Merge pull request #531 from Cargill/cloudwatch_update
Remapped user fields
MehaSal authored Sep 9, 2024
2 parents 134c28d + 5f8e3ff commit e45c351
Showing 1 changed file with 19 additions and 7 deletions.
26 changes: 19 additions & 7 deletions config/processors/api_audit_aws.cloudtrail.conf
Expand Up @@ -18,14 +18,10 @@ filter {
add_field => { "[cloud][provider]" => "aws" }
add_field => { "[event][module]" => "aws" }
add_field => { "[event][dataset]" => "aws.cloudtrail" }

add_field => { "[aws][userIdentity][principalId]" => "[cloud][service][name]" }
add_field => { "[aws][userIdentity][arn]" => "[service][name]" }

rename => { "[aws][eventVersion]" => "[service][version]" }
rename => { "[aws][eventTime]" => "[event][created]" }
rename => { "[aws][eventSource]" => "[event][kind]" }
rename => { "[aws][eventName]" => "[event][action]" }
rename => { "[aws][eventName]" => "[event][category]" }
rename => { "[aws][awsRegion]" => "[cloud][region]" }
rename => { "[aws][recipientAccountId]" => "[cloud][account][id]" }
rename => { "[aws][sourceIPAddress]" => "[source][ip]" }
Expand All @@ -35,23 +31,39 @@ filter {
rename => { "[aws][eventType]" => "[event][type]" }
rename => { "[aws][errorCode]" => "[error][code]" }
rename => { "[aws][errorMessage]" => "[error][message]" }
rename => { "[aws][requestParameters][target]" => "[destination][address]" }
rename => { "[aws][userIdentity][Type]" => "[user][target][name]" }
# userIdentity
rename => { "[aws][userIdentity][type]" => "[service][type]" }
rename => { "[aws][userIdentity][accessKeyId]" => "[transaction][id]" }
# requestParameters
rename => { "[aws][requestParameters][bucketName]" => "[file][directory]" }
rename => { "[aws][requestParameters][key]" => "[file][name]" }
rename => { "[aws][requestParameters][username]" => "[source][user][name]" }
rename => { "[aws][requestParameters][userName]" => "[source][user][name]" }
rename => { "[aws][requestParameters][policyName]" => "[source][user][roles]" }
# Insights Field to ECS 1.6
rename => { "[aws][insightDetails][eventCategory]" => "[event][category]" }
rename => { "[aws][insightDetails][eventCategory]" => "[log][origin][function]" }
rename => { "[aws][insightDetails][state]" => "[service][state]" }
rename => { "[aws][insightDetails][insightType]" => "[event][type]" }
rename => { "[aws][insightDetails][statistics]" => "[error][message]" }
rename => { "[aws][insightDetails][baseline]" => "[rule][name]" }
rename => { "[aws][insightDetails][insight]" => "[rule][description]" }
rename => { "[aws][insightDetails][insightDuration]" => "[event][duration]" }
}
grok {
match => {
"[aws][userIdentity][arn]" => [
'^.*\/(?<[user][name]>.*?)$'
]
}
}
grok {
match => {
"[aws][userIdentity][principalId]" => [
'^.*:(?<user_name>.*?)$'
]
}
}
mutate {
remove_field => ["aws"]
}
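Review bot: The second grok writes its capture to a flat `user_name` field while the first writes to `[user][name]`, so the value derived from `[aws][userIdentity][principalId]` lands outside the ECS `user.*` namespace and is inconsistent with the arn-derived one; either use `'^.*:(?<[user][name]>.*?)$'` or, if both values should survive, a distinct ECS field. Both grok filters also run on every event, and whenever the source field is absent (CloudTrail records without a userIdentity.arn, presumably) the event is tagged `_grokparsefailure`, so each should be guarded with `if [aws][userIdentity][arn] { … }` (and likewise for principalId) or given `tag_on_failure => []`. The closing `mutate { remove_field => ["aws"] }` then drops the full ARN and principal id after only their suffixes were captured, which weakens attribution of the audit record across accounts and roles; adding `rename => { "[aws][userIdentity][arn]" => "[user][id]" }` to that last mutate before `remove_field` (rename is applied before the common remove_field option) would keep the full identifier. Which of these lines are new and which are context cannot be recovered from the rendered page, so the grok points apply to whichever block this commit introduced.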
