aws.cloudtrail: improve CloudTrail user identity processing (#15601)

AWS Cloudtrail: it has been updated how IAM users are handled. In particular, for the user identity IAMUser type, the user.name and user.id are populated with the user fields that made the action/request. For the user identity AssumedRole type, AWS SIEM rules need roles to be treated as IAMUsers in order to work fine. So the role identifies inside sessionIssuer populate user.* fields. Then, the session name is being mapped as user.changes.name as it can be interpreted as the name the user is taking for that particular session, and it's the closest approach in ECS.

Author: chemamartinez

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "5.2.0"
+ changes:
+ - description: Normalize user fields for AWS CloudTrail events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15601
 - version: "5.1.0"
  changes:
  - description: Set `event.kind` to `alert` on AWS WAF events.

packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log-expected.json

@@ -122,4 +122,4 @@
  ]
  }
  ]
-}
+}

packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log-expected.json

@@ -132,4 +132,4 @@
  ]
  }
  ]
-}
+}

packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log-expected.json

@@ -103,4 +103,4 @@
  ]
  }
  ]
-}
+}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json

@@ -113,7 +113,8 @@
  ],
  "user": [
  "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
- "JohnDoe"
+ "JohnDoe",
+ "JohnRole1"
  ]
  },
  "source": {
@@ -144,6 +145,9 @@
  }
  },
  "user": {
+ "changes": {
+ "name": "JohnRole1"
+ },
  "entity": {
  "id": [
  "arn:aws:iam::111111111111:role/JohnRole1"
@@ -290,7 +294,8 @@
  ],
  "user": [
  "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
- "JohnDoe"
+ "JohnDoe",
+ "JohnRole1"
  ]
  },
  "source": {
@@ -321,6 +326,9 @@
  }
  },
  "user": {
+ "changes": {
+ "name": "JohnRole1"
+ },
  "entity": {
  "id": [
  "arn:aws:iam::111111111111:role/JohnRole1"

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json

@@ -57,15 +57,6 @@
  ]
  }
  },
- "service": {
- "target": {
- "entity": {
- "id": [
- "arn:aws:iam::aws:policy/AdministratorAccess"
- ]
- }
- }
- },
  "event": {
  "action": "AttachUserPolicy",
  "category": [
@@ -94,9 +85,19 @@
  "user": [
  "pwncloud-backdoor-user",
  "PRINCIPALID:i-06815aa7cf7d21f8f",
- "ec2-instance-role"
+ "ec2-instance-role",
+ "i-06815aa7cf7d21f8f"
  ]
  },
+ "service": {
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::aws:policy/AdministratorAccess"
+ ]
+ }
+ }
+ },
  "source": {
  "address": "216.160.83.56",
  "as": {
@@ -137,6 +138,9 @@
  "version_protocol": "tls"
  },
  "user": {
+ "changes": {
+ "name": "i-06815aa7cf7d21f8f"
+ },
  "entity": {
  "id": [
  "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f"

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json

@@ -77,6 +77,15 @@
  "test@elastic.co"
  ]
  },
+ "service": {
+ "target": {
+ "entity": {
+ "id": [
+ "arn:aws:iam::aws:policy/SecurityAudit"
+ ]
+ }
+ }
+ },
  "source": {
  "address": "216.160.83.56",
  "as": {
@@ -108,15 +117,6 @@
  ]
  }
  },
- "service": {
- "target": {
- "entity": {
- "id": [
- "arn:aws:iam::aws:policy/SecurityAudit"
- ]
- }
- }
- },
  "tls": {
  "cipher": "TLS_AES_128_GCM_SHA256",
  "client": {

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json

@@ -108,7 +108,8 @@
  ],
  "user": [
  "PRINCIPALID:i-06815aa7cf7d21f8f",
- "ec2-instance-role"
+ "ec2-instance-role",
+ "i-06815aa7cf7d21f8f"
  ]
  },
  "service": {
@@ -161,6 +162,9 @@
  "version_protocol": "tls"
  },
  "user": {
+ "changes": {
+ "name": "i-06815aa7cf7d21f8f"
+ },
  "entity": {
  "id": [
  "arn:aws:sts::000000000:assumed-role/ec2-instance-role/i-06815aa7cf7d21f8f"

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json

@@ -322,7 +322,8 @@
  ],
  "user": [
  "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
- "RoleToBeAssumed"
+ "RoleToBeAssumed",
+ "MySessionName"
  ]
  },
  "source": {
@@ -352,6 +353,9 @@
  "actor_target_mapping"
  ],
  "user": {
+ "changes": {
+ "name": "MySessionName"
+ },
  "entity": {
  "id": [
  "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName"

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json

@@ -78,7 +78,8 @@
  ],
  "user": [
  "PRINCIPALID:i-03cd6b2a7eb4bf3ae",
- "private-ec2-instance-role"
+ "private-ec2-instance-role",
+ "i-03cd6b2a7eb4bf3ae"
  ]
  },
  "source": {
@@ -120,6 +121,9 @@
  "version_protocol": "tls"
  },
  "user": {
+ "changes": {
+ "name": "i-03cd6b2a7eb4bf3ae"
+ },
  "entity": {
  "id": [
  "arn:aws:sts::00000000000:assumed-role/private-ec2-instance-role/i-03cd6b2a7eb4bf3ae"