9871-afe71c0b0628\",\"eventName\":\"DeleteResolverQueryLogConfig\",\"eventSource\":\"route53resolver.amazonaws.com\",\"eventTime\":\"2024-10-08T12:02:30Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"06ef77d9-c53d-495d-922d-16332cf82162\",\"requestParameters\":{\"originSequenceNumber\":0,\"resolverQueryLogConfigId\":\"rqlc-10e716304cee4d36\"},\"responseElements\":{\"resolverQueryLogConfig\":{\"arn\":\"arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36\",\"associationCount\":0,\"creationTime\":\"2024-10-08T12:02:29.198327922Z\",\"creatorRequestId\":\"379f5057-eb2e-4bdb-882a-a0b73d1ae7ef\",\"destinationArn\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test-resolver-query-log-config\",\"id\":\"rqlc-10e716304cee4d36\",\"name\":\"test-resolver-query-log-config\",\"ownerId\":\"000000000\",\"shareStatus\":\"NOT_SHARED\",\"status\":\"DELETING\"}},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"route53resolver.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_bdc2bf1b-79ea-4c15-a36c-8e95ff5b08e5 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#route53resolver.delete-resolver-query-log-config\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": 
"route53resolver.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:route53resolver:us-east-1:000000000:resolver-query-log-config/rqlc-10e716304cee4d36" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "route53resolver.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_bdc2bf1b-79ea-4c15-a36c-8e95ff5b08e5 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#route53resolver.delete-resolver-query-log-config", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
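Review bot: This expected output pins `event.type: ["info"]` and no `event.category` for DeleteResolverQueryLogConfig, while the same commit moves DeleteTrail to `event.category: ["configuration"]` and `event.type: ["deletion"]`; a detection rule that selects deletions by `event.type: deletion` would not match this event. If the categorization is meant to follow the `Delete*` event name, these fixtures should expect `deletion` as well; if it is a per-event list in the pipeline, the omission is presumably a gap in that list rather than in the fixture, and either way the fixture currently locks in the `info` value. The new expected files for DeleteRuleGroup, DeleteRule and DeleteWebACL pin `info` in the same way.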
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log new file mode 100644 index 0000000000..578aa54044 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log @@ -0,0 +1,2 @@ +{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::000000000:user/test@elastic.co","accountId":"000000000","accessKeyId":"ACCESSKEYID","userName":"test@elastic.co"},"eventTime":"2024-10-16T12:25:41Z","eventSource":"wafv2.amazonaws.com","eventName":"DeleteRuleGroup","awsRegion":"us-west-2","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5a67476e-bb19-432d-92ed-f359bf72371b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#wafv2.delete-rule-group","requestParameters":{"name":"TestRuleGroup","scope":"REGIONAL","id":"e0e758d9-0c7d-4559-8374-ef0ef1f45a52","lockToken":"3af85fc3-af90-478c-ac9b-677e2c3fc821"},"responseElements":null,"requestID":"748b7ad7-b03c-4706-9d29-ecbf03dac42f","eventID":"798edcf5-1a3f-46f1-b8a5-ab89c3f036a4","readOnly":false,"eventType":"AwsApiCall","apiVersion":"2019-04-23","recipientAccountId":"000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"wafv2.us-west-2.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log-expected.json new file mode 100644 index 0000000000..a9d6298c46 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log-expected.json 
@@ -0,0 +1,139 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:25:41.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "api_version": "2019-04-23", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "id": "e0e758d9-0c7d-4559-8374-ef0ef1f45a52", + "lockToken": "3af85fc3-af90-478c-ac9b-677e2c3fc821", + "name": "TestRuleGroup", + "scope": "REGIONAL" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "748b7ad7-b03c-4706-9d29-ecbf03dac42f", + "request_parameters": "{scope=REGIONAL, name=TestRuleGroup, lockToken=3af85fc3-af90-478c-ac9b-677e2c3fc821, id=e0e758d9-0c7d-4559-8374-ef0ef1f45a52}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-west-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteRuleGroup", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "798edcf5-1a3f-46f1-b8a5-ab89c3f036a4", + "kind": "event", + "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"accountId\":\"000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"test@elastic.co\"},\"eventTime\":\"2024-10-16T12:25:41Z\",\"eventSource\":\"wafv2.amazonaws.com\",\"eventName\":\"DeleteRuleGroup\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5a67476e-bb19-432d-92ed-f359bf72371b cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#wafv2.delete-rule-group\",\"requestParameters\":{\"name\":\"TestRuleGroup\",\"scope\":\"REGIONAL\",\"id\":\"e0e758d9-0c7d-4559-8374-ef0ef1f45a52\",\"lockToken\":\"3af85fc3-af90-478c-ac9b-677e2c3fc821\"},\"responseElements\":null,\"requestID\":\"748b7ad7-b03c-4706-9d29-ecbf03dac42f\",\"eventID\":\"798edcf5-1a3f-46f1-b8a5-ab89c3f036a4\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"apiVersion\":\"2019-04-23\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"wafv2.us-west-2.amazonaws.com\"}}", + "outcome": "success", + "provider": "wafv2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "e0e758d9-0c7d-4559-8374-ef0ef1f45a52", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "e0e758d9-0c7d-4559-8374-ef0ef1f45a52" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "wafv2.us-west-2.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_5a67476e-bb19-432d-92ed-f359bf72371b cfg/retry-mode#standard 
md/installer#exe md/prompt#off md/command#wafv2.delete-rule-group", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log new file mode 100644 index 0000000000..ccaca02c8d --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log @@ -0,0 +1,2 @@ +{"apiVersion":"2015-10-07","awsRegion":"us-east-1","eventCategory":"Management","eventID":"17b63f55-a391-41dd-bc1c-a70bb2f0ba43","eventName":"DeleteRule","eventSource":"events.amazonaws.com","eventTime":"2024-10-16T12:18:46Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"db7cae2c-e8df-4b46-99f7-c41f7af67806","requestParameters":{"force":false,"name":"DailyLambdaFunction"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"events.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b419a2ee-9ee1-46e2-b9cf-73fa93c7e971 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#events.delete-rule","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log-expected.json new file mode 100644 index 0000000000..c70af07313 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log-expected.json 
@@ -0,0 +1,137 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:18:46.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "api_version": "2015-10-07", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "force": false, + "name": "DailyLambdaFunction" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "db7cae2c-e8df-4b46-99f7-c41f7af67806", + "request_parameters": "{name=DailyLambdaFunction, force=false}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteRule", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "17b63f55-a391-41dd-bc1c-a70bb2f0ba43", + "kind": "event", + "original": "{\"apiVersion\":\"2015-10-07\",\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"17b63f55-a391-41dd-bc1c-a70bb2f0ba43\",\"eventName\":\"DeleteRule\",\"eventSource\":\"events.amazonaws.com\",\"eventTime\":\"2024-10-16T12:18:46Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"db7cae2c-e8df-4b46-99f7-c41f7af67806\",\"requestParameters\":{\"force\":false,\"name\":\"DailyLambdaFunction\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"events.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b419a2ee-9ee1-46e2-b9cf-73fa93c7e971 cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#events.delete-rule\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "events.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "DailyLambdaFunction", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "DailyLambdaFunction" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "events.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b419a2ee-9ee1-46e2-b9cf-73fa93c7e971 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#events.delete-rule", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
index d82ca97bac..8371b21f09 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2020-01-10T16:07:08.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -54,7 +61,6 @@
 },
 "related": {
 "entity": [
- "EXAMPLE_ID",
 "EXAMPLE_KEY",
 "Bob",
 "Alice",
@@ -70,7 +76,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "EXAMPLE_ID",
@@ -88,4 +95,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
index e87b9ebb67..370c211d54 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2020-01-09T20:09:51.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -33,6 +40,9 @@
 },
 "event": {
 "action": "DeleteTrail",
+ "category": [
+ "configuration"
+ ],
 "created": "2021-11-11T01:02:03.123456789Z",
 "id": "EXAMPLE-3f9d-4634-8ff1-EXAMPLE",
 "kind": "event",
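Review bot: DeleteSSHPublicKey now gets `actor.entity.id` but no `target.entity.id`, while DeleteTrail and DeleteVirtualMFADevice in this same commit get both; `related.entity` here still lists `Bob`, which looks like the user whose key was removed and would be the natural target. If the source event carries the affected user name or key id in its request parameters (not visible in this hunk), the fixture should pin that as the target so the `actor_target_mapping` coverage for IAM deletions is actually exercised; if no target is derivable for this event, a short note in the pipeline's mapping would save the next reader the same question. The DeleteUser and EnableMFADevice expected files have the same actor-only shape, the latter with `arn:aws:iam::0123456789012:mfa/Bob` already among its related entities.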
@@ -40,12 +50,11 @@
 "outcome": "success",
 "provider": "cloudtrail.amazonaws.com",
 "type": [
- "info"
+ "deletion"
 ]
 },
 "related": {
 "entity": [
- "EXAMPLE_ID",
 "EXAMPLE_KEY",
 "Alice",
 "arn:aws:iam::0123456789012:user/Alice",
@@ -60,8 +69,16 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail"
+ ]
+ }
+ },
 "user": {
 "id": "EXAMPLE_ID",
 "name": "Alice"
@@ -76,4 +93,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
index a414ee7550..877f19e6a3 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2020-01-03T15:50:52.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -53,7 +60,6 @@
 },
 "related": {
 "entity": [
- "EX_PRINCIPAL_ID",
 "arn:aws:iam::123456789012:user/Alice",
 "Bob",
 "EXAMPLE_KEY_ID",
@@ -69,7 +75,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "EX_PRINCIPAL_ID",
@@ -87,4 +94,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
index ad9cc21c85..97c724aa5f 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2020-01-10T00:34:02.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_type": "AwsApiCall",
@@ -53,7 +60,6 @@
 },
 "related": {
 "entity": [
- "EXAMPLE_ID",
 "arn:aws:iam::0123456789012:mfa/Alice",
 "EXAMPLE_KEY",
 "Alice",
@@ -68,8 +74,16 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:mfa/Alice"
+ ]
+ }
+ },
 "user": {
 "id": "EXAMPLE_ID",
 "name": "Alice"
@@ -83,4 +97,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log
new file mode 100644
index 0000000000..1a3b64ac6b
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log
@@ -0,0 +1,2 @@ +{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::000000000:user/test@elastic.co","accountId":"000000000","accessKeyId":"ACCESSKEYID","userName":"test@elastic.co","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"creationDate":"2024-10-16T09:52:01Z","mfaAuthenticated":"false"}}},"eventTime":"2024-10-16T12:29:24Z","eventSource":"wafv2.amazonaws.com","eventName":"DeleteWebACL","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","requestParameters":{"name":"TestWebAcl","scope":"REGIONAL","id":"a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5","lockToken":"6d67ea01-9048-4ab5-addf-c5da40e9b182"},"responseElements":null,"requestID":"14743001-eef4-4746-b324-92b3d5f294f4","eventID":"630b00c0-475b-43e4-91d2-baec779aaf1d","readOnly":false,"eventType":"AwsApiCall","apiVersion":"2019-04-23","recipientAccountId":"000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"wafv2.us-east-1.amazonaws.com"},"sessionCredentialFromConsole":"true"} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json new file mode 100644 index 0000000000..d98deb9023 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json 
@@ -0,0 +1,148 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:29:24.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "api_version": "2019-04-23", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "id": "a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5", + "lockToken": "6d67ea01-9048-4ab5-addf-c5da40e9b182", + "name": "TestWebAcl", + "scope": "REGIONAL" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "14743001-eef4-4746-b324-92b3d5f294f4", + "request_parameters": "{scope=REGIONAL, name=TestWebAcl, lockToken=6d67ea01-9048-4ab5-addf-c5da40e9b182, id=a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "session_context": { + "creation_date": "2024-10-16T09:52:01.000Z", + "mfa_authenticated": "false" + }, + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DeleteWebACL", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "630b00c0-475b-43e4-91d2-baec779aaf1d", + "kind": "event", + "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"accountId\":\"000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"test@elastic.co\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2024-10-16T09:52:01Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-10-16T12:29:24Z\",\"eventSource\":\"wafv2.amazonaws.com\",\"eventName\":\"DeleteWebACL\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\",\"requestParameters\":{\"name\":\"TestWebAcl\",\"scope\":\"REGIONAL\",\"id\":\"a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5\",\"lockToken\":\"6d67ea01-9048-4ab5-addf-c5da40e9b182\"},\"responseElements\":null,\"requestID\":\"14743001-eef4-4746-b324-92b3d5f294f4\",\"eventID\":\"630b00c0-475b-43e4-91d2-baec779aaf1d\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"apiVersion\":\"2019-04-23\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"wafv2.us-east-1.amazonaws.com\"},\"sessionCredentialFromConsole\":\"true\"}", + "outcome": "success", + "provider": "wafv2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "wafv2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36", + "os": { 
+ "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "129.0.0.0" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log index 1b56c49209..07ef9d1ab5 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log 
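Review bot: The source event for this fixture carries `"sessionCredentialFromConsole":"true"` next to `mfaAuthenticated: "false"`, but the expected document keeps only `session_context.creation_date` and `session_context.mfa_authenticated`, so whether the console-session flag is dropped by design is not visible here. A console-originated session without MFA performing a WAF deletion is exactly the combination an analyst would filter on, so if the pipeline has no mapping for `sessionCredentialFromConsole` it is worth adding one (or recording in the pipeline why the field is left out) rather than letting the fixture silently pin its absence. Separately, `target.entity.id` here is the bare web ACL id `a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5` while the resolver fixture uses a full ARN; that mirrors what each service puts in `requestParameters`, but anything joining on entity ids should not assume a single identifier format.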
@@ -1 +1,2 @@
-{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"4a3864f4-8562-48e6-a0e5-795d63095b63","eventName":"DisableKey","eventSource":"kms.amazonaws.com","eventTime":"2024-09-11T09:29:16Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"1010101010101","requestID":"d537e26e-ff2a-4242-b3af-62cb56cac99b","requestParameters":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"resources":[{"ARN":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f","accountId":"1010101010101","type":"AWS::KMS::Key"}],"responseElements":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_256_GCM_SHA384","clientProvidedHostHeader":"kms.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}}
\ No newline at end of file
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"4a3864f4-8562-48e6-a0e5-795d63095b63","eventName":"DisableKey","eventSource":"kms.amazonaws.com","eventTime":"2024-09-11T09:29:16Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"1010101010101","requestID":"d537e26e-ff2a-4242-b3af-62cb56cac99b","requestParameters":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"resources":[{"ARN":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f","accountId":"1010101010101","type":"AWS::KMS::Key"}],"responseElements":{"keyId":"arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_256_GCM_SHA384","clientProvidedHostHeader":"kms.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json
index 2f722171fc..dffd63a69b 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2024-09-11T09:29:16.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_category": "Management",
@@ -57,7 +64,6 @@ }, "related": { "entity": [ - "AIDA2IBR2EZTJMPOR52WV", "ACCESS_KEY_EXAMPLE", "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f", @@ -87,8 +93,16 @@ "ip": "216.160.83.56" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], + "target": { + "entity": { + "id": [ + "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f" + ] + } + }, "tls": { "cipher": "TLS_AES_256_GCM_SHA384", "client": { @@ -109,6 +123,24 @@ "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/kms.disable-key", "version": "2.14.5" } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json index 05ca83b450..df9d834f07 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2019-11-27T15:11:09.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -53,11 +60,10 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Bob", - "Alice", "arn:aws:iam::0123456789012:mfa/Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ 
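Review bot: Dropping `AIDA2IBR2EZTJMPOR52WV` from `related.entity` removes the caller's `principalId` from the pivot field while `ACCESS_KEY_EXAMPLE` and the user ARN stay, and the enable-mfa expectation further down this page loses `EXAMPLE_ID` the same way. The principal ID is the identifier that survives an IAM user rename (the ARN does not) and it is what the pipeline puts in `user.id` in the other expectations here, so any saved search or entity join that pivots on `related.entity` by principal ID stops matching after this change. If the intent is to restrict `related.entity` to ARNs and access keys, a changelog line saying so would save detection authors a surprise; otherwise keep appending `aws.cloudtrail.user_identity.principal_id` as before.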
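Review bot: The second expected document appended at the end of the `@@ -109,6 +123,24 @@` hunk has no `event.action`, no `event.original`, no actor and no target, yet it asserts `event.outcome: success`, `event.kind: event` and the `actor_target_mapping` tag. It is presumably produced by the empty trailing line this commit adds to `test-disable-key-json.log` (`@@ -1 +1,2 @@`), and every new `.log` fixture on this page ends with the same `+` blank line, so every new expectation carries the same phantom document. A blank line is not a CloudTrail record: strip the trailing newline from the fixtures, or have the pipeline drop an empty `message` before outcome and tags are set, because an empty event reported as a successful API call would be indexed in production too.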
@@ -70,7 +76,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -88,4 +95,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log new file mode 100644 index 0000000000..4b7e67aec5 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log 
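Review bot: This expectation gains `actor.entity.id` and the `actor_target_mapping` tag but no `target.entity.id`: the hunk goes from `tags` straight to `user`, whereas the DisableKey and GetBucketPolicy expectations insert a `target` block at that position. `related.entity` still carries `Bob` and `arn:aws:iam::0123456789012:mfa/Bob`, so the target of EnableMFADevice (the user whose device is enabled, or the device ARN) is evidently available from the request, which is outside this diff. If IAM user-management events are meant to have no target, a comment in the mapping and a changelog line would stop detections from assuming the tag implies a populated target; otherwise map the target user or MFA device here.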
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:AWSConfig-Describe","arn":"arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe","accountId":"0000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig","accountId":"0000000000","userName":"AWSServiceRoleForConfig"},"attributes":{"creationDate":"2024-11-01T14:43:08Z","mfaAuthenticated":"false"}},"invokedBy":"config.amazonaws.com"},"eventTime":"2024-11-01T14:43:10Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketPolicy","awsRegion":"us-east-2","sourceIPAddress":"config.amazonaws.com","userAgent":"config.amazonaws.com","requestParameters":{"bucketName":"threat-scenario-flow-log-bucket-23456","Host":"threat-scenario-flow-log-bucket-23456.s3.us-east-2.amazonaws.com","policy":""},"responseElements":null,"additionalEventData":{"SignatureVersion":"SigV4","CipherSuite":"TLS_AES_128_GCM_SHA256","bytesTransferredIn":0,"AuthenticationMethod":"AuthHeader","x-amz-id-2":"o79Z9Vmav+g4pjpJnrdSi7E0bRxGmRK6ajtnrWM2OWitxuTfVG+ubdQA+2BTjzyfZYOb35SnuAk=","bytesTransferredOut":791},"requestID":"7DRDBED4X4BTGMF3","eventID":"d998d8c4-3191-4a8b-b5dd-d7f4ed6f647d","readOnly":true,"resources":[{"accountId":"0000000000","type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::threat-scenario-flow-log-bucket-23456"}],"eventType":"AwsApiCall","recipientAccountId":"0000000000","vpcEndpointId":"vpce-16a4477f","eventCategory":"Management"}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json
new file mode 100644
index 0000000000..b5649a6ec2
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json 
@@ -0,0 +1,138 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-01T14:43:10.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=0, AuthenticationMethod=AuthHeader, x-amz-id-2=o79Z9Vmav+g4pjpJnrdSi7E0bRxGmRK6ajtnrWM2OWitxuTfVG+ubdQA+2BTjzyfZYOb35SnuAk=, bytesTransferredOut=791}", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 0, + "bytesTransferredOut": 791, + "x-amz-id-2": "o79Z9Vmav+g4pjpJnrdSi7E0bRxGmRK6ajtnrWM2OWitxuTfVG+ubdQA+2BTjzyfZYOb35SnuAk=" + }, + "request_parameters": { + "Host": "threat-scenario-flow-log-bucket-23456.s3.us-east-2.amazonaws.com", + "bucketName": "threat-scenario-flow-log-bucket-23456" + } + }, + "read_only": true, + "recipient_account_id": "0000000000", + "request_id": "7DRDBED4X4BTGMF3", + "request_parameters": "{bucketName=threat-scenario-flow-log-bucket-23456, Host=threat-scenario-flow-log-bucket-23456.s3.us-east-2.amazonaws.com}", + "resources": [ + { + "account_id": "0000000000", + "arn": "arn:aws:s3:::threat-scenario-flow-log-bucket-23456", + "type": "AWS::S3::Bucket" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe", + "invoked_by": "config.amazonaws.com", + "session_context": { + "creation_date": "2024-11-01T14:43:08.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "0000000000", + "arn": "arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": 
"AssumedRole" + }, + "vpc_endpoint_id": "vpce-16a4477f" + } + }, + "cloud": { + "account": { + "id": "0000000000" + }, + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetBucketPolicy", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "d998d8c4-3191-4a8b-b5dd-d7f4ed6f647d", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:AWSConfig-Describe\",\"arn\":\"arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe\",\"accountId\":\"0000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig\",\"accountId\":\"0000000000\",\"userName\":\"AWSServiceRoleForConfig\"},\"attributes\":{\"creationDate\":\"2024-11-01T14:43:08Z\",\"mfaAuthenticated\":\"false\"}},\"invokedBy\":\"config.amazonaws.com\"},\"eventTime\":\"2024-11-01T14:43:10Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"GetBucketPolicy\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"config.amazonaws.com\",\"userAgent\":\"config.amazonaws.com\",\"requestParameters\":{\"bucketName\":\"threat-scenario-flow-log-bucket-23456\",\"Host\":\"threat-scenario-flow-log-bucket-23456.s3.us-east-2.amazonaws.com\",\"policy\":\"\"},\"responseElements\":null,\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":0,\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"o79Z9Vmav+g4pjpJnrdSi7E0bRxGmRK6ajtnrWM2OWitxuTfVG+ubdQA+2BTjzyfZYOb35SnuAk=\",\"bytesTransferredOut\":791},\"requestID\":\"7DRDBED4X4BTGMF3\",\"eventID\":\"d998d8c4-3191-4a8b-b5dd-d7f4ed6f647d\",\"readOnly\":true,\"resources\":[{\"accountId\":\"0000000000\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::threat-scenario-flow-log-bucket-23456\"}],\"eventType\":\"Aw
sApiCall\",\"recipientAccountId\":\"0000000000\",\"vpcEndpointId\":\"vpce-16a4477f\",\"eventCategory\":\"Management\"}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:s3:::threat-scenario-flow-log-bucket-23456", + "AWSServiceRoleForConfig", + "threat-scenario-flow-log-bucket-23456", + "arn:aws:iam::0000000000:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig", + "arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe", + "ACCESSKEY" + ] + }, + "source": { + "address": "config.amazonaws.com" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::threat-scenario-flow-log-bucket-23456" + ] + } + }, + "user": { + "id": "PRINCIPALID:AWSConfig-Describe", + "name": "AWSServiceRoleForConfig" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "config.amazonaws.com" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log new file mode 100644 index 0000000000..bb46a5a544 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log 
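Review bot: `actor.entity.id` is the assumed-role session ARN `arn:aws:sts::0000000000:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe`, while the stable identity, `user_identity.session_context.session_issuer.arn`, appears only in `related.entity`. The session name is chosen by whoever calls AssumeRole, so every session (and every attacker-picked session name on a compromised role) becomes a separate actor entity, which fragments the entity graph and turns "all activity by this role" into a prefix query. Since `actor.entity.id` is already an array, emitting the issuer role ARN alongside, or instead of, the session ARN when `user_identity.type` is `AssumedRole` would keep one identity per role; `invoked_by: config.amazonaws.com` is also worth surfacing, as it marks the call as service-initiated rather than human.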
@@ -0,0 +1,2 @@
+{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/terraformer","accountId":"00000000000","accessKeyId":"ACCESSKEY","userName":"terraformer"},"eventTime":"2024-11-02T00:20:40Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-sdk-nodejs/2.1384.0 darwin/v20.16.0 AWS-Toolkit-For-VSCode/3.31.0 Visual-Studio-Code/1.94.2 ClientId/37f8324b-eab7-4264-9abd-4be2e6454726 promise","requestParameters":null,"responseElements":null,"requestID":"12ab45a7-ecba-479c-890e-87c5e40cba71","eventID":"b62fe3ff-ae80-496c-a2e9-32abb2a1281d","readOnly":true,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"sts.us-east-1.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json
new file mode 100644
index 0000000000..857aa0e995
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json
@@ -0,0 +1,133 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-02T00:20:40.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/terraformer" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": {}, + "read_only": true, + "recipient_account_id": "00000000000", + "request_id": "12ab45a7-ecba-479c-890e-87c5e40cba71", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:iam::00000000000:user/terraformer", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetCallerIdentity", + "category": [ + "authentication" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "b62fe3ff-ae80-496c-a2e9-32abb2a1281d", + "kind": "event", + "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/terraformer\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"userName\":\"terraformer\"},\"eventTime\":\"2024-11-02T00:20:40Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"GetCallerIdentity\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-sdk-nodejs/2.1384.0 darwin/v20.16.0 AWS-Toolkit-For-VSCode/3.31.0 Visual-Studio-Code/1.94.2 ClientId/37f8324b-eab7-4264-9abd-4be2e6454726 promise\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"12ab45a7-ecba-479c-890e-87c5e40cba71\",\"eventID\":\"b62fe3ff-ae80-496c-a2e9-32abb2a1281d\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"sts.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "sts.amazonaws.com", + 
"type": [ + "info" + ] + }, + "related": { + "entity": [ + "00000000000", + "arn:aws:iam::00000000000:user/terraformer", + "ACCESSKEY", + "terraformer" + ], + "user": [ + "terraformer" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "00000000000" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "sts.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "terraformer" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-sdk-nodejs", + "original": "aws-sdk-nodejs/2.1384.0 darwin/v20.16.0 AWS-Toolkit-For-VSCode/3.31.0 Visual-Studio-Code/1.94.2 ClientId/37f8324b-eab7-4264-9abd-4be2e6454726 promise", + "version": "2.1384.0" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log new file mode 100644 index 0000000000..1dc7bc797d --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log 
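Review bot: `target.entity.id` for GetCallerIdentity is the bare account id `00000000000`, whereas the other new expectations use resource ARNs, so the field now mixes identifier namespaces that cannot be joined without first inspecting `event.action`. The original event has `requestParameters: null` and no `resources`, so an absent target is more accurate than the recipient account; if the account is deliberately the target, its ARN form would keep it in the same namespace as the other values. Separately, `event.category` is `authentication` for a read-only identity lookup in which no credential is exchanged; if that is intended for all `sts.amazonaws.com` events, a comment in the pipeline would help the next reader.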
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5281404d-2abb-401a-bd97-450c064ebc77","eventName":"GetParameter","eventSource":"ssm.amazonaws.com","eventTime":"2024-10-15T08:55:22Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":true,"recipientAccountId":"000000000","requestID":"d20614d2-0b16-4297-bec5-1cf8fe1204ff","requestParameters":{"name":"/inspector-aws/service/inspector-linux-application-paths"},"resources":[{"ARN":"arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths","accountId":"000000000"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com","tlsVersion":"TLSv1.2"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameter","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log-expected.json
new file mode 100644
index 0000000000..b2036f560c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log-expected.json
@@ -0,0 +1,141 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:55:22.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "name": "/inspector-aws/service/inspector-linux-application-paths" + } + }, + "read_only": true, + "recipient_account_id": "000000000", + "request_id": "d20614d2-0b16-4297-bec5-1cf8fe1204ff", + "request_parameters": "{name=/inspector-aws/service/inspector-linux-application-paths}", + "resources": [ + { + "account_id": "000000000", + "arn": "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetParameter", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "5281404d-2abb-401a-bd97-450c064ebc77", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5281404d-2abb-401a-bd97-450c064ebc77\",\"eventName\":\"GetParameter\",\"eventSource\":\"ssm.amazonaws.com\",\"eventTime\":\"2024-10-15T08:55:22Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":true,\"recipientAccountId\":\"000000000\",\"requestID\":\"d20614d2-0b16-4297-bec5-1cf8fe1204ff\",\"requestParameters\":{\"name\":\"/inspector-aws/service/inspector-linux-application-paths\"},\"resources\":[{\"ARN\":\"arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths\",\"accountId\":\"000000000\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.2\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameter\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + 
"region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameter", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log new file mode 100644 index 0000000000..d11dd0bc33 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"0bf5611f-fa60-46ee-b2bf-42e8c9d7350a","eventName":"GetParameters","eventSource":"ssm.amazonaws.com","eventTime":"2024-10-15T08:55:36Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":true,"recipientAccountId":"000000000","requestID":"c1b53282-e3af-4cf1-b6b5-ad2ebafb5c1b","requestParameters":{"names":["/inspector-aws/service/inspector-linux-application-paths"]},"resources":[{"ARN":"arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths","accountId":"000000000"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com","tlsVersion":"TLSv1.2"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameters","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log-expected.json
new file mode 100644
index 0000000000..fee6258258
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log-expected.json
@@ -0,0 +1,143 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:55:36.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "names": [ + "/inspector-aws/service/inspector-linux-application-paths" + ] + } + }, + "read_only": true, + "recipient_account_id": "000000000", + "request_id": "c1b53282-e3af-4cf1-b6b5-ad2ebafb5c1b", + "request_parameters": "{names=[/inspector-aws/service/inspector-linux-application-paths]}", + "resources": [ + { + "account_id": "000000000", + "arn": "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetParameters", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "0bf5611f-fa60-46ee-b2bf-42e8c9d7350a", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"0bf5611f-fa60-46ee-b2bf-42e8c9d7350a\",\"eventName\":\"GetParameters\",\"eventSource\":\"ssm.amazonaws.com\",\"eventTime\":\"2024-10-15T08:55:36Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":true,\"recipientAccountId\":\"000000000\",\"requestID\":\"c1b53282-e3af-4cf1-b6b5-ad2ebafb5c1b\",\"requestParameters\":{\"names\":[\"/inspector-aws/service/inspector-linux-application-paths\"]},\"resources\":[{\"ARN\":\"arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths\",\"accountId\":\"000000000\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.2\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameters\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": 
"US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:ssm:us-east-1:000000000:parameter/inspector-aws/service/inspector-linux-application-paths" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.get-parameters", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log new file mode 100644 index 0000000000..7b5594bfc3 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"8e09c825-df0e-43d5-898d-92504bb56c4f","eventName":"GetPasswordData","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-11T12:28:40Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":true,"recipientAccountId":"000000000","requestID":"31e352d1-f0d1-4d6b-a45e-5573c628f958","requestParameters":{"instanceId":"i-003e90a87a9e72f06"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dfab1909-b107-4e87-a960-7b52fc3394fd cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.get-password-data","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log-expected.json
new file mode 100644
index 0000000000..5d1fe83728
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log-expected.json
@@ -0,0 +1,135 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-11T12:28:40.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "instanceId": "i-003e90a87a9e72f06" + } + }, + "read_only": true, + "recipient_account_id": "000000000", + "request_id": "31e352d1-f0d1-4d6b-a45e-5573c628f958", + "request_parameters": "{instanceId=i-003e90a87a9e72f06}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetPasswordData", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "8e09c825-df0e-43d5-898d-92504bb56c4f", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"8e09c825-df0e-43d5-898d-92504bb56c4f\",\"eventName\":\"GetPasswordData\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-11T12:28:40Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":true,\"recipientAccountId\":\"000000000\",\"requestID\":\"31e352d1-f0d1-4d6b-a45e-5573c628f958\",\"requestParameters\":{\"instanceId\":\"i-003e90a87a9e72f06\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dfab1909-b107-4e87-a960-7b52fc3394fd cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#ec2.get-password-data\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "i-003e90a87a9e72f06", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "i-003e90a87a9e72f06" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dfab1909-b107-4e87-a960-7b52fc3394fd cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.get-password-data", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
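Review bot: `event.category` is absent on this ec2 event (the `event` object in this hunk has only `action`, `created`, `id`, `kind`, `original`, `outcome`, `provider` and `type`), whereas the iam events later in this commit carry `"category": ["iam"]`. GetPasswordData returns an instance's encrypted administrator password, so a detection keyed on `event.category` would not see it; if categorization is intentionally limited to a fixed list of sources, this fixture is a good place to confirm that gap is deliberate. The same applies to the secretsmanager GetSecretValue event in the get-secret-value expected hunk and the rds ModifyDBCluster event later on. The second object in `expected`, with no `event.original` or `aws` fields, appears to come from the sample file's empty trailing line.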
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log
new file mode 100644
index 0000000000..0573a39721
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-00486a46a6d8692b9","arn":"arn:aws:sts::00000000000:assumed-role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9/i-00486a46a6d8692b9","accountId":"00000000000","accessKeyId":"ACCESSKEYID","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9","accountId":"00000000000","userName":"Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9"},"attributes":{"creationDate":"2024-10-31T19:53:23Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-31T19:55:57Z","eventSource":"iam.amazonaws.com","eventName":"GetPolicy","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"m/E aws-sdk-go-v2/1.30.1 os/linux lang/go#1.22.6 md/GOOS#linux md/GOARCH#arm64 api/iam#1.34.1","requestParameters":{"policyArn":"arn:aws:iam::aws:policy/AWSSupportAccess"},"responseElements":null,"requestID":"efdfdc6c-9299-4d31-aa7b-993ff1dc9d44","eventID":"f4ac5dda-9e60-4c8a-a04e-e0e7fe2907b1","readOnly":true,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json
new file mode 100644
index 0000000000..d5bd9afb36
--- /dev/null
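Review bot: Sanitization is uneven across these sample files: `principalId` and `accessKeyId` are replaced by `PRINCIPALID`/`ACCESSKEYID`, but the account ID here is the 11-digit `00000000000` while the other samples use the 9-digit `000000000`, and neither has the 12-digit shape of a real account ID, so any account-ID-dependent handling is not exercised realistically. The CloudFormation-style role name with its random suffix, the instance ID in the session name and the request/event IDs look like values lifted from a live account; consider normalizing them the way the other fixtures use `test@elastic.co`. The list-attached-role-policies sample hunk has the same pattern, with the bare user name `isai` left in `userName` and in the ARN.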
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json 
@@ -0,0 +1,148 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-31T19:55:57.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::00000000000:assumed-role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9/i-00486a46a6d8692b9" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyArn": "arn:aws:iam::aws:policy/AWSSupportAccess" + } + }, + "read_only": true, + "recipient_account_id": "00000000000", + "request_id": "efdfdc6c-9299-4d31-aa7b-993ff1dc9d44", + "request_parameters": "{policyArn=arn:aws:iam::aws:policy/AWSSupportAccess}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:sts::00000000000:assumed-role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9/i-00486a46a6d8692b9", + "session_context": { + "creation_date": "2024-10-31T19:53:23.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "00000000000", + "arn": "arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetPolicy", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "f4ac5dda-9e60-4c8a-a04e-e0e7fe2907b1", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-00486a46a6d8692b9\",\"arn\":\"arn:aws:sts::00000000000:assumed-role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9/i-00486a46a6d8692b9\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9\",\"accountId\":\"00000000000\",\"userName\":\"Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9\"},\"attributes\":{\"creationDate\":\"2024-10-31T19:53:23Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-31T19:55:57Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"GetPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"m/E aws-sdk-go-v2/1.30.1 os/linux lang/go#1.22.6 md/GOOS#linux md/GOARCH#arm64 api/iam#1.34.1\",\"requestParameters\":{\"policyArn\":\"arn:aws:iam::aws:policy/AWSSupportAccess\"},\"responseElements\":null,\"requestID\":\"efdfdc6c-9299-4d31-aa7b-993ff1dc9d44\",\"eventID\":\"f4ac5dda-9e60-4c8a-a04e-e0e7fe2907b1\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "ACCESSKEYID", + "arn:aws:iam::00000000000:role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9", + "arn:aws:iam::aws:policy/AWSSupportAccess", + "arn:aws:sts::00000000000:assumed-role/Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9/i-00486a46a6d8692b9", + "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" + ] + }, + 
"source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:iam::aws:policy/AWSSupportAccess" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-00486a46a6d8692b9", + "name": "Elastic-Cloud-Security-Posture-Man-ElasticAgentRole-EdUmKXybQxe9" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "m/E aws-sdk-go-v2/1.30.1 os/linux lang/go#1.22.6 md/GOOS#linux md/GOARCH#arm64 api/iam#1.34.1", + "os": { + "name": "Linux" + } + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log new file mode 100644 index 0000000000..0026d1af1c --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"f1a49924-6ba3-4340-9d21-bc98f090fc09","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","eventTime":"2024-10-11T08:55:23Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":true,"recipientAccountId":"000000000","requestID":"0b0c8a1a-497a-4758-a6fc-c046970dfb58","requestParameters":{"secretId":"arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"secretsmanager.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.get-secret-value","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log-expected.json
new file mode 100644
index 0000000000..c85ce6c577
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log-expected.json
@@ -0,0 +1,135 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-11T08:55:23.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "secretId": "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj" + } + }, + "read_only": true, + "recipient_account_id": "000000000", + "request_id": "0b0c8a1a-497a-4758-a6fc-c046970dfb58", + "request_parameters": "{secretId=arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GetSecretValue", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "f1a49924-6ba3-4340-9d21-bc98f090fc09", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"f1a49924-6ba3-4340-9d21-bc98f090fc09\",\"eventName\":\"GetSecretValue\",\"eventSource\":\"secretsmanager.amazonaws.com\",\"eventTime\":\"2024-10-11T08:55:23Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":true,\"recipientAccountId\":\"000000000\",\"requestID\":\"0b0c8a1a-497a-4758-a6fc-c046970dfb58\",\"requestParameters\":{\"secretId\":\"arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"secretsmanager.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.get-secret-value\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "secretsmanager.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:secretsmanager:us-east-1:000000000:secret:MyTestSecret-nxYStj" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "secretsmanager.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_e46e6e5b-f4d8-479c-9f84-ff7598c1ac9e cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#secretsmanager.get-secret-value", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, 
+ "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json index d216f2b05b..e1617d9947 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json @@ -75,12 +75,10 @@ "info" ] }, - "related": { - "entity": [] - }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ] } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log new file mode 100644 index 0000000000..ad188754cf --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log 
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/isai","accountId":"00000000000","accessKeyId":"ACCESSKEYID","userName":"isai"},"eventTime":"2024-10-30T20:57:27Z","eventSource":"iam.amazonaws.com","eventName":"ListAttachedRolePolicies","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"APN/1.0 HashiCorp/1.0 Terraform/1.9.6 (+https://www.terraform.io) terraform-provider-aws/5.73.0 (+https://registry.terraform.io/providers/hashicorp/aws) m/C aws-sdk-go-v2/1.32.2 os/macos lang/go#1.23.2 md/GOOS#darwin md/GOARCH#arm64 api/iam#1.37.2","requestParameters":{"roleName":"ec2-instance-role"},"responseElements":null,"requestID":"d0caa7bf-db57-4c8d-9c0f-e7875bd49187","eventID":"1990da13-89bd-4d1f-8307-3e6dae5a523c","readOnly":true,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log-expected.json
new file mode 100644
index 0000000000..6e256fa7ec
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log-expected.json
@@ -0,0 +1,137 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:57:27.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/isai" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "roleName": "ec2-instance-role" + } + }, + "read_only": true, + "recipient_account_id": "00000000000", + "request_id": "d0caa7bf-db57-4c8d-9c0f-e7875bd49187", + "request_parameters": "{roleName=ec2-instance-role}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::00000000000:user/isai", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ListAttachedRolePolicies", + "category": [ + "iam" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "1990da13-89bd-4d1f-8307-3e6dae5a523c", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/isai\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"isai\"},\"eventTime\":\"2024-10-30T20:57:27Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ListAttachedRolePolicies\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"APN/1.0 HashiCorp/1.0 Terraform/1.9.6 (+https://www.terraform.io) terraform-provider-aws/5.73.0 (+https://registry.terraform.io/providers/hashicorp/aws) m/C aws-sdk-go-v2/1.32.2 os/macos lang/go#1.23.2 md/GOOS#darwin md/GOARCH#arm64 
api/iam#1.37.2\",\"requestParameters\":{\"roleName\":\"ec2-instance-role\"},\"responseElements\":null,\"requestID\":\"d0caa7bf-db57-4c8d-9c0f-e7875bd49187\",\"eventID\":\"1990da13-89bd-4d1f-8307-3e6dae5a523c\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "ec2-instance-role", + "ACCESSKEYID", + "isai", + "arn:aws:iam::00000000000:user/isai" + ], + "user": [ + "isai" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "ec2-instance-role" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "isai" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "APN/1.0 HashiCorp/1.0 Terraform/1.9.6 (+https://www.terraform.io) terraform-provider-aws/5.73.0 (+https://registry.terraform.io/providers/hashicorp/aws) m/C aws-sdk-go-v2/1.32.2 os/macos lang/go#1.23.2 md/GOOS#darwin md/GOARCH#arm64 api/iam#1.37.2" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + 
] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log new file mode 100644 index 0000000000..88703bf92d --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log 
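Review bot: `target.entity.id` in this hunk is the bare role name `ec2-instance-role`, while the other fixtures in this commit carry an ARN (STS role session, IAM policy, secret, RDS cluster) or an instance ID in that field. A bare name is only unique within one account, so correlating targets across accounts on this field will mix unrelated roles; since `recipient_account_id` is available, the pipeline could build `arn:aws:iam::<recipientAccountId>:role/<roleName>` for iam requests that carry `roleName`, or the field documentation should state that it may hold a plain name. The role name is also duplicated into `related.entity`, which is fine, but that value has the same cross-account ambiguity.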
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"f029eaf0-a7ff-41d3-86cc-d46742094e1b","eventName":"ModifyDBCluster","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:22:35Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"cac7d66d-6c3d-41fc-a842-4dcb6308e20f","requestParameters":{"allowEngineModeChange":false,"allowMajorVersionUpgrade":false,"applyImmediately":true,"backupRetentionPeriod":14,"dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster","masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS"},"responseElements":{"allocatedStorage":1,"associatedRoles":[],"autoMinorVersionUpgrade":true,"availabilityZones":["us-east-1d","us-east-1b","us-east-1c"],"backupRetentionPeriod":14,"clusterCreateTime":"Oct 10, 2024 3:18:55 PM","copyTagsToSnapshot":false,"crossAccountClone":false,"dBClusterArn":"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster","dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster","dBClusterMembers":[],"dBClusterParameterGroup":"default.aurora-mysql8.0","dBSubnetGroup":"default","dbClusterResourceId":"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4","deletionProtection":false,"domainMemberships":[],"earliestRestorableTime":"Oct 10, 2024 3:19:46 PM","endpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com","engine":"aurora-mysql","engineMode":"provisioned","engineVersion":"8.0.mysql_aurora.3.07.1","hostedZoneId":"Z2R2ITUGPM61AM","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"latestRestorableTime":"Oct 10, 2024 3:19:46 
PM","localWriteForwardingStatus":"disabled","masterUsername":"master","multiAZ":false,"networkType":"IPV4","port":3306,"preferredBackupWindow":"03:14-03:44","preferredMaintenanceWindow":"wed:04:17-wed:04:47","readReplicaIdentifiers":[],"readerEndpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com","status":"available","storageEncrypted":false,"tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log-expected.json new file mode 100644 index 0000000000..0ff6cfd53d --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log-expected.json 
@@ -0,0 +1,186 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:22:35.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "allowEngineModeChange": false, + "allowMajorVersionUpgrade": false, + "applyImmediately": true, + "backupRetentionPeriod": 14, + "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster", + "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "response_elements": { + "allocatedStorage": 1, + "autoMinorVersionUpgrade": true, + "availabilityZones": [ + "us-east-1d", + "us-east-1b", + "us-east-1c" + ], + "backupRetentionPeriod": 14, + "clusterCreateTime": "Oct 10, 2024 3:18:55 PM", + "copyTagsToSnapshot": false, + "crossAccountClone": false, + "dBClusterArn": "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster", + "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster", + "dBClusterParameterGroup": "default.aurora-mysql8.0", + "dBSubnetGroup": "default", + "dbClusterResourceId": "cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4", + "deletionProtection": false, + "earliestRestorableTime": "Oct 10, 2024 3:19:46 PM", + "endpoint": "test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com", + "engine": "aurora-mysql", + "engineMode": "provisioned", + "engineVersion": "8.0.mysql_aurora.3.07.1", + "hostedZoneId": "Z2R2ITUGPM61AM", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "latestRestorableTime": "Oct 10, 2024 3:19:46 PM", + "localWriteForwardingStatus": "disabled", + "masterUsername": "master", + "multiAZ": false, + "networkType": "IPV4", + "port": 3306, + "preferredBackupWindow": "03:14-03:44", + "preferredMaintenanceWindow": "wed:04:17-wed:04:47", + "readerEndpoint": 
"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com",
+ "status": "available",
+ "storageEncrypted": false,
+ "vpcSecurityGroups": [
+ {
+ "status": "active",
+ "vpcSecurityGroupId": "sg-4e483165"
+ }
+ ]
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "cac7d66d-6c3d-41fc-a842-4dcb6308e20f",
+ "request_parameters": "{allowEngineModeChange=false, allowMajorVersionUpgrade=false, applyImmediately=true, backupRetentionPeriod=14, dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster, masterUserPassword=HIDDEN_DUE_TO_SECURITY_REASONS}",
+ "response_elements": "{crossAccountClone=false, allocatedStorage=1, availabilityZones=[us-east-1d, us-east-1b, us-east-1c], localWriteForwardingStatus=disabled, preferredBackupWindow=03:14-03:44, deletionProtection=false, endpoint=test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com, engineMode=provisioned, engine=aurora-mysql, readerEndpoint=test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com, iAMDatabaseAuthenticationEnabled=false, earliestRestorableTime=Oct 10, 2024 3:19:46 PM, networkType=IPV4, clusterCreateTime=Oct 10, 2024 3:18:55 PM, engineVersion=8.0.mysql_aurora.3.07.1, masterUsername=master, multiAZ=false, storageEncrypted=false, dBSubnetGroup=default, hostedZoneId=Z2R2ITUGPM61AM, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], port=3306, preferredMaintenanceWindow=wed:04:17-wed:04:47, backupRetentionPeriod=14, dBClusterParameterGroup=default.aurora-mysql8.0, dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster, dbClusterResourceId=cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, dBClusterArn=arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster, latestRestorableTime=Oct 10, 2024 3:19:46 PM, status=available}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ModifyDBCluster",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "f029eaf0-a7ff-41d3-86cc-d46742094e1b",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"f029eaf0-a7ff-41d3-86cc-d46742094e1b\",\"eventName\":\"ModifyDBCluster\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:22:35Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"cac7d66d-6c3d-41fc-a842-4dcb6308e20f\",\"requestParameters\":{\"allowEngineModeChange\":false,\"allowMajorVersionUpgrade\":false,\"applyImmediately\":true,\"backupRetentionPeriod\":14,\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\",\"masterUserPassword\":\"HIDDEN_DUE_TO_SECURITY_REASONS\"},\"responseElements\":{\"allocatedStorage\":1,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"availabilityZones\":[\"us-east-1d\",\"us-east-1b\",\"us-east-1c\"],\"backupRetentionPeriod\":14,\"clusterCreateTime\":\"Oct 10, 2024 3:18:55 PM\",\"copyTagsToSnapshot\":false,\"crossAccountClone\":false,\"dBClusterArn\":\"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster\",\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\",\"dBClusterMembers\":[],\"dBClusterParameterGroup\":\"default.aurora-mysql8.0\",\"dBSubnetGroup\":\"default\",\"dbClusterResourceId\":\"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4\",\"deletionProtection\":false,\"domainMemberships\":[],\"earliestRestorableTime\":\"Oct 10, 2024 3:19:46 PM\",\"endpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"engine\":\"aurora-mysql\",\"engineMode\":\"provisioned\",\"engineVersion\":\"8.0.mysql_aurora.3.07.1\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"latestRestorableTime\":\"Oct 10, 2024 3:19:46 PM\",\"localWriteForwardingStatus\":\"disabled\",\"masterUsername\":\"master\",\"multiAZ\":false,\"networkType\":\"IPV4\",\"port\":3306,\"preferredBackupWindow\":\"03:14-03:44\",\"preferredMaintenanceWindow\":\"wed:04:17-wed:04:47\",\"readReplicaIdentifiers\":[],\"readerEndpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"status\":\"available\",\"storageEncrypted\":false,\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "rds.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "sg-4e483165",
+ "test@elastic.co",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "rds.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log
new file mode 100644
index 0000000000..216fe0135d
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"1ad2c01b-6dc8-4b4f-80a4-823df5fe1145","eventName":"ModifyDBClusterSnapshotAttribute","eventSource":"rds.amazonaws.com","eventTime":"2024-10-09T14:09:46Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"61e5485d-33ba-452b-ae9f-2b04e6fb95eb","requestParameters":{"attributeName":"restore","dBClusterSnapshotIdentifier":"test-cloudtrail-event-instance-29973-cluster-snap","valuesToAdd":["123456789012"]},"responseElements":{"dBClusterSnapshotAttributes":[{"attributeName":"restore","attributeValues":["123456789012"]}],"dBClusterSnapshotIdentifier":"test-cloudtrail-event-instance-29973-cluster-snap"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster-snapshot-attribute","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log-expected.json
new file mode 100644
index 0000000000..3cb37a67f5
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log-expected.json
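Review bot: The hunk header `@@ -0,0 +1,2 @@` shows this fixture ends with an empty second line, and the paired expected file carries a second document holding only the fixed `@timestamp`/`event.created`, `event.kind`, `event.outcome` and the two tags, nothing taken from the log — presumably the pipeline test turns the blank line into an event of its own. The same trailing empty line is in the other new `.log` fixtures on this page (test-modify-db-instance-json.log, test-modify-db-snapshot-attributte-json.log, test-modify-image-attribute-json.log), and each of their expected files ends with the same content-free document. Unless that empty document is the case these fixtures are meant to pin, dropping the trailing empty line and regenerating the expected file would leave exactly one event per fixture and keep the expected output about what the pipeline does with real input.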
@@ -0,0 +1,151 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-09T14:09:46.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "attributeName": "restore",
+ "dBClusterSnapshotIdentifier": "test-cloudtrail-event-instance-29973-cluster-snap",
+ "valuesToAdd": [
+ "123456789012"
+ ]
+ },
+ "response_elements": {
+ "dBClusterSnapshotAttributes": [
+ {
+ "attributeName": "restore",
+ "attributeValues": [
+ "123456789012"
+ ]
+ }
+ ],
+ "dBClusterSnapshotIdentifier": "test-cloudtrail-event-instance-29973-cluster-snap"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "61e5485d-33ba-452b-ae9f-2b04e6fb95eb",
+ "request_parameters": "{valuesToAdd=[123456789012], dBClusterSnapshotIdentifier=test-cloudtrail-event-instance-29973-cluster-snap, attributeName=restore}",
+ "response_elements": "{dBClusterSnapshotAttributes=[{attributeValues=[123456789012], attributeName=restore}], dBClusterSnapshotIdentifier=test-cloudtrail-event-instance-29973-cluster-snap}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ModifyDBClusterSnapshotAttribute",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "1ad2c01b-6dc8-4b4f-80a4-823df5fe1145",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"1ad2c01b-6dc8-4b4f-80a4-823df5fe1145\",\"eventName\":\"ModifyDBClusterSnapshotAttribute\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-09T14:09:46Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"61e5485d-33ba-452b-ae9f-2b04e6fb95eb\",\"requestParameters\":{\"attributeName\":\"restore\",\"dBClusterSnapshotIdentifier\":\"test-cloudtrail-event-instance-29973-cluster-snap\",\"valuesToAdd\":[\"123456789012\"]},\"responseElements\":{\"dBClusterSnapshotAttributes\":[{\"attributeName\":\"restore\",\"attributeValues\":[\"123456789012\"]}],\"dBClusterSnapshotIdentifier\":\"test-cloudtrail-event-instance-29973-cluster-snap\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster-snapshot-attribute\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "rds.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "test-cloudtrail-event-instance-29973-cluster-snap",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "test-cloudtrail-event-instance-29973-cluster-snap"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "rds.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-cluster-snapshot-attribute",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log
new file mode 100644
index 0000000000..ee166ebbe4
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log
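Review bot: In this expected output the account from `valuesToAdd`, `123456789012` — the account granted `restore` on `test-cloudtrail-event-instance-29973-cluster-snap` — appears only inside the flattened request/response and `event.original`; `related.entity` holds the snapshot id, the access key and the caller ARN, and `target.entity.id` holds only the snapshot. For ModifyDBClusterSnapshotAttribute the receiving account is the value an analyst pivots on when reviewing snapshot sharing, so if the actor/target mapping is meant to cover it, the pipeline (outside this diff) would need to emit it and this file would be regenerated; if it is intentionally left out, a one-line comment in the pipeline or the data stream README saying so would save the next reader the same question. The fixture at test-modify-db-snapshot-attributte-json.log-expected.json has the same gap for the `valuesToRemove` account `444455556666`.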
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"47bea7f3-8517-48d3-be30-16de2421ff49","eventName":"ModifyDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:21:35Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"89216c46-16c8-4527-8d56-f5bf81ad881b","requestParameters":{"allowMajorVersionUpgrade":false,"applyImmediately":true,"dBInstanceIdentifier":"test-cloudtrail-event-instance-31611","publiclyAccessible":true},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"availabilityZone":"us-east-1c","backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1","validTill":"Oct 10, 2025 3:16:47 PM"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611","dBInstanceStatus":"available","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-2IQHUP3Y6264WPLOECCLFOMN6Y","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"endpoint":{"address":"test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com","hostedZoneId":"Z2R2ITUGPM61AM","port":3306},"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.32","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"instanceCreateTime":"Oct 10, 2024 3:17:35 PM","latestRestorableTime":"Oct 10, 2024 3:20:00 PM","licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:50-10:20","preferredMaintenanceWindow":"mon:05:28-mon:05:58","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-instance","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json
new file mode 100644
index 0000000000..292f8014df
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json
@@ -0,0 +1,262 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-10T15:21:35.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "allowMajorVersionUpgrade": false,
+ "applyImmediately": true,
+ "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611",
+ "publiclyAccessible": true
+ },
+ "response_elements": {
+ "allocatedStorage": 20,
+ "autoMinorVersionUpgrade": true,
+ "availabilityZone": "us-east-1c",
+ "backupRetentionPeriod": 1,
+ "backupTarget": "region",
+ "cACertificateIdentifier": "rds-ca-rsa2048-g1",
+ "certificateDetails": {
+ "cAIdentifier": "rds-ca-rsa2048-g1",
+ "validTill": "Oct 10, 2025 3:16:47 PM"
+ },
+ "copyTagsToSnapshot": false,
+ "customerOwnedIpEnabled": false,
+ "dBInstanceArn": "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611",
+ "dBInstanceClass": "db.t3.micro",
+ "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611",
+ "dBInstanceStatus": "available",
+ "dBParameterGroups": [
+ {
+ "dBParameterGroupName": "default.mysql8.0",
+ "parameterApplyStatus": "in-sync"
+ }
+ ],
+ "dBSubnetGroup": {
+ "dBSubnetGroupDescription": "default",
+ "dBSubnetGroupName": "default",
+ "subnetGroupStatus": "Complete",
+ "subnets": [
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1d"
+ },
+ "subnetIdentifier": "subnet-c4bf5e9b",
+ "subnetStatus": "Active"
+ },
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1a"
+ },
+ "subnetIdentifier": "subnet-0a0bee6c",
+ "subnetStatus": "Active"
+ },
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1e"
+ },
+ "subnetIdentifier": "subnet-37391109",
+ "subnetStatus": "Active"
+ },
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1b"
+ },
+ "subnetIdentifier": "subnet-fee506df",
+ "subnetStatus": "Active"
+ },
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1f"
+ },
+ "subnetIdentifier": "subnet-bf6ab5b1",
+ "subnetStatus": "Active"
+ },
+ {
+ "subnetAvailabilityZone": {
+ "name": "us-east-1c"
+ },
+ "subnetIdentifier": "subnet-8bdf6bc6",
+ "subnetStatus": "Active"
+ }
+ ],
+ "vpcId": "vpc-73d2e309"
+ },
+ "dbInstancePort": 0,
+ "dbiResourceId": "db-2IQHUP3Y6264WPLOECCLFOMN6Y",
+ "dedicatedLogVolume": false,
+ "deletionProtection": false,
+ "endpoint": {
+ "address": "test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com",
+ "hostedZoneId": "Z2R2ITUGPM61AM",
+ "port": 3306
+ },
+ "engine": "mysql",
+ "engineLifecycleSupport": "open-source-rds-extended-support",
+ "engineVersion": "8.0.32",
+ "httpEndpointEnabled": false,
+ "iAMDatabaseAuthenticationEnabled": false,
+ "instanceCreateTime": "Oct 10, 2024 3:17:35 PM",
+ "latestRestorableTime": "Oct 10, 2024 3:20:00 PM",
+ "licenseModel": "general-public-license",
+ "masterUsername": "admin",
+ "monitoringInterval": 0,
+ "multiAZ": false,
+ "networkType": "IPV4",
+ "optionGroupMemberships": [
+ {
+ "optionGroupName": "default:mysql-8-0",
+ "status": "in-sync"
+ }
+ ],
+ "performanceInsightsEnabled": false,
+ "preferredBackupWindow": "09:50-10:20",
+ "preferredMaintenanceWindow": "mon:05:28-mon:05:58",
+ "publiclyAccessible": true,
+ "storageEncrypted": false,
+ "storageThroughput": 0,
+ "storageType": "gp2",
+ "vpcSecurityGroups": [
+ {
+ "status": "active",
+ "vpcSecurityGroupId": "sg-4e483165"
+ }
+ ]
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "89216c46-16c8-4527-8d56-f5bf81ad881b",
+ "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-31611, allowMajorVersionUpgrade=false, applyImmediately=true, publiclyAccessible=true}",
+ "response_elements": "{allocatedStorage=20, backupTarget=region, cACertificateIdentifier=rds-ca-rsa2048-g1, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], availabilityZone=us-east-1c, dbiResourceId=db-2IQHUP3Y6264WPLOECCLFOMN6Y, preferredBackupWindow=09:50-10:20, deletionProtection=false, dBInstanceArn=arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611, dBInstanceIdentifier=test-cloudtrail-event-instance-31611, endpoint={hostedZoneId=Z2R2ITUGPM61AM, address=test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com, port=3306}, engine=mysql, publiclyAccessible=true, iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.32, performanceInsightsEnabled=false, masterUsername=admin, certificateDetails={validTill=Oct 10, 2025 3:16:47 PM, cAIdentifier=rds-ca-rsa2048-g1}, multiAZ=false, instanceCreateTime=Oct 10, 2024 3:17:35 PM, dBInstanceClass=db.t3.micro, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, monitoringInterval=0, preferredMaintenanceWindow=mon:05:28-mon:05:58, dBInstanceStatus=available, backupRetentionPeriod=1, engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=in-sync}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, latestRestorableTime=Oct 10, 2024 3:20:00 PM}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ModifyDBInstance",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "47bea7f3-8517-48d3-be30-16de2421ff49",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"47bea7f3-8517-48d3-be30-16de2421ff49\",\"eventName\":\"ModifyDBInstance\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:21:35Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"89216c46-16c8-4527-8d56-f5bf81ad881b\",\"requestParameters\":{\"allowMajorVersionUpgrade\":false,\"applyImmediately\":true,\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611\",\"publiclyAccessible\":true},\"responseElements\":{\"allocatedStorage\":20,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"availabilityZone\":\"us-east-1c\",\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"rds-ca-rsa2048-g1\",\"certificateDetails\":{\"cAIdentifier\":\"rds-ca-rsa2048-g1\",\"validTill\":\"Oct 10, 2025 3:16:47 PM\"},\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611\",\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611\",\"dBInstanceStatus\":\"available\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1e\"},\"subnetIdentifier\":\"subnet-37391109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-2IQHUP3Y6264WPLOECCLFOMN6Y\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"endpoint\":{\"address\":\"test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"port\":3306},\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.32\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"instanceCreateTime\":\"Oct 10, 2024 3:17:35 PM\",\"latestRestorableTime\":\"Oct 10, 2024 3:20:00 PM\",\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"in-sync\"}],\"pendingModifiedValues\":{},\"performanceInsightsEnabled\":false,\"preferredBackupWindow\":\"09:50-10:20\",\"preferredMaintenanceWindow\":\"mon:05:28-mon:05:58\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-instance\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "rds.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "sg-4e483165",
+ "subnet-c4bf5e9b",
+ "test@elastic.co",
+ "subnet-0a0bee6c",
+ "subnet-37391109",
+ "arn:aws:iam::000000000:user/test@elastic.co",
+ "subnet-bf6ab5b1",
+ "test-cloudtrail-event-instance-31611",
+ "subnet-8bdf6bc6",
+ "vpc-73d2e309",
+ "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611",
+ "ACCESSKEYID",
+ "subnet-fee506df"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "rds.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-instance",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log
new file mode 100644
index 0000000000..4118eb9cf9
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"10c9f9e2-cf43-4498-8096-0552cbb174d7","eventName":"ModifyDBSnapshotAttribute","eventSource":"rds.amazonaws.com","eventTime":"2024-10-09T14:18:02Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"ace052fe-433a-4bde-ac51-1c21e3128aac","requestParameters":{"attributeName":"restore","dBSnapshotIdentifier":"test-cloudtrail-event-instance-29973-snap","valuesToRemove":["444455556666"]},"responseElements":{"dBSnapshotAttributes":[{"attributeName":"restore","attributeValues":[]}],"dBSnapshotIdentifier":"test-cloudtrail-event-instance-29973-snap"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-snapshot-attribute","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log-expected.json
new file mode 100644
index 0000000000..afc640489e
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log-expected.json
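Review bot: The file name `test-modify-db-snapshot-attributte-json.log` misspells "attribute" (double `t`), and the `test-modify-db-snapshot-attributte-json.log-expected.json` header on this same line repeats it, while the sibling fixture on this page is spelled `test-modify-db-cluster-snapshot-attribute-json.log`. Rename both to `test-modify-db-snapshot-attribute-json.log` and `test-modify-db-snapshot-attribute-json.log-expected.json` before merge; the `.log`/`.log-expected.json` pair is matched by name, so both have to move together.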
@@ -0,0 +1,148 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-09T14:18:02.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ]
+ }
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_category": "Management",
+ "event_type": "AwsApiCall",
+ "event_version": "1.08",
+ "flattened": {
+ "request_parameters": {
+ "attributeName": "restore",
+ "dBSnapshotIdentifier": "test-cloudtrail-event-instance-29973-snap",
+ "valuesToRemove": [
+ "444455556666"
+ ]
+ },
+ "response_elements": {
+ "dBSnapshotAttributes": [
+ {
+ "attributeName": "restore"
+ }
+ ],
+ "dBSnapshotIdentifier": "test-cloudtrail-event-instance-29973-snap"
+ }
+ },
+ "read_only": false,
+ "recipient_account_id": "000000000",
+ "request_id": "ace052fe-433a-4bde-ac51-1c21e3128aac",
+ "request_parameters": "{valuesToRemove=[444455556666], attributeName=restore, dBSnapshotIdentifier=test-cloudtrail-event-instance-29973-snap}",
+ "response_elements": "{dBSnapshotIdentifier=test-cloudtrail-event-instance-29973-snap, dBSnapshotAttributes=[{attributeName=restore}]}",
+ "user_identity": {
+ "access_key_id": "ACCESSKEYID",
+ "arn": "arn:aws:iam::000000000:user/test@elastic.co",
+ "type": "IAMUser"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "000000000"
+ },
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ModifyDBSnapshotAttribute",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "id": "10c9f9e2-cf43-4498-8096-0552cbb174d7",
+ "kind": "event",
+ "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"10c9f9e2-cf43-4498-8096-0552cbb174d7\",\"eventName\":\"ModifyDBSnapshotAttribute\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-09T14:18:02Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"ace052fe-433a-4bde-ac51-1c21e3128aac\",\"requestParameters\":{\"attributeName\":\"restore\",\"dBSnapshotIdentifier\":\"test-cloudtrail-event-instance-29973-snap\",\"valuesToRemove\":[\"444455556666\"]},\"responseElements\":{\"dBSnapshotAttributes\":[{\"attributeName\":\"restore\",\"attributeValues\":[]}],\"dBSnapshotIdentifier\":\"test-cloudtrail-event-instance-29973-snap\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-snapshot-attribute\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}",
+ "outcome": "success",
+ "provider": "rds.amazonaws.com",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "entity": [
+ "test@elastic.co",
+ "test-cloudtrail-event-instance-29973-snap",
+ "ACCESSKEYID",
+ "arn:aws:iam::000000000:user/test@elastic.co"
+ ],
+ "user": [
+ "test@elastic.co"
+ ]
+ },
+ "source": {
+ "address": "216.160.83.56",
+ "as": {
+ "number": 209
+ },
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.56"
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ],
+ "target": {
+ "entity": {
+ "id": [
+ "test-cloudtrail-event-instance-29973-snap"
+ ]
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "server_name": "rds.us-east-1.amazonaws.com"
+ },
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "user": {
+ "id": "PRINCIPALID",
+ "name": "test@elastic.co"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-cli",
+ "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9ae38b06-260e-4e0c-85d4-e09bcab64318 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.modify-db-snapshot-attribute",
+ "version": "2.17.60"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log
new file mode 100644
index 0000000000..24fa4dff6f
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b837800c-c462-4907-86f7-73b02fd4958f","eventName":"ModifyImageAttribute","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-10T14:50:40Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"d58e757d-cc5f-41ae-b9e5-866f663fdd01","requestParameters":{"attributeType":"launchPermission","imageId":"ami-0beb42caf02660314","launchPermission":{"remove":{"items":[{"group":"all"}]}}},"responseElements":{"_return":true,"requestId":"d58e757d-cc5f-41ae-b9e5-866f663fdd01"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_fa97c4ad-10ff-425c-9bc3-5ca17ae2f740 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-image-attribute","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log-expected.json
new file mode 100644
index 0000000000..0463e46c17
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log-expected.json
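Review bot: The fixture ends with an empty second line (the lone `+` after the event, matching the `+1,2` hunk count), and the corresponding expected file carries a near-empty second document (only `@timestamp`, `ecs`, `event.created`/`kind`/`outcome`/`type` and `tags`) that asserts nothing about the pipeline; dropping the trailing blank line would remove that document from the expected file. The modify-snapshot-attribute, open-control-channel, publish and put-bucket-logging fixtures in this change end the same way. The anonymised account ids are also inconsistent across the fixtures — nine digits here (`"recipientAccountId":"000000000"`), twelve in open-control-channel and eleven in publish — so any ARN or account-id handling in the pipeline is exercised with shapes a real 12-digit AWS account id never takes; a consistent 12-digit placeholder would keep the fixtures realistic.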
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T14:50:40.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "attributeType": "launchPermission", + "imageId": "ami-0beb42caf02660314", + "launchPermission": { + "remove": { + "items": [ + { + "group": "all" + } + ] + } + } + }, + "response_elements": { + "_return": true, + "requestId": "d58e757d-cc5f-41ae-b9e5-866f663fdd01" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "d58e757d-cc5f-41ae-b9e5-866f663fdd01", + "request_parameters": "{imageId=ami-0beb42caf02660314, attributeType=launchPermission, launchPermission={remove={items=[{group=all}]}}}", + "response_elements": "{_return=true, requestId=d58e757d-cc5f-41ae-b9e5-866f663fdd01}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ModifyImageAttribute", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "b837800c-c462-4907-86f7-73b02fd4958f", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b837800c-c462-4907-86f7-73b02fd4958f\",\"eventName\":\"ModifyImageAttribute\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-10T14:50:40Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"d58e757d-cc5f-41ae-b9e5-866f663fdd01\",\"requestParameters\":{\"attributeType\":\"launchPermission\",\"imageId\":\"ami-0beb42caf02660314\",\"launchPermission\":{\"remove\":{\"items\":[{\"group\":\"all\"}]}}},\"responseElements\":{\"_return\":true,\"requestId\":\"d58e757d-cc5f-41ae-b9e5-866f663fdd01\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_fa97c4ad-10ff-425c-9bc3-5ca17ae2f740 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-image-attribute\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "ami-0beb42caf02660314", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + 
"preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "ami-0beb42caf02660314" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_fa97c4ad-10ff-425c-9bc3-5ca17ae2f740 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-image-attribute", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log new file mode 100644 index 0000000000..4cfa782768 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log 
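Review bot: The expected document for this `readOnly: false` ModifyImageAttribute call (removing the `all` group from `launchPermission`) carries `event.type: ["info"]` and no `event.category`, so detection content keyed on ECS categorisation (`event.category: configuration`, `event.type: change`) cannot tell it apart from a read-only describe call. If that is the pipeline's current default for uncategorised management events rather than a deliberate choice, this fixture locks it in; `"type": ["change"]` with `"category": ["configuration"]` would be the expected shape for an attribute modification. The modify-snapshot-attribute expected file (ModifySnapshotAttribute, likewise removing the `all` group) has the same shape.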
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5e68a70c-9e8b-49c3-a6c5-63ab2bc2685a","eventName":"ModifySnapshotAttribute","eventSource":"ec2.amazonaws.com","eventTime":"2024-10-15T08:33:45Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1","requestParameters":{"attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"remove":{"items":[{"group":"all"}]}},"snapshotId":"snap-0a392d80692e2526a"},"responseElements":{"_return":true,"requestId":"9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-snapshot-attribute","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log-expected.json
new file mode 100644
index 0000000000..fee16497fc
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log-expected.json
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:33:45.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "attributeType": "CREATE_VOLUME_PERMISSION", + "createVolumePermission": { + "remove": { + "items": [ + { + "group": "all" + } + ] + } + }, + "snapshotId": "snap-0a392d80692e2526a" + }, + "response_elements": { + "_return": true, + "requestId": "9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1", + "request_parameters": "{snapshotId=snap-0a392d80692e2526a, attributeType=CREATE_VOLUME_PERMISSION, createVolumePermission={remove={items=[{group=all}]}}}", + "response_elements": "{_return=true, requestId=9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ModifySnapshotAttribute", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "5e68a70c-9e8b-49c3-a6c5-63ab2bc2685a", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"5e68a70c-9e8b-49c3-a6c5-63ab2bc2685a\",\"eventName\":\"ModifySnapshotAttribute\",\"eventSource\":\"ec2.amazonaws.com\",\"eventTime\":\"2024-10-15T08:33:45Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1\",\"requestParameters\":{\"attributeType\":\"CREATE_VOLUME_PERMISSION\",\"createVolumePermission\":{\"remove\":{\"items\":[{\"group\":\"all\"}]}},\"snapshotId\":\"snap-0a392d80692e2526a\"},\"responseElements\":{\"_return\":true,\"requestId\":\"9d0ea279-9a66-4d4c-b6e2-91c9fb291ee1\"},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-snapshot-attribute\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "snap-0a392d80692e2526a", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": 
"216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "snap-0a392d80692e2526a" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2.modify-snapshot-attribute", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log new file mode 100644 index 0000000000..b1c0bdbd6c --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log 
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-021987ab2dbf04585","arn":"arn:aws:sts::000000000000:assumed-role/ec2-instance-role/i-021987ab2dbf04585","accountId":"000000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::000000000000:role/ec2-instance-role","accountId":"000000000000","userName":"ec2-instance-role"},"attributes":{"creationDate":"2024-10-30T14:08:29Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-30T14:14:10Z","eventSource":"ssm.amazonaws.com","eventName":"OpenControlChannel","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"Go-http-client/1.1","requestParameters":{"targetId":"i-021987ab2dbf04585","messageSchemaVersion":"1.0","requestId":"872f9a13-e2ca-4c12-b94b-4c5c15850aae","tokenValue":"Value hidden due to security reasons.","agentVersion":"3.3.1142.0","platformType":"linux","requireAcknowledgement":false},"responseElements":null,"requestID":"86e4784b-1322-4aa3-a554-c33175249938","eventID":"1d4a7eb7-10cf-49f3-bf2f-05303f3524e7","readOnly":false,"resources":[{"accountId":"000000000000","type":"AWS::SSMMessages::ControlChannel","ARN":"arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585"}],"eventType":"AwsApiCall","recipientAccountId":"000000000000","eventCategory":"Data","tlsDetails":{"clientProvidedHostHeader":"ssmmessages.us-east-1.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
new file mode 100644
index 0000000000..3bc4b827fd
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json
@@ -0,0 +1,156 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T14:14:10.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::000000000000:assumed-role/ec2-instance-role/i-021987ab2dbf04585" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Data", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "agentVersion": "3.3.1142.0", + "messageSchemaVersion": "1.0", + "platformType": "linux", + "requestId": "872f9a13-e2ca-4c12-b94b-4c5c15850aae", + "requireAcknowledgement": false, + "targetId": "i-021987ab2dbf04585", + "tokenValue": "Value hidden due to security reasons." + } + }, + "read_only": false, + "recipient_account_id": "000000000000", + "request_id": "86e4784b-1322-4aa3-a554-c33175249938", + "request_parameters": "{requireAcknowledgement=false, targetId=i-021987ab2dbf04585, requestId=872f9a13-e2ca-4c12-b94b-4c5c15850aae, messageSchemaVersion=1.0, platformType=linux, agentVersion=3.3.1142.0, tokenValue=Value hidden due to security reasons.}", + "resources": [ + { + "account_id": "000000000000", + "arn": "arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585", + "type": "AWS::SSMMessages::ControlChannel" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::000000000000:assumed-role/ec2-instance-role/i-021987ab2dbf04585", + "session_context": { + "creation_date": "2024-10-30T14:08:29.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "000000000000", + "arn": "arn:aws:iam::000000000000:role/ec2-instance-role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "000000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "OpenControlChannel", + "category": [ + "session" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "1d4a7eb7-10cf-49f3-bf2f-05303f3524e7", + "kind": 
"event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-021987ab2dbf04585\",\"arn\":\"arn:aws:sts::000000000000:assumed-role/ec2-instance-role/i-021987ab2dbf04585\",\"accountId\":\"000000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000000:role/ec2-instance-role\",\"accountId\":\"000000000000\",\"userName\":\"ec2-instance-role\"},\"attributes\":{\"creationDate\":\"2024-10-30T14:08:29Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-30T14:14:10Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"OpenControlChannel\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Go-http-client/1.1\",\"requestParameters\":{\"targetId\":\"i-021987ab2dbf04585\",\"messageSchemaVersion\":\"1.0\",\"requestId\":\"872f9a13-e2ca-4c12-b94b-4c5c15850aae\",\"tokenValue\":\"Value hidden due to security reasons.\",\"agentVersion\":\"3.3.1142.0\",\"platformType\":\"linux\",\"requireAcknowledgement\":false},\"responseElements\":null,\"requestID\":\"86e4784b-1322-4aa3-a554-c33175249938\",\"eventID\":\"1d4a7eb7-10cf-49f3-bf2f-05303f3524e7\",\"readOnly\":false,\"resources\":[{\"accountId\":\"000000000000\",\"type\":\"AWS::SSMMessages::ControlChannel\",\"ARN\":\"arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"000000000000\",\"eventCategory\":\"Data\",\"tlsDetails\":{\"clientProvidedHostHeader\":\"ssmmessages.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "start" + ] + }, + "related": { + "entity": [ + "ec2-instance-role", + "ACCESSKEY", + "arn:aws:iam::000000000000:role/ec2-instance-role", + "arn:aws:sts::000000000000:assumed-role/ec2-instance-role/i-021987ab2dbf04585", + 
"arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:ssmmessages:us-east-1:000000000000:control-channel/i-021987ab2dbf04585" + ] + } + }, + "tls": { + "client": { + "server_name": "ssmmessages.us-east-1.amazonaws.com" + } + }, + "user": { + "id": "PRINCIPALID:i-021987ab2dbf04585", + "name": "ec2-instance-role" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Go-http-client", + "original": "Go-http-client/1.1", + "version": "1.1" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log new file mode 100644 index 0000000000..3fdf3b7542 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log 
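Review bot: `related.user` is absent from this document although `user.name` is `ec2-instance-role` and `user.id` is `PRINCIPALID:i-021987ab2dbf04585`, whereas the IAMUser fixtures in this change carry `related.user: ["test@elastic.co"]`; correlating by user across assumed-role and IAM-user events therefore only works for the latter. This looks like `related.user` being filled from the top-level `userName` only, which an AssumedRole identity does not have (its name sits under `sessionContext.sessionIssuer.userName`); if so, the expectation should gain `"user": ["ec2-instance-role"]` under `related` once the pipeline is adjusted, which is outside this hunk. The publish expected file (assumed role `private-ec2-instance-role`) shows the same gap.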
@@ -0,0 +1,2 @@
+{"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPALID:i-0ddf9acf8eeb33959","arn":"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-0ddf9acf8eeb33959","accountId":"00000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:role/private-ec2-instance-role","accountId":"00000000000","userName":"private-ec2-instance-role"},"attributes":{"creationDate":"2024-10-30T20:15:05Z","mfaAuthenticated":"false"},"ec2RoleDelivery":"2.0"}},"eventTime":"2024-10-30T20:41:38Z","eventSource":"sns.amazonaws.com","eventName":"Publish","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.publish","requestParameters":{"topicArn":"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration","message":"HIDDEN_DUE_TO_SECURITY_REASONS"},"responseElements":{"messageId":"1c6ef438-7b64-55a9-bbcd-aba4e7260fe1"},"requestID":"459469ac-b1ae-5731-9dec-36302dec5d79","eventID":"4dfbb87b-9d53-4cbc-a013-b1544cea8c02","readOnly":false,"resources":[{"accountId":"00000000000","type":"AWS::SNS::Topic","ARN":"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration"}],"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Data","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"sns.us-east-1.amazonaws.com"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json
new file mode 100644
index 0000000000..d0bd296e3c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json 
@@ -0,0 +1,159 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:41:38.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-0ddf9acf8eeb33959" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Data", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "message": "HIDDEN_DUE_TO_SECURITY_REASONS", + "topicArn": "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + }, + "response_elements": { + "messageId": "1c6ef438-7b64-55a9-bbcd-aba4e7260fe1" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "459469ac-b1ae-5731-9dec-36302dec5d79", + "request_parameters": "{message=HIDDEN_DUE_TO_SECURITY_REASONS, topicArn=arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration}", + "resources": [ + { + "account_id": "00000000000", + "arn": "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration", + "type": "AWS::SNS::Topic" + } + ], + "response_elements": "{messageId=1c6ef438-7b64-55a9-bbcd-aba4e7260fe1}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-0ddf9acf8eeb33959", + "session_context": { + "creation_date": "2024-10-30T20:15:05.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "00000000000", + "arn": "arn:aws:iam::00000000000:role/private-ec2-instance-role", + "principal_id": "PRINCIPALID", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Publish", + "category": [ + "api" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "4dfbb87b-9d53-4cbc-a013-b1544cea8c02", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPALID:i-0ddf9acf8eeb33959\",\"arn\":\"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-0ddf9acf8eeb33959\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:role/private-ec2-instance-role\",\"accountId\":\"00000000000\",\"userName\":\"private-ec2-instance-role\"},\"attributes\":{\"creationDate\":\"2024-10-30T20:15:05Z\",\"mfaAuthenticated\":\"false\"},\"ec2RoleDelivery\":\"2.0\"}},\"eventTime\":\"2024-10-30T20:41:38Z\",\"eventSource\":\"sns.amazonaws.com\",\"eventName\":\"Publish\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.publish\",\"requestParameters\":{\"topicArn\":\"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration\",\"message\":\"HIDDEN_DUE_TO_SECURITY_REASONS\"},\"responseElements\":{\"messageId\":\"1c6ef438-7b64-55a9-bbcd-aba4e7260fe1\"},\"requestID\":\"459469ac-b1ae-5731-9dec-36302dec5d79\",\"eventID\":\"4dfbb87b-9d53-4cbc-a013-b1544cea8c02\",\"readOnly\":false,\"resources\":[{\"accountId\":\"00000000000\",\"type\":\"AWS::SNS::Topic\",\"ARN\":\"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Data\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"sns.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "sns.amazonaws.com", + "type": [] + }, + "related": { + "entity": [ + "private-ec2-instance-role", + "arn:aws:iam::00000000000:role/private-ec2-instance-role", + "ACCESSKEY", + 
"arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-0ddf9acf8eeb33959", + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "sns.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID:i-0ddf9acf8eeb33959", + "name": "private-ec2-instance-role" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.publish", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log new file mode 100644 index 0000000000..01629547d7 --- /dev/null 
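Review bot: `event.type` is the empty array `[]` for the Publish event while `event.category` is `["api"]`; every other expected document in this change carries at least `["info"]`, so the empty type looks like the categorisation step matching a category for `Publish` but no type, and this fixture locks that in. Any query or rule filtering on `event.type` will drop these events. Either the expectation should be `"type": ["info"]` to match the other fixtures, or the pipeline's category/type mapping for `Publish` needs a type, which is outside this hunk.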
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log
@@ -0,0 +1,2 @@
+{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"TLS_AES_128_GCM_SHA256","SignatureVersion":"SigV4","bytesTransferredIn":222,"bytesTransferredOut":0,"x-amz-id-2":"epQw55UxlUTgqC7NY6wU6WXHE+bKqlXiom9OQ17qRB5vK7yhNwQGuhOMoSpXLMgo8oEBHDUE+x4="},"awsRegion":"us-east-1","eventCategory":"Management","eventID":"ac1144b3-7859-4ecf-bb15-45262f3cdf65","eventName":"PutBucketLogging","eventSource":"s3.amazonaws.com","eventTime":"2024-10-08T14:21:51Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"AHT6XYSQXRQRQHEW","requestParameters":{"BucketLoggingStatus":{"LoggingEnabled":{"TargetBucket":"elastic-cspm-cloudtrail-test-bucket","TargetPrefix":"Logs/"},"xmlns":"http://s3.amazonaws.com/doc/2006-03-01/"},"Host":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","bucketName":"elastic-cspm-cloudtrail-test-bucket","logging":""},"resources":[{"ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket","accountId":"000000000","type":"AWS::S3::Bucket"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9edb24dd-58f9-44cc-b7c2-6ee66de2acce cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-logging]","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
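Review bot: The `userAgent` in this fixture is wrapped in square brackets (`"[aws-cli/2.17.60 … md/command#s3api.put-bucket-logging]"`), unlike the bare `aws-cli/…` strings in the other fixtures, and the expected output for it is cut off in this view; confirm that the document still yields `user_agent.name: aws-cli` and `user_agent.version: 2.17.60` rather than the parser stalling on the leading `[`. If it does not, this record is a good regression case for trimming the brackets before the user-agent step. The `requestParameters.logging: ""` field present here is also missing from the `flattened.request_parameters` object in the expected hunk that follows, which is presumably the pipeline dropping empty values — worth a one-line mention in the fixture's accompanying description if that is intended.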
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json
new file mode 100644
index 0000000000..134f2ca054
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json
@@ -0,0 +1,160 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-08T14:21:51.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=222, AuthenticationMethod=AuthHeader, x-amz-id-2=epQw55UxlUTgqC7NY6wU6WXHE+bKqlXiom9OQ17qRB5vK7yhNwQGuhOMoSpXLMgo8oEBHDUE+x4=, bytesTransferredOut=0}", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 222, + "bytesTransferredOut": 0, + "x-amz-id-2": "epQw55UxlUTgqC7NY6wU6WXHE+bKqlXiom9OQ17qRB5vK7yhNwQGuhOMoSpXLMgo8oEBHDUE+x4=" + }, + "request_parameters": { + "BucketLoggingStatus": { + "LoggingEnabled": { + "TargetBucket": "elastic-cspm-cloudtrail-test-bucket", + "TargetPrefix": "Logs/" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "Host": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com", + "bucketName": "elastic-cspm-cloudtrail-test-bucket" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "AHT6XYSQXRQRQHEW", + "request_parameters": "{BucketLoggingStatus={xmlns=http://s3.amazonaws.com/doc/2006-03-01/, LoggingEnabled={TargetPrefix=Logs/, TargetBucket=elastic-cspm-cloudtrail-test-bucket}}, bucketName=elastic-cspm-cloudtrail-test-bucket, Host=elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com}", + "resources": [ + { + "account_id": "000000000", + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "type": "AWS::S3::Bucket" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": 
"us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "PutBucketLogging", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "ac1144b3-7859-4ecf-bb15-45262f3cdf65", + "kind": "event", + "original": "{\"additionalEventData\":{\"AuthenticationMethod\":\"AuthHeader\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"SignatureVersion\":\"SigV4\",\"bytesTransferredIn\":222,\"bytesTransferredOut\":0,\"x-amz-id-2\":\"epQw55UxlUTgqC7NY6wU6WXHE+bKqlXiom9OQ17qRB5vK7yhNwQGuhOMoSpXLMgo8oEBHDUE+x4=\"},\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"ac1144b3-7859-4ecf-bb15-45262f3cdf65\",\"eventName\":\"PutBucketLogging\",\"eventSource\":\"s3.amazonaws.com\",\"eventTime\":\"2024-10-08T14:21:51Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"AHT6XYSQXRQRQHEW\",\"requestParameters\":{\"BucketLoggingStatus\":{\"LoggingEnabled\":{\"TargetBucket\":\"elastic-cspm-cloudtrail-test-bucket\",\"TargetPrefix\":\"Logs/\"},\"xmlns\":\"http://s3.amazonaws.com/doc/2006-03-01/\"},\"Host\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"bucketName\":\"elastic-cspm-cloudtrail-test-bucket\",\"logging\":\"\"},\"resources\":[{\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket\",\"accountId\":\"000000000\",\"type\":\"AWS::S3::Bucket\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9edb24dd-58f9-44cc-b7c2-6ee66de2acce cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#s3api.put-bucket-logging]\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "elastic-cspm-cloudtrail-test-bucket" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_9edb24dd-58f9-44cc-b7c2-6ee66de2acce cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-logging]", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + 
"type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log new file mode 100644 index 0000000000..31fecfabb6 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log 
@@ -0,0 +1,2 @@
+{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"TLS_AES_128_GCM_SHA256","SignatureVersion":"SigV4","bytesTransferredIn":432,"bytesTransferredOut":0,"x-amz-id-2":"t1ezq3QX/xD76i3a2lwJ2OW4SEldbPcATlix13BdMVohQ/nZfl3xnwAUPbpMEyTkGUD1tZCQZaU="},"awsRegion":"us-east-1","eventCategory":"Management","eventID":"ba921aa0-599b-4136-9fcd-c9c0335c9122","eventName":"PutBucketReplication","eventSource":"s3.amazonaws.com","eventTime":"2024-10-15T08:46:52Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"AJS2J1CPE23EP9Z7","requestParameters":{"Host":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","ReplicationConfiguration":{"Role":"arn:aws:iam::000000000:role/s3-replication-role","Rule":{"DeleteMarkerReplication":{"Status":"Disabled"},"Destination":{"Bucket":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2"},"Filter":{"Prefix":""},"Priority":1,"Status":"Enabled"},"xmlns":"http://s3.amazonaws.com/doc/2006-03-01/"},"bucketName":"elastic-cspm-cloudtrail-test-bucket","replication":""},"resources":[{"ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket","accountId":"000000000","type":"AWS::S3::Bucket"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-replication]","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
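Review bot: This fixture only exercises a same-account replication rule, with `Destination` holding just the `Bucket` ARN; the case detection rules care about is replication into a bucket owned by another account, where, as far as I recall, the recorded configuration also carries `Destination.Account` (and usually an `AccessControlTranslation` block). Without such a line the expected output cannot show whether a foreign account ID ends up anywhere searchable — `related.entity`, `cloud.account`, or only the flattened parameters. A second event line with `"Destination":{"Account":"111111111111","Bucket":"arn:aws:s3:::external-bucket"}` and its expected document would pin that behaviour.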
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log-expected.json
new file mode 100644
index 0000000000..7ec2519a89
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log-expected.json
@@ -0,0 +1,169 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:46:52.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=432, AuthenticationMethod=AuthHeader, x-amz-id-2=t1ezq3QX/xD76i3a2lwJ2OW4SEldbPcATlix13BdMVohQ/nZfl3xnwAUPbpMEyTkGUD1tZCQZaU=, bytesTransferredOut=0}", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 432, + "bytesTransferredOut": 0, + "x-amz-id-2": "t1ezq3QX/xD76i3a2lwJ2OW4SEldbPcATlix13BdMVohQ/nZfl3xnwAUPbpMEyTkGUD1tZCQZaU=" + }, + "request_parameters": { + "Host": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com", + "ReplicationConfiguration": { + "Role": "arn:aws:iam::000000000:role/s3-replication-role", + "Rule": { + "DeleteMarkerReplication": { + "Status": "Disabled" + }, + "Destination": { + "Bucket": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2" + }, + "Priority": 1, + "Status": "Enabled" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "elastic-cspm-cloudtrail-test-bucket" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "AJS2J1CPE23EP9Z7", + "request_parameters": "{bucketName=elastic-cspm-cloudtrail-test-bucket, Host=elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com, ReplicationConfiguration={Role=arn:aws:iam::000000000:role/s3-replication-role, xmlns=http://s3.amazonaws.com/doc/2006-03-01/, Rule={Status=Enabled, Destination={Bucket=arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2}, Priority=1, DeleteMarkerReplication={Status=Disabled}}}}", + "resources": [ + { + "account_id": "000000000", + 
"arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "type": "AWS::S3::Bucket" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "PutBucketReplication", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "ba921aa0-599b-4136-9fcd-c9c0335c9122", + "kind": "event", + "original": "{\"additionalEventData\":{\"AuthenticationMethod\":\"AuthHeader\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"SignatureVersion\":\"SigV4\",\"bytesTransferredIn\":432,\"bytesTransferredOut\":0,\"x-amz-id-2\":\"t1ezq3QX/xD76i3a2lwJ2OW4SEldbPcATlix13BdMVohQ/nZfl3xnwAUPbpMEyTkGUD1tZCQZaU=\"},\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"ba921aa0-599b-4136-9fcd-c9c0335c9122\",\"eventName\":\"PutBucketReplication\",\"eventSource\":\"s3.amazonaws.com\",\"eventTime\":\"2024-10-15T08:46:52Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"AJS2J1CPE23EP9Z7\",\"requestParameters\":{\"Host\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"ReplicationConfiguration\":{\"Role\":\"arn:aws:iam::000000000:role/s3-replication-role\",\"Rule\":{\"DeleteMarkerReplication\":{\"Status\":\"Disabled\"},\"Destination\":{\"Bucket\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2\"},\"Filter\":{\"Prefix\":\"\"},\"Priority\":1,\"Status\":\"Enabled\"},\"xmlns\":\"http://s3.amazonaws.com/doc/2006-03-01/\"},\"bucketName\":\"elastic-cspm-cloudtrail-test-bucket\",\"replication\":\"\"},\"resources\":[{\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket\",\"accountId\":\"000000000\",\"type\":\"AWS::S3::Bucket\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_G
CM_SHA256\",\"clientProvidedHostHeader\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-replication]\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "test@elastic.co", + "elastic-cspm-cloudtrail-test-bucket", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": 
"aws-cli", + "original": "[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-replication]", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log new file mode 100644 index 0000000000..d1484b4d4e --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log 
@@ -0,0 +1,2 @@
+{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"TLS_AES_128_GCM_SHA256","SignatureVersion":"SigV4","bytesTransferredIn":123,"bytesTransferredOut":0,"x-amz-id-2":"zXLN03wj65sxnk/OnvhA18FYsOImSG1R8H3tRqiDLimljoIdjAH9c3RpCYsXEXe9szHWbuBpNME="},"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b03b0a3d-44bf-4e9e-bf1d-393c95e52d83","eventName":"PutBucketVersioning","eventSource":"s3.amazonaws.com","eventTime":"2024-10-14T14:25:17Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"MSN1PWYVY2GT59PH","requestParameters":{"Host":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","VersioningConfiguration":{"Status":"Enabled","xmlns":"http://s3.amazonaws.com/doc/2006-03-01/"},"bucketName":"elastic-cspm-cloudtrail-test-bucket","versioning":""},"resources":[{"ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket","accountId":"000000000","type":"AWS::S3::Bucket"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-versioning]","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log-expected.json
new file mode 100644
index 0000000000..35468f19a7
--- /dev/null
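Review bot: The fixture covers only `VersioningConfiguration.Status: Enabled`, which is the benign direction; the variant worth a test is `Suspended`, since suspending versioning is the usual first step before destructive deletes or ransomware-style overwrites on a bucket. In the expected output the status survives only as `flattened.request_parameters.VersioningConfiguration.Status`, so any rule for the suspend case depends on that flattened field being kept — worth pinning with a second event line carrying `"VersioningConfiguration":{"Status":"Suspended","xmlns":"http://s3.amazonaws.com/doc/2006-03-01/"}` and its expected document.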
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log-expected.json 
@@ -0,0 +1,157 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T14:25:17.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=123, AuthenticationMethod=AuthHeader, x-amz-id-2=zXLN03wj65sxnk/OnvhA18FYsOImSG1R8H3tRqiDLimljoIdjAH9c3RpCYsXEXe9szHWbuBpNME=, bytesTransferredOut=0}", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 123, + "bytesTransferredOut": 0, + "x-amz-id-2": "zXLN03wj65sxnk/OnvhA18FYsOImSG1R8H3tRqiDLimljoIdjAH9c3RpCYsXEXe9szHWbuBpNME=" + }, + "request_parameters": { + "Host": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com", + "VersioningConfiguration": { + "Status": "Enabled", + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "elastic-cspm-cloudtrail-test-bucket" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "MSN1PWYVY2GT59PH", + "request_parameters": "{bucketName=elastic-cspm-cloudtrail-test-bucket, Host=elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com, VersioningConfiguration={Status=Enabled, xmlns=http://s3.amazonaws.com/doc/2006-03-01/}}", + "resources": [ + { + "account_id": "000000000", + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "type": "AWS::S3::Bucket" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "PutBucketVersioning", + "created": "2021-11-11T01:02:03.123456789Z", + 
"id": "b03b0a3d-44bf-4e9e-bf1d-393c95e52d83", + "kind": "event", + "original": "{\"additionalEventData\":{\"AuthenticationMethod\":\"AuthHeader\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"SignatureVersion\":\"SigV4\",\"bytesTransferredIn\":123,\"bytesTransferredOut\":0,\"x-amz-id-2\":\"zXLN03wj65sxnk/OnvhA18FYsOImSG1R8H3tRqiDLimljoIdjAH9c3RpCYsXEXe9szHWbuBpNME=\"},\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b03b0a3d-44bf-4e9e-bf1d-393c95e52d83\",\"eventName\":\"PutBucketVersioning\",\"eventSource\":\"s3.amazonaws.com\",\"eventTime\":\"2024-10-14T14:25:17Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"MSN1PWYVY2GT59PH\",\"requestParameters\":{\"Host\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"VersioningConfiguration\":{\"Status\":\"Enabled\",\"xmlns\":\"http://s3.amazonaws.com/doc/2006-03-01/\"},\"bucketName\":\"elastic-cspm-cloudtrail-test-bucket\",\"versioning\":\"\"},\"resources\":[{\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket\",\"accountId\":\"000000000\",\"type\":\"AWS::S3::Bucket\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-versioning]\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "info" + ] + }, + 
"related": { + "entity": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "elastic-cspm-cloudtrail-test-bucket" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.put-bucket-versioning]", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log new file mode 100644 index 0000000000..16d931926e --- /dev/null 
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log
@@ -0,0 +1,2 @@
+{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"TLS_AES_128_GCM_SHA256","SignatureVersion":"SigV4","bytesTransferredIn":0,"bytesTransferredOut":0,"x-amz-id-2":"HTb5ENhNh4c3y4pyC9yiVAYEdnllRj1vNGSoBWz3YlXkK0DQ4bpt8BjuihpNQhDNBAqsCFxH+yE"},"awsRegion":"us-east-1","eventCategory":"Management","eventID":"6829a09f-4a37-4ec7-86d2-e739f77a57f3","eventName":"PutObject","eventSource":"s3.amazonaws.com","eventTime":"2024-10-15T08:57:13Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"7FQJXG8C228Y7NNK","requestParameters":{"Host":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","bucketName":"elastic-cspm-cloudtrail-test-bucket"},"resources":[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json"},{"accountId":"000000000","type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket"}],"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.delete-bucket]","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json
new file mode 100644
index 0000000000..a3726b173e
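Review bot: The fixture's `userAgent` ends in `md/command#s3api.delete-bucket` while `eventName` is `PutObject`, and it has `eventCategory: Management`, `bytesTransferredIn: 0` and no `key` in `requestParameters`; a genuine PutObject record is, as far as I know, a data event (`eventCategory: Data`) that carries the object key, so this looks hand-assembled from a DeleteBucket record. The expected output therefore pins `event.category: file` / `event.type: change` against an input shape the pipeline is unlikely to receive in production. I would replace it with a captured PutObject data event, or at minimum fix the user agent and add `"key":"test.json"` to `requestParameters`, so the test reflects real input.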
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json
@@ -0,0 +1,162 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:57:13.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "additional_eventdata": "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=0, AuthenticationMethod=AuthHeader, x-amz-id-2=HTb5ENhNh4c3y4pyC9yiVAYEdnllRj1vNGSoBWz3YlXkK0DQ4bpt8BjuihpNQhDNBAqsCFxH+yE, bytesTransferredOut=0}", + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "additional_eventdata": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 0, + "bytesTransferredOut": 0, + "x-amz-id-2": "HTb5ENhNh4c3y4pyC9yiVAYEdnllRj1vNGSoBWz3YlXkK0DQ4bpt8BjuihpNQhDNBAqsCFxH+yE" + }, + "request_parameters": { + "Host": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com", + "bucketName": "elastic-cspm-cloudtrail-test-bucket" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "7FQJXG8C228Y7NNK", + "request_parameters": "{bucketName=elastic-cspm-cloudtrail-test-bucket, Host=elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com}", + "resources": [ + { + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json", + "type": "AWS::S3::Object" + }, + { + "account_id": "000000000", + "arn": "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "type": "AWS::S3::Bucket" + } + ], + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "PutObject", + "category": [ + "file" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "6829a09f-4a37-4ec7-86d2-e739f77a57f3", + "kind": "event", + "original": 
"{\"additionalEventData\":{\"AuthenticationMethod\":\"AuthHeader\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"SignatureVersion\":\"SigV4\",\"bytesTransferredIn\":0,\"bytesTransferredOut\":0,\"x-amz-id-2\":\"HTb5ENhNh4c3y4pyC9yiVAYEdnllRj1vNGSoBWz3YlXkK0DQ4bpt8BjuihpNQhDNBAqsCFxH+yE\"},\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"6829a09f-4a37-4ec7-86d2-e739f77a57f3\",\"eventName\":\"PutObject\",\"eventSource\":\"s3.amazonaws.com\",\"eventTime\":\"2024-10-15T08:57:13Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"7FQJXG8C228Y7NNK\",\"requestParameters\":{\"Host\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"bucketName\":\"elastic-cspm-cloudtrail-test-bucket\"},\"resources\":[{\"type\":\"AWS::S3::Object\",\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json\"},{\"accountId\":\"000000000\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket\"}],\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.delete-bucket]\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "s3.amazonaws.com", + "type": [ + "change" + ] + }, + "related": { + "entity": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "test@elastic.co", + 
"elastic-cspm-cloudtrail-test-bucket", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", + "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "elastic-cspm-cloudtrail-test-bucket.s3.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "[aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.delete-bucket]", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json index dacca7f672..c611ac59ab 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-06T15:19:50.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -57,7 +64,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Bob", "Alice", @@ -73,7 +79,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -91,4 +98,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log new file mode 100644 index 0000000000..34f951ee33 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log 
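Review bot: The second hunk removes `"EXAMPLE_ID"` (the `principalId`, still present as `user.id`) from `related.entity` while the first hunk adds `actor.entity.id` holding only the ARN. The principal ID is the identifier that stays stable when an IAM user is deleted and recreated under the same name, so a pivot on it through `related.entity` now misses this event. If the drop is a side effect of the actor/target mapping rather than a deliberate choice I would keep `"EXAMPLE_ID"` in the `related.entity` list; if it is deliberate, it is worth calling out in the changelog since existing searches may rely on it.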
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"74cda083-4dd1-441b-9c88-77446f9d8216","eventName":"RestoreDBInstanceFromS3","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T19:07:20Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"a6f1facd-7db5-4eaf-b697-e1d7fead7236","requestParameters":{"allocatedStorage":5,"dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored-from-s3","engine":"mysql","engineVersion":"8.0.39","masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS","masterUsername":"admin","s3BucketName":"rmf-cloudtrail-backup-test","s3IngestionRoleArn":"arn:aws:iam::000000000:role/rds-export","sourceEngine":"mysql","sourceEngineVersion":"8.0.39"},"responseElements":{"allocatedStorage":5,"associatedRoles":[],"autoMinorVersionUpgrade":true,"backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s3","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored-from-s3","dBInstanceStatus":"creating","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"s
ubnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-DFSLUDXPAQX7Z3OLNXDTAOV5UU","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.39","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{"masterUserPassword":"HIDDEN_DUE_TO_SECURITY_REASONS"},"performanceInsightsEnabled":false,"preferredBackupWindow":"03:09-03:39","preferredMaintenanceWindow":"sun:03:45-sun:04:15","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.restore-db-instance-from-s3","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} 
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json
new file mode 100644
index 0000000000..b5509025ad
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json
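Review bot: The fixture ends with an empty added line (the bare `+` after the event), so the file is no longer strictly one JSON record per line, and the paired expected file shows the pipeline turning that blank line into a second document that holds only `ecs`, `event` and `tags` with no `event.original`. That phantom document exercises nothing about `RestoreDBInstanceFromS3` and has to be carried along every time the expectation is regenerated; earlier fixtures in this change show the same artifact, so this is a good place to stop propagating it. Remove the trailing blank line and regenerate the expectation. The file name also reads `instnace` for `instance`; since the `.log` and `-expected.json` are paired by name, renaming both now is cheaper than after other tests reference them.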
@@ -0,0 +1,263 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T19:07:20.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "allocatedStorage": 5, + "dBInstanceClass": "db.t3.micro", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored-from-s3", + "engine": "mysql", + "engineVersion": "8.0.39", + "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS", + "masterUsername": "admin", + "s3BucketName": "rmf-cloudtrail-backup-test", + "s3IngestionRoleArn": "arn:aws:iam::000000000:role/rds-export", + "sourceEngine": "mysql", + "sourceEngineVersion": "8.0.39" + }, + "response_elements": { + "allocatedStorage": 5, + "autoMinorVersionUpgrade": true, + "backupRetentionPeriod": 1, + "backupTarget": "region", + "cACertificateIdentifier": "rds-ca-rsa2048-g1", + "certificateDetails": { + "cAIdentifier": "rds-ca-rsa2048-g1" + }, + "copyTagsToSnapshot": false, + "customerOwnedIpEnabled": false, + "dBInstanceArn": "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s3", + "dBInstanceClass": "db.t3.micro", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored-from-s3", + "dBInstanceStatus": "creating", + "dBParameterGroups": [ + { + "dBParameterGroupName": "default.mysql8.0", + "parameterApplyStatus": "in-sync" + } + ], + "dBSubnetGroup": { + "dBSubnetGroupDescription": "default", + "dBSubnetGroupName": "default", + "subnetGroupStatus": "Complete", + "subnets": [ + { + "subnetAvailabilityZone": { + "name": "us-east-1d" + }, + "subnetIdentifier": "subnet-c4bf5e9b", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1a" + }, + "subnetIdentifier": "subnet-0a0bee6c", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1e" + }, + 
"subnetIdentifier": "subnet-37391109", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1b" + }, + "subnetIdentifier": "subnet-fee506df", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1f" + }, + "subnetIdentifier": "subnet-bf6ab5b1", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1c" + }, + "subnetIdentifier": "subnet-8bdf6bc6", + "subnetStatus": "Active" + } + ], + "vpcId": "vpc-73d2e309" + }, + "dbInstancePort": 0, + "dbiResourceId": "db-DFSLUDXPAQX7Z3OLNXDTAOV5UU", + "dedicatedLogVolume": false, + "deletionProtection": false, + "engine": "mysql", + "engineLifecycleSupport": "open-source-rds-extended-support", + "engineVersion": "8.0.39", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "licenseModel": "general-public-license", + "masterUsername": "admin", + "monitoringInterval": 0, + "multiAZ": false, + "networkType": "IPV4", + "optionGroupMemberships": [ + { + "optionGroupName": "default:mysql-8-0", + "status": "in-sync" + } + ], + "pendingModifiedValues": { + "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "performanceInsightsEnabled": false, + "preferredBackupWindow": "03:09-03:39", + "preferredMaintenanceWindow": "sun:03:45-sun:04:15", + "publiclyAccessible": true, + "storageEncrypted": false, + "storageThroughput": 0, + "storageType": "gp2", + "vpcSecurityGroups": [ + { + "status": "active", + "vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "a6f1facd-7db5-4eaf-b697-e1d7fead7236", + "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored-from-s3, engineVersion=8.0.39, masterUsername=admin, s3IngestionRoleArn=arn:aws:iam::000000000:role/rds-export, allocatedStorage=5, engine=mysql, s3BucketName=rmf-cloudtrail-backup-test, dBInstanceClass=db.t3.micro, sourceEngineVersion=8.0.39, 
sourceEngine=mysql, masterUserPassword=HIDDEN_DUE_TO_SECURITY_REASONS}", + "response_elements": "{allocatedStorage=5, backupTarget=region, cACertificateIdentifier=rds-ca-rsa2048-g1, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], dbiResourceId=db-DFSLUDXPAQX7Z3OLNXDTAOV5UU, preferredBackupWindow=03:09-03:39, deletionProtection=false, dBInstanceArn=arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s3, dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored-from-s3, engine=mysql, publiclyAccessible=true, iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.39, performanceInsightsEnabled=false, masterUsername=admin, certificateDetails={cAIdentifier=rds-ca-rsa2048-g1}, multiAZ=false, dBInstanceClass=db.t3.micro, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, pendingModifiedValues={masterUserPassword=HIDDEN_DUE_TO_SECURITY_REASONS}, monitoringInterval=0, preferredMaintenanceWindow=sun:03:45-sun:04:15, dBInstanceStatus=creating, backupRetentionPeriod=1, 
engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=in-sync}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "RestoreDBInstanceFromS3", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "74cda083-4dd1-441b-9c88-77446f9d8216", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"74cda083-4dd1-441b-9c88-77446f9d8216\",\"eventName\":\"RestoreDBInstanceFromS3\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T19:07:20Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"a6f1facd-7db5-4eaf-b697-e1d7fead7236\",\"requestParameters\":{\"allocatedStorage\":5,\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored-from-s3\",\"engine\":\"mysql\",\"engineVersion\":\"8.0.39\",\"masterUserPassword\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"masterUsername\":\"admin\",\"s3BucketName\":\"rmf-cloudtrail-backup-test\",\"s3IngestionRoleArn\":\"arn:aws:iam::000000000:role/rds-export\",\"sourceEngine\":\"mysql\",\"sourceEngineVersion\":\"8.0.39\"},\"responseElements\":{\"allocatedStorage\":5,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"rds-ca-rsa2048-g1\",\"certificateDetails\":{\"cAIdentifier\":\"rds-ca-rsa2048-g1\"},\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s
3\",\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored-from-s3\",\"dBInstanceStatus\":\"creating\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1e\"},\"subnetIdentifier\":\"subnet-37391109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-DFSLUDXPAQX7Z3OLNXDTAOV5UU\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.39\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"in-sync\"}],\"pendingModifiedValues\":{\"masterUserPassword\":\"HIDDEN_DUE_TO_SECURITY_REASONS\"},\"p
erformanceInsightsEnabled\":false,\"preferredBackupWindow\":\"03:09-03:39\",\"preferredMaintenanceWindow\":\"sun:03:45-sun:04:15\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.restore-db-instance-from-s3\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "test@elastic.co", + "subnet-0a0bee6c", + "subnet-37391109", + "arn:aws:iam::000000000:user/test@elastic.co", + "subnet-bf6ab5b1", + "subnet-8bdf6bc6", + "vpc-73d2e309", + "ACCESSKEYID", + "subnet-fee506df", + "test-cloudtrail-event-instance-31611-restored-from-s3", + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s3" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + 
"tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored-from-s3" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.restore-db-instance-from-s3", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log new file mode 100644 index 0000000000..92d58b0f9c --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log 
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"e74a78f8-5411-40ad-b663-05985f8065df","eventName":"RestoreDBInstanceFromDBSnapshot","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:25:07Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"5315dea6-1d39-4e4f-b50a-37edc0b2e0f3","requestParameters":{"dBInstanceClass":"db.t3.small","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored","dBSnapshotIdentifier":"test-cloudtrail-event-instance-31611-snap"},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored","dBInstanceClass":"db.t3.small","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611-restored","dBInstanceStatus":"creating","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Acti
ve"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-VTGGYHG364W76XFDRWWXSUUKJU","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.32","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"pending-apply"}],"pendingModifiedValues":{},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:50-10:20","preferredMaintenanceWindow":"mon:05:28-mon:05:58","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.restore-db-instance-from-db-snapshot","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json
new file mode 100644
index 0000000000..514bc515b4
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json
@@ -0,0 +1,252 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:25:07.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "dBInstanceClass": "db.t3.small", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored", + "dBSnapshotIdentifier": "test-cloudtrail-event-instance-31611-snap" + }, + "response_elements": { + "allocatedStorage": 20, + "autoMinorVersionUpgrade": true, + "backupRetentionPeriod": 1, + "backupTarget": "region", + "cACertificateIdentifier": "rds-ca-rsa2048-g1", + "certificateDetails": { + "cAIdentifier": "rds-ca-rsa2048-g1" + }, + "copyTagsToSnapshot": false, + "customerOwnedIpEnabled": false, + "dBInstanceArn": "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored", + "dBInstanceClass": "db.t3.small", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611-restored", + "dBInstanceStatus": "creating", + "dBParameterGroups": [ + { + "dBParameterGroupName": "default.mysql8.0", + "parameterApplyStatus": "in-sync" + } + ], + "dBSubnetGroup": { + "dBSubnetGroupDescription": "default", + "dBSubnetGroupName": "default", + "subnetGroupStatus": "Complete", + "subnets": [ + { + "subnetAvailabilityZone": { + "name": "us-east-1d" + }, + "subnetIdentifier": "subnet-c4bf5e9b", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1a" + }, + "subnetIdentifier": "subnet-0a0bee6c", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1e" + }, + "subnetIdentifier": "subnet-37391109", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1b" + }, + "subnetIdentifier": "subnet-fee506df", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1f" + }, + "subnetIdentifier": 
"subnet-bf6ab5b1", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1c" + }, + "subnetIdentifier": "subnet-8bdf6bc6", + "subnetStatus": "Active" + } + ], + "vpcId": "vpc-73d2e309" + }, + "dbInstancePort": 0, + "dbiResourceId": "db-VTGGYHG364W76XFDRWWXSUUKJU", + "dedicatedLogVolume": false, + "deletionProtection": false, + "engine": "mysql", + "engineLifecycleSupport": "open-source-rds-extended-support", + "engineVersion": "8.0.32", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "licenseModel": "general-public-license", + "masterUsername": "admin", + "monitoringInterval": 0, + "multiAZ": false, + "networkType": "IPV4", + "optionGroupMemberships": [ + { + "optionGroupName": "default:mysql-8-0", + "status": "pending-apply" + } + ], + "performanceInsightsEnabled": false, + "preferredBackupWindow": "09:50-10:20", + "preferredMaintenanceWindow": "mon:05:28-mon:05:58", + "publiclyAccessible": true, + "storageEncrypted": false, + "storageThroughput": 0, + "storageType": "gp2", + "vpcSecurityGroups": [ + { + "status": "active", + "vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "5315dea6-1d39-4e4f-b50a-37edc0b2e0f3", + "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored, dBInstanceClass=db.t3.small, dBSnapshotIdentifier=test-cloudtrail-event-instance-31611-snap}", + "response_elements": "{allocatedStorage=20, backupTarget=region, cACertificateIdentifier=rds-ca-rsa2048-g1, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], dbiResourceId=db-VTGGYHG364W76XFDRWWXSUUKJU, preferredBackupWindow=09:50-10:20, deletionProtection=false, dBInstanceArn=arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored, dBInstanceIdentifier=test-cloudtrail-event-instance-31611-restored, engine=mysql, publiclyAccessible=true, 
iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.32, performanceInsightsEnabled=false, masterUsername=admin, certificateDetails={cAIdentifier=rds-ca-rsa2048-g1}, multiAZ=false, dBInstanceClass=db.t3.small, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, monitoringInterval=0, preferredMaintenanceWindow=mon:05:28-mon:05:58, dBInstanceStatus=creating, backupRetentionPeriod=1, engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=pending-apply}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "RestoreDBInstanceFromDBSnapshot", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "e74a78f8-5411-40ad-b663-05985f8065df", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"e74a78f8-5411-40ad-b663-05985f8065df\",\"eventName\":\"RestoreDBInstanceFromDBSnapshot\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:25:07Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"5315dea6-1d39-4e4f-b50a-37edc0b2e0f3\",\"requestParameters\":{\"dBInstanceClass\":\"db.t3.small\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored\",\"dBSnapshotIdentifier\":\"test-cloudtrail-event-instance-31611-snap\"},\"responseElements\":{\"allocatedStorage\":20,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"rds-ca-rsa2048-g1\",\"certificateDetails\":{\"cAIdentifier\":\"rds-ca-rsa2048-g1\"},\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored\",\"dBInstanceClass\":\"db.t3.small\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611-restored\",\"dBInstanceStatus\":\"creating\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1e\"},\"subnetIdentifier\":\"subnet-37391109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\
",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-VTGGYHG364W76XFDRWWXSUUKJU\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.32\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"pending-apply\"}],\"pendingModifiedValues\":{},\"performanceInsightsEnabled\":false,\"preferredBackupWindow\":\"09:50-10:20\",\"preferredMaintenanceWindow\":\"mon:05:28-mon:05:58\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#rds.restore-db-instance-from-db-snapshot\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "test@elastic.co", + "subnet-0a0bee6c", + "subnet-37391109", + "arn:aws:iam::000000000:user/test@elastic.co", + "subnet-bf6ab5b1", + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored", + "subnet-8bdf6bc6", + "test-cloudtrail-event-instance-31611-restored", + "vpc-73d2e309", + "ACCESSKEYID", + "subnet-fee506df" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611-restored" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.restore-db-instance-from-db-snapshot", + 
"version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log index 9c65739168..4dd1bfa46f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log 
@@ -1 +1,2 @@ -{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5e1fb8e0-231d-4527-a146-d051e37d0d4f","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","eventTime":"2024-09-11T09:28:29Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"1010101010101","requestID":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","requestParameters":{"blockDeviceMapping":{},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","disableApiStop":false,"disableApiTermination":false,"instanceType":"t1.micro","instancesSet":{"items":[{"imageId":"ami-00a4cd63f089232e0","maxCount":1,"minCount":1}]},"monitoring":{"enabled":false},"tagSpecificationSet":{"items":[{"resourceType":"instance","tags":[{"key":"name","value":"cloudtrail-event-test"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"team","value":"cloud"},{"key":"project","value":"testproject"}]}]}},"responseElements":{"groupSet":{},"instancesSet":{"items":[{"amiLaunchIndex":0,"architecture":"x86_64","blockDeviceMapping":{},"capacityReservationSpecification":{"capacityReservationPreference":"open"},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","cpuOptions":{"coreCount":1,"threadsPerCore":1},"currentInstanceBootMode":"legacy-bios","ebsOptimized":false,"enaSupport":true,"enclaveOptions":{"enabled":false},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"hypervisor":"xen","imageId":"ami-00a4cd63f089232e0","instanceId":"i-0f2f135de18b555e3","instanceState":{"code":0,"name":"pending"},"instanceType":"t1.micro","launchTime":1726046908000,"maintenanceOptions":{"autoRecovery":"default"},"metadataOptions":{"httpEndpoint":"enabled","httpProtocolIpv4":"enabled","httpProtocolIpv6":"disabled","httpPutResponseHopLimit":1,"httpTokens":"optional","instanceMetadataTags":"disabled","state":"pending"},"monitoring":{"state":"disabled"},"networkInterfaceSet":{"items":[{"attachment":{"attachTime":1726046908000,"attachmentId":"eni-attach-0b039fe5
f25fca954","deleteOnTermination":true,"deviceIndex":0,"networkCardIndex":0,"status":"attaching"},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"interfaceType":"interface","ipv6AddressesSet":{},"macAddress":"0e:ff:ec:9c:25:65","networkInterfaceId":"eni-043138569d4a31e90","ownerId":"1010101010101","privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48","privateIpAddressesSet":{"item":[{"primary":true,"privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48"}]},"sourceDestCheck":true,"status":"in-use","subnetId":"subnet-c4bf5e9b","tagSet":{},"vpcId":"vpc-73d2e309"}]},"placement":{"availabilityZone":"us-east-1d","tenancy":"default"},"privateDnsName":"ip-172-31-35-48.ec2.internal","privateDnsNameOptions":{"enableResourceNameDnsAAAARecord":false,"enableResourceNameDnsARecord":false,"hostnameType":"ip-name"},"privateIpAddress":"172.31.35.48","productCodes":{},"rootDeviceName":"/dev/xvda","rootDeviceType":"ebs","sourceDestCheck":true,"stateReason":{"code":"pending","message":"pending"},"subnetId":"subnet-c4bf5e9b","tagSet":{"items":[{"key":"team","value":"cloud"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"name","value":"cloudtrail-event-test"},{"key":"project","value":"testproject"}]},"virtualizationType":"hvm","vpcId":"vpc-73d2e309"}]},"ownerId":"1010101010101","requestId":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","reservationId":"r-0dfcd099dcab4e63a"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/ec2.run-instances","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} \ No newline at end of file +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5e1fb8e0-231d-4527-a146-d051e37d0d4f","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","eventTime":"2024-09-11T09:28:29Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"1010101010101","requestID":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","requestParameters":{"blockDeviceMapping":{},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","disableApiStop":false,"disableApiTermination":false,"instanceType":"t1.micro","instancesSet":{"items":[{"imageId":"ami-00a4cd63f089232e0","maxCount":1,"minCount":1}]},"monitoring":{"enabled":false},"tagSpecificationSet":{"items":[{"resourceType":"instance","tags":[{"key":"name","value":"cloudtrail-event-test"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"team","value":"cloud"},{"key":"project","value":"testproject"}]}]}},"responseElements":{"groupSet":{},"instancesSet":{"items":[{"amiLaunchIndex":0,"architecture":"x86_64","blockDeviceMapping":{},"capacityReservationSpecification":{"capacityReservationPreference":"open"},"clientToken":"aeafce9c-025e-47f3-b3cc-7d9292cbadfd","cpuOptions":{"coreCount":1,"threadsPerCore":1},"currentInstanceBootMode":"legacy-bios","ebsOptimized":false,"enaSupport":true,"enclaveOptions":{"enabled":false},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"hypervisor":"xen","imageId":"ami-00a4cd63f089232e0","instanceId":"i-0f2f135de18b555e3","instanceState":{"code":0,"name":"pending"},"instanceType":"t1.micro","launchTime":1726046908000,"maintenanceOptions":{"autoRecovery":"default"},"metadataOptions":{"httpEndpoint":"enabled","httpProtocolIpv4":"enabl
ed","httpProtocolIpv6":"disabled","httpPutResponseHopLimit":1,"httpTokens":"optional","instanceMetadataTags":"disabled","state":"pending"},"monitoring":{"state":"disabled"},"networkInterfaceSet":{"items":[{"attachment":{"attachTime":1726046908000,"attachmentId":"eni-attach-0b039fe5f25fca954","deleteOnTermination":true,"deviceIndex":0,"networkCardIndex":0,"status":"attaching"},"groupSet":{"items":[{"groupId":"sg-4e483165","groupName":"default"}]},"interfaceType":"interface","ipv6AddressesSet":{},"macAddress":"0e:ff:ec:9c:25:65","networkInterfaceId":"eni-043138569d4a31e90","ownerId":"1010101010101","privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48","privateIpAddressesSet":{"item":[{"primary":true,"privateDnsName":"ip-172-31-35-48.ec2.internal","privateIpAddress":"172.31.35.48"}]},"sourceDestCheck":true,"status":"in-use","subnetId":"subnet-c4bf5e9b","tagSet":{},"vpcId":"vpc-73d2e309"}]},"placement":{"availabilityZone":"us-east-1d","tenancy":"default"},"privateDnsName":"ip-172-31-35-48.ec2.internal","privateDnsNameOptions":{"enableResourceNameDnsAAAARecord":false,"enableResourceNameDnsARecord":false,"hostnameType":"ip-name"},"privateIpAddress":"172.31.35.48","productCodes":{},"rootDeviceName":"/dev/xvda","rootDeviceType":"ebs","sourceDestCheck":true,"stateReason":{"code":"pending","message":"pending"},"subnetId":"subnet-c4bf5e9b","tagSet":{"items":[{"key":"team","value":"cloud"},{"key":"division","value":"engineering"},{"key":"org","value":"security"},{"key":"name","value":"cloudtrail-event-test"},{"key":"project","value":"testproject"}]},"virtualizationType":"hvm","vpcId":"vpc-73d2e309"}]},"ownerId":"1010101010101","requestId":"ffd44d98-cea5-4b4a-9c38-b2aee9f73489","reservationId":"r-0dfcd099dcab4e63a"},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 
exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/ec2.run-instances","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json index e4c24d0dac..7542664d48 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2024-09-11T09:28:29.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co" + ] + } + }, "aws": { "cloudtrail": { "event_category": "Management", @@ -236,7 +243,6 @@ }, "related": { "entity": [ - "AIDA2IBR2EZTJMPOR52WV", "i-0f2f135de18b555e3", "sg-4e483165", "subnet-c4bf5e9b", @@ -272,7 +278,8 @@ "ip": "216.160.83.56" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "tls": { "cipher": "TLS_AES_128_GCM_SHA256", @@ -294,6 +301,24 @@ "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/ec2.run-instances", "version": "2.14.5" } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] } ] -} \ No newline at end of file +} 
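Review bot: The second expected document added by the last hunk of test-run-instances-json.log-expected.json (`@timestamp` and `event.created` both `2021-11-11T01:02:03.123456789Z`, `event.outcome: success`, no `event.original` and no `event.action`) appears to be the pipeline's output for the empty trailing line that the preceding `.log` hunk adds (`@@ -1 +1,2 @@` ending in a bare `+`), not a CloudTrail record, so the fixture now pins that a blank input line produces a successful event. Either drop the trailing blank line from the `.log` fixtures or have the pipeline drop documents with no body, then regenerate the expected files; the same artefact is present in test-schedule-key-deletion-json.log and its expected file, test-send-command-all-json.log and its expected file, and test-send-command-targets-json.log. The hunk `@@ -236,7 +243,6 @@` removes the principal id `AIDA2IBR2EZTJMPOR52WV` from `related.entity` while the user ARN stays; that looks intentional for the actor/target mapping but is not explained anywhere, so a sentence in the commit description stating which identity fields now feed `related.entity` would help reviewers of later fixtures.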
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log
new file mode 100644
index 0000000000..6fe7bd12b9
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"bf8d383c-5843-48ec-97a2-3c2af7418543","eventName":"ScheduleKeyDeletion","eventSource":"kms.amazonaws.com","eventTime":"2024-10-14T14:25:29Z","eventType":"AwsApiCall","eventVersion":"1.09","readOnly":false,"recipientAccountId":"000000000","requestID":"5e250fa2-18f9-4bf8-9593-a9e0601f2941","requestParameters":{"keyId":"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11","pendingWindowInDays":7},"resources":[{"ARN":"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11","accountId":"000000000","type":"AWS::KMS::Key"}],"responseElements":{"deletionDate":"Oct 21, 2024, 2:25:29 PM","keyId":"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11","keyState":"PendingDeletion","pendingWindowInDays":7},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_256_GCM_SHA384","clientProvidedHostHeader":"kms.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#kms.schedule-key-deletion","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log-expected.json
new file mode 100644
index 0000000000..346b02f92c
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log-expected.json
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-14T14:25:29.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.09", + "flattened": { + "request_parameters": { + "keyId": "arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11", + "pendingWindowInDays": 7 + }, + "response_elements": { + "deletionDate": "Oct 21, 2024, 2:25:29 PM", + "keyId": "arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11", + "keyState": "PendingDeletion", + "pendingWindowInDays": 7 + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "5e250fa2-18f9-4bf8-9593-a9e0601f2941", + "request_parameters": "{pendingWindowInDays=7, keyId=arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11}", + "resources": [ + { + "account_id": "000000000", + "arn": "arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11", + "type": "AWS::KMS::Key" + } + ], + "response_elements": "{pendingWindowInDays=7, deletionDate=Oct 21, 2024, 2:25:29 PM, keyState=PendingDeletion, keyId=arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ScheduleKeyDeletion", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "bf8d383c-5843-48ec-97a2-3c2af7418543", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"bf8d383c-5843-48ec-97a2-3c2af7418543\",\"eventName\":\"ScheduleKeyDeletion\",\"eventSource\":\"kms.amazonaws.com\",\"eventTime\":\"2024-10-14T14:25:29Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.09\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"5e250fa2-18f9-4bf8-9593-a9e0601f2941\",\"requestParameters\":{\"keyId\":\"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11\",\"pendingWindowInDays\":7},\"resources\":[{\"ARN\":\"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11\",\"accountId\":\"000000000\",\"type\":\"AWS::KMS::Key\"}],\"responseElements\":{\"deletionDate\":\"Oct 21, 2024, 2:25:29 PM\",\"keyId\":\"arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11\",\"keyState\":\"PendingDeletion\",\"pendingWindowInDays\":7},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_256_GCM_SHA384\",\"clientProvidedHostHeader\":\"kms.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#kms.schedule-key-deletion\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "kms.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + 
"geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:kms:us-east-1:000000000:key/27d7cd14-7557-4509-a438-15fbf1e8db11" + ] + } + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "client": { + "server_name": "kms.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_b9ebeb30-e2c8-40eb-8c5b-3a825acea708 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#kms.schedule-key-deletion", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log new file mode 100644 index 0000000000..313ec66521 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log 
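Review bot: `event.type` is `["info"]` and `event.category` is absent for the ScheduleKeyDeletion document in this expected file, although the source record has `read_only: false` and schedules a KMS key for deletion, so the fixture pins a destructive, hard-to-reverse action as an uncategorised informational event; the SendCommand fixtures in the same commit do receive `event.category: ["process"]`. If the pipeline decides this per `event.action`, consider mapping ScheduleKeyDeletion to a change/deletion type before pinning it here, since detections keyed on ECS categories will otherwise not see it; if KMS actions are deliberately left uncategorised, say so in the commit description. The locale-formatted `deletionDate` value `Oct 21, 2024, 2:25:29 PM` is carried through verbatim in `flattened.response_elements` and in the `response_elements` string, which is fine for a raw copy, but it should not be mistaken for a parsable date field.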
@@ -0,0 +1,2 @@
+{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"PRINCIPAL:StateManagerService","arn":"arn:aws:sts::00000000000:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService","accountId":"00000000000","accessKeyId":"ACCESSKEY","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"PRINCIPAL","arn":"arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM","accountId":"00000000000","userName":"AWSServiceRoleForAmazonSSM"},"webIdFederationData":{},"attributes":{"creationDate":"2024-11-04T19:56:35Z","mfaAuthenticated":"false"}},"invokedBy":"ssm.amazonaws.com"},"eventTime":"2024-11-04T19:56:35Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","awsRegion":"us-east-1","sourceIPAddress":"ssm.amazonaws.com","userAgent":"ssm.amazonaws.com","requestParameters":{"instanceIds":["*"],"documentName":"AWS-RunPatchBaselineAssociation","documentVersion":"1","timeoutSeconds":600,"comment":"1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71","parameters":"HIDDEN_DUE_TO_SECURITY_REASONS","maxConcurrency":"100%","maxErrors":"100%","clientName":"","interactive":false},"responseElements":{"command":{"commandId":"9f9aa7a3-b1a6-45ba-b83f-f5cc4b5f9961","documentName":"AWS-RunPatchBaselineAssociation","documentVersion":"1","comment":"1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71","expiresAfter":"Nov 5, 2024, 2:06:35 AM","parameters":"HIDDEN_DUE_TO_SECURITY_REASONS","instanceIds":["*"],"targets":[],"requestedDateTime":"Nov 4, 2024, 7:56:35 PM","status":"Pending","statusDetails":"Pending","outputS3Region":"us-east-1","outputS3BucketName":"","outputS3KeyPrefix":"","maxConcurrency":"100%","maxErrors":"100%","targetCount":0,"completedCount":0,"errorCount":0,"deliveryTimedOutCount":0,"serviceRole":"","notificationConfig":{"notificationArn":"","notificationEvents":[],"notificationType":""},"cloudWatchOutputConfig":{"cloudWatchLogGroupName":"","cloudWatchOutputEnabled":false},"interactive":false,"timeoutSeconds":600,"clientName":"StateManager","clientSourceId":"","alarmConfiguration":{"ignorePollAlarmFailure":false,"alarms":[]},"triggeredAlarms":[],"hasSendCommandSignature":false,"hasCancelCommandSignature":false}},"requestID":"8dd0bf64-ad22-4210-ac5b-027967c93994","eventID":"854f1ab5-82e4-44dc-b29a-62b346e257d7","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management"}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json
new file mode 100644
index 0000000000..a53f1701c9
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json
@@ -0,0 +1,165 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-04T19:56:35.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:sts::00000000000:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "comment": "1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71", + "documentName": "AWS-RunPatchBaselineAssociation", + "documentVersion": "1", + "instanceIds": [ + "*" + ], + "interactive": false, + "maxConcurrency": "100%", + "maxErrors": "100%", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "timeoutSeconds": 600 + }, + "response_elements": { + "command": { + "alarmConfiguration": { + "ignorePollAlarmFailure": false + }, + "clientName": "StateManager", + "cloudWatchOutputConfig": { + "cloudWatchOutputEnabled": false + }, + "commandId": "9f9aa7a3-b1a6-45ba-b83f-f5cc4b5f9961", + "comment": "1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "AWS-RunPatchBaselineAssociation", + "documentVersion": "1", + "errorCount": 0, + "expiresAfter": "Nov 5, 2024, 2:06:35 AM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "instanceIds": [ + "*" + ], + "interactive": false, + "maxConcurrency": "100%", + "maxErrors": "100%", + "outputS3Region": "us-east-1", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Nov 4, 2024, 7:56:35 PM", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 0, + "timeoutSeconds": 600 + } + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "8dd0bf64-ad22-4210-ac5b-027967c93994", + "request_parameters": "{maxErrors=100%, instanceIds=[*], interactive=false, timeoutSeconds=600, 
comment=1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71, documentName=AWS-RunPatchBaselineAssociation, parameters=HIDDEN_DUE_TO_SECURITY_REASONS, documentVersion=1, maxConcurrency=100%}", + "response_elements": "{command={clientName=StateManager, interactive=false, alarmConfiguration={ignorePollAlarmFailure=false}, deliveryTimedOutCount=0, targetCount=0, documentVersion=1, maxConcurrency=100%, hasSendCommandSignature=false, expiresAfter=Nov 5, 2024, 2:06:35 AM, instanceIds=[*], hasCancelCommandSignature=false, requestedDateTime=Nov 4, 2024, 7:56:35 PM, errorCount=0, documentName=AWS-RunPatchBaselineAssociation, completedCount=0, commandId=9f9aa7a3-b1a6-45ba-b83f-f5cc4b5f9961, outputS3Region=us-east-1, maxErrors=100%, statusDetails=Pending, timeoutSeconds=600, comment=1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71, cloudWatchOutputConfig={cloudWatchOutputEnabled=false}, parameters=HIDDEN_DUE_TO_SECURITY_REASONS, status=Pending}}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:sts::00000000000:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService", + "invoked_by": "ssm.amazonaws.com", + "session_context": { + "creation_date": "2024-11-04T19:56:35.000Z", + "mfa_authenticated": "false", + "session_issuer": { + "account_id": "00000000000", + "arn": "arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM", + "principal_id": "PRINCIPAL", + "type": "Role" + } + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SendCommand", + "category": [ + "process" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "854f1ab5-82e4-44dc-b29a-62b346e257d7", + "kind": "event", + "original": 
"{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"PRINCIPAL:StateManagerService\",\"arn\":\"arn:aws:sts::00000000000:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"PRINCIPAL\",\"arn\":\"arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM\",\"accountId\":\"00000000000\",\"userName\":\"AWSServiceRoleForAmazonSSM\"},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2024-11-04T19:56:35Z\",\"mfaAuthenticated\":\"false\"}},\"invokedBy\":\"ssm.amazonaws.com\"},\"eventTime\":\"2024-11-04T19:56:35Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"SendCommand\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"ssm.amazonaws.com\",\"userAgent\":\"ssm.amazonaws.com\",\"requestParameters\":{\"instanceIds\":[\"*\"],\"documentName\":\"AWS-RunPatchBaselineAssociation\",\"documentVersion\":\"1\",\"timeoutSeconds\":600,\"comment\":\"1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71\",\"parameters\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"maxConcurrency\":\"100%\",\"maxErrors\":\"100%\",\"clientName\":\"\",\"interactive\":false},\"responseElements\":{\"command\":{\"commandId\":\"9f9aa7a3-b1a6-45ba-b83f-f5cc4b5f9961\",\"documentName\":\"AWS-RunPatchBaselineAssociation\",\"documentVersion\":\"1\",\"comment\":\"1e59ed7b-bf7f-4304-ba2d-e48cfcf5658d:c257a672-eb26-428b-9a92-3e51bbb69c71\",\"expiresAfter\":\"Nov 5, 2024, 2:06:35 AM\",\"parameters\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"instanceIds\":[\"*\"],\"targets\":[],\"requestedDateTime\":\"Nov 4, 2024, 7:56:35 
PM\",\"status\":\"Pending\",\"statusDetails\":\"Pending\",\"outputS3Region\":\"us-east-1\",\"outputS3BucketName\":\"\",\"outputS3KeyPrefix\":\"\",\"maxConcurrency\":\"100%\",\"maxErrors\":\"100%\",\"targetCount\":0,\"completedCount\":0,\"errorCount\":0,\"deliveryTimedOutCount\":0,\"serviceRole\":\"\",\"notificationConfig\":{\"notificationArn\":\"\",\"notificationEvents\":[],\"notificationType\":\"\"},\"cloudWatchOutputConfig\":{\"cloudWatchLogGroupName\":\"\",\"cloudWatchOutputEnabled\":false},\"interactive\":false,\"timeoutSeconds\":600,\"clientName\":\"StateManager\",\"clientSourceId\":\"\",\"alarmConfiguration\":{\"ignorePollAlarmFailure\":false,\"alarms\":[]},\"triggeredAlarms\":[],\"hasSendCommandSignature\":false,\"hasCancelCommandSignature\":false}},\"requestID\":\"8dd0bf64-ad22-4210-ac5b-027967c93994\",\"eventID\":\"854f1ab5-82e4-44dc-b29a-62b346e257d7\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\"}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [] + }, + "related": { + "entity": [ + "00000000000", + "ACCESSKEY", + "arn:aws:sts::00000000000:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService", + "AWSServiceRoleForAmazonSSM", + "arn:aws:iam::00000000000:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM" + ] + }, + "source": { + "address": "ssm.amazonaws.com" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "00000000000" + ] + } + }, + "user": { + "id": "PRINCIPAL:StateManagerService", + "name": "AWSServiceRoleForAmazonSSM" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "ssm.amazonaws.com" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + 
"tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
+ }
+ ]
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log
new file mode 100644
index 0000000000..ca5f9f8b3a
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log
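Review bot: `event.type` is the empty array `[]` in the SendCommand document of test-send-command-all-json.log-expected.json while `event.category` is `["process"]`; every other fixture in the commit carries `["info"]`, and a set category with an empty type is an ECS inconsistency better resolved in the pipeline (for example `["start"]` for SendCommand) than pinned in the fixture. `related.user` is also missing from this document even though `user.name` is `AWSServiceRoleForAmazonSSM`, whereas the IAMUser fixtures populate `related.user` from `user.name`; if AssumedRole identities are meant to be excluded, a comment in the pipeline explaining that would help. `target.entity.id` resolves to the account id `00000000000` here, apparently because the request's `instanceIds` is the wildcard `*` and no concrete instance survives into the mapping; a fallback to the calling account is unlikely to be the target a detection on SendCommand wants, so confirm this is intended rather than a side effect of dropping the wildcard.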
@@ -0,0 +1,2 @@ +{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"PRINCPALID","arn":"arn:aws:iam::00000000000:user/pwncloud-backdoor-user","accountId":"00000000000","accessKeyId":"ACCESSKEYID","userName":"pwncloud-backdoor-user"},"eventTime":"2024-10-30T20:30:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ssm.send-command","requestParameters":{"targets":[{"key":"instanceids","values":["i-0ddf9acf8eeb33959"]}],"documentName":"EncryptFilesAndUploadRansomNote","interactive":false},"responseElements":{"command":{"commandId":"29afe621-dae7-4f93-a5b6-e485d0e429b1","documentName":"EncryptFilesAndUploadRansomNote","documentVersion":"$DEFAULT","comment":"","expiresAfter":"Oct 30, 2024, 10:30:00 PM","parameters":"HIDDEN_DUE_TO_SECURITY_REASONS","instanceIds":[],"targets":[{"key":"instanceids","values":["i-0ddf9acf8eeb33959"]}],"requestedDateTime":"Oct 30, 2024, 8:30:00 
PM","status":"Pending","statusDetails":"Pending","outputS3Region":"us-east-1","outputS3BucketName":"","outputS3KeyPrefix":"","maxConcurrency":"50","maxErrors":"0","targetCount":0,"completedCount":0,"errorCount":0,"deliveryTimedOutCount":0,"serviceRole":"","notificationConfig":{"notificationArn":"","notificationEvents":[],"notificationType":""},"cloudWatchOutputConfig":{"cloudWatchLogGroupName":"","cloudWatchOutputEnabled":false},"interactive":false,"timeoutSeconds":3600,"clientName":"","clientSourceId":"","alarmConfiguration":{"ignorePollAlarmFailure":false,"alarms":[]},"triggeredAlarms":[],"hasSendCommandSignature":false,"hasCancelCommandSignature":false}},"requestID":"11b4aa49-fb0a-4045-aa33-d12ac1d3b304","eventID":"c25b98b1-270c-47e6-ba2d-e2e25f26bec7","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json new file mode 100644 index 0000000000..d21302a676 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json 
@@ -0,0 +1,186 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:30:00.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "documentName": "EncryptFilesAndUploadRansomNote", + "interactive": false, + "targets": [ + { + "key": "instanceids", + "values": [ + "i-0ddf9acf8eeb33959" + ] + } + ] + }, + "response_elements": { + "command": { + "alarmConfiguration": { + "ignorePollAlarmFailure": false + }, + "cloudWatchOutputConfig": { + "cloudWatchOutputEnabled": false + }, + "commandId": "29afe621-dae7-4f93-a5b6-e485d0e429b1", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "EncryptFilesAndUploadRansomNote", + "documentVersion": "$DEFAULT", + "errorCount": 0, + "expiresAfter": "Oct 30, 2024, 10:30:00 PM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "interactive": false, + "maxConcurrency": "50", + "maxErrors": "0", + "outputS3Region": "us-east-1", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Oct 30, 2024, 8:30:00 PM", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 0, + "targets": [ + { + "key": "instanceids", + "values": [ + "i-0ddf9acf8eeb33959" + ] + } + ], + "timeoutSeconds": 3600 + } + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "11b4aa49-fb0a-4045-aa33-d12ac1d3b304", + "request_parameters": "{interactive=false, documentName=EncryptFilesAndUploadRansomNote, targets=[{values=[i-0ddf9acf8eeb33959], key=instanceids}]}", + "response_elements": "{command={interactive=false, alarmConfiguration={ignorePollAlarmFailure=false}, deliveryTimedOutCount=0, targets=[{values=[i-0ddf9acf8eeb33959], key=instanceids}], targetCount=0, documentVersion=$DEFAULT, maxConcurrency=50, hasSendCommandSignature=false, 
expiresAfter=Oct 30, 2024, 10:30:00 PM, hasCancelCommandSignature=false, requestedDateTime=Oct 30, 2024, 8:30:00 PM, errorCount=0, documentName=EncryptFilesAndUploadRansomNote, completedCount=0, commandId=29afe621-dae7-4f93-a5b6-e485d0e429b1, outputS3Region=us-east-1, maxErrors=0, statusDetails=Pending, timeoutSeconds=3600, cloudWatchOutputConfig={cloudWatchOutputEnabled=false}, parameters=HIDDEN_DUE_TO_SECURITY_REASONS, status=Pending}}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SendCommand", + "category": [ + "process" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "c25b98b1-270c-47e6-ba2d-e2e25f26bec7", + "kind": "event", + "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCPALID\",\"arn\":\"arn:aws:iam::00000000000:user/pwncloud-backdoor-user\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"pwncloud-backdoor-user\"},\"eventTime\":\"2024-10-30T20:30:00Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"SendCommand\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ssm.send-command\",\"requestParameters\":{\"targets\":[{\"key\":\"instanceids\",\"values\":[\"i-0ddf9acf8eeb33959\"]}],\"documentName\":\"EncryptFilesAndUploadRansomNote\",\"interactive\":false},\"responseElements\":{\"command\":{\"commandId\":\"29afe621-dae7-4f93-a5b6-e485d0e429b1\",\"documentName\":\"EncryptFilesAndUploadRansomNote\",\"documentVersion\":\"$DEFAULT\",\"comment\":\"\",\"expiresAfter\":\"Oct 30, 2024, 
10:30:00 PM\",\"parameters\":\"HIDDEN_DUE_TO_SECURITY_REASONS\",\"instanceIds\":[],\"targets\":[{\"key\":\"instanceids\",\"values\":[\"i-0ddf9acf8eeb33959\"]}],\"requestedDateTime\":\"Oct 30, 2024, 8:30:00 PM\",\"status\":\"Pending\",\"statusDetails\":\"Pending\",\"outputS3Region\":\"us-east-1\",\"outputS3BucketName\":\"\",\"outputS3KeyPrefix\":\"\",\"maxConcurrency\":\"50\",\"maxErrors\":\"0\",\"targetCount\":0,\"completedCount\":0,\"errorCount\":0,\"deliveryTimedOutCount\":0,\"serviceRole\":\"\",\"notificationConfig\":{\"notificationArn\":\"\",\"notificationEvents\":[],\"notificationType\":\"\"},\"cloudWatchOutputConfig\":{\"cloudWatchLogGroupName\":\"\",\"cloudWatchOutputEnabled\":false},\"interactive\":false,\"timeoutSeconds\":3600,\"clientName\":\"\",\"clientSourceId\":\"\",\"alarmConfiguration\":{\"ignorePollAlarmFailure\":false,\"alarms\":[]},\"triggeredAlarms\":[],\"hasSendCommandSignature\":false,\"hasCancelCommandSignature\":false}},\"requestID\":\"11b4aa49-fb0a-4045-aa33-d12ac1d3b304\",\"eventID\":\"c25b98b1-270c-47e6-ba2d-e2e25f26bec7\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [] + }, + "related": { + "entity": [ + "ACCESSKEYID", + "i-0ddf9acf8eeb33959", + "pwncloud-backdoor-user", + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": 
[ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "i-0ddf9acf8eeb33959" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCPALID", + "name": "pwncloud-backdoor-user" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#ssm.send-command", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log new file mode 100644 index 0000000000..7af6af9c64 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log 
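Review bot: The SendCommand document in this fixture pins `"type": []` under `event` while `event.category` is `["process"]`, so the expected output encodes an ECS-invalid pairing and any detection that filters on `event.type` will not match remote command execution through SSM. The pipeline that produces this output is not in this chunk, so the fix belongs there (for example `event.type: ["start"]`, a valid type for the process category) with the fixture regenerated afterwards. A related gap: the two Send*SSHPublicKey expected files later in this diff carry `"type": ["info"]` with no `event.category` at all, so key-push events are left uncategorized.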
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"15f299e4-4e8c-4ebe-abe4-c09e96a217e6","eventName":"SendSerialConsoleSSHPublicKey","eventSource":"ec2-instance-connect.amazonaws.com","eventTime":"2024-10-16T12:14:07Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"9e7b4b59-bc27-4711-a430-4b9bb6ea87cb","requestParameters":{"instanceId":"i-097069fd5068721f3","monitorMode":false,"sSHPublicKey":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n","serialPort":0},"responseElements":{"requestId":"9e7b4b59-bc27-4711-a430-4b9bb6ea87cb","success":true},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2-instance-connect.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-serial-console-ssh-public-key","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log-expected.json
new file mode 100644
index 0000000000..a91943e514
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log-expected.json
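Review bot: The `sSHPublicKey` value keeps the key comment `romulo@Elastics-Macbook-Pro.local`, which puts a personal username and hostname into a committed fixture even though the rest of the identity fields are anonymized (`ACCESSKEYID`, `PRINCIPALID`, `000000000`). Replace the key material and its comment with a throwaway key and a neutral comment such as `user@example.com` before merging. The same value is repeated in the test-send-ssh-public-key-json.log hunk and in both corresponding -expected.json files, which must be regenerated after the change.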
@@ -0,0 +1,143 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:14:07.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "instanceId": "i-097069fd5068721f3", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n", + "serialPort": 0 + }, + "response_elements": { + "requestId": "9e7b4b59-bc27-4711-a430-4b9bb6ea87cb", + "success": true + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "9e7b4b59-bc27-4711-a430-4b9bb6ea87cb", + "request_parameters": "{instanceId=i-097069fd5068721f3, sSHPublicKey=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n, serialPort=0, monitorMode=false}", + "response_elements": "{requestId=9e7b4b59-bc27-4711-a430-4b9bb6ea87cb, success=true}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SendSerialConsoleSSHPublicKey", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "15f299e4-4e8c-4ebe-abe4-c09e96a217e6", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"15f299e4-4e8c-4ebe-abe4-c09e96a217e6\",\"eventName\":\"SendSerialConsoleSSHPublicKey\",\"eventSource\":\"ec2-instance-connect.amazonaws.com\",\"eventTime\":\"2024-10-16T12:14:07Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"9e7b4b59-bc27-4711-a430-4b9bb6ea87cb\",\"requestParameters\":{\"instanceId\":\"i-097069fd5068721f3\",\"monitorMode\":false,\"sSHPublicKey\":\"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\\n\",\"serialPort\":0},\"responseElements\":{\"requestId\":\"9e7b4b59-bc27-4711-a430-4b9bb6ea87cb\",\"success\":true},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2-instance-connect.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-serial-console-ssh-public-key\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2-instance-connect.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "i-097069fd5068721f3", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + 
"location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "i-097069fd5068721f3" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2-instance-connect.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-serial-console-ssh-public-key", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log new file mode 100644 index 0000000000..54207ec460 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log 
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"c085aaa6-3b7e-48c2-b430-fb821ae9e073","eventName":"SendSSHPublicKey","eventSource":"ec2-instance-connect.amazonaws.com","eventTime":"2024-10-16T12:13:21Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"ae708954-95b3-40b1-a0d3-48a3093274ac","requestParameters":{"availabilityZone":"us-east-1d","instanceId":"i-097069fd5068721f3","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n"},"responseElements":{"requestId":"ae708954-95b3-40b1-a0d3-48a3093274ac","success":true},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"ec2-instance-connect.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-ssh-public-key","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log-expected.json
new file mode 100644
index 0000000000..0092b1f626
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log-expected.json
@@ -0,0 +1,143 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-16T12:13:21.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "availabilityZone": "us-east-1d", + "instanceId": "i-097069fd5068721f3", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n" + }, + "response_elements": { + "requestId": "ae708954-95b3-40b1-a0d3-48a3093274ac", + "success": true + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "ae708954-95b3-40b1-a0d3-48a3093274ac", + "request_parameters": "{instanceId=i-097069fd5068721f3, instanceOSUser=ec2-user, sSHPublicKey=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\n, availabilityZone=us-east-1d}", + "response_elements": "{requestId=ae708954-95b3-40b1-a0d3-48a3093274ac, success=true}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SendSSHPublicKey", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "c085aaa6-3b7e-48c2-b430-fb821ae9e073", + "kind": "event", + "original": 
"{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"c085aaa6-3b7e-48c2-b430-fb821ae9e073\",\"eventName\":\"SendSSHPublicKey\",\"eventSource\":\"ec2-instance-connect.amazonaws.com\",\"eventTime\":\"2024-10-16T12:13:21Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"ae708954-95b3-40b1-a0d3-48a3093274ac\",\"requestParameters\":{\"availabilityZone\":\"us-east-1d\",\"instanceId\":\"i-097069fd5068721f3\",\"instanceOSUser\":\"ec2-user\",\"sSHPublicKey\":\"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnNrCoRSpEDQZ3sx52Hyf5nYGqlGQALWR+d1MdO3Ne4 romulo@Elastics-Macbook-Pro.local\\n\"},\"responseElements\":{\"requestId\":\"ae708954-95b3-40b1-a0d3-48a3093274ac\",\"success\":true},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"ec2-instance-connect.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-ssh-public-key\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ec2-instance-connect.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "i-097069fd5068721f3", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + 
"location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "i-097069fd5068721f3" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "ec2-instance-connect.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_194b211b-09c5-4bf4-a5b5-0bb97a779b69 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.send-ssh-public-key", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json index 4dc2e88249..e6c9b4985f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-08T15:30:25.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", 
@@ -50,7 +57,6 @@
 },
 "related": {
 "entity": [
- "EXAMPLE_ID",
 "TEST-trail",
 "EXAMPLE_KEY",
 "Alice",
@@ -65,7 +71,8 @@
 "ip": "127.0.0.1"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
 "user": {
 "id": "EXAMPLE_ID",
@@ -80,4 +87,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log
new file mode 100644
index 0000000000..0622e0a126
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log
@@ -0,0 +1,2 @@
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"c3c698fc-eaa1-493e-94bf-784c7341ade9","eventName":"StartSession","eventSource":"ssm.amazonaws.com","eventTime":"2024-10-10T11:44:29Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"8e17f548-5e38-4583-b2a2-4f9f226828e1","requestParameters":{"target":"i-1234567890abcdef0"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com","tlsVersion":"TLSv1.2"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dd5d4d4c-486c-447c-b310-be868807ca5d cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.start-session","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log-expected.json
new file mode 100644
index 0000000000..364060035a
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log-expected.json
@@ -0,0 +1,138 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T11:44:29.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "target": "i-1234567890abcdef0" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "8e17f548-5e38-4583-b2a2-4f9f226828e1", + "request_parameters": "{target=i-1234567890abcdef0}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "StartSession", + "category": [ + "session" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "c3c698fc-eaa1-493e-94bf-784c7341ade9", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"c3c698fc-eaa1-493e-94bf-784c7341ade9\",\"eventName\":\"StartSession\",\"eventSource\":\"ssm.amazonaws.com\",\"eventTime\":\"2024-10-10T11:44:29Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"8e17f548-5e38-4583-b2a2-4f9f226828e1\",\"requestParameters\":{\"target\":\"i-1234567890abcdef0\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.2\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dd5d4d4c-486c-447c-b310-be868807ca5d cfg/retry-mode#standard md/installer#exe md/prompt#off 
md/command#ssm.start-session\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "start" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "i-1234567890abcdef0", + "arn:aws:iam::000000000:user/test@elastic.co" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "i-1234567890abcdef0" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_dd5d4d4c-486c-447c-b310-be868807ca5d cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ssm.start-session", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log
index a2627c3380..8344e21c7c 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log
@@ -1 +1,2 @@
-{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5988b0ec-dbca-4f81-b0f7-12891720f170","eventName":"StopConfigurationRecorder","eventSource":"config.amazonaws.com","eventTime":"2024-09-11T09:29:18Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"2c953b2f-f1cc-48c3-8856-9a6f8bcfb10d","requestParameters":{"configurationRecorderName":"default"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"config.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/configservice.stop-configuration-recorder","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}}
\ No newline at end of file
+{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"5988b0ec-dbca-4f81-b0f7-12891720f170","eventName":"StopConfigurationRecorder","eventSource":"config.amazonaws.com","eventTime":"2024-09-11T09:29:18Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"1010101010101","requestID":"2c953b2f-f1cc-48c3-8856-9a6f8bcfb10d","requestParameters":{"configurationRecorderName":"default"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"config.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off 
command/configservice.stop-configuration-recorder","userIdentity":{"accessKeyId":"ACCESS_KEY_EXAMPLE","accountId":"1010101010101","arn":"arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co","principalId":"AIDA2IBR2EZTJMPOR52WV","type":"IAMUser","userName":"testcloudtrail@elastic.co"}}
+
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json
index 6b7bb131b0..17abd9e5dc 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json
@@ -2,6 +2,13 @@
 "expected": [
 {
 "@timestamp": "2024-09-11T09:29:18.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co"
+ ]
+ }
+ },
 "aws": {
 "cloudtrail": {
 "event_category": "Management",
@@ -46,7 +53,6 @@
 },
 "related": {
 "entity": [
- "AIDA2IBR2EZTJMPOR52WV",
 "ACCESS_KEY_EXAMPLE",
 "default",
 "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co",
@@ -76,8 +82,16 @@
 "ip": "216.160.83.56"
 },
 "tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
 ],
+ "target": {
+ "entity": {
+ "id": [
+ "default"
+ ]
+ }
+ },
 "tls": {
 "cipher": "TLS_AES_128_GCM_SHA256",
 "client": {
@@ -98,6 +112,24 @@
 "original": "aws-cli/2.14.5 Python/3.11.6 Darwin/23.6.0 exec-env/grimoire_7ea17849-045c-4e81-8a81-d0822d5c4aaf exe/x86_64 prompt/off command/configservice.stop-configuration-recorder",
 "version": "2.14.5"
 }
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log
new file mode 100644
index 0000000000..5eb050688f
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log
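Review bot: The second document added in this hunk (the one holding only `@timestamp`, `ecs`, `event` and `tags`) appears to come from the blank line this commit appends to test-stop-configuration-recorder.log, and it pins `event.kind: event` with `event.outcome: success` for an input that carries no CloudTrail record at all. Either the pipeline should drop empty messages instead of emitting a success-looking event, or the .log fixtures should not end in a trailing empty line. Every new .log hunk in this chunk ends with the same bare `+` line and every new -expected.json carries the same empty document, so whichever fix is chosen should be applied across all of them.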
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"b9b41f25-ec6a-41dd-9eef-3101ebbab030","eventName":"StopDBCluster","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:58:04Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"f882dfc4-b81f-4c75-b673-4e48cf737bb1","requestParameters":{"dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster"},"responseElements":{"allocatedStorage":1,"associatedRoles":[],"autoMinorVersionUpgrade":true,"availabilityZones":["us-east-1d","us-east-1b","us-east-1c"],"backupRetentionPeriod":14,"clusterCreateTime":"Oct 10, 2024 3:18:55 PM","copyTagsToSnapshot":false,"crossAccountClone":false,"dBClusterArn":"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster","dBClusterIdentifier":"test-cloudtrail-event-instance-31611-cluster","dBClusterMembers":[],"dBClusterParameterGroup":"default.aurora-mysql8.0","dBSubnetGroup":"default","dbClusterResourceId":"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4","deletionProtection":false,"domainMemberships":[],"earliestRestorableTime":"Oct 10, 2024 3:19:46 PM","endpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com","engine":"aurora-mysql","engineMode":"provisioned","engineVersion":"8.0.mysql_aurora.3.07.1","hostedZoneId":"Z2R2ITUGPM61AM","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"latestRestorableTime":"Oct 10, 2024 3:19:46 
PM","localWriteForwardingStatus":"disabled","masterUsername":"master","multiAZ":false,"networkType":"IPV4","port":3306,"preferredBackupWindow":"03:14-03:44","preferredMaintenanceWindow":"wed:04:17-wed:04:47","readReplicaIdentifiers":[],"readerEndpoint":"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com","status":"available","storageEncrypted":false,"tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-cluster","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log-expected.json new file mode 100644 index 0000000000..e23bd2d7a3 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log-expected.json 
@@ -0,0 +1,181 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:58:04.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster" + }, + "response_elements": { + "allocatedStorage": 1, + "autoMinorVersionUpgrade": true, + "availabilityZones": [ + "us-east-1d", + "us-east-1b", + "us-east-1c" + ], + "backupRetentionPeriod": 14, + "clusterCreateTime": "Oct 10, 2024 3:18:55 PM", + "copyTagsToSnapshot": false, + "crossAccountClone": false, + "dBClusterArn": "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster", + "dBClusterIdentifier": "test-cloudtrail-event-instance-31611-cluster", + "dBClusterParameterGroup": "default.aurora-mysql8.0", + "dBSubnetGroup": "default", + "dbClusterResourceId": "cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4", + "deletionProtection": false, + "earliestRestorableTime": "Oct 10, 2024 3:19:46 PM", + "endpoint": "test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com", + "engine": "aurora-mysql", + "engineMode": "provisioned", + "engineVersion": "8.0.mysql_aurora.3.07.1", + "hostedZoneId": "Z2R2ITUGPM61AM", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "latestRestorableTime": "Oct 10, 2024 3:19:46 PM", + "localWriteForwardingStatus": "disabled", + "masterUsername": "master", + "multiAZ": false, + "networkType": "IPV4", + "port": 3306, + "preferredBackupWindow": "03:14-03:44", + "preferredMaintenanceWindow": "wed:04:17-wed:04:47", + "readerEndpoint": "test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com", + "status": "available", + "storageEncrypted": false, + "vpcSecurityGroups": [ + { + "status": "active", + 
"vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "f882dfc4-b81f-4c75-b673-4e48cf737bb1", + "request_parameters": "{dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster}", + "response_elements": "{crossAccountClone=false, allocatedStorage=1, availabilityZones=[us-east-1d, us-east-1b, us-east-1c], localWriteForwardingStatus=disabled, preferredBackupWindow=03:14-03:44, deletionProtection=false, endpoint=test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com, engineMode=provisioned, engine=aurora-mysql, readerEndpoint=test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com, iAMDatabaseAuthenticationEnabled=false, earliestRestorableTime=Oct 10, 2024 3:19:46 PM, networkType=IPV4, clusterCreateTime=Oct 10, 2024 3:18:55 PM, engineVersion=8.0.mysql_aurora.3.07.1, masterUsername=master, multiAZ=false, storageEncrypted=false, dBSubnetGroup=default, hostedZoneId=Z2R2ITUGPM61AM, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], port=3306, preferredMaintenanceWindow=wed:04:17-wed:04:47, backupRetentionPeriod=14, dBClusterParameterGroup=default.aurora-mysql8.0, dBClusterIdentifier=test-cloudtrail-event-instance-31611-cluster, dbClusterResourceId=cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, dBClusterArn=arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster, latestRestorableTime=Oct 10, 2024 3:19:46 PM, status=available}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "StopDBCluster", + "created": "2021-11-11T01:02:03.123456789Z", + "id": 
"b9b41f25-ec6a-41dd-9eef-3101ebbab030", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"b9b41f25-ec6a-41dd-9eef-3101ebbab030\",\"eventName\":\"StopDBCluster\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:58:04Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"f882dfc4-b81f-4c75-b673-4e48cf737bb1\",\"requestParameters\":{\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\"},\"responseElements\":{\"allocatedStorage\":1,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"availabilityZones\":[\"us-east-1d\",\"us-east-1b\",\"us-east-1c\"],\"backupRetentionPeriod\":14,\"clusterCreateTime\":\"Oct 10, 2024 3:18:55 PM\",\"copyTagsToSnapshot\":false,\"crossAccountClone\":false,\"dBClusterArn\":\"arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster\",\"dBClusterIdentifier\":\"test-cloudtrail-event-instance-31611-cluster\",\"dBClusterMembers\":[],\"dBClusterParameterGroup\":\"default.aurora-mysql8.0\",\"dBSubnetGroup\":\"default\",\"dbClusterResourceId\":\"cluster-HRC5HWCJA77W3Z6TLQ7JG3ZJT4\",\"deletionProtection\":false,\"domainMemberships\":[],\"earliestRestorableTime\":\"Oct 10, 2024 3:19:46 PM\",\"endpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"engine\":\"aurora-mysql\",\"engineMode\":\"provisioned\",\"engineVersion\":\"8.0.mysql_aurora.3.07.1\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"latestRestorableTime\":\"Oct 10, 2024 3:19:46 
PM\",\"localWriteForwardingStatus\":\"disabled\",\"masterUsername\":\"master\",\"multiAZ\":false,\"networkType\":\"IPV4\",\"port\":3306,\"preferredBackupWindow\":\"03:14-03:44\",\"preferredMaintenanceWindow\":\"wed:04:17-wed:04:47\",\"readReplicaIdentifiers\":[],\"readerEndpoint\":\"test-cloudtrail-event-instance-31611-cluster.cluster-ro-cputujbhmdty.us-east-1.rds.amazonaws.com\",\"status\":\"available\",\"storageEncrypted\":false,\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-cluster\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + 
"actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds:us-east-1:000000000:cluster:test-cloudtrail-event-instance-31611-cluster" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-cluster", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log new file mode 100644 index 0000000000..56dcba1d6a --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log 
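Review bot: This expected output pins `event.type: ["info"]` and no `event.category` for StopDBCluster even though the event is `readOnly: false` and takes a database cluster offline; test-stop-db-instance-json.log-expected.json pins the same for StopDBInstance, while the Subscribe fixture below gets `event.category: ["configuration"]` and `event.type: ["change"]`. Detection content keyed on ECS categorization (e.g. `event.category: database` with `event.type: change`) will therefore never see these RDS stop calls. If categorization is driven by an allow-list of event names elsewhere in the pipeline, adding the RDS Stop* calls there before regenerating these fixtures would avoid locking in the `info` classification.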
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"d55a25ae-f9f3-40ad-8ee0-684e9ec1d3c4","eventName":"StopDBInstance","eventSource":"rds.amazonaws.com","eventTime":"2024-10-10T15:57:46Z","eventType":"AwsApiCall","eventVersion":"1.08","readOnly":false,"recipientAccountId":"000000000","requestID":"9fa32ae6-ef0f-4bbe-8e96-f27680855187","requestParameters":{"dBInstanceIdentifier":"test-cloudtrail-event-instance-31611"},"responseElements":{"allocatedStorage":20,"associatedRoles":[],"autoMinorVersionUpgrade":true,"availabilityZone":"us-east-1c","backupRetentionPeriod":1,"backupTarget":"region","cACertificateIdentifier":"rds-ca-rsa2048-g1","certificateDetails":{"cAIdentifier":"rds-ca-rsa2048-g1","validTill":"Oct 10, 2025 3:16:47 PM"},"copyTagsToSnapshot":false,"customerOwnedIpEnabled":false,"dBInstanceArn":"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611","dBInstanceClass":"db.t3.micro","dBInstanceIdentifier":"test-cloudtrail-event-instance-31611","dBInstanceStatus":"stopping","dBParameterGroups":[{"dBParameterGroupName":"default.mysql8.0","parameterApplyStatus":"in-sync"}],"dBSecurityGroups":[],"dBSubnetGroup":{"dBSubnetGroupDescription":"default","dBSubnetGroupName":"default","subnetGroupStatus":"Complete","subnets":[{"subnetAvailabilityZone":{"name":"us-east-1d"},"subnetIdentifier":"subnet-c4bf5e9b","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1a"},"subnetIdentifier":"subnet-0a0bee6c","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1e"},"subnetIdentifier":"subnet-37391109","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1b"},"subnetIdentifier":"subnet-fee506df","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1f"},"subnetIdentifier":"subnet-bf6ab5b1","subnetOutpost":{},"subnetStatus":"Active"},{"subnetAvailabilityZone":{"name":"us-east-1c"},"subnetIdentifier":"
subnet-8bdf6bc6","subnetOutpost":{},"subnetStatus":"Active"}],"vpcId":"vpc-73d2e309"},"dbInstancePort":0,"dbiResourceId":"db-2IQHUP3Y6264WPLOECCLFOMN6Y","dedicatedLogVolume":false,"deletionProtection":false,"domainMemberships":[],"endpoint":{"address":"test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com","hostedZoneId":"Z2R2ITUGPM61AM","port":3306},"engine":"mysql","engineLifecycleSupport":"open-source-rds-extended-support","engineVersion":"8.0.32","httpEndpointEnabled":false,"iAMDatabaseAuthenticationEnabled":false,"instanceCreateTime":"Oct 10, 2024 3:17:35 PM","latestRestorableTime":"Oct 10, 2024 3:55:00 PM","licenseModel":"general-public-license","masterUsername":"admin","monitoringInterval":0,"multiAZ":false,"networkType":"IPV4","optionGroupMemberships":[{"optionGroupName":"default:mysql-8-0","status":"in-sync"}],"pendingModifiedValues":{},"performanceInsightsEnabled":false,"preferredBackupWindow":"09:50-10:20","preferredMaintenanceWindow":"mon:05:28-mon:05:58","publiclyAccessible":true,"readReplicaDBInstanceIdentifiers":[],"storageEncrypted":false,"storageThroughput":0,"storageType":"gp2","tagList":[],"vpcSecurityGroups":[{"status":"active","vpcSecurityGroupId":"sg-4e483165"}]},"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"rds.us-east-1.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-instance","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json
new file mode 100644
index 0000000000..4b6784be80
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json
@@ -0,0 +1,259 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T15:57:46.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.08", + "flattened": { + "request_parameters": { + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611" + }, + "response_elements": { + "allocatedStorage": 20, + "autoMinorVersionUpgrade": true, + "availabilityZone": "us-east-1c", + "backupRetentionPeriod": 1, + "backupTarget": "region", + "cACertificateIdentifier": "rds-ca-rsa2048-g1", + "certificateDetails": { + "cAIdentifier": "rds-ca-rsa2048-g1", + "validTill": "Oct 10, 2025 3:16:47 PM" + }, + "copyTagsToSnapshot": false, + "customerOwnedIpEnabled": false, + "dBInstanceArn": "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611", + "dBInstanceClass": "db.t3.micro", + "dBInstanceIdentifier": "test-cloudtrail-event-instance-31611", + "dBInstanceStatus": "stopping", + "dBParameterGroups": [ + { + "dBParameterGroupName": "default.mysql8.0", + "parameterApplyStatus": "in-sync" + } + ], + "dBSubnetGroup": { + "dBSubnetGroupDescription": "default", + "dBSubnetGroupName": "default", + "subnetGroupStatus": "Complete", + "subnets": [ + { + "subnetAvailabilityZone": { + "name": "us-east-1d" + }, + "subnetIdentifier": "subnet-c4bf5e9b", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1a" + }, + "subnetIdentifier": "subnet-0a0bee6c", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1e" + }, + "subnetIdentifier": "subnet-37391109", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1b" + }, + "subnetIdentifier": "subnet-fee506df", + "subnetStatus": "Active" + }, + { + "subnetAvailabilityZone": { + "name": "us-east-1f" + }, + "subnetIdentifier": "subnet-bf6ab5b1", + "subnetStatus": "Active" + }, + { + 
"subnetAvailabilityZone": { + "name": "us-east-1c" + }, + "subnetIdentifier": "subnet-8bdf6bc6", + "subnetStatus": "Active" + } + ], + "vpcId": "vpc-73d2e309" + }, + "dbInstancePort": 0, + "dbiResourceId": "db-2IQHUP3Y6264WPLOECCLFOMN6Y", + "dedicatedLogVolume": false, + "deletionProtection": false, + "endpoint": { + "address": "test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com", + "hostedZoneId": "Z2R2ITUGPM61AM", + "port": 3306 + }, + "engine": "mysql", + "engineLifecycleSupport": "open-source-rds-extended-support", + "engineVersion": "8.0.32", + "httpEndpointEnabled": false, + "iAMDatabaseAuthenticationEnabled": false, + "instanceCreateTime": "Oct 10, 2024 3:17:35 PM", + "latestRestorableTime": "Oct 10, 2024 3:55:00 PM", + "licenseModel": "general-public-license", + "masterUsername": "admin", + "monitoringInterval": 0, + "multiAZ": false, + "networkType": "IPV4", + "optionGroupMemberships": [ + { + "optionGroupName": "default:mysql-8-0", + "status": "in-sync" + } + ], + "performanceInsightsEnabled": false, + "preferredBackupWindow": "09:50-10:20", + "preferredMaintenanceWindow": "mon:05:28-mon:05:58", + "publiclyAccessible": true, + "storageEncrypted": false, + "storageThroughput": 0, + "storageType": "gp2", + "vpcSecurityGroups": [ + { + "status": "active", + "vpcSecurityGroupId": "sg-4e483165" + } + ] + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "9fa32ae6-ef0f-4bbe-8e96-f27680855187", + "request_parameters": "{dBInstanceIdentifier=test-cloudtrail-event-instance-31611}", + "response_elements": "{allocatedStorage=20, backupTarget=region, cACertificateIdentifier=rds-ca-rsa2048-g1, dbInstancePort=0, dBParameterGroups=[{dBParameterGroupName=default.mysql8.0, parameterApplyStatus=in-sync}], availabilityZone=us-east-1c, dbiResourceId=db-2IQHUP3Y6264WPLOECCLFOMN6Y, preferredBackupWindow=09:50-10:20, deletionProtection=false, 
dBInstanceArn=arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611, dBInstanceIdentifier=test-cloudtrail-event-instance-31611, endpoint={hostedZoneId=Z2R2ITUGPM61AM, address=test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com, port=3306}, engine=mysql, publiclyAccessible=true, iAMDatabaseAuthenticationEnabled=false, networkType=IPV4, engineVersion=8.0.32, performanceInsightsEnabled=false, masterUsername=admin, certificateDetails={validTill=Oct 10, 2025 3:16:47 PM, cAIdentifier=rds-ca-rsa2048-g1}, multiAZ=false, instanceCreateTime=Oct 10, 2024 3:17:35 PM, dBInstanceClass=db.t3.micro, storageEncrypted=false, dBSubnetGroup={vpcId=vpc-73d2e309, subnets=[{subnetIdentifier=subnet-c4bf5e9b, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1d}}, {subnetIdentifier=subnet-0a0bee6c, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1a}}, {subnetIdentifier=subnet-37391109, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1e}}, {subnetIdentifier=subnet-fee506df, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1b}}, {subnetIdentifier=subnet-bf6ab5b1, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1f}}, {subnetIdentifier=subnet-8bdf6bc6, subnetStatus=Active, subnetAvailabilityZone={name=us-east-1c}}], subnetGroupStatus=Complete, dBSubnetGroupDescription=default, dBSubnetGroupName=default}, storageThroughput=0, httpEndpointEnabled=false, vpcSecurityGroups=[{vpcSecurityGroupId=sg-4e483165, status=active}], customerOwnedIpEnabled=false, licenseModel=general-public-license, monitoringInterval=0, preferredMaintenanceWindow=mon:05:28-mon:05:58, dBInstanceStatus=stopping, backupRetentionPeriod=1, engineLifecycleSupport=open-source-rds-extended-support, storageType=gp2, optionGroupMemberships=[{optionGroupName=default:mysql-8-0, status=in-sync}], dedicatedLogVolume=false, autoMinorVersionUpgrade=true, copyTagsToSnapshot=false, latestRestorableTime=Oct 10, 2024 3:55:00 PM}", + "user_identity": { + 
"access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "StopDBInstance", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "d55a25ae-f9f3-40ad-8ee0-684e9ec1d3c4", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"d55a25ae-f9f3-40ad-8ee0-684e9ec1d3c4\",\"eventName\":\"StopDBInstance\",\"eventSource\":\"rds.amazonaws.com\",\"eventTime\":\"2024-10-10T15:57:46Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.08\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"9fa32ae6-ef0f-4bbe-8e96-f27680855187\",\"requestParameters\":{\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611\"},\"responseElements\":{\"allocatedStorage\":20,\"associatedRoles\":[],\"autoMinorVersionUpgrade\":true,\"availabilityZone\":\"us-east-1c\",\"backupRetentionPeriod\":1,\"backupTarget\":\"region\",\"cACertificateIdentifier\":\"rds-ca-rsa2048-g1\",\"certificateDetails\":{\"cAIdentifier\":\"rds-ca-rsa2048-g1\",\"validTill\":\"Oct 10, 2025 3:16:47 
PM\"},\"copyTagsToSnapshot\":false,\"customerOwnedIpEnabled\":false,\"dBInstanceArn\":\"arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611\",\"dBInstanceClass\":\"db.t3.micro\",\"dBInstanceIdentifier\":\"test-cloudtrail-event-instance-31611\",\"dBInstanceStatus\":\"stopping\",\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.mysql8.0\",\"parameterApplyStatus\":\"in-sync\"}],\"dBSecurityGroups\":[],\"dBSubnetGroup\":{\"dBSubnetGroupDescription\":\"default\",\"dBSubnetGroupName\":\"default\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetAvailabilityZone\":{\"name\":\"us-east-1d\"},\"subnetIdentifier\":\"subnet-c4bf5e9b\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1a\"},\"subnetIdentifier\":\"subnet-0a0bee6c\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1e\"},\"subnetIdentifier\":\"subnet-37391109\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1b\"},\"subnetIdentifier\":\"subnet-fee506df\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1f\"},\"subnetIdentifier\":\"subnet-bf6ab5b1\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"},{\"subnetAvailabilityZone\":{\"name\":\"us-east-1c\"},\"subnetIdentifier\":\"subnet-8bdf6bc6\",\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}],\"vpcId\":\"vpc-73d2e309\"},\"dbInstancePort\":0,\"dbiResourceId\":\"db-2IQHUP3Y6264WPLOECCLFOMN6Y\",\"dedicatedLogVolume\":false,\"deletionProtection\":false,\"domainMemberships\":[],\"endpoint\":{\"address\":\"test-cloudtrail-event-instance-31611.cputujbhmdty.us-east-1.rds.amazonaws.com\",\"hostedZoneId\":\"Z2R2ITUGPM61AM\",\"port\":3306},\"engine\":\"mysql\",\"engineLifecycleSupport\":\"open-source-rds-extended-support\",\"engineVersion\":\"8.0.32\",\"httpEndpointEnabled\":false,\"iAMDatabaseAuthenticationEnabled\":false,\"instanceCreateTime\":\"O
ct 10, 2024 3:17:35 PM\",\"latestRestorableTime\":\"Oct 10, 2024 3:55:00 PM\",\"licenseModel\":\"general-public-license\",\"masterUsername\":\"admin\",\"monitoringInterval\":0,\"multiAZ\":false,\"networkType\":\"IPV4\",\"optionGroupMemberships\":[{\"optionGroupName\":\"default:mysql-8-0\",\"status\":\"in-sync\"}],\"pendingModifiedValues\":{},\"performanceInsightsEnabled\":false,\"preferredBackupWindow\":\"09:50-10:20\",\"preferredMaintenanceWindow\":\"mon:05:28-mon:05:58\",\"publiclyAccessible\":true,\"readReplicaDBInstanceIdentifiers\":[],\"storageEncrypted\":false,\"storageThroughput\":0,\"storageType\":\"gp2\",\"tagList\":[],\"vpcSecurityGroups\":[{\"status\":\"active\",\"vpcSecurityGroupId\":\"sg-4e483165\"}]},\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-instance\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "rds.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "test@elastic.co", + "subnet-0a0bee6c", + "subnet-37391109", + "arn:aws:iam::000000000:user/test@elastic.co", + "subnet-bf6ab5b1", + "test-cloudtrail-event-instance-31611", + "subnet-8bdf6bc6", + "vpc-73d2e309", + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611", + "ACCESSKEYID", + "subnet-fee506df" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 
209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:rds:us-east-1:000000000:db:test-cloudtrail-event-instance-31611" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "rds.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_a8d22859-b414-4964-b4ca-4cd40b399170 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.stop-db-instance", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json index 3e0503a0e1..9c4f8fe7d4 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json 
@@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-09T16:46:16.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -50,7 +57,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Alice", "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", @@ -65,8 +71,16 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], + "target": { + "entity": { + "id": [ + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail" + ] + } + }, "user": { "id": "EXAMPLE_ID", "name": "Alice" @@ -80,4 +94,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log new file mode 100644 index 0000000000..a4c415ed41 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log 
@@ -0,0 +1,2 @@ +{"eventVersion":"1.10","userIdentity":{"type":"IAMUser","principalId":"PRINCIPALID","arn":"arn:aws:iam::00000000000:user/pwncloud-backdoor-user","accountId":"00000000000","accessKeyId":"ACCESSKEYID","userName":"pwncloud-backdoor-user"},"eventTime":"2024-10-30T20:02:26Z","eventSource":"sns.amazonaws.com","eventName":"Subscribe","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.subscribe","requestParameters":{"topicArn":"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration","protocol":"email","endpoint":"REDACTED","returnSubscriptionArn":false},"responseElements":{"subscriptionArn":"pending confirmation"},"requestID":"4da33b73-c474-525c-9068-64ef57666036","eventID":"8c5abfc5-26d3-4ac1-beae-d2462f9d8d37","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"sns.us-east-1.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log-expected.json new file mode 100644 index 0000000000..923f03be07 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log-expected.json 
@@ -0,0 +1,148 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-30T20:02:26.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "endpoint": "REDACTED", + "protocol": "email", + "returnSubscriptionArn": false, + "topicArn": "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + }, + "response_elements": { + "subscriptionArn": "pending confirmation" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "4da33b73-c474-525c-9068-64ef57666036", + "request_parameters": "{protocol=email, endpoint=REDACTED, returnSubscriptionArn=false, topicArn=arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration}", + "response_elements": "{subscriptionArn=pending confirmation}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Subscribe", + "category": [ + "configuration" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "8c5abfc5-26d3-4ac1-beae-d2462f9d8d37", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::00000000000:user/pwncloud-backdoor-user\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEYID\",\"userName\":\"pwncloud-backdoor-user\"},\"eventTime\":\"2024-10-30T20:02:26Z\",\"eventSource\":\"sns.amazonaws.com\",\"eventName\":\"Subscribe\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.subscribe\",\"requestParameters\":{\"topicArn\":\"arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration\",\"protocol\":\"email\",\"endpoint\":\"REDACTED\",\"returnSubscriptionArn\":false},\"responseElements\":{\"subscriptionArn\":\"pending confirmation\"},\"requestID\":\"4da33b73-c474-525c-9068-64ef57666036\",\"eventID\":\"8c5abfc5-26d3-4ac1-beae-d2462f9d8d37\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"sns.us-east-1.amazonaws.com\"}}", + "outcome": "success", + "provider": "sns.amazonaws.com", + "type": [ + "change" + ] + }, + "related": { + "entity": [ + "ACCESSKEYID", + "pwncloud-backdoor-user", + "arn:aws:iam::00000000000:user/pwncloud-backdoor-user", + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ], + "user": [ + "pwncloud-backdoor-user" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "arn:aws:sns:us-east-1:00000000000:pwncloud-data-exfiltration" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "sns.us-east-1.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "pwncloud-backdoor-user" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.18.17 md/awscrt#0.22.0 ua/2.0 
os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#sns.subscribe", + "os": { + "name": "Linux" + }, + "version": "2.18.17" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log new file mode 100644 index 0000000000..b4a5f97645 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log @@ -0,0 +1,2 @@ +{"eventVersion":"1.10","userIdentity":{"type":"Root","principalId":"00000000000","arn":"arn:aws:iam::00000000000:root","accountId":"00000000000","accessKeyId":"ACCESSKEY","sessionContext":{"attributes":{"creationDate":"2024-10-29T14:06:25Z","mfaAuthenticated":"true"}}},"eventTime":"2024-10-29T15:31:54Z","eventSource":"ssm.amazonaws.com","eventName":"TerminateSession","awsRegion":"us-east-1","sourceIPAddress":"216.160.83.56","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","requestParameters":{"sessionId":"root-5hvouhyykagjjk3f6glxk8o6bu"},"responseElements":{"sessionId":"root-5hvouhyykagjjk3f6glxk8o6bu"},"requestID":"695e60be-fe04-417d-9977-491ec28bbbb6","eventID":"722d2b25-6a0d-4b47-b567-219e8aa5476a","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"00000000000","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-east-1.amazonaws.com"},"sessionCredentialFromConsole":"true"} + 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json new file mode 100644 index 0000000000..55be17704b --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json 
@@ -0,0 +1,146 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-29T15:31:54.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::00000000000:root" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "sessionId": "root-5hvouhyykagjjk3f6glxk8o6bu" + }, + "response_elements": { + "sessionId": "root-5hvouhyykagjjk3f6glxk8o6bu" + } + }, + "read_only": false, + "recipient_account_id": "00000000000", + "request_id": "695e60be-fe04-417d-9977-491ec28bbbb6", + "request_parameters": "{sessionId=root-5hvouhyykagjjk3f6glxk8o6bu}", + "response_elements": "{sessionId=root-5hvouhyykagjjk3f6glxk8o6bu}", + "user_identity": { + "access_key_id": "ACCESSKEY", + "arn": "arn:aws:iam::00000000000:root", + "session_context": { + "creation_date": "2024-10-29T14:06:25.000Z", + "mfa_authenticated": "true" + }, + "type": "Root" + } + } + }, + "cloud": { + "account": { + "id": "00000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "TerminateSession", + "category": [ + "session" + ], + "created": "2021-11-11T01:02:03.123456789Z", + "id": "722d2b25-6a0d-4b47-b567-219e8aa5476a", + "kind": "event", + "original": "{\"eventVersion\":\"1.10\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"00000000000\",\"arn\":\"arn:aws:iam::00000000000:root\",\"accountId\":\"00000000000\",\"accessKeyId\":\"ACCESSKEY\",\"sessionContext\":{\"attributes\":{\"creationDate\":\"2024-10-29T14:06:25Z\",\"mfaAuthenticated\":\"true\"}}},\"eventTime\":\"2024-10-29T15:31:54Z\",\"eventSource\":\"ssm.amazonaws.com\",\"eventName\":\"TerminateSession\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 
Safari/537.36\",\"requestParameters\":{\"sessionId\":\"root-5hvouhyykagjjk3f6glxk8o6bu\"},\"responseElements\":{\"sessionId\":\"root-5hvouhyykagjjk3f6glxk8o6bu\"},\"requestID\":\"695e60be-fe04-417d-9977-491ec28bbbb6\",\"eventID\":\"722d2b25-6a0d-4b47-b567-219e8aa5476a\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"00000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-east-1.amazonaws.com\"},\"sessionCredentialFromConsole\":\"true\"}", + "outcome": "success", + "provider": "ssm.amazonaws.com", + "type": [ + "end" + ] + }, + "related": { + "entity": [ + "arn:aws:iam::00000000000:root", + "ACCESSKEY", + "root-5hvouhyykagjjk3f6glxk8o6bu" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "root-5hvouhyykagjjk3f6glxk8o6bu" + ] + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "client": { + "server_name": "ssm.us-east-1.amazonaws.com" + }, + "version": "1.2", + "version_protocol": "tls" + }, + "user": { + "id": "00000000000" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "130.0.0.0" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": 
"2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log index fd941b7254..306a88e8c6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log 
@@ -1 +1,2 @@ -{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:40Z","eventSource":"iam.amazonaws.com","eventName":"UploadSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain","userName":"Alice"},"responseElements":{"sSHPublicKey":{"fingerprint":"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de","status":"Active","uploadDate":"Jan 10, 2020 4:06:40 PM","userName":"Alice","sSHPublicKeyId":"EXAMPLE_KEY_ID","sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain"}},"requestID":"EXAMPLE-44b9-41cd-90f2-EXAMPLE","eventID":"EXAMPLE-9a9d-4da4-9998-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-west-2.amazonaws.com"}} \ No newline at end of file +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:40Z","eventSource":"iam.amazonaws.com","eventName":"UploadSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode 
Alice@localhost.domain","userName":"Alice"},"responseElements":{"sSHPublicKey":{"fingerprint":"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de","status":"Active","uploadDate":"Jan 10, 2020 4:06:40 PM","userName":"Alice","sSHPublicKeyId":"EXAMPLE_KEY_ID","sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain"}},"requestID":"EXAMPLE-44b9-41cd-90f2-EXAMPLE","eventID":"EXAMPLE-9a9d-4da4-9998-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-west-2.amazonaws.com"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json index 4c327e9e65..3175a55e48 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-10T16:06:40.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -61,7 +68,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -75,7 +81,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "tls": { "cipher": "ECDHE-RSA-AES128-GCM-SHA256", 
@@ -99,6 +106,24 @@
"name": "Other",
"original": "signin.amazonaws.com"
}
+ },
+ {
+ "@timestamp": "2021-11-11T01:02:03.123456789Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "actor_target_mapping"
+ ]
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
index 6a24cee4af..6a039246c6 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
@@ -2,6 +2,13 @@
"expected": [
{
"@timestamp": "2020-01-10T15:01:23.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
"aws": {
"cloudtrail": {
"event_type": "AwsApiCall",
@@ -55,7 +62,6 @@
},
"related": {
"entity": [
- "EXAMPLE_ID",
"Bob",
"EXAMPLE_KEY_ID",
"Alice",
@@ -71,7 +77,8 @@
"ip": "127.0.0.1"
},
"tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
],
"user": {
"id": "EXAMPLE_ID",
@@ -89,4 +96,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
index a479148991..f60f3a953f 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
@@ -2,6 +2,13 @@
"expected": [
{
"@timestamp": "2020-01-10T18:05:33.000Z",
+ "actor": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::0123456789012:user/Alice"
+ ]
+ }
+ },
"aws": {
"cloudtrail": {
"event_type": "AwsApiCall",
@@ -58,7 +65,6 @@
},
"related": {
"entity": [
- "EXAMPLE_ID",
"EXAMPLE_KEY",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
@@ -72,7 +78,8 @@
"ip": "127.0.0.1"
},
"tags": [
- "preserve_original_event"
+ "preserve_original_event",
+ "actor_target_mapping"
],
"user": {
"id": "EXAMPLE_ID",
@@ -87,4 +94,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log
new file mode 100644
index 0000000000..71caca3667
--- /dev/null
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log
@@ -0,0 +1,2 @@ +{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"200661bf-fe5a-46c4-b098-d57a761c741b","eventName":"UpdateAssumeRolePolicy","eventSource":"iam.amazonaws.com","eventTime":"2024-10-15T08:29:21Z","eventType":"AwsApiCall","eventVersion":"1.10","readOnly":false,"recipientAccountId":"000000000","requestID":"eb25ac6f-e7f7-46aa-ad00-52c5e2511cc1","requestParameters":{"policyDocument":"{\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"Statement2\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"000000000\"},\"Action\": \"sts:AssumeRole\"}]}","roleName":"cloudtrail-role"},"responseElements":null,"sourceIPAddress":"216.160.83.56","tlsDetails":{"cipherSuite":"TLS_AES_128_GCM_SHA256","clientProvidedHostHeader":"iam.amazonaws.com","tlsVersion":"TLSv1.3"},"userAgent":"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.update-assume-role-policy","userIdentity":{"accessKeyId":"ACCESSKEYID","accountId":"000000000","arn":"arn:aws:iam::000000000:user/test@elastic.co","principalId":"PRINCIPALID","type":"IAMUser","userName":"test@elastic.co"}} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log-expected.json new file mode 100644 index 0000000000..370fa6c530 --- /dev/null +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log-expected.json 
@@ -0,0 +1,136 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-15T08:29:21.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::000000000:user/test@elastic.co" + ] + } + }, + "aws": { + "cloudtrail": { + "event_category": "Management", + "event_type": "AwsApiCall", + "event_version": "1.10", + "flattened": { + "request_parameters": { + "policyDocument": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"Statement2\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"000000000\"},\"Action\": \"sts:AssumeRole\"}]}", + "roleName": "cloudtrail-role" + } + }, + "read_only": false, + "recipient_account_id": "000000000", + "request_id": "eb25ac6f-e7f7-46aa-ad00-52c5e2511cc1", + "request_parameters": "{policyDocument={\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"Statement2\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"000000000\"},\"Action\": \"sts:AssumeRole\"}]}, roleName=cloudtrail-role}", + "user_identity": { + "access_key_id": "ACCESSKEYID", + "arn": "arn:aws:iam::000000000:user/test@elastic.co", + "type": "IAMUser" + } + } + }, + "cloud": { + "account": { + "id": "000000000" + }, + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "UpdateAssumeRolePolicy", + "created": "2021-11-11T01:02:03.123456789Z", + "id": "200661bf-fe5a-46c4-b098-d57a761c741b", + "kind": "event", + "original": "{\"awsRegion\":\"us-east-1\",\"eventCategory\":\"Management\",\"eventID\":\"200661bf-fe5a-46c4-b098-d57a761c741b\",\"eventName\":\"UpdateAssumeRolePolicy\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2024-10-15T08:29:21Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.10\",\"readOnly\":false,\"recipientAccountId\":\"000000000\",\"requestID\":\"eb25ac6f-e7f7-46aa-ad00-52c5e2511cc1\",\"requestParameters\":{\"policyDocument\":\"{\\\"Version\\\": \\\"2012-10-17\\\",\\\"Statement\\\": [{\\\"Sid\\\": \\\"Statement2\\\",\\\"Effect\\\": \\\"Allow\\\",\\\"Principal\\\": {\\\"AWS\\\": 
\\\"000000000\\\"},\\\"Action\\\": \\\"sts:AssumeRole\\\"}]}\",\"roleName\":\"cloudtrail-role\"},\"responseElements\":null,\"sourceIPAddress\":\"216.160.83.56\",\"tlsDetails\":{\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"iam.amazonaws.com\",\"tlsVersion\":\"TLSv1.3\"},\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.update-assume-role-policy\",\"userIdentity\":{\"accessKeyId\":\"ACCESSKEYID\",\"accountId\":\"000000000\",\"arn\":\"arn:aws:iam::000000000:user/test@elastic.co\",\"principalId\":\"PRINCIPALID\",\"type\":\"IAMUser\",\"userName\":\"test@elastic.co\"}}", + "outcome": "success", + "provider": "iam.amazonaws.com", + "type": [ + "info" + ] + }, + "related": { + "entity": [ + "test@elastic.co", + "ACCESSKEYID", + "arn:aws:iam::000000000:user/test@elastic.co", + "cloudtrail-role" + ], + "user": [ + "test@elastic.co" + ] + }, + "source": { + "address": "216.160.83.56", + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ], + "target": { + "entity": { + "id": [ + "cloudtrail-role" + ] + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "server_name": "iam.amazonaws.com" + }, + "version": "1.3", + "version_protocol": "tls" + }, + "user": { + "id": "PRINCIPALID", + "name": "test@elastic.co" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-cli", + "original": "aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 
md/pyimpl#CPython exec-env/grimoire_52af3621-8820-4e8a-8f18-7683368a7dc2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#iam.update-assume-role-policy", + "version": "2.17.60" + } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] + } + ] +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json index a94adebc57..c11dd5bc29 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-09T02:23:11.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -52,7 +59,6 @@ }, "related": { "entity": [ - "0123456789012", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -66,7 +72,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "0123456789012", @@ -83,6 +90,13 @@ }, { "@timestamp": "2020-01-09T02:24:35.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "EntityAlreadyExistsException", @@ -135,7 +149,6 @@ }, "related": { "entity": [ - "0123456789012", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" 
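Review bot: The expected document for `UpdateAssumeRolePolicy` carries `event.type: ["info"]` and no `event.category` at all, whereas the `Subscribe` fixture added in the same change gets `configuration` / `change`; a rewrite of a role's trust policy is a state-changing IAM call (`readOnly: false` in the original) and is exactly what detection content keys on through `event.category: ["iam", "configuration"]` and `event.type: ["change"]`. The ECS mapping that decides this lives in the ingest pipeline outside this diff, so the gap may be pre-existing rather than introduced here, but this new fixture is where it becomes visible and the expected file would need regenerating once the mapping is fixed. Relatedly, `target.entity.id` here is the bare `cloudtrail-role` name while `actor.entity.id` is a full ARN; presumably the pipeline could build `arn:aws:iam::<recipientAccountId>:role/<roleName>` from fields already in the event so that actor and target identifiers correlate on the same key space — worth confirming with the pipeline authors.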
@@ -149,7 +162,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "0123456789012", @@ -166,6 +180,13 @@ }, { "@timestamp": "2020-01-09T02:23:11.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -225,7 +246,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user_agent": { "device": { @@ -238,6 +260,13 @@ }, { "@timestamp": "2020-01-09T02:24:35.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "EntityAlreadyExistsException", @@ -299,7 +328,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user_agent": { "device": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json index f6ff1b580d..6b24a267fe 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-10T18:25:42.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -53,7 +60,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Bob", "Alice", @@ -69,7 +75,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -87,4 +94,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json index 77be87c2b9..d98230732e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-10T16:06:54.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -55,7 +62,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "Bob", "EXAMPLE_KEY_ID", "Alice", @@ -71,7 +77,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -90,6 +97,13 @@ }, { "@timestamp": "2020-01-10T16:06:54.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -143,7 +157,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "Bob", "EXAMPLE_KEY_ID", "Alice", @@ -159,7 +172,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -177,4 +191,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json index b4788b9e35..f4fe5c52de 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json 
@@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2016-07-14T19:15:45.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "error_code": "TrailNotFoundException", @@ -46,7 +53,6 @@ }, "related": { "entity": [ - "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "EXAMPLE_KEY_ID", "myTrail2", @@ -79,7 +85,8 @@ "ip": "89.160.20.156" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EX_PRINCIPAL_ID", @@ -99,6 +106,13 @@ }, { "@timestamp": "2020-01-08T20:58:45.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -160,7 +174,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "TEST-trail", "EXAMPLE_KEY", "Alice", @@ -177,7 +190,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", @@ -192,4 +206,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log index f4ec7b890a..62721399a4 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log 
@@ -1 +1,2 @@ -{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-08T20:53:12Z","eventSource":"iam.amazonaws.com","eventName":"UpdateUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"userName":"Bob","newUserName":"Robert"},"responseElements":null,"requestID":"3a6b3260-739d-465e-9406-bcEXAMPLE","eventID":"9150d546-3564-4262-8e62-110EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} \ No newline at end of file +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-08T20:53:12Z","eventSource":"iam.amazonaws.com","eventName":"UpdateUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"userName":"Bob","newUserName":"Robert"},"responseElements":null,"requestID":"3a6b3260-739d-465e-9406-bcEXAMPLE","eventID":"9150d546-3564-4262-8e62-110EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} + diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json index 1bff9ffbaa..164676d2f8 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json 
@@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-08T20:53:12.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -49,7 +56,6 @@ }, "related": { "entity": [ - "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "Bob", "EXAMPLE_KEY_ID", @@ -66,7 +72,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "changes": { @@ -86,6 +93,24 @@ "original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", "version": "1.16.310" } + }, + { + "@timestamp": "2021-11-11T01:02:03.123456789Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2021-11-11T01:02:03.123456789Z", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "actor_target_mapping" + ] } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json index a2c0498cc1..4eee9187a8 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2020-01-10T16:06:40.000Z", + "actor": { + "entity": { + "id": [ + "arn:aws:iam::0123456789012:user/Alice" + ] + } + }, "aws": { "cloudtrail": { "event_type": "AwsApiCall", @@ -61,7 +68,6 @@ }, "related": { "entity": [ - "EXAMPLE_ID", "EXAMPLE_KEY", "Alice", "arn:aws:iam::0123456789012:user/Alice" @@ -75,7 +81,8 @@ "ip": "127.0.0.1" }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "actor_target_mapping" ], "user": { "id": "EXAMPLE_ID", 
@@ -93,4 +100,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/cloudtrail/_dev/test/system/test-default-config.yml index cb16d9ff9e..b04dcf4530 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/system/test-default-config.yml +++ b/packages/aws/data_stream/cloudtrail/_dev/test/system/test-default-config.yml @@ -8,6 +8,7 @@ data_stream: vars: queue_url: "{{TF_OUTPUT_queue_url}}" preserve_original_event: true + actor_target_mapping: true cloudtrail_digest_regex: '^(.+?)\.log' assert: hit_count: 1 diff --git a/packages/aws/data_stream/cloudtrail/agent/stream/aws-cloudwatch.yml.hbs b/packages/aws/data_stream/cloudtrail/agent/stream/aws-cloudwatch.yml.hbs index 0aeb2d31b3..f57a4e99bf 100644 --- a/packages/aws/data_stream/cloudtrail/agent/stream/aws-cloudwatch.yml.hbs +++ b/packages/aws/data_stream/cloudtrail/agent/stream/aws-cloudwatch.yml.hbs @@ -91,6 +91,9 @@ tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} +{{#if actor_target_mapping}} + - actor_target_mapping +{{/if}} {{#each tags as |tag i|}} - {{tag}} {{/each}} diff --git a/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs index f7108fc5f7..710a7c394b 100644 --- a/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs +++ b/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs @@ -83,6 +83,9 @@ tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} +{{#if actor_target_mapping}} + - actor_target_mapping +{{/if}} {{#each tags as |tag i|}} - {{tag}} {{/each}} diff --git a/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs index 2418c56141..7e6284073a 100644 --- a/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs 
+++ b/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs @@ -55,6 +55,9 @@ tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} +{{#if actor_target_mapping}} + - actor_target_mapping +{{/if}} {{#each tags as |tag i|}} - {{tag}} {{/each}} diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml index a469737ead..c142691c8d 100644 --- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml @@ -51,13 +51,14 @@ processors: - script: description: Appends any relevant entity to `related.entity` for all events lang: painless + if: "ctx?.json?.eventName != null && ctx?.tags != null && ctx.tags.contains('actor_target_mapping')" on_failure: - set: description: Add error reason field: error.message value: "{{{ _ingest.on_failure_message }}}" source: | - void addFields(Set entities, String[] fields) { + void addFields(Set entities, List fields) { for (String field : fields) { addField(entities, field); } @@ -67,7 +68,7 @@ processors: addValue(entities, field(fieldName).get(null)); } - boolean addValues(Set entities, String[] values) { + boolean addValues(Set entities, List values) { boolean addedAll = true; for (String value : values) { addedAll = addedAll && addValue(entities, value); 
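Review bot: The `if:` added to the script processor makes the whole script conditional on the `actor_target_mapping` tag, yet the processor's `description` still says it appends entities "for all events"; with the option disabled, or when `json.eventName` is absent, `related.entity` is no longer produced at all, which is a silent change for existing consumers of that field. Either keep the `related.entity` population unconditional and gate only the actor/target output, or update the text to `description: Populates related.entity, actor.entity.id and target.entity.id when the actor_target_mapping tag is set`. The three stream templates only emit the tag when the option is truthy, so this condition is the sole switch for the field.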
@@ -81,57 +82,75 @@ processors: return false; } - return entities.add(value); + return entities.add(value); } - // Using tree set to ensure a sorting is kept (testing purposes) - TreeSet entities = new TreeSet(); + void enrichCloudformation(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "cloudformation.amazonaws.com") { + return; + } - addFields(entities, new String[]{ - "json.userIdentity.accessKeyId", - "json.userIdentity.arn", - "json.userIdentity.sessionContext.sessionIssuer.arn", - "json.userIdentity.identityProvider", - "json.userIdentity.principalId", - "json.userIdentity.sessionContext.sessionIssuer.userName", - "json.userIdentity.sessionContext.webIdFederationData.federatedProvider", - "json.userIdentity.userName" - }); - - field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(entities, f.ARN)); + if (eventName == "CreateStackSet") { + addField(enrichCtx.target, "json.responseElements.stackSetId"); + } else if (eventName == "CreateStack") { + addField(enrichCtx.target, "json.responseElements.stackId"); + } + } - String eventSource = field("json.eventSource").get(null); + void enrichCloudtrail(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "cloudtrail.amazonaws.com") { + return; + } - if (eventSource == "sts.amazonaws.com") { - addFields(entities, new String[]{ - "json.requestParameters.roleArn", - "json.sourceIdentity", - "json.additionalEventData.MFAIdentifier", - "json.responseElements.assumedRoleUser.arn", - "json.requestParameters.roleSessionName", - "json.responseElements.accessKeyId" - }); + addFields(enrichCtx.related, [ + "json.requestParameters.name", + "json.requestParameters.s3BucketName", + "json.responseElements.cloudWatchLogsLogGroupArn", + "json.responseElements.cloudWatchLogsRoleArn", + "json.responseElements.kmsKeyId", + "json.responseElements.snsTopicARN", + "json.responseElements.trailARN", + "json.responseElements.name" + ]); - } else if (eventSource == 
"iam.amazonaws.com") { - addFields(entities, new String[]{ - "json.requestParameters.userName", - "json.requestParameters.accessKeyId", - "json.requestParameters.policyArn", - "json.requestParameters.roleName", - "json.requestParameters.policyName", - "json.requestParameters.serialNumber", - "json.responseElements.accessKey.userName", - "json.responseElements.accessKey.accessKeyId", - "json.responseElements.user.arn", - "json.responseElements.user.userId", - "json.responseElements.user.userName", - "json.responseElements.userId", - "json.responseElements.role.arn", - "json.responseElements.serialNumber" - }); + if (eventName == "DeleteTrail" + || eventName == "StopLogging") { + addField(enrichCtx.target, "json.requestParameters.name"); + } else if (eventName == "DescribeTrails") { + addField(enrichCtx.target, "json.recipientAccountId"); + } + } + + void enrichEc2InstanceConnect(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "ec2-instance-connect.amazonaws.com") { + return; + } + + if (eventName == "SendSSHPublicKey" + || eventName == "SendSerialConsoleSSHPublicKey") { + addField(enrichCtx.target, "json.requestParameters.instanceId"); + } + } + + void enrichConfig(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "config.amazonaws.com") { + return; + } + + addField(enrichCtx.related, "json.requestParameters.configurationRecorderName"); + + if (eventName == "StopConfigurationRecorder" + || eventName == "StartConfigurationRecorder") { + addField(enrichCtx.target, "json.requestParameters.configurationRecorderName"); + } + } + + void enrichEc2(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "ec2.amazonaws.com") { + return; + } - } else if (eventSource == "ec2.amazonaws.com") { - addFields(entities, new String[]{ + addFields(enrichCtx.related, [ "json.requestParameters.groupId", "json.requestParameters.groupName", "json.requestParameters.roleName", 
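Review bot: The new `enrich*` helpers all receive an `enrichCtx` map whose shape (`related` and `target` sets plus `actor`) is only visible where it is built at the very end of the script, so a short contract comment above `enrichCloudformation` would help the next reader: `// enrichCtx: related = TreeSet of every entity id seen, target = TreeSet of ids the API call acts on, actor = id of the calling identity (defaults to userIdentity.arn)`. Each helper also repeats the `if (eventSource != "...") { return; }` guard and every helper is invoked for every event; a map from eventSource to handler would run only the matching one, but the guard pattern is at least applied consistently. `enrichEc2` starts in this hunk and continues past its end.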
@@ -146,113 +165,591 @@ processors: "json.responseElements.vpc.dhcpOptionsId", "json.responseElements.snapshotId", "json.responseElements.volumeId" - }); + ]); field("json.responseElements.securityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> { - addValues(entities, new String[]{ + addValues(enrichCtx.related, [ i.groupId, i.referencedGroupInfo?.groupId, i.securityGroupRuleId - }); + ]); }); field("json.responseElements.groupSet.items").get(new ArrayList()).stream().forEach(i -> { - addValue(entities, i.groupId); + addValue(enrichCtx.related, i.groupId); }); field("json.requestParameters.groupSet.items").get(new ArrayList()).stream().forEach(i -> { - addValue(entities, i.groupId); + addValue(enrichCtx.related, i.groupId); }); field("json.requestParameters.instancesSet.items").get(new ArrayList()).stream().forEach(i -> { - addValue(entities, i.instanceId); + addValue(enrichCtx.related, i.instanceId); }); field("json.responseElements.instancesSet.items").get(new ArrayList()).stream().forEach(instances -> { - addValues(entities, new String[]{ + addValues(enrichCtx.related, [ instances.subnetId, instances.vpcId, instances.instanceId, instances.imageId, instances.iamInstanceProfile?.arn - }); + ]); instances.networkInterfaceSet?.items?.stream().forEach(networks -> { - addValues(entities, new String[]{ + addValues(enrichCtx.related, [ networks.networkInterfaceId, networks.vpcId, networks.subnetId - }); + ]); networks.groupSet?.items?.stream().forEach(group -> { - addValue(entities, group.groupId); + addValue(enrichCtx.related, group.groupId); }); }); }); field("json.requestParameters.revokedSecurityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> { - addValues(entities, new String[]{ + addValues(enrichCtx.related, [ i.securityGroupRuleId, i.groupId - }); + ]); }); - } else if (eventSource == "s3.amazonaws.com") { - addField(entities, "json.requestParameters.bucketName"); - - } else if (eventSource == "cloudtrail.amazonaws.com") { - 
addFields(entities, new String[]{ - "json.requestParameters.name", - "json.requestParameters.s3BucketName", - "json.responseElements.cloudWatchLogsLogGroupArn", - "json.responseElements.cloudWatchLogsRoleArn", - "json.responseElements.kmsKeyId", - "json.responseElements.snsTopicARN", - "json.responseElements.trailARN", - "json.responseElements.name" - }); - - } else if (eventSource == "kms.amazonaws.com") { - addFields(entities, new String[]{ + if (eventName == "AuthorizeSecurityGroupIngress" + || eventName == "AuthorizeSecurityGroupEgress") { + addField(enrichCtx.target, "json.requestParameters.groupId"); + field("json.responseElements.securityGroupRuleSet.items").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f.securityGroupRuleId)); + + } else if (eventName == "CreateTrafficMirrorFilter") { + addField(enrichCtx.target, "json.responseElements.CreateTrafficMirrorFilterResponse.trafficMirrorFilter.trafficMirrorFilterId"); + + } else if (eventName == "CreateTrafficMirrorFilterRule") { + addField(enrichCtx.target, "json.responseElements.CreateTrafficMirrorFilterRuleResponse.trafficMirrorFilterRule.trafficMirrorFilterRuleId"); + + } else if (eventName == "CreateTrafficMirrorSession") { + addField(enrichCtx.target, "json.responseElements.CreateTrafficMirrorSessionResponse.trafficMirrorSession.trafficMirrorSessionId"); + + } else if (eventName == "CreateTrafficMirrorTarget") { + addField(enrichCtx.target, "json.responseElements.CreateTrafficMirrorTargetResponse.trafficMirrorTarget.trafficMirrorTargetId"); + + } else if (eventName == "DeleteFlowLogs") { + addField(enrichCtx.target, "json.requestParameters.DeleteFlowLogsRequest.FlowLogId.content"); + + } else if (eventName == "DeleteNetworkAcl") { + addField(enrichCtx.target, "json.requestParameters.networkAclId"); + + } else if (eventName == "DeleteNetworkAclEntry") { + addField(enrichCtx.target, "json.requestParameters.networkAclId"); + def ruleNumber = 
field("json.requestParameters.ruleNumber").get(null); + if (ruleNumber != null) { + addValue(enrichCtx.target, String.valueOf(ruleNumber)); + } + + } else if (eventName == "GetPasswordData") { + addField(enrichCtx.target, "json.requestParameters.instanceId"); + + } else if (eventName == "ModifyImageAttribute") { + addField(enrichCtx.target, "json.requestParameters.imageId"); + + } else if (eventName == "ModifySnapshotAttribute") { + addField(enrichCtx.target, "json.requestParameters.snapshotId"); + + } else if (eventName == "DescribeSecurityGroups" + || eventName == "DescribeNetworkInterfaces" + || eventName == "DescribeRegions" + || eventName == "DescribeVpcs" + || eventName == "DescribeNetworkAcls" + || eventName == "DescribeVolumes" + ) { + addField(enrichCtx.target, "json.recipientAccountId"); + } + } + + void enrichElasticFileSystem(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "elasticfilesystem.amazonaws.com") { + return; + } + + if (eventName == "DeleteFileSystem") { + addField(enrichCtx.target, "json.requestParameters.fileSystemId"); + } else if (eventName == "DeleteMountTarget") { + addField(enrichCtx.target, "json.requestParameters.mountTargetId"); + } + } + + void enrichEvents(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "events.amazonaws.com") { + return; + } + + if (eventName == "DeleteRule") { + addField(enrichCtx.target, "json.requestParameters.name"); + } + } + + void enrichGuardDuty(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "guardduty.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ + "json.requestParameters.detectorId", + "json.responseElements.detectorId" + ]); + + if (eventName == "CreateDetector") { + addField(enrichCtx.target, "json.responseElements.detectorId"); + } else if (eventName == "DeleteDetector") { + addField(enrichCtx.target, "json.requestParameters.detectorId"); + } + } + + void enrichIam(def enrichCtx, def eventSource, def eventName) { 
+ if (eventSource != "iam.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ + "json.requestParameters.userName", + "json.requestParameters.serialNumber", + "json.requestParameters.accessKeyId", + "json.requestParameters.policyArn", + "json.requestParameters.roleName", + "json.requestParameters.policyName", + "json.requestParameters.serialNumber", + "json.responseElements.accessKey.userName", + "json.responseElements.accessKey.accessKeyId", + "json.responseElements.user.arn", + "json.responseElements.user.userId", + "json.responseElements.user.userName", + "json.responseElements.userId", + "json.responseElements.role.arn", + "json.responseElements.serialNumber" + ]); + + if (eventName == "AttachGroupPolicy") { + addField(enrichCtx.target, "json.requestParameters.groupName"); + + } else if (eventName == "AttachRolePolicy" + || eventName == "ListAttachedRolePolicies" + || eventName == "UpdateAssumeRolePolicy") { + addField(enrichCtx.target, "json.requestParameters.roleName"); + + } else if (eventName == "AttachUserPolicy") { + addFields(enrichCtx.target, [ + "json.requestParameters.policyArn", + "json.requestParameters.userName" + ]); + + } else if (eventName == "CreateAccessKey") { + addFields(enrichCtx.target, [ + "json.responseElements.accessKey.accessKeyId", + "json.requestParameters.userName" + ]); + + } else if (eventName == "CreateUser" + || eventName == "DeactivateMFADevice") { + addField(enrichCtx.target, "json.requestParameters.userName"); + + } else if (eventName == "DeleteVirtualMFADevice") { + addField(enrichCtx.target, "json.requestParameters.serialNumber"); + + } else if (eventName == "GetPolicy") { + addField(enrichCtx.target, "json.requestParameters.policyArn"); + + } else if (eventName == "CreatePolicy") { + addField(enrichCtx.target, "json.responseElements.policy.arn"); + + } else if (eventName == "ListRoles" + || eventName == "ListUsers") { + addField(enrichCtx.target, "json.recipientAccountId"); + } + } + + void enrichKms(def 
enrichCtx, def eventSource, def eventName) { + if (eventSource != "kms.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ "json.requestParameters.keyId", "json.responseElements.keyId", "json.responseElements.keyMetadata.arn", "json.responseElements.keyMetadata.keyId" - }); - - } else if (eventSource == "config.amazonaws.com") { - addField(entities, "json.requestParameters.configurationRecorderName"); - - } else if (eventSource == "lambda.amazonaws.com") { - addFields(entities, new String[]{ + ]); + + if (eventName == "DisableKey" + || eventName == "ScheduleKeyDeletion") { + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f.ARN)); + } + } + + void enrichLambda(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "lambda.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ "json.requestParameters.functionName", "json.responseElements.functionArn", "json.responseElements.functionName", "json.responseElements.role", "json.responseElements.vpcConfig.securityGroupIds", "json.responseElements.vpcConfig.subnetIds" - }); + ]); + + if (eventName == null) { + return; + } + + if (eventName.contains("AddPermission")) { // needs to be contains because lambda event names are versioned on the name + addField(enrichCtx.target, "json.requestParameters.functionName"); - } else if (eventSource == "rds.amazonaws.com") { - addFields(entities, new String[]{ + } else if (eventName.contains("ListFunctions")) { + addField(enrichCtx.target, "json.recipientAccountId"); + + } + } + + void enrichLogs(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "logs.amazonaws.com") { + return; + } + + if (eventName == "DeleteLogGroup") { + addField(enrichCtx.target, "json.requestParameters.logGroupName"); + + } else if (eventName == "DeleteLogStream") { + addField(enrichCtx.target, "json.requestParameters.logStreamName"); + + } + } + + void enrichMonitoring(def enrichCtx, def eventSource, def 
eventName) { + if (eventSource != "monitoring.amazonaws.com") { + return; + } + + if (eventName == "DeleteAlarms") { + field("json.requestParameters.alarmNames").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f)); + + } + } + + void enrichRds(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "rds.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ "json.requestParameters.dBInstanceIdentifier", "json.requestParameters.dBInstanceArn", "json.responseElements.dBInstanceIdentifier", "json.responseElements.dbInstanceArn", "json.responseElements.dBSubnetGroup.vpcId", "json.responseElements.vpcSecurityGroups.vpcSecurityGroupId" - }); + ]); field("json.responseElements.dBSubnetGroup.subnets").get(new ArrayList()).stream().forEach(i -> { - addValue(entities, i.subnetIdentifier); + addValue(enrichCtx.related, i.subnetIdentifier); }); field("json.responseElements.vpcSecurityGroups").get(new ArrayList()).stream().forEach(i -> { - addValue(entities, i.vpcSecurityGroupId); + addValue(enrichCtx.related, i.vpcSecurityGroupId); }); + + if (eventName == "DeleteDBCluster" + || eventName == "ModifyDBCluster" + || eventName == "StopDBCluster") { + addField(enrichCtx.target, "json.responseElements.dBClusterArn"); + + } else if (eventName == "DeleteDBInstance" + || eventName == "ModifyDBInstance" + || eventName == "RestoreDBInstanceFromDBSnapshot" + || eventName == "RestoreDBInstanceFromS3" + || eventName == "StopDBInstance") { + addField(enrichCtx.target, "json.responseElements.dBInstanceArn"); + + } else if (eventName == "DeleteGlobalCluster") { + addField(enrichCtx.target, "json.responseElements.globalClusterArn"); + + } else if (eventName == "ModifyDBClusterSnapshotAttribute") { + addField(enrichCtx.target, "json.responseElements.dBClusterSnapshotIdentifier"); + + } else if (eventName == "ModifyDBSnapshotAttribute") { + addField(enrichCtx.target, "json.responseElements.dBSnapshotIdentifier"); + + } else if (eventName == 
"DescribeDBInstances") { + addField(enrichCtx.target, "json.recipientAccountId"); + + } + } + + void enrichRolesAnywhere(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "rolesanywhere.amazonaws.com") { + return; + } + + if (eventName == "CreateTrustAnchor") { + addField(enrichCtx.target, "json.responseElements.trustAnchor.trustAnchorArn"); + + } + } + + void enrichRoute53Resolver(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "route53resolver.amazonaws.com") { + return; + } + + if (eventName == "DeleteResolverQueryLogConfig") { + addField(enrichCtx.target, "json.responseElements.resolverQueryLogConfig.arn"); + } } + + void enrichS3(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "s3.amazonaws.com") { + return; + } + + addField(enrichCtx.related, "json.requestParameters.bucketName"); + + if (eventName == "CopyObject" + || eventName == "PutBucketLogging" + || eventName == "PutBucketVersioning" + || eventName == "PutObject" + || eventName == "GetBucketPolicy" + || eventName == "ListObjects" + || eventName == "HeadObject" + || eventName == "GetObject" + || eventName == "DeleteObject" + || eventName == "DeleteBucket") { + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f.ARN)); + + } else if (eventName == "PutBucketReplication") { + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f.ARN)); + addField(enrichCtx.target, "json.requestParameters.ReplicationConfiguration.Rule.Destination.Bucket"); + + } else if (eventName == "ListBuckets") { + addField(enrichCtx.target, "json.recipientAccountId"); + + } + } + + void enrichSecretsManager(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "secretsmanager.amazonaws.com") { + return; + } + + if (eventName == "BatchGetSecretValue") { + field("json.requestParameters.secretIdList").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f)); + 
+ } else if (eventName == "GetSecretValue") { + addField(enrichCtx.target, "json.requestParameters.secretId"); + + } + } + + void enrichSignin(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "signin.amazonaws.com") { + return; + } + + if (eventName == "ConsoleLogin") { + addField(enrichCtx.target, "json.recipientAccountId"); + } + } + + void enrichSsm(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "ssm.amazonaws.com") { + return; + } + + if (eventName == "GetParameter" + || eventName == "GetParameters" + || eventName == "CreateControlChannel" + || eventName == "OpenControlChannel") { + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.target, f.ARN)); + + } else if (eventName == "StartSession") { + addField(enrichCtx.target, "json.requestParameters.target"); + + } else if (eventName == "CreateDocument") { + addField(enrichCtx.target, "json.requestParameters.name"); + + } else if (eventName == "TerminateSession" + || eventName == "OpenDataChannel") { + addField(enrichCtx.target, "json.requestParameters.sessionId"); + + } else if (eventName == "SendCommand") { + List instanceIds = field("json.requestParameters.instanceIds").get(new ArrayList()); + + if (instanceIds.isEmpty()) { + instanceIds = field("json.requestParameters.targets").get(new ArrayList()).stream().flatMap(target -> target.values.stream()).collect(Collectors.toList()); + } + + if (instanceIds.size() == 1 && instanceIds.get(0) == "*") { + instanceIds = [ field("json.recipientAccountId").get(null) ]; // if all instances, point to full account + } + + addValues(enrichCtx.target, instanceIds); + + } else if (eventName == "ListInstanceAssociations") { + addField(enrichCtx.target, "json.recipientAccountId"); + } + } + + void enrichSts(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "sts.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ + "json.requestParameters.roleArn", + 
"json.sourceIdentity", + "json.additionalEventData.MFAIdentifier", + "json.responseElements.assumedRoleUser.arn", + "json.requestParameters.roleSessionName", + "json.responseElements.accessKeyId" + ]); + + if (eventName == "AssumeRole") { + def userType = field("json.userIdentity.type").get(null); + + if (userType == "AWSService") { + enrichCtx.actor = field("json.userIdentity.invokedBy").get(null); + } else if (userType == "AssumedRole") { + enrichCtx.actor = field("json.userIdentity.sessionContext.sessionIssuer.arn").get(null); + } else { + enrichCtx.actor = field("json.userIdentity.arn").get(null); + } + + addField(enrichCtx.target, "json.requestParameters.roleArn"); + + } else if (eventName == "GetCallerIdentity") { + addField(enrichCtx.target, "json.recipientAccountId"); + enrichCtx.actor = field("json.userIdentity.arn").get(null); + + } + } + + void enrichWafv2(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "wafv2.amazonaws.com") { + return; + } + + addFields(enrichCtx.related, [ + "json.requestParameters.id", + "json.responseElements.summary" + ]); + + if (eventName == "DeleteRuleGroup" + || eventName == "DeleteWebACL") { + addField(enrichCtx.target, "json.requestParameters.id"); + } + } + + void enrichSns(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "sns.amazonaws.com") { + return; + } + + if (eventName == "CreateTopic") { + addField(enrichCtx.target, "json.responseElements.topicArn"); + } else if (eventName == "Subscribe" + || eventName == "Publish") { + addField(enrichCtx.target, "json.requestParameters.topicArn"); + } + + } + + void enrichBedrock(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "bedrock.amazonaws.com") { + return; + } + + if (eventName == "Converse") { + addField(enrichCtx.target, "json.requestParameters.modelId"); + + } + } + + void enrichElasticLoadBalancing(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "elasticloadbalancing.amazonaws.com") { + 
return; + } + + if (eventName == "DescribeLoadBalancers") { + addField(enrichCtx.target, "json.recipientAccountId"); + + } + } + + void enrichDynamoDB(def enrichCtx, def eventSource, def eventName) { + if (eventSource != "dynamodb.amazonaws.com") { + return; + } + + if (eventName == "ListTables") { + addField(enrichCtx.target, "json.recipientAccountId"); + + } + } + + // Using tree set to ensure a sorting is kept (testing purposes) + Map enrichCtx = [:]; + enrichCtx.related = new TreeSet(); + enrichCtx.target = new TreeSet(); + enrichCtx.actor = field("json.userIdentity.arn").get(null); // default actor value + + addFields(enrichCtx.related, [ + "json.userIdentity.accessKeyId", + "json.userIdentity.arn", + "json.userIdentity.userName", + "json.userIdentity.sessionContext.sessionIssuer.arn", + "json.userIdentity.sessionContext.sessionIssuer.userName" + ]); + + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(enrichCtx.related, f.ARN)); + + String eventSource = field("json.eventSource").get(null); + String eventName = field("json.eventName").get(null); + + enrichCloudformation(enrichCtx, eventSource, eventName); + enrichCloudtrail(enrichCtx, eventSource, eventName); + enrichConfig(enrichCtx, eventSource, eventName); + enrichEc2InstanceConnect(enrichCtx, eventSource, eventName); + enrichEc2(enrichCtx, eventSource, eventName); + enrichElasticFileSystem(enrichCtx, eventSource, eventName); + enrichEvents(enrichCtx, eventSource, eventName); + enrichGuardDuty(enrichCtx, eventSource, eventName); + enrichIam(enrichCtx, eventSource, eventName); + enrichKms(enrichCtx, eventSource, eventName); + enrichLambda(enrichCtx, eventSource, eventName); + enrichLogs(enrichCtx, eventSource, eventName); + enrichMonitoring(enrichCtx, eventSource, eventName); + enrichRds(enrichCtx, eventSource, eventName); + enrichRolesAnywhere(enrichCtx, eventSource, eventName); + enrichRoute53Resolver(enrichCtx, eventSource, eventName); + enrichS3(enrichCtx, eventSource, 
eventName); + enrichSecretsManager(enrichCtx, eventSource, eventName); + enrichSignin(enrichCtx, eventSource, eventName); + enrichSsm(enrichCtx, eventSource, eventName); + enrichSts(enrichCtx, eventSource, eventName); + enrichWafv2(enrichCtx, eventSource, eventName); + enrichSns(enrichCtx, eventSource, eventName); + enrichBedrock(enrichCtx, eventSource, eventName); + enrichElasticLoadBalancing(enrichCtx, eventSource, eventName); + enrichDynamoDB(enrichCtx, eventSource, eventName); - field("related.entity").set(entities); + if (!enrichCtx.target.isEmpty()) { + field("target.entity.id").set(enrichCtx.target); + enrichCtx.related.addAll(enrichCtx.target); + } + + field("actor.entity.id").set([ enrichCtx.actor ]); + + field("related.entity").set(enrichCtx.related); - rename: field: json.eventVersion 
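Review bot: `field("actor.entity.id").set([ enrichCtx.actor ])` near the end of the hunk runs unconditionally, so an event whose `json.userIdentity.arn` is absent (and that is not the STS AssumeRole/GetCallerIdentity path, the only place `enrichCtx.actor` is reassigned, where the replacement can itself be null) ends up with `actor.entity.id: [null]`, while the `target` write is correctly guarded by `isEmpty()`. Guarding it the same way, `if (enrichCtx.actor != null) { field("actor.entity.id").set([ enrichCtx.actor ]); }`, keeps the field absent instead of a null-element array. The base `related` list built in this hunk also no longer includes `json.userIdentity.principalId`, `json.userIdentity.identityProvider` or `json.userIdentity.sessionContext.webIdFederationData.federatedProvider`, all of which the removed block collected; if the drop is intended it should be called out, because principal IDs are often the only stable identifier for federated and assumed-role sessions. Minor: `json.requestParameters.serialNumber` is listed twice in `enrichIam`'s related list.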
@@ -835,6 +1332,198 @@ processors: type: - user - change + GetCallerIdentity: + category: + - authentication + type: + - info + DescribeInstances: + category: + - host + type: + - info + DescribeSecurityGroups: + category: + - network + type: + - info + ListBuckets: + category: + - file + type: + - info + DescribeNetworkInterfaces: + category: + - network + type: + - info + DescribeRegions: + category: + - api + type: + - info + ListRoles: + category: + - iam + type: + - info + DescribeVpcs: + category: + - network + type: + - info + DescribeNetworkAcls: + category: + - network + type: + - info + DescribeLoadBalancers: + category: + - network + type: + - info + DescribeVolumes: + category: + - host + type: + - info + DescribeTrails: + category: + - configuration + type: + - info + ListFunctions: + category: + - package + type: + - info + ListTables: + category: + - database + type: + - info + ListInstanceAssociations: + category: + - host + type: + - info + DescribeDBInstances: + category: + - database + type: + - info + AuthorizeSecurityGroupIngress: + category: + - network + type: + - access + CreateTopic: + category: + - configuration + type: + - creation + Subscribe: + category: + - configuration + type: + - change + Publish: + category: + - api + type: [] + SendCommand: + category: + - process + type: [] + GetPolicy: + category: + - iam + type: + - info + CreatePolicy: + category: + - iam + type: + - creation + ListAttachedRolePolicies: + category: + - iam + type: + - info + AttachRolePolicy: + category: + - iam + type: + - change + Converse: + category: + - api + type: [] + CreateDocument: + category: + - file + type: + - creation + StartSession: + category: + - session + type: + - start + CreateControlChannel: + category: + - session + type: + - start + OpenControlChannel: + category: + - session + type: + - start + CreateDataChannel: + category: + - session + type: + - start + OpenDataChannel: + category: + - session + type: + - start + TerminateSession: + 
category: + - session + type: + - end + ListObjects: + category: + - file + type: + - info + HeadObject: + category: + - file + type: + - info + GetObject: + category: + - file + type: + - info + PutObject: + category: + - file + type: + - change + DeleteTrail: + category: + - configuration + type: + - deletion + DeleteObject: + category: + - file + type: + - delete source: >- ctx.event.kind = 'event'; ctx.event.type = ['info']; diff --git a/packages/aws/data_stream/cloudtrail/fields/fields.yml b/packages/aws/data_stream/cloudtrail/fields/fields.yml index debd5df88e..acd314e467 100644 --- a/packages/aws/data_stream/cloudtrail/fields/fields.yml +++ b/packages/aws/data_stream/cloudtrail/fields/fields.yml @@ -190,3 +190,20 @@ - name: related.entity description: "A collection of all entity identifiers associated with the document. \nIf the document contains multiple entities, identifiers for each will be included.\nExample identifiers include(but not limited to) cloud resource IDs, ARNs, email addresses,\nand hostnames. \n" type: keyword +- name: target + type: group + fields: + - name: entity + type: group + fields: + - name: id + type: keyword + +- name: actor + type: group + fields: + - name: entity + type: group + fields: + - name: id + type: keyword diff --git a/packages/aws/data_stream/cloudtrail/manifest.yml b/packages/aws/data_stream/cloudtrail/manifest.yml index 33994724e3..f8173473da 100644 --- a/packages/aws/data_stream/cloudtrail/manifest.yml +++ b/packages/aws/data_stream/cloudtrail/manifest.yml 
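Review bot: `DeleteObject` is mapped to `type: - delete`, which is not an ECS `event.type` value; the same hunk uses `deletion` for `DeleteTrail`, so this entry should read `- deletion`. `AuthorizeSecurityGroupIngress` is given `type: - access` although the call modifies a security group's rules; `change` would be consistent with how the existing `Attach*` and `Subscribe` entries classify modifications.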
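Review bot: The new `actor.entity.id` and `target.entity.id` fields in `fields.yml` are declared without a `description`, which is why the docs table in `docs/cloudtrail.md` now shows empty description cells for both. Adding for instance `description: "Identifier (ARN or resource id) of the entity that performed the action."` to the actor `id` entry and `description: "Identifiers of the entities the action was performed on."` to the target one, then regenerating the docs, would fix both places at once.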
@@ -164,6 +164,17 @@ streams: show_user: false description: > Additional settings to be added to the configuration. Be careful using this as it might break the input as those settings are not validated and can override the settings specified above. See [`aws-s3` input settings docs](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html) for details. + + - name: actor_target_mapping + required: true + show_user: true + title: Actor and Target Entity Mapping + description: > + Maps actor and target entity identifiers relative to an event into designated fields (`actor.entity.id` for the acting entity and `target.entity.id` for the affected entity/entities). All identifiers, regardless of role, are captured in the `related.entity` field.This introduces additional ingest pipeline processors for parsing, which may introduce performance overhead in certain cases. + type: bool + multi: false + default: true + - input: httpjson title: AWS CloudTrail Logs via Splunk Enterprise REST API @@ -273,6 +284,17 @@ streams: type: bool multi: false default: false + + - name: actor_target_mapping + required: true + show_user: true + title: Actor and Target Entity Mapping + description: > + Maps actor and target entity identifiers relative to an event into designated fields (`actor.entity.id` for the acting entity and `target.entity.id` for the affected entity/entities). All identifiers, regardless of role, are captured in the `related.entity` field. This introduces additional ingest pipeline processors for parsing, which may introduce performance overhead in certain cases. + type: bool + multi: false + default: true + - input: aws-cloudwatch template_path: aws-cloudwatch.yml.hbs title: AWS CloudTrail Logs 
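Review bot: In the first `actor_target_mapping` description (the `aws-s3` stream) the text runs `` `related.entity` field.This introduces `` with no space after the period, unlike the two other copies of the same description in this commit; it should read `` `related.entity` field. This introduces ``. Since the option is `required: true` with `default: true`, existing policies will presumably pick up the extra processors on upgrade, which the description could state explicitly alongside the performance caveat.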
@@ -399,3 +421,13 @@ streams: type: bool multi: false default: false + + - name: actor_target_mapping + required: true + show_user: true + title: Actor and Target Entity Mapping + description: > + Maps actor and target entity identifiers relative to an event into designated fields (`actor.entity.id` for the acting entity and `target.entity.id` for the affected entity/entities). All identifiers, regardless of role, are captured in the `related.entity` field. This introduces additional ingest pipeline processors for parsing, which may introduce performance overhead in certain cases. + type: bool + multi: false + default: true diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md index e6c9e7f624..257c5ac079 100644 --- a/packages/aws/docs/cloudtrail.md +++ b/packages/aws/docs/cloudtrail.md @@ -79,6 +79,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| actor.entity.id | | keyword | | aws.cloudtrail.additional_eventdata | Additional data about the event that was not part of the request or response. | keyword | | aws.cloudtrail.additional_eventdata.text | Multi-field of `aws.cloudtrail.additional_eventdata`. | text | | aws.cloudtrail.api_version | Identifies the API version associated with the AwsApiCall eventType value. | keyword | @@ -136,6 +137,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | input.type | Input type | keyword | | log.offset | Log offset | long | | related.entity | A collection of all entity identifiers associated with the document. If the document contains multiple entities, identifiers for each will be included. Example identifiers include(but not limited to) cloud resource IDs, ARNs, email addresses, and hostnames. | keyword | +| target.entity.id | | keyword | An example event for `cloudtrail` looks as following: