Change log for AWS_CLOUDTRAIL

Date Changes
2024-11-25 Enhancement:
- Mapped "Metadata.Product.Version" to "metadata.product_version".
- Mapped "Event_code" to "security_result.detection_fields".
- Mapped "Metadata.Uid" to "metadata.product_log_id".
- Mapped "Cloud.Region" to "principal.location.country_or_region".
- Mapped "target.resource.attribute.cloud.environment" to "AMAZON_WEB_SERVICES" when "Cloud.Provider" is "AWS".
- Mapped "credentials.sessionToken" to "security_result.detection_fields".
- Mapped "Api.Operation" to "additional.fields".
- Mapped "Api.Service.Name" to "principal.resource.name".
- Mapped "roleArn" to "target.url".
- Mapped "roleSessionName" to "target.resource.name".
- Mapped "Api.Request.Uid" to "additional.fields".
- Mapped "Actor.User.Type" to "principal.resource.resource_subtype" and "principal.resource.type".
- Mapped "Actor.User.Uid_alt" to "additional.fields".
- Mapped "Actor.User.Uid" to "principal.user.userid".
- Mapped "Actor.User.Account.Uid" to "additional.fields".
- Mapped "Actor.User.Credential_uid" to "additional.fields".
- Mapped "Actor.Session.Issuer" to "security_result.detection_fields".
- Mapped "Session.Credential_uid" to "additional.fields".
- Mapped "Actor.Invoked_by" to "principal.user.userid".
- Mapped "Http_request.User_agent" to "network.http.user_agent".
- Mapped "Src_endpoint.Ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Src_endpoint.Domain" to "principal.domain.name".
- Mapped "Class_name" to "additional.fields".
- Mapped "Class_uid" to "security_result.detection_fields".
- Mapped "Category_name" to "security_result.detection_fields".
- Mapped "security_result.severity" to "INFORMATIONAL" when "Severity" is "Informational".
- Mapped "Activity_name" to "metadata.product_event_type".
- Mapped "Activity_id" to "security_result.detection_fields".
- Mapped "Type_uid" to "security_result.detection_fields".
- Mapped "Type_name" to "security_result.detection_fields".
- Mapped "Unmapped.managementEvent" to "additional.fields".
- Mapped "Unmapped.readOnly" to "additional.fields".
- Mapped "Unmapped.recipientAccountId" to "target.resource.id".
- Mapped "Unmapped.resources[].ARN" to "additional.fields".
- Mapped "Unmapped.resources[].type" to "target.resource.type".
- Mapped "credentials.accessKeyId" to "target.resource.product_object_id".
- Mapped "credentials.expiration" to "security_result.detection_fields".
- Mapped "Unmapped.tlsDetails.cipherSuite" to "network.tls.cipher".
- Mapped "Unmapped.tlsDetails.clientProvidedHostHeader" to "security_result.detection_fields".
- Mapped "Unmapped.sharedEventID" to "target.resource.attribute.labels".
- Mapped "Unmapped.tlsDetails.tlsVersion" to "network.tls.version".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.principalId" to "target.user.userid".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.type" to "target.user.attribute.labels".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.userName" to "target.user.user_display_name".
- Depending on the "arr.Type_id" value, the value of each array element is assigned to different properties of the observer object: "observer.hostname" for 1, "observer.ip" for 2, "observer.user.user_display_name" for 4, and "observer.resource.product_object_id" for 10.
2024-11-14 Enhancement:
- Added support to handle new JSON log format.
2024-11-07 Enhancement:
- When "eventName" is "DeleteBackupSelection", "metadata.event_type" is mapped to "RESOURCE_DELETION".
2024-10-03 Enhancement:
- Added validation check for "metadata.event_type" with value "USER_UNCATEGORIZED".
2024-09-18 Enhancement:
- Mapped "readOnly" to "additional.fields".
2024-07-30 Enhancement:
- Fixed the mapping of "src_ip" and "event_type" to parse the new logs.
2024-07-29 Bug-Fix:
- When "eventName" is "GetLoginProfile", "metadata.event_type" is mapped to "RESOURCE_READ".
2024-07-24 Enhancement:
- Changed the mapping from "recipientAccountId" to "userIdentity.accountId" and mapped it to "additional.fields".
2024-07-23 Enhancement:
- Mapped "alert_emails" and "owner_names" to "target.resource.attribute.labels".
2024-07-09 Enhancement:
- Mapped "eventVersion" to "metadata.product_version".
- Mapped "userIdentity.principalId" to "principal.user.attribute.labels".
- Mapped "userIdentity.sessionContext.attributes.creationDate" to "principal.user.attribute.creation_time".
- Mapped "userIdentity.sessionContext.sessionIssuer.type" to "target.user.attribute.labels".
- Mapped "additionalEventData.bytesTransferredIn" to "network.received_bytes".
- Mapped "additionalEventData.bytesTransferredOut" to "network.sent_bytes".
- Mapped "managementEvent", "readOnly", "sharedEventID", "apiVersion", "additionalEventData.x-amz-id-2", "additionalEventData.SignatureVersion", "additionalEventData.AuthenticationMethod", "additionalEventData.CipherSuite", and "additionalEventData.sub" to "additional.fields".
2024-06-24 Enhancement:
- Updated the mapping from "principal.resource.type" to "principal.resource.resource_subtype" since the field "principal.resource.type" is a deprecated field.
2024-05-21 Enhancement:
- When "requestParameters.bucketPolicy.Statement.n.Resource" is an array, mapped it to "additional.fields".
2024-05-09 Enhancement:
- Mapped the "groupid" part from "principal.user.userid" to "principal.user.groupid" and "principal.user.group_identifiers" when the "userid" matches the format "^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$".
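Worked example of the regex quoted in this entry, added here and not taken from the parser. It applies the changelog's pattern to a few constructed assumed-role ARNs and splits out the account id, role name and session name. The changelog does not say which of these is the "groupid" part, and the relaxed comparison pattern (with the `+=,.@-` characters IAM allows in role and session names) is an assumption for illustration, not something the changelog states.

```python
import re

# Regex quoted in the 2024-05-09 entry: anchored at both ends, numeric account
# id, and only \w characters ([A-Za-z0-9_]) in the role and session names.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$")

# Constructed, broader pattern for comparison (assumption, not from the
# changelog): IAM role and session names may also contain + = , . @ and -.
ASSUMED_ROLE_RELAXED_RE = re.compile(
    r"^arn:aws:sts::(\d+):assumed-role/([\w+=,.@-]+)/([\w+=,.@-]+)$")


def split_assumed_role_arn(userid, pattern=ASSUMED_ROLE_RE):
    """Return (account_id, role_name, session_name) when `userid` matches
    `pattern`, else None. The changelog maps the "groupid" part of the userid
    to principal.user.groupid; which of these parts that is, it does not say."""
    if not pattern.match(userid):
        return None
    # The anchored match guarantees this exact shape, so plain splits are safe:
    # arn:aws:sts::<account>:assumed-role/<role>/<session>
    account_id = userid.split(":")[4]
    _, role_name, session_name = userid.split(":", 5)[5].split("/")
    return account_id, role_name, session_name


if __name__ == "__main__":
    # Constructed sample userids.
    for uid in ("arn:aws:sts::123456789012:assumed-role/Admin/alice",
                "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"):
        print(uid, "->", split_assumed_role_arn(uid))
```

Because `\w` excludes the hyphen, a hyphenated role or session name such as `ci-deploy/build-42` does not match the changelog's pattern, so any detection that relies on "principal.user.groupid" being populated for assumed-role sessions should not assume it is present for every STS userid.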
2024-04-30 Enhancement:
- Mapped "req.requestParameters.networkInterfaceSet.items.associatePublicIpAddress" to "target.resource.attribute.labels".
2024-03-22 Enhancement:
- Mapped "Noun.user.userid" to "Noun.user.product_object_id".
- Mapped "RoleName" from "userIdentity.arn" to "principal.user.role_name" and "principal.user.attribute.roles.name".
- Mapped "PolicyName" from "requestParameters.policyArn" to "security_result.rule_name".
2024-03-04 Enhancement:
- For logs having "eventName" as "TerminateInstances":
- Mapped "responseElements" JSON Object to "target.resource.attribute.labels".
- Mapped "sessionCredentialFromConsole" to "target.resource.attribute.labels".
- For logs where "eventName" is "CreateDomain", "DeleteDomain", "CreateCollection",
"DeleteCollection", "CreateDBCluster", "DeleteDBCluster", "StopDBCluster", "StartDBCluster",
"CreateCluster", "DeleteCluster", "ListClusters", "CreateNodegroup", "DeleteNodegroup",
"RegisterCluster", "DeregisterCluster", "DescribeCluster", "DescribeNodegroup", "ListNodegroups":
- Set "target.resource.resource_type" to "CLUSTER".
2023-11-21 Enhancement:
- Mapped "awsRegion" to "target.location.name".
- For logs having "eventName" as "PutBucketAcl", when "userIdentity.arn" is not present, set "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" as prefix "Get", "List", "Describe", "Detect", "Query", "Check", "Decode",
"Decrypt", "Download", "Retrieve", "Read", "Discover", "Lookup", "Preview", "Scan", "Select", "Classify", "Show", "View":
- Set "metadata.event_type" to "RESOURCE_READ".
- For logs having "eventName" as prefix "Delete", "Terminate":
- Set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" as prefix "Create", "Put", "Import", "Generate", "Allocate":
- Set "metadata.event_type" to "RESOURCE_CREATION".
- For logs having "eventName" as prefix "Start", "Activate", "Reboot", "Initialize", "New":
- Set "metadata.event_type" to "STATUS_STARTUP".
- For logs having "eventName" as prefix "Stop", "Cancel", "Disconnect":
- Set "metadata.event_type" to "STATUS_SHUTDOWN".
- For logs having "eventName" as prefix "Test", "Accept", "Notify", "Request", "Validate", "Confirm", "Reject", "Verify", "Authorize", "Complete":
- Set "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" as prefix "Assume", "ConsoleLogin":
- Set "metadata.event_type" to "USER_LOGIN".
- For logs having "eventName" as "SendHeartbeat":
- Set "metadata.event_type" to "STATUS_HEARTBEAT".
- For logs having "eventName" as prefix "Initiate", "Publish", "Replace", "Resume", "Run", "Submit", "Suspend",
"Alter", "Increase", "Invite", "Provision", "Refresh", "Report", "Upgrade", "Abort", "Apply", "Backup", "Decrease",
"Merge", "Retry", "Rotate", "Rotation", "Transfer", "Unassign", "Analyze", "Archive", "Beta_", "Clear", "Configure",
"Confirm_", "Do", "Evaluate", "Failover", "Forgot", "Lock", "Migrate", "O", "Process", "Promote", "Release", "Renew",
"Sign", "Unarchive", "Undeprecate", "Unlock", "Acknowledge", "Approve", "Connect", "Continue", "Decline", "Deploy",
"Diagnostic", "Drop", "Exit", "Finalize", "Flush", "Forget", "Grant", "Issue", "Logout", "Move", "Opt", "Pause",
"Rebuild", "Redeem", "Replicate", "Restart", "S", "Save", "Subscribe", "Sync", "Unlink", "Unsubscribe", "Unsuspend",
"Allow", "Ato", "Back", "Backtrack", "Bid", "Bind", "Build", "Bundle", "Clone", "Close", "Cognito", "Console", "Dispose",
"Dissociate", "End", "Enroll", "Enter", "Environment", "Event_", "Exclude", "Global", "Include", "Index", "Insert", "Install",
"Invalidate", "Join", "Leave", "Load", "Managed", "Mark", "Monitor", "Peer", "Persist", "Prepare", "Pubkey", "Purge", "Push",
"Rebalance", "Record", "Recovery", "Redact", "Refuse", "Reinvite", "Reload", "Rename", "Respond", "Resync", "Retire", "Reverse",
"Rollback", "Schedule", "Secret", "Shutdown", "Signal", "Skip", "Split", "Stream", "Swap", "Switch", "Toggle", "Token_",
"Translate", "Trim", "Unauthorize", "Undeploy", "Unmonitor", "Unpeer", "Use":
- Set "metadata.event_type" to "RESOURCE_WRITTEN".
- For logs having "eventName" as prefix "Update", "Associate", "Disassociate", "Modify", "Set", "Register", "Deregister",
"Add", "Remove", "Enable", "Disable", "Send", "Restore", "Reset", "Attach", "Detach", "Export", "Copy", "Tag",
"Untag", "Execute", "Purchase", "Allocate", "Deactivate", "Post", "Resend", "Upload", "Assign", "Change", "Define",
"Deprecate", "Invoke", "Revoke":
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
2023-11-11 Enhancement:
- Initialized variables to null or empty to avoid duplicate mappings.
- When "requestParameters.tagSpecificationSet.items.key" is "Hostname", mapped to "target.hostname".
2023-10-27 Enhancement:
- For logs having "eventName" as "AssociateIamInstanceProfile":
- Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
- For logs having "eventName" as "DisassociateIamInstanceProfile":
- Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
- For logs having "eventName" as "ReplaceIamInstanceProfileAssociation":
- Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
- Mapped the "requestParameters" and "responseElements" JSON objects to "target.resource.attribute.labels".
- Corrected the typo "req.userIdentity.username" to "req.userIdentity.userName".
2023-10-13 Enhancement:
- For logs having "eventName" as "UpdateDetector":
- Mapped "requestParameters.features.name" and "requestParameters.features.status" to "target.resource.attribute.labels".
- For logs having "eventName" as "SendCommand":
- Mapped "requestParameters.documentName" to "target.resource.product_object_id".
- Mapped "responseElements.command.commandId" to "target.process.product_specific_object.id".
- Mapped "metadata.event_type" to "PROCESS_LAUNCH".
- Mapped "requestParameters.documentName" to "target.resource.name".
- Mapped all the parameters in "requestParameters" and "responseElements" to "target.resource.attribute.labels".
- For logs having "eventName" as "createAccountResult" map "event_type" as "USER_RESOURCE_ACCESS".
- For logs having "eventName" as "createAccount" map "event_type" as "RESOURCE_CREATION".
2023-09-30 Enhancement: Add new mappings for the following fields:
- Mapped "req.requestParameters.durationSeconds" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.policyArns" to "target.resource.attribute.labels".
- For logs having "eventName" as "GetParameter", "GetParameters", "GetParameterHistory", "GetParametersByPath", "DescribeParameters":
- Mapped "metadata.event_type" to "RESOURCE_READ".
- Mapped "req.requestParameters.withDecryption" to "security_result.detection_fields".
- For logs having "eventName" as "DeleteParameters","DeleteParameter", set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" as "PutParameter", set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- For logs having "eventName" as "EnableRegion" or "DisableRegion", set "target.resource.name" from "req.requestParameters.map.RegionName".
- For logs having "eventName" as "GetFederationToken":
- Mapped "metadata.event_type" to "RESOURCE_READ".
- Mapped "req.responseElements.federatedUser.arn" to "target.resource.name".
- Mapped "req.responseElements.federatedUser.federatedUserId" to "target.user.userid".
- Mapped "req.responseElements.packedPolicySize" to "security_result.detection_fields".
- Mapped "req.responseElements.credentials.sessionToken" to "security_result.detection_fields".
2023-09-15 Enhancement: Add new mappings for the following fields:
- Mapped "requestParameters.userName" to "target.user.user_display_name".
- Mapped "additionalEventData.SamlProviderArn" to "additional.fields".
- Mapped "eventSource" to "metadata.ingestion_labels".
- When the value of "requestParameters.tagSpecificationSet.items.tags.key" is "Name", mapped "requestParameters.tagSpecificationSet.items.tags.value" to "target.resource.name".
2023-08-24 Enhancement:
- For logs having "eventName" as "CreateSubnet", set "metadata.event_type" to "RESOURCE_CREATION".
- Mapped "req.responseElements.subnet.subnetId" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.cidrBlock" to "target.resource.attribute.labels".
- For logs having "eventName" as "DeleteSubnet", set "metadata.event_type" to "RESOURCE_DELETION".
- Mapped "req.requestParameters.subnetId" to "target.resource.attribute.labels".
2023-08-24 Enhancement:
- For logs having "eventName" as "CreateSubnet", set "metadata.event_type" to "RESOURCE_CREATION".
- Mapped "req.responseElements.subnet.subnetId" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.cidrBlock" to "target.resource.attribute.labels".
- For logs having "eventName" as "DeleteSubnet", set "metadata.event_type" to "RESOURCE_DELETION".
- Mapped "req.requestParameters.subnetId" to "target.resource.attribute.labels".
2023-08-16 Enhancement:
- For logs having "eventName" as "DeleteSecret", mapped "responseElements.arn" to "target.resource.name".
2023-08-02 Enhancement:
- For logs having "eventName" as "CreateTags", mapped "metadata.event_type" to "RESOURCE_WRITTEN".
- Mapped "responseElements.description", "requestParameters.name", "requestParameters.tagSet.items", "requestParameters.attributeType" to "target.resource.attribute.labels".
- Set "metadata.event_type" to "RESOURCE_CREATION" for logs having the following "eventName":
"CreateNetworkAcl","CreateVolume","CreatePublishingDestination","CreateIPSet","CreateThreatIntelSet",
"CreateAddon","CreateRepository","CreateStack","CreateDomain","CreateCollection","CreateTable",
"CreateDBInstance","CreateDBCluster","CreateDBSnapshot","CreateDBClusterSnapshot","PutConfigRule",
"PutDeliveryChannel","CreateListener","CreateLoadBalancer","PutLoggingConfiguration","CreateTargetGroup",
"CreateWebACL","RequestCertificate","CreateCluster"
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName":
"MoveAccount","PutEventSelectors","PutInsightSelectors","UpdateIPSet","UpdateThreatIntelSet","CreateTags",
"UpdateTable","ModifyDBInstance","StopDBInstance","StartDBInstance","RebootDBInstance",
"StartDBCluster","StopDBCluster","ModifyDBSnapshotAttribute","ModifyDBClusterSnapshotAttribute",
"AddListenerCertificates","ModifyLoadBalancerAttributes","SetSubnets","SetSecurityGroups",
"ModifyListener","UpdateWebACL","ResendValidationEmail","ModifyInstanceAttribute",
"StopInstances","StartInstances","RebootInstances"
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName":
"DeletePublishingDestination","DeleteIPSet","DeleteThreatIntelSet","DeleteRepository",
"DeleteStack","DeleteCollection","DeleteDomain","DeleteTable","DeleteDBInstance","DeleteDBCluster",
"DeleteDBSnapshot","DeleteDBClusterSnapshot","DeleteConfigRule","DeleteEvaluationResults",
"DeleteTargetGroup","DeleteLoadBalancer","DeleteListener","DeleteLoggingConfiguration",
"DeleteWebACL","DeleteCertificate","DeleteCluster"
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE" for logs having the following "eventName":
"AssociateWebACL","DisassociateWebACL","AttachGroupPolicy","PutBucketAcl"
- Set "metadata.event_type" to "RESOURCE_READ" for logs having the following "eventName":
"GetPasswordData","GetSessionToken"
- Mapped "target.resource.resource_type" and other unmapped fields for the above-mentioned event names.
2023-07-18 Enhancement:
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_CREATION".
"EnableMacie","ConnectDirectory","RunInstances","CreateImage","CreateOrganization", "CreateNetworkInterface",
"StartSSO","CreateEmailIdentity","VerifyDomainIdentity","VerifyDomainDkim","VerifyEmailIdentity",
"CreateConfigurationSet","CreateSecret","ImportKeyPair","CreateAlias","CreateKey","CreateOrganizationalUnit",
"CreateNetworkAcl","CreateVolume","CreatePublishingDestination","CreateIPSet","CreateThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_WRITTEN".
"UpdateMacieSession","PutAccountSendingAttributes","PutConfigurationSetSendingOptions","UpdateAccountSendingEnabled",
"UpdateConfigurationSetSendingEnabled","UpdateSecret","DisableKey","EnableKey","CancelKeyDeletion",
"MoveAccount","PutEventSelectors","PutInsightSelectors","UpdateIPSet","UpdateThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_DELETION".
"DeleteSnapshot","DeleteDetector","DeleteFlowLogs","DeregisterImage","TerminateInstances", "RESOURCE_DELETION",
"DeleteNetworkInterface","DeleteSSO","DeleteBucketPublicAccessBlock","DeleteAccountPublicAccessBlock",
"RemoveAccountFromOrganization","DeleteEmailIdentity","LeaveOrganization","DeleteConfigurationSet",
"DeleteSecret","DeleteKeyPair","DeleteAlias","ScheduleKeyDeletion","DeleteNetworkAcl",
"DeletePublishingDestination","DeleteIPSet","DeleteThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
"DetachRolePolicy","PutRolePolicy","PutResourcePolicy","PutCredentials","DeleteDirectory",
"AuthorizeSecurityGroupEgress","AuthorizeSecurityGroupIngress","RevokeSecurityGroupEgress","RevokeSecurityGroupIngress",
"ModifySnapshotAttribute","ModifyImageAttribute","CreateNetworkAclEntry","ReplaceNetworkAclAssociation","DeleteNetworkAclEntry"
- Mapped "target.resource.resource_type" and other unmapped fields for the above-mentioned event names.
- Added a null check before mapping field "userIdentity.invokedBy".
2023-07-06 Enhancement:
- Added null check before mapping field "userIdentity.invokedBy".
- Mapped "requestParameters.instanceType","requestParameters.instancesSet.items.0.minCount","requestParameters.instancesSet.items.0.maxCount" to "target.resource.attribute.labels".
2023-06-23 Enhancement: Mapped logs to more specific "metadata.event_type" based on the field "eventName".
- Mapped "target.resource.resource_type" as "VIRTUAL_MACHINE".
- Mapped "requestParameters.status", "responseElements.certificate.status" to "target.resource.attribute.labels".
- Mapped "requestParameters.instanceId" to "target.resource_ancestors.product_object_id".
- Mapped "requestParameters.userName" to "target.user.userid".
- Mapped "target.resource.name" and "target.resource.product_object_id" based upon keys present under each "eventName".
- Mapped "userIdentity.arn" to "principal.resource.name".
- Mapped "userIdentity.accountId" to "principal.resource.product_object_id".
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_CREATION".
"CreateTrail","AllocateAddress","CreateVolume","CreateVirtualMFADevice","UploadSigningCertificate",
"CreateAccessKey","UploadSSHPublicKey","CreateServiceSpecificCredential","UploadCloudFrontPublicKey",
"CreateAnalyzer","CreateSAMLProvider","PutConfigurationRecorder","CreateRole","CreateInstanceProfile",
"CreateExportTask","CreateLogGroup","EnableSecurityHub","CreateEnvironment","CreateSession","CreateServiceLinkedRole",
"CreateSnapshot","CreateKeyPair","CreateSecurityGroup","CreateDetector","CreateFlowLogs",
"EnableMacie","ConnectDirectory","RunInstances","CreateImage","CreateOrganization"
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_WRITTEN".
"StartLogging","StopLogging","AssociateAddress","DisassociateAddress","DetachVolume",
"AttachVolume","ModifyVolume","EnableMFADevice","ResyncMFADevice","UpdateSigningCertificate",
"UpdateAccessKey","UpdateSSHPublicKey","ResetServiceSpecificCredential","UpdateServiceSpecificCredential",
"UpdateCloudFrontPublicKey","DisableRegion","EnableRegion","UpdateSAMLProvider","StartConfigurationRecorder",
"StopConfigurationRecorder","PutRetentionPolicy","PutDataProtectionPolicy","UpdateDetector","UpdateMacieSession"
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_DELETION".
"DeleteTrail","ReleaseAddress","DeleteVolume","DeactivateMFADevice","DeleteVirtualMFADevice",
"DeleteSigningCertificate","DeleteAccessKey","DeleteSSHPublicKey","DeleteServiceSpecificCredential",
"DeleteCloudFrontPublicKey","DeleteAnalyzer","DeleteSAMLProvider","DeleteConfigurationRecorder",
"DeletePolicy","DeleteRole","DeleteInstanceProfile","DeleteLogGroup","DisableSecurityHub","DisableMacie",
"DeleteSnapshot","DeleteDetector","DeleteFlowLogs","DeregisterImage","TerminateInstances"
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
"AttachUserPolicy","DetachUserPolicy","PutUserPolicy","DeleteUserPolicy",
"PutUserPermissionsBoundary","DeleteUserPermissionsBoundary","AttachRolePolicy",
"DetachRolePolicy","PutRolePolicy","PutResourcePolicy","PutCredentials","DeleteDirectory"
2023-06-09 Enhancement:
- Modified the regex to identify the JSON Array logs.
2023-06-07 Enhancement:
- Mapped all the "principal.user" fields to "target.user" for "eventName" as "ConsoleLogin".
2023-05-26 Enhancement:
- Parsed logs with a different JSON pattern.
- Mapped "cipherSuite" to "network.tls.cipher".
- Mapped "requestID" to "target.resource.attribute.labels".
- Mapped "assumedRoleId" to "security_result.about.resource.name".
- Mapped "roleSessionName" to "target.resource.name".
- Mapped "roleArn" to "target.resource.product_object_id".
- Mapped "userAgent" to "network.http.user_agent".
- Mapped "sourceIPAddress" to "principal.ip".
- Mapped "sessionIssuer.userName" to "target.user.user_display_name".
- Mapped "sessionIssuer.principalId" to "target.user.userid".
- Mapped "userIdentity.accessKeyId" to "target.resource.product_object_id".
- Mapped "userIdentity.arn" to "security_result.about.resource.id".
- Mapped "req.detail.Longitude" to "_principal.location.region_longitude".
- Mapped "req.detail.Latitude" to "_principal.location.region_latitude".
- Mapped "detail.resourceType" to "target.resource.resource_subtype".
- Set "security_result.alert_state" to "ALERTING".
- Mapped "req.detail.recommendRemediation" to "security_result.action_details".
- Mapped "eventLog.detail.eventName" to "metadata.product_event_type".
2023-02-23 Enhancement:
- Mapped "requestParameters.principalArn" to "principal.resource.name".
- Mapped "resources.ARN" to "about.resource.name".
2022-11-24 Fix:
- Parsed new-format logs that contain "configurationItem" by mapping the following fields.
- Mapped "configurationItem.awsAccountId" to "principal.user.userid".
- Mapped "configurationItem.resourceId" to "target.resource.id".
- Mapped "configurationItem.resourceType" to "target.resource.resource_subtype".
- Mapped "configurationItem.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItem.configurationItemCaptureTime" to "target.asset.attribute.creation_time".
- Mapped "configurationItem.configurationItemStatus" to "target.asset.attribute.labels".
- Mapped "configurationItems.ARN" to "target.resource.attribute.labels".
- Mapped "configurationItems.availabilityZone" to "target.resource.attribute.cloud.availability_zone".
- Mapped "configurationItems.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItems.awsAccountId" to "principal.user.userid".
- Mapped "configurationItems.configuration.activityStreamStatus" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.allocatedStorage" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.autoMinorVersionUpgrade" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.backupRetentionPeriod" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.copyTagsToSnapshot" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.dbClusterResourceId" to "target.resource.product_object_id".
- Mapped "configurationItems.configuration.masterUsername" to "principal.user.user_display_name".
- Mapped "configurationItems.resourceName" to "target.resource.name".
2022-10-13 Enhancement:
- For "eventName": "CreateAccessKey" mapped the field "responseElements.accessKey.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "UpdateAccessKey" mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "DeleteAccessKey" mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "CreateUser" mapped the field "responseElements.user.userId" to "target.user.product_object_id".
- Mapped the field "eventTime" to "metadata.collected_timestamp".
2022-07-27 Enhancement:
- Added eventType "QueryDatabase" and mapped its fields.
- Modified conditions for principal.ip or principal.host for handling new logs.
- Changed the mapping of "requestParameters.roleArn", "requestParameters.registryId", "resources.accountId" from "target.resource.id" to "target.resource.product_object_id".
- Modified the parsing condition for "req_params" to extract the values.
2022-07-08 Enhancement:
- Modified mapping for "req.requestParameters.roleName" from "target.user.role_name" to "target.user.attribute.roles".
2022-07-06 - Changed mapping of "req.awsRegion" from "_principal.location.country_or_region" to "_principal.location.name".
- Modified event_type from "GENERIC_EVENT" to "USER_LOGIN" for eventName "AssumeRole".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS" for eventName "PutImage", "GetDownloadUrlForLayer" or "BatchGetImage".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_DELETION" for eventName "DeleteNetworkInterface".
2022-06-06 For eventName "CreateUser/DeleteUser", modified the condition for handling the "src" mapping, as the existing one failed for new logs.
Modified the "puserId" field to handle new unparsed logs.
2022-05-27 Enhancement - Modified the value stored in metadata.product_name to "AWS CloudTrail".
2022-04-13 Enhancement to map the following raw log elements to UDM elements:
Mapped the fields "requestParameters.PublicAccessBlockConfiguration.IgnorePublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.RestrictPublicBuckets", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicPolicy", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.IgnorePublicAcls", "additionalEventData.configRuleInputParameters.RestrictPublicBuckets", "additionalEventData.configRuleInputParameters.BlockPublicPolicy", "additionalEventData.configRuleInputParameters.BlockPublicAcls", "additionalEventData.configRuleInputParameters.IgnorePublicAcls" to "target.resource.attribute.labels".