diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json index b6fdb963c118..d6bdee4bfd05 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json @@ -32,6 +32,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "AddUserToGroup", "category": [ @@ -51,15 +61,15 @@ "name": "admin" }, "related": { + "entity": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "Alice" + ], "user": [ "Alice", "Bob" - ], - "entity": [ - "Alice", - "Bob", - "EX_PRINCIPAL_ID", - "arn:aws:iam::123456789012:user/Alice" ] }, "source": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index 4b0c280a822f..5d103f045d55 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json @@ -78,6 +78,20 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "JohnDoe", + "arn:aws:iam::111111111111:role/JohnRole1" + ], + "target": [ + "Role2WithTags", + "arn:aws:iam::111122223333:role/JohnRole2", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "event": { "action": "AssumeRole", "category": [ 
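Review bot: The rewritten `related.entity` array in the add-user-to-group hunk gives up the lexicographic order the previous fixture had (`Alice`, `Bob`, `EX_PRINCIPAL_ID`, `arn:…`) for `EX_PRINCIPAL_ID`, `arn:…`, `Bob`, `Alice`, and the new `entity.origin` lists its three values in a different order here (principal id, ARN, name) than the create-access-key fixture does (id, name, ARN). That looks like the pipeline now materializes these arrays from an unordered collection, so every expected file would depend on that collection's iteration order rather than on the event; if the test harness compares arrays positionally, any change in the set implementation or in the order values are appended would churn all of these fixtures. I would have the script sort the three arrays before emitting them, e.g. `ctx.related.entity = new ArrayList(new TreeSet(ctx.related.entity))` and the same for `ctx.entity.origin` / `ctx.entity.target`, then regenerate. The pipeline script itself is not in this diff, so the cause is inferred from the fixtures only.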
@@ -93,6 +107,18 @@ "info" ] }, + "related": { + "entity": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "Role2WithTags", + "JohnDoe", + "arn:aws:iam::111122223333:role/JohnRole2", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole1", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "source": { "address": "81.2.69.144", "geo": { @@ -128,18 +154,6 @@ "version": "4.9.184" }, "version": "1.16.248" - }, - "related": { - "entity": [ - "AROAIN5ATK5U7KEXAMPLE:JohnRole1", - "JohnDoe", - "Role2WithTags", - "arn:aws:iam::111111111111:role/JohnRole1", - "arn:aws:iam::111111111111:role/JohnRole2", - "arn:aws:iam::111122223333:role/JohnRole2", - "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", - "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags" - ] } }, { @@ -225,6 +239,19 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "JohnDoe", + "arn:aws:iam::111111111111:role/JohnRole1" + ], + "target": [ + "Role2WithTags", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "event": { "action": "AssumeRole", "category": [ @@ -240,6 +267,17 @@ "info" ] }, + "related": { + "entity": [ + "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "Role2WithTags", + "JohnDoe", + "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "arn:aws:iam::111111111111:role/JohnRole1", + "arn:aws:iam::111111111111:role/JohnRole2" + ] + }, "source": { "address": "81.2.69.144", "geo": { 
@@ -275,17 +313,6 @@ "version": "4.9.184" }, "version": "1.16.248" - }, - "related": { - "entity": [ - "AROAIN5ATK5U7KEXAMPLE:JohnRole1", - "JohnDoe", - "Role2WithTags", - "arn:aws:iam::111111111111:role/JohnRole1", - "arn:aws:iam::111111111111:role/JohnRole2", - "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", - "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags" - ] } } ] diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json index 6bd056bccb06..f9a5f614c4fd 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json @@ -27,6 +27,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "ChangePassword", "category": [ @@ -98,6 +105,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "ChangePassword", "category": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json index 282b0156876a..ab4d451f213c 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json @@ -124,6 +124,9 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [] + }, "event": { "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
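Review bot: The cloudtrail-digest fixture now expects `"entity": { "origin": [] }`, i.e. an empty array indexed on a record that has no acting principal, and the insight fixture later in this diff shows the same `"origin": []`. The other fixtures simply omit `entity.target` when nothing fills it, so an empty `entity.origin` is inconsistent with that and adds a meaningless field to every digest and insight document. I would have the pipeline drop the field when it ends up empty — a `remove` processor on `entity.origin` with `if: ctx.entity?.origin != null && ctx.entity.origin.isEmpty()`, followed by removing an empty `entity` object — and regenerate these two expected files without the `entity` block. The processor producing the field is outside this diff, so where the guard belongs is inferred.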
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json index 37f03bb93230..54132404ffbc 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json @@ -39,6 +39,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDACKCEVSQ6C2EXAMPLE", + "JohnDoe", + "arn:aws:iam::111122223333:user/JohnDoe" + ] + }, "event": { "action": "ConsoleLogin", "category": [ @@ -147,6 +154,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDACKCEVSQ6C2EXAMPLE", + "JaneDoe", + "arn:aws:iam::111122223333:user/JaneDoe" + ] + }, "event": { "action": "ConsoleLogin", "category": [ @@ -265,6 +279,14 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", + "arn:aws:iam::123456789012:role/RoleToBeAssumed", + "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", + "RoleToBeAssumed" + ] + }, "event": { "action": "ConsoleLogin", "category": [ @@ -282,10 +304,10 @@ }, "related": { "entity": [ - "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", - "RoleToBeAssumed", + "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", "arn:aws:iam::123456789012:role/RoleToBeAssumed", - "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName" + "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", + "RoleToBeAssumed" ] }, "source": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json index 4c59b6e0539f..6296f9a4272c 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json @@ -44,6 +44,17 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob", + "EXAMPLE_KEY_ID" + ] + }, "event": { "action": "CreateAccessKey", "category": [ @@ -62,10 +73,10 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", "EXAMPLE_KEY_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json index f5943bec5bf6..c4e555698245 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json @@ -146,6 +146,24 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "testcloudtrail@elastic.co" + ], + "target": [ + "sg-4e483165", + "subnet-c4bf5e9b", + "vpc-73d2e309", + "test-cloudtrail-event-instance-14340", + "subnet-0a0bee6c", + "subnet-37391109", + "subnet-fee506df", + "subnet-bf6ab5b1", + "subnet-8bdf6bc6" + ] + }, "event": { "action": "CreateDBInstance", "created": "2021-11-11T01:02:03.123456789Z", 
@@ -160,18 +178,18 @@ }, "related": { "entity": [ - "AIDA2IBR2EZTJMPOR52WV", - "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", "sg-4e483165", + "subnet-c4bf5e9b", + "testcloudtrail@elastic.co", "subnet-0a0bee6c", "subnet-37391109", - "subnet-8bdf6bc6", "subnet-bf6ab5b1", - "subnet-c4bf5e9b", - "subnet-fee506df", + "subnet-8bdf6bc6", + "AIDA2IBR2EZTJMPOR52WV", + "vpc-73d2e309", "test-cloudtrail-event-instance-14340", - "testcloudtrail@elastic.co", - "vpc-73d2e309" + "subnet-fee506df", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co" ], "user": [ "testcloudtrail@elastic.co" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json index 52f680b093e5..66e18b93fc1f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json @@ -45,6 +45,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "CreateGroup", "category": [ @@ -126,6 +133,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "CreateGroup", "category": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json index 45f53fbf8a28..329cb40c5e19 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json 
@@ -37,6 +37,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ] + }, "event": { "action": "CreateKeyPair", "category": [ @@ -54,9 +61,9 @@ }, "related": { "entity": [ - "Alice", "EX_PRINCIPAL_ID", - "arn:aws:iam::123456789012:user/Alice" + "arn:aws:iam::123456789012:user/Alice", + "Alice" ], "user": [ "Alice" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json index a80d6b0be20a..40a0eb31e60e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-lambda-json.log-expected.json @@ -75,6 +75,18 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "testcloudtrail@elastic.co" + ], + "target": [ + "arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn", + "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", + "cloudtrail-events-test" + ] + }, "event": { "action": "CreateFunction20150331", "created": "2021-11-11T01:02:03.123456789Z", @@ -90,11 +102,11 @@ "related": { "entity": [ "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", + "testcloudtrail@elastic.co", "arn:aws:iam::1010101010101:role/cloudtrail-events-test-lambda-fn", "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", - "arn:aws:lambda:us-east-1:1010101010101:function:cloudtrail-events-test", - "cloudtrail-events-test", - "testcloudtrail@elastic.co" + "cloudtrail-events-test" ], "user": [ "testcloudtrail@elastic.co" 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json index 1a8716fcb52b..267aab4ec565 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json @@ -51,6 +51,18 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "TEST-trail", + "TEST-cloudtrail-bucket", + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail" + ] + }, "event": { "action": "CreateTrail", "created": "2021-11-11T01:02:03.123456789Z", @@ -65,10 +77,10 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", - "TEST-cloudtrail-bucket", "TEST-trail", + "Alice", + "TEST-cloudtrail-bucket", "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", "arn:aws:iam::0123456789012:user/Alice" ], diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json index 75b85c824c11..452c19a5cc8d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json @@ -37,6 +37,17 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], + "target": [ + "Bob", + "arn:aws:iam::123456789012:user/Bob" + ] + }, "event": { "action": "CreateUser", "category": [ 
@@ -54,11 +65,11 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", - "arn:aws:iam::123456789012:user/Bob" + "Bob", + "arn:aws:iam::123456789012:user/Bob", + "Alice" ], "user": [ "Alice", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json index 58e0639aa4af..d94eb15114c3 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json @@ -41,6 +41,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "CreateVirtualMFADevice", "category": [ @@ -59,8 +66,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json index cdc7b41c5050..69b734ea030c 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json @@ -36,6 +36,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Alice" + ] + }, "event": { "action": "DeactivateMFADevice", "category": [ @@ -54,8 +64,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json index 84557b63b779..29906a1dbc5c 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json @@ -36,6 +36,17 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob", + "EXAMPLE_ID" + ] + }, "event": { "action": "DeleteAccessKey", "category": [ @@ -54,9 +65,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index 1fd8815c2bd8..2da4e209b526 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json @@ -40,6 +40,17 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "arn:aws:iam::777788889999:role/AssumeNothing", + "AssumeNothing", + "AIDAQRSTUVWXYZEXAMPLE:devdsk", + "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" + ], + "target": [ + "my-test-bucket-cross-account" + ] + }, "event": { "action": "DeleteBucket", "category": [ 
@@ -57,11 +68,11 @@ }, "related": { "entity": [ - "AIDAQRSTUVWXYZEXAMPLE:devdsk", - "AssumeNothing", + "my-test-bucket-cross-account", "arn:aws:iam::777788889999:role/AssumeNothing", - "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk", - "my-test-bucket-cross-account" + "AssumeNothing", + "AIDAQRSTUVWXYZEXAMPLE:devdsk", + "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk" ] }, "source": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json index 725b7484ee44..a1de1729e3af 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json @@ -35,6 +35,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "DeleteGroup", "category": [ @@ -115,6 +122,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_PRINCIPLE", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "DeleteGroup", "category": [ @@ -136,8 +150,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_PRINCIPLE", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json index 6388dbf9fae2..9a94436bdfb6 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json 
@@ -36,6 +36,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "DeleteSSHPublicKey", "category": [ @@ -54,9 +64,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json index 08365738ce34..ad65442fcd57 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json @@ -31,6 +31,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail" + ] + }, "event": { "action": "DeleteTrail", "created": "2021-11-11T01:02:03.123456789Z", @@ -45,10 +55,10 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", - "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail", - "arn:aws:iam::0123456789012:user/Alice" + "Alice", + "arn:aws:iam::0123456789012:user/Alice", + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail" ], "user": [ "Alice" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json index 4208446e5c7a..ce960a15bd27 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json 
@@ -35,6 +35,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "DeleteUser", "category": [ @@ -53,10 +63,10 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EX_PRINCIPAL_ID", - "arn:aws:iam::123456789012:user/Alice" + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "Alice" ], "user": [ "Alice", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json index 3c94331a457f..3012805dd64f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json @@ -35,6 +35,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "DeleteVirtualMFADevice", "category": [ @@ -53,8 +60,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json index 1e37c2575c9a..f9f5e3700f20 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json 
@@ -43,6 +43,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "testcloudtrail@elastic.co" + ], + "target": [ + "arn:aws:kms:us-east-1:1010101010101:key/65479477-67d5-4b84-b71c-d540f7a8f31f" + ] + }, "event": { "action": "DisableKey", "created": "2021-11-11T01:02:03.123456789Z", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json index 3a1134b54703..aa5cef092b46 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json @@ -35,6 +35,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "EnableMFADevice", "category": [ @@ -53,9 +63,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json index d216f2b05b9a..21e1ff3fd717 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json @@ -65,6 +65,9 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [] + }, "event": { "created": "2021-11-11T01:02:03.123456789Z", "id": "41ed77ca-d659-b45a-8e9a-74e504300007", 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json index 981b49130422..ffc7f806e7b1 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json @@ -36,6 +36,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "RemoveUserFromGroup", "category": [ @@ -57,9 +67,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json index b1c178517585..50b3687e3dcd 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-run-instances-json.log-expected.json @@ -222,6 +222,22 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "testcloudtrail@elastic.co" + ], + "target": [ + "i-0f2f135de18b555e3", + "sg-4e483165", + "subnet-c4bf5e9b", + "vpc-73d2e309", + "r-0dfcd099dcab4e63a", + "ami-00a4cd63f089232e0", + "eni-043138569d4a31e90" + ] + }, "event": { "action": "RunInstances", "created": "2021-11-11T01:02:03.123456789Z", 
@@ -237,15 +253,15 @@ "related": { "entity": [ "AIDA2IBR2EZTJMPOR52WV", - "ami-00a4cd63f089232e0", - "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", - "eni-043138569d4a31e90", "i-0f2f135de18b555e3", - "r-0dfcd099dcab4e63a", "sg-4e483165", "subnet-c4bf5e9b", + "vpc-73d2e309", "testcloudtrail@elastic.co", - "vpc-73d2e309" + "r-0dfcd099dcab4e63a", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "ami-00a4cd63f089232e0", + "eni-043138569d4a31e90" ], "user": [ "testcloudtrail@elastic.co" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json index bcf43366cb8d..36069d0d950a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json @@ -36,6 +36,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "TEST-trail" + ] + }, "event": { "action": "StartLogging", "created": "2021-11-11T01:02:03.123456789Z", @@ -50,9 +60,9 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", "TEST-trail", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json index 584b0d7a9b69..86c4ad7f1b0a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json 
@@ -32,6 +32,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "AIDA2IBR2EZTJMPOR52WV", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", + "testcloudtrail@elastic.co" + ], + "target": [ + "default" + ] + }, "event": { "action": "StopConfigurationRecorder", "created": "2021-11-11T01:02:03.123456789Z", @@ -47,8 +57,8 @@ "related": { "entity": [ "AIDA2IBR2EZTJMPOR52WV", - "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", "default", + "arn:aws:iam::1010101010101:user/testcloudtrail@elastic.co", "testcloudtrail@elastic.co" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json index 375d7afe1a70..d10657ebfda7 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json @@ -36,6 +36,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail" + ] + }, "event": { "action": "StopLogging", "created": "2021-11-11T01:02:03.123456789Z", @@ -50,8 +60,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", "arn:aws:iam::0123456789012:user/Alice" ], diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json index b4a5585f99a3..7407167926ff 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json 
@@ -47,6 +47,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Alice" + ] + }, "event": { "action": "UploadSSHPublicKey", "created": "2021-11-11T01:02:03.123456789Z", @@ -61,8 +71,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json index 0174cde0b624..850146e94e64 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json @@ -37,6 +37,17 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob", + "EXAMPLE_KEY_ID" + ] + }, "event": { "action": "UpdateAccessKey", "category": [ @@ -55,10 +66,10 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", "EXAMPLE_KEY_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json index bbbf7ba31469..4911975b9e94 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json 
@@ -40,6 +40,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "UpdateAccountPasswordPolicy", "category": [ @@ -58,8 +65,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json index db25f58f3782..093bcf86921c 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json @@ -31,6 +31,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "UpdateGroup", "category": [ @@ -113,6 +120,13 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "0123456789012", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ] + }, "event": { "action": "UpdateGroup", "category": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json index dd2622d4739f..f942e4780d46 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json @@ -35,6 +35,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "UpdateLoginProfile", "category": [ 
@@ -53,9 +63,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json index b564a59f34af..bdbbf0650e07 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json @@ -37,6 +37,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "UpdateSSHPublicKey", "category": [ @@ -55,9 +65,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ @@ -124,6 +134,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "UpdateSSHPublicKey", "category": [ @@ -142,9 +162,9 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EXAMPLE_ID", + "Bob", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json index 512163d8622b..1edf417ea2b7 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json 
@@ -32,6 +32,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], + "target": [ + "myTrail2" + ] + }, "event": { "action": "UpdateTrail", "created": "2021-11-11T01:02:03.123456789Z", @@ -46,10 +56,10 @@ }, "related": { "entity": [ - "Alice", "EX_PRINCIPAL_ID", "arn:aws:iam::123456789012:user/Alice", - "myTrail2" + "myTrail2", + "Alice" ], "user": [ "Alice" @@ -145,6 +155,18 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "TEST-trail", + "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", + "test-cloudtrail-bucket" + ] + }, "event": { "action": "UpdateTrail", "created": "2021-11-11T01:02:03.123456789Z", @@ -159,9 +181,9 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", "TEST-trail", + "Alice", "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", "arn:aws:iam::0123456789012:user/Alice", "test-cloudtrail-bucket" diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json index 798c2e0c5817..529ea3b3149e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json @@ -31,6 +31,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EX_PRINCIPAL_ID", + "arn:aws:iam::123456789012:user/Alice", + "Alice" + ], + "target": [ + "Bob" + ] + }, "event": { "action": "UpdateUser", "category": [ @@ -49,10 +59,10 @@ }, "related": { "entity": [ - "Alice", - "Bob", "EX_PRINCIPAL_ID", - "arn:aws:iam::123456789012:user/Alice" + "arn:aws:iam::123456789012:user/Alice", + "Bob", + "Alice" ], "user": [ "Alice", 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json index 6ef3b8e3ae4f..a1abfacc593d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json @@ -47,6 +47,16 @@ "ecs": { "version": "8.11.0" }, + "entity": { + "origin": [ + "EXAMPLE_ID", + "Alice", + "arn:aws:iam::0123456789012:user/Alice" + ], + "target": [ + "Alice" + ] + }, "event": { "action": "UploadSSHPublicKey", "created": "2021-11-11T01:02:03.123456789Z", @@ -61,8 +71,8 @@ }, "related": { "entity": [ - "Alice", "EXAMPLE_ID", + "Alice", "arn:aws:iam::0123456789012:user/Alice" ], "user": [ diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml index aca02ec77969..3004abcce540 100644 --- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml 
@@ -51,163 +51,175 @@ processors: - script: description: Appends any relevant entity to `related.entity` for all events lang: painless - ignore_failure: true on_failure: - set: description: Add error reason field: error.message - value: "{{{ _ingest.on_failure_message }}}" + value: "{{{ _ingest.on_failure_message}}}" source: | - void addEntity(Set entities, String fieldName) { - entities.add(field(fieldName).get(null)); + void addField(Set entities, String fieldName) { + addValue(entities, field(fieldName).get(null)); } - Set entities = new HashSet(); + boolean addValue(Set entities, String value) { + if (value == null || value == "") { + return false; + } - addEntity(entities, "json.userIdentity.arn"); - addEntity(entities, "json.userIdentity.identityProvider"); - addEntity(entities, "json.userIdentity.principalId"); - addEntity(entities, "json.userIdentity.sessionContext.sessionIssuer.arn"); - addEntity(entities, "json.userIdentity.sessionContext.sessionIssuer.userName"); - addEntity(entities, "json.userIdentity.sessionContext.webIdFederationData.federatedProvider"); - addEntity(entities, "json.userIdentity.userName"); - field("json.resources").get(new ArrayList()).stream().forEach(f -> entities.add(f.ARN)); + return entities.add(value); + } - String eventSource = field("json.eventSource").get(null); + // Using tree set to ensure a sorting is kept (testing purposes) + TreeSet origin = new TreeSet(); + TreeSet target = new TreeSet(); - if (eventSource == "signin.amazonaws.com") { - addEntity(entities, "json.additionalEventData.MFAIdentifier"); + addField(origin, "json.userIdentity.arn"); + addField(origin, "json.userIdentity.identityProvider"); + addField(origin, "json.userIdentity.principalId"); + addField(origin, "json.userIdentity.sessionContext.sessionIssuer.arn"); + addField(origin, "json.userIdentity.sessionContext.sessionIssuer.userName"); + addField(origin, "json.userIdentity.sessionContext.webIdFederationData.federatedProvider"); + addField(origin, 
"json.userIdentity.userName"); + + field("json.resources").get(new ArrayList()).stream().forEach(f -> addValue(target, f.ARN)); - } else if (eventSource == "sts.amazonaws.com") { - addEntity(entities, "json.requestParameters.roleArn"); - addEntity(entities, "json.sourceIdentity"); - addEntity(entities, "json.additionalEventData.MFAIdentifier"); - addEntity(entities, "json.responseElements.assumedRoleUser.arn"); - addEntity(entities, "json.requestParameters.roleSessionName"); - addEntity(entities, "json.responseElements.accessKeyId"); + String eventSource = field("json.eventSource").get(null); + + if (eventSource == "sts.amazonaws.com") { + addField(target, "json.requestParameters.roleArn"); + addField(target, "json.sourceIdentity"); + addField(target, "json.additionalEventData.MFAIdentifier"); + addField(target, "json.responseElements.assumedRoleUser.arn"); + addField(target, "json.requestParameters.roleSessionName"); + addField(target, "json.responseElements.accessKeyId"); } else if (eventSource == "iam.amazonaws.com") { - addEntity(entities, "json.requestParameters.userName"); - addEntity(entities, "json.requestParameters.accessKeyId"); - addEntity(entities, "json.requestParameters.policyArn"); - addEntity(entities, "json.requestParameters.roleName"); - addEntity(entities, "json.requestParameters.policyName"); - addEntity(entities, "json.responseElements.accessKey.userName"); - addEntity(entities, "json.responseElements.accessKey.accessKeyId"); - addEntity(entities, "json.responseElements.user.arn"); - addEntity(entities, "json.responseElements.user.userName"); - addEntity(entities, "json.responseElements.userId"); - addEntity(entities, "json.responseElements.role.arn"); + addField(target, "json.requestParameters.userName"); + addField(target, "json.requestParameters.accessKeyId"); + addField(target, "json.requestParameters.policyArn"); + addField(target, "json.requestParameters.roleName"); + addField(target, "json.requestParameters.policyName"); + 
addField(target, "json.responseElements.accessKey.userName"); + addField(target, "json.responseElements.accessKey.accessKeyId"); + addField(target, "json.responseElements.user.arn"); + addField(target, "json.responseElements.user.userName"); + addField(target, "json.responseElements.userId"); + addField(target, "json.responseElements.role.arn"); } else if (eventSource == "ec2.amazonaws.com") { - addEntity(entities, "json.requestParameters.groupId"); - addEntity(entities, "json.requestParameters.groupName"); - addEntity(entities, "json.requestParameters.roleName"); - addEntity(entities, "json.requestParameters.subnetId"); - addEntity(entities, "json.requestParameters.volumeId"); - addEntity(entities, "json.requestParameters.networkInterfaceId"); - addEntity(entities, "json.requestParameters.vpcId"); - addEntity(entities, "json.requestParameters.snapshotId"); - addEntity(entities, "json.responseElements.groupId"); - addEntity(entities, "json.responseElements.reservationId"); - addEntity(entities, "json.responseElements.vpc.vpcId"); - addEntity(entities, "json.responseElements.vpc.dhcpOptionsId"); - addEntity(entities, "json.responseElements.snapshotId"); - addEntity(entities, "json.responseElements.volumeId"); + addField(target, "json.requestParameters.groupId"); + addField(target, "json.requestParameters.groupName"); + addField(target, "json.requestParameters.roleName"); + addField(target, "json.requestParameters.subnetId"); + addField(target, "json.requestParameters.volumeId"); + addField(target, "json.requestParameters.networkInterfaceId"); + addField(target, "json.requestParameters.vpcId"); + addField(target, "json.requestParameters.snapshotId"); + addField(target, "json.responseElements.groupId"); + addField(target, "json.responseElements.reservationId"); + addField(target, "json.responseElements.vpc.vpcId"); + addField(target, "json.responseElements.vpc.dhcpOptionsId"); + addField(target, "json.responseElements.snapshotId"); + addField(target, 
"json.responseElements.volumeId"); field("json.responseElements.securityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.groupId); - entities.add(i.referencedGroupInfo?.groupId); - entities.add(i.securityGroupRuleId); + addValue(target, i.groupId); + addValue(target, i.referencedGroupInfo?.groupId); + addValue(target, i.securityGroupRuleId); }); field("json.responseElements.groupSet.items").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.groupId); + addValue(target, i.groupId); }); field("json.requestParameters.groupSet.items").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.groupId); + addValue(target, i.groupId); }); field("json.requestParameters.instancesSet.items").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.instanceId); + addValue(target, i.instanceId); }); field("json.responseElements.instancesSet.items").get(new ArrayList()).stream().forEach(instances -> { - entities.add(instances.subnetId); - entities.add(instances.vpcId); - entities.add(instances.instanceId); - entities.add(instances.imageId); - entities.add(instances.iamInstanceProfile?.arn); + addValue(target, instances.subnetId); + addValue(target, instances.vpcId); + addValue(target, instances.instanceId); + addValue(target, instances.imageId); + addValue(target, instances.iamInstanceProfile?.arn); instances.networkInterfaceSet?.items?.stream().forEach(networks -> { - entities.add(networks.networkInterfaceId); - entities.add(networks.vpcId); - entities.add(networks.subnetId); + addValue(target, networks.networkInterfaceId); + addValue(target, networks.vpcId); + addValue(target, networks.subnetId); networks.groupSet?.items?.stream().forEach(group -> { - entities.add(group.groupId); + addValue(target, group.groupId); }); }); }); field("json.requestParameters.revokedSecurityGroupRuleSet.items").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.securityGroupRuleId); - entities.add(i.groupId); + addValue(target, 
i.securityGroupRuleId); + addValue(target, i.groupId); }); } else if (eventSource == "s3.amazonaws.com") { - addEntity(entities, 'json.requestParameters.bucketName'); + addField(target, 'json.requestParameters.bucketName'); } else if (eventSource == "cloudtrail.amazonaws.com") { - addEntity(entities, 'json.requestParameters.name'); - addEntity(entities, 'json.requestParameters.s3BucketName'); - addEntity(entities, 'json.responseElements.cloudWatchLogsLogGroupArn'); - addEntity(entities, 'json.responseElements.cloudWatchLogsRoleArn'); - addEntity(entities, 'json.responseElements.kmsKeyId'); - addEntity(entities, 'json.responseElements.snsTopicARN'); - addEntity(entities, 'json.responseElements.trailARN'); - addEntity(entities, 'json.responseElements.name'); + addField(target, 'json.requestParameters.name'); + addField(target, 'json.requestParameters.s3BucketName'); + addField(target, 'json.responseElements.cloudWatchLogsLogGroupArn'); + addField(target, 'json.responseElements.cloudWatchLogsRoleArn'); + addField(target, 'json.responseElements.kmsKeyId'); + addField(target, 'json.responseElements.snsTopicARN'); + addField(target, 'json.responseElements.trailARN'); + addField(target, 'json.responseElements.name'); } else if (eventSource == "kms.amazonaws.com") { - addEntity(entities, 'json.requestParameters.keyId'); - addEntity(entities, 'json.responseElements.keyId'); - addEntity(entities, 'json.responseElements.keyMetadata.arn'); - addEntity(entities, 'json.responseElements.keyMetadata.keyId'); + addField(target, 'json.requestParameters.keyId'); + addField(target, 'json.responseElements.keyId'); + addField(target, 'json.responseElements.keyMetadata.arn'); + addField(target, 'json.responseElements.keyMetadata.keyId'); } else if (eventSource == "config.amazonaws.com") { - addEntity(entities, 'json.requestParameters.configurationRecorderName'); + addField(target, 'json.requestParameters.configurationRecorderName'); } else if (eventSource == "lambda.amazonaws.com") { - 
addEntity(entities, 'json.requestParameters.functionName'); - addEntity(entities, 'json.responseElements.functionArn'); - addEntity(entities, 'json.responseElements.functionName'); - addEntity(entities, 'json.responseElements.role'); - addEntity(entities, 'json.responseElements.vpcConfig.securityGroupIds'); - addEntity(entities, 'json.responseElements.vpcConfig.subnetIds'); + addField(target, 'json.requestParameters.functionName'); + addField(target, 'json.responseElements.functionArn'); + addField(target, 'json.responseElements.functionName'); + addField(target, 'json.responseElements.role'); + addField(target, 'json.responseElements.vpcConfig.securityGroupIds'); + addField(target, 'json.responseElements.vpcConfig.subnetIds'); } else if (eventSource == "rds.amazonaws.com") { - addEntity(entities, 'json.requestParameters.dBInstanceIdentifier'); - addEntity(entities, 'json.requestParameters.dBInstanceArn'); - addEntity(entities, 'json.responseElements.dBInstanceIdentifier'); - addEntity(entities, 'json.responseElements.dbInstanceArn'); - addEntity(entities, 'json.responseElements.dBSubnetGroup.vpcId'); - addEntity(entities, 'json.responseElements.vpcSecurityGroups.vpcSecurityGroupId'); + addField(target, 'json.requestParameters.dBInstanceIdentifier'); + addField(target, 'json.requestParameters.dBInstanceArn'); + addField(target, 'json.responseElements.dBInstanceIdentifier'); + addField(target, 'json.responseElements.dbInstanceArn'); + addField(target, 'json.responseElements.dBSubnetGroup.vpcId'); + addField(target, 'json.responseElements.vpcSecurityGroups.vpcSecurityGroupId'); field("json.responseElements.dBSubnetGroup.subnets").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.subnetIdentifier); + addValue(target, i.subnetIdentifier); }); field("json.responseElements.vpcSecurityGroups").get(new ArrayList()).stream().forEach(i -> { - entities.add(i.vpcSecurityGroupId); + addValue(target, i.vpcSecurityGroupId); }); } - entities.remove(""); - 
entities.remove(null); + field("entity.origin").set(origin); + + TreeSet related = origin.clone(); - List sortedList = new ArrayList(entities); - Collections.sort(sortedList); // sort for testing purposes - field("related.entity").set(sortedList); + if (!target.isEmpty()) { + field("entity.target").set(target); + related.addAll(target); + } + + field("related.entity").set(related); + - rename: field: json.eventVersion target_field: aws.cloudtrail.event_version diff --git a/packages/aws/data_stream/cloudtrail/fields/fields.yml b/packages/aws/data_stream/cloudtrail/fields/fields.yml index 7b202166ffba..6803fe37335f 100644 --- a/packages/aws/data_stream/cloudtrail/fields/fields.yml +++ b/packages/aws/data_stream/cloudtrail/fields/fields.yml @@ -193,4 +193,12 @@ contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. - type: keyword \ No newline at end of file + type: keyword + +- name: entity + type: group + fields: + - name: origin + type: keyword + - name: target + type: keyword \ No newline at end of file
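Review bot: The old `signin.amazonaws.com` branch that collected `json.additionalEventData.MFAIdentifier` is removed and has no counterpart in the new `eventSource` chain, so console sign-in events silently lose the MFA device identifier from `related.entity`; unless that is intended, `} else if (eventSource == "signin.amazonaws.com") { addField(target, "json.additionalEventData.MFAIdentifier"); }` beside the `sts.amazonaws.com` branch keeps that pivot for sign-in investigations. Separately, `addValue(Set entities, String value)` now declares a String parameter while `addField` hands it whatever `field(fieldName).get(null)` returns, and with `ignore_failure: true` also dropped, any non-String value (the Lambda `vpcConfig.securityGroupIds`/`subnetIds` fields look like array candidates) would turn a previously silent add into a script failure recorded in `error.message` with no `entity.*`/`related.entity` set for that event; declaring `def value` and either iterating a `List` or skipping non-String values would avoid that. The comment `Using tree set to ensure a sorting is kept (testing purposes)` also does not match the fixtures in this change (e.g. `"EXAMPLE_ID", "Alice", "arn:..."` is not sorted), so either the comment or the expected ordering deserves a second look.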