Merge pull request #536 from Cargill/cloudtrail_mappings

Updated Cloud trail Parsing to mapp out addtional needed data
Cargill · Sep 12, 2024 · 9dd8539 · 9dd8539
2 parents 84463cf + 2a5a5d0
commit 9dd8539
Showing 1 changed file with 18 additions and 12 deletions.
diff --git a/config/processors/api_audit_aws.cloudtrail.conf b/config/processors/api_audit_aws.cloudtrail.conf
@@ -50,18 +50,24 @@ filter {
     rename => { "[aws][insightDetails][insight]" => "[rule][description]" }
     rename => { "[aws][insightDetails][insightDuration]" => "[event][duration]" }
   }
-  grok {
-    match => {
-      "[aws][userIdentity][arn]" => [
-         '^.*\/(?<[user][name]>.*?)$'
-      ]
+  if [aws][userIdentity][arn] {
+    grok {
+      match => {
+        "[aws][userIdentity][arn]" => [
+          '^(?<[user][roles]>.*\/(?<[user][name]>.*?))$'
+        ]
+      }
+      tag_on_failure => "_grokparsefailure_1"
     }
   }
-  grok {
-    match => {
-      "[aws][userIdentity][principalId]" => [
-         '^.*:(?<user_name>.*?)$'
-      ]
+  if [aws][userIdentity][principalId] {
+    grok {
+      match => {
+        "[aws][userIdentity][principalId]" => [
+         '^.*:(?<[user][id]>.*?)$'
+        ]
+      }
+      tag_on_failure => "_grokparsefailure_2"
     }
   }
   mutate {
@@ -73,8 +79,8 @@ filter {
     }
   }
   translate {
-    source => "[event][category]"
-    target => "[event][category]"
+    source => "[log][origin][function]"
+    target => "[log][origin][function]"
     dictionary => {
       "management" => "configuration"
       "Data" => "database"