Add origin and target to cloudtrail
romulets committed Sep 25, 2024
1 parent 325ab7c commit 241ed25
Showing 40 changed files with 661 additions and 197 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,16 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"EX_PRINCIPAL_ID",
"arn:aws:iam::123456789012:user/Alice",
"Alice"
],
"target": [
"Bob"
]
},
"event": {
"action": "AddUserToGroup",
"category": [
Expand All @@ -51,15 +61,15 @@
"name": "admin"
},
"related": {
"entity": [
"EX_PRINCIPAL_ID",
"arn:aws:iam::123456789012:user/Alice",
"Bob",
"Alice"
],
"user": [
"Alice",
"Bob"
],
"entity": [
"Alice",
"Bob",
"EX_PRINCIPAL_ID",
"arn:aws:iam::123456789012:user/Alice"
]
},
"source": {
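Review bot: `related.entity` in the second hunk appears to lose its sorted order: the array is shown once as `"Alice", "Bob", "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice"` and once as `"EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", "Bob", "Alice"`, which is neither sorted nor origin-then-target order. The +/- markers are lost here, but the AssumeRole fixture below removes a sorted array and adds an unsorted one according to its hunk counts, so the unsorted copy is presumably the new side. If that order comes from set iteration in the pipeline (not visible on this page), the expected output depends on an implementation detail and these fixtures become brittle. Sorting the collected values before they are written would keep the previous stable shape, e.g. `"entity": ["Alice", "Bob", "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice"]`. The same applies to `entity.origin` and `entity.target`, and to the ConsoleLogin, CreateAccessKey, CreateDBInstance and CreateKeyPair fixtures.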
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,20 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"JohnDoe",
"arn:aws:iam::111111111111:role/JohnRole1"
],
"target": [
"Role2WithTags",
"arn:aws:iam::111122223333:role/JohnRole2",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole2"
]
},
"event": {
"action": "AssumeRole",
"category": [
Expand All @@ -93,6 +107,18 @@
"info"
]
},
"related": {
"entity": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"Role2WithTags",
"JohnDoe",
"arn:aws:iam::111122223333:role/JohnRole2",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole1",
"arn:aws:iam::111111111111:role/JohnRole2"
]
},
"source": {
"address": "81.2.69.144",
"geo": {
Expand Down Expand Up @@ -128,18 +154,6 @@
"version": "4.9.184"
},
"version": "1.16.248"
},
"related": {
"entity": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"JohnDoe",
"Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole1",
"arn:aws:iam::111111111111:role/JohnRole2",
"arn:aws:iam::111122223333:role/JohnRole2",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"
]
}
},
{
Expand Down Expand Up @@ -225,6 +239,19 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"JohnDoe",
"arn:aws:iam::111111111111:role/JohnRole1"
],
"target": [
"Role2WithTags",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole2"
]
},
"event": {
"action": "AssumeRole",
"category": [
Expand All @@ -240,6 +267,17 @@
"info"
]
},
"related": {
"entity": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"Role2WithTags",
"JohnDoe",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole1",
"arn:aws:iam::111111111111:role/JohnRole2"
]
},
"source": {
"address": "81.2.69.144",
"geo": {
Expand Down Expand Up @@ -275,17 +313,6 @@
"version": "4.9.184"
},
"version": "1.16.248"
},
"related": {
"entity": [
"AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"JohnDoe",
"Role2WithTags",
"arn:aws:iam::111111111111:role/JohnRole1",
"arn:aws:iam::111111111111:role/JohnRole2",
"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"
]
}
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"0123456789012",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
]
},
"event": {
"action": "ChangePassword",
"category": [
Expand Down Expand Up @@ -98,6 +105,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"0123456789012",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
]
},
"event": {
"action": "ChangePassword",
"category": [
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,9 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": []
},
"event": {
"created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
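Review bot: The expected document now carries `"origin": []`, which suggests the pipeline writes `entity.origin` even when the record has no identity it can map (the raw event is outside this hunk). An empty list holds no value but still makes the key present, so anything that checks the stored document for an origin sees one where none was identified, and every such event gains a field that says nothing. Prefer omitting the field when nothing was collected: once the pipeline skips or removes empty lists, the three added lines `"entity": { "origin": [] },` drop out of this fixture.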
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"AIDACKCEVSQ6C2EXAMPLE",
"JohnDoe",
"arn:aws:iam::111122223333:user/JohnDoe"
]
},
"event": {
"action": "ConsoleLogin",
"category": [
Expand Down Expand Up @@ -147,6 +154,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"AIDACKCEVSQ6C2EXAMPLE",
"JaneDoe",
"arn:aws:iam::111122223333:user/JaneDoe"
]
},
"event": {
"action": "ConsoleLogin",
"category": [
Expand Down Expand Up @@ -265,6 +279,14 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"arn:aws:iam::123456789012:role/RoleToBeAssumed",
"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"RoleToBeAssumed"
]
},
"event": {
"action": "ConsoleLogin",
"category": [
Expand All @@ -282,10 +304,10 @@
},
"related": {
"entity": [
"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"RoleToBeAssumed",
"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"arn:aws:iam::123456789012:role/RoleToBeAssumed",
"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName"
"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"RoleToBeAssumed"
]
},
"source": {
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,17 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"EXAMPLE_ID",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
],
"target": [
"Bob",
"EXAMPLE_KEY_ID"
]
},
"event": {
"action": "CreateAccessKey",
"category": [
Expand All @@ -62,10 +73,10 @@
},
"related": {
"entity": [
"Alice",
"Bob",
"EXAMPLE_ID",
"Bob",
"EXAMPLE_KEY_ID",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
],
"user": [
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,24 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"AIDA2IBR2EZTJMPOR52WV",
"arn:aws:iam::1010101010101:user/[email protected]",
"[email protected]"
],
"target": [
"sg-4e483165",
"subnet-c4bf5e9b",
"vpc-73d2e309",
"test-cloudtrail-event-instance-14340",
"subnet-0a0bee6c",
"subnet-37391109",
"subnet-fee506df",
"subnet-bf6ab5b1",
"subnet-8bdf6bc6"
]
},
"event": {
"action": "CreateDBInstance",
"created": "2021-11-11T01:02:03.123456789Z",
Expand All @@ -160,18 +178,18 @@
},
"related": {
"entity": [
"AIDA2IBR2EZTJMPOR52WV",
"arn:aws:iam::1010101010101:user/[email protected]",
"sg-4e483165",
"subnet-c4bf5e9b",
"[email protected]",
"subnet-0a0bee6c",
"subnet-37391109",
"subnet-8bdf6bc6",
"subnet-bf6ab5b1",
"subnet-c4bf5e9b",
"subnet-fee506df",
"subnet-8bdf6bc6",
"AIDA2IBR2EZTJMPOR52WV",
"vpc-73d2e309",
"test-cloudtrail-event-instance-14340",
"[email protected]",
"vpc-73d2e309"
"subnet-fee506df",
"arn:aws:iam::1010101010101:user/[email protected]"
],
"user": [
"[email protected]"
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"0123456789012",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
]
},
"event": {
"action": "CreateGroup",
"category": [
Expand Down Expand Up @@ -126,6 +133,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"0123456789012",
"Alice",
"arn:aws:iam::0123456789012:user/Alice"
]
},
"event": {
"action": "CreateGroup",
"category": [
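Review bot: Both CreateGroup events get an `entity.origin` but no `entity.target`, while the AddUserToGroup and CreateAccessKey fixtures record the object acted on (`"Bob"`, `"EXAMPLE_KEY_ID"`). The group being created is the natural target of this action, and without it a search on `entity.target` cannot answer who created a given group; the CreateKeyPair fixture has the same gap for the key pair. If the request parameters carry the name (they are outside these hunks), add it to the expected output, e.g. `"target": ["GROUP_NAME_PLACEHOLDER"]`. Otherwise document in the pipeline that the target is filled only for selected actions.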
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,13 @@
"ecs": {
"version": "8.11.0"
},
"entity": {
"origin": [
"EX_PRINCIPAL_ID",
"arn:aws:iam::123456789012:user/Alice",
"Alice"
]
},
"event": {
"action": "CreateKeyPair",
"category": [
Expand All @@ -54,9 +61,9 @@
},
"related": {
"entity": [
"Alice",
"EX_PRINCIPAL_ID",
"arn:aws:iam::123456789012:user/Alice"
"arn:aws:iam::123456789012:user/Alice",
"Alice"
],
"user": [
"Alice"