From b9e08ad9c10de52302d35ca7524f32609c8278dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 17 Oct 2024 17:38:58 +0200
Subject: [PATCH] Refactor config.amazonaws.com events
---
 .../elasticsearch/ingest_pipeline/default.yml | 25 +++++++++++--------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
index 3e6f6637c855..b0e266450d29 100644
--- a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
@@ -130,6 +130,19 @@ processors:
 }
 }
+ void enrichConfig(def eventSource, def eventName, def target, def related) {
+ if (eventSource != "config.amazonaws.com") {
+ return;
+ }
+
+ addField(related, "json.requestParameters.configurationRecorderName");
+
+ if (eventName == "StopConfigurationRecorder" || eventName == "StartConfigurationRecorder") {
+ addField(target, "json.requestParameters.configurationRecorderName");
+ }
+ }
+
 void enrichEc2(def eventSource, def eventName, def target, def related) {
 if (eventSource != "ec2.amazonaws.com") {
 return;
@@ -571,6 +584,7 @@ processors:
 enrichCloudformation(eventSource, eventName, target, related);
 enrichCloudtrail(eventSource, eventName, target, related);
+ enrichConfig(eventSource, eventName, target, related);
 enrichEc2InstanceConnect(eventSource, eventName, target, related);
 enrichEc2(eventSource, eventName, target, related);
 enrichElasticFileSystem(eventSource, eventName, target, related);
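Review bot: The new `target` gating in enrichConfig covers only StopConfigurationRecorder and StartConfigurationRecorder, while DeleteConfigurationRecorder, which also carries configurationRecorderName in its request parameters and is at least as relevant when watching for tampering with Config recording, falls through to the `related` enrichment only; if the intent is that recorder lifecycle calls name the recorder as the target entity, the condition should read `if (eventName == "StopConfigurationRecorder" || eventName == "StartConfigurationRecorder" || eventName == "DeleteConfigurationRecorder") {`. Note also that the target enrichment is now conditional on eventSource being "config.amazonaws.com", whereas the removed block applied it for any event source; that is a small behavioural narrowing rather than a pure refactor, though likely harmless since those event names belong to the Config API. Whether addField tolerates a missing requestParameters.configurationRecorderName on the many Config events that do not carry it is not visible in this hunk, and the removed code had the same exposure. enrichConfig is complete within the first hunk; the call added in the second hunk sits inside a block that starts and ends outside it.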
@@ -590,17 +604,6 @@ processors:
 enrichSsm(eventSource, eventName, target, related);
 enrichSts(eventSource, eventName, target, related);
 enrichWafv2(eventSource, eventName, target, related);
-
- if (eventSource == "config.amazonaws.com") {
- addField(related, "json.requestParameters.configurationRecorderName");
-
- }
-
- if (eventName == "StopConfigurationRecorder" || eventName == "StartConfigurationRecorder") {
- addField(target, "json.requestParameters.configurationRecorderName");
-
- }
 if (!target.isEmpty()) {
 field("target.entity.id").set(target);