Change log for AWS_CLOUDTRAIL

Date Changes
2024-10-03 Enhancement:
- Added validation check for "metadata.event_type" with value "USER_UNCATEGORIZED".
2024-09-18 Enhancement:
- Mapped "readOnly" to "additional.fields".
2024-07-30 Enhancement:
- Fixed the mapping of "src_ip" and "event_type" to parse the new logs.
2024-07-29 Bug-Fix:
- When "eventName" is "GetLoginProfile", "metadata.event_type" is mapped to "RESOURCE_READ".
2024-07-24 Enhancement:
- Changed the mapping from "recipientAccountId" to "userIdentity.accountId" and mapped it to "additional.fields".
2024-07-23 Enhancement:
- Mapped "alert_emails" and "owner_names" to "target.resource.attribute.labels".
2024-07-09 Enhancement:
- Mapped "eventVersion" to "metadata.product_version".
- Mapped "userIdentity.principalId" to "principal.user.attribute.labels".
- Mapped "userIdentity.sessionContext.attributes.creationDate" to "principal.user.attribute.creation_time".
- Mapped "userIdentity.sessionContext.sessionIssuer.type" to "target.user.attribute.labels".
- Mapped "additionalEventData.bytesTransferredIn" to "network.received_bytes".
- Mapped "additionalEventData.bytesTransferredOut" to "network.sent_bytes".
- Mapped "managementEvent", "readOnly", "sharedEventID", "apiVersion", "additionalEventData.x-amz-id-2", "additionalEventData.SignatureVersion", "additionalEventData.AuthenticationMethod", "additionalEventData.CipherSuite", and "additionalEventData.sub" to "additional.fields".
2024-06-24 Enhancement:
- Updated the mapping from "principal.resource.type" to "principal.resource.resource_subtype" since the field "principal.resource.type" is a deprecated field.
2024-05-21 Enhancement:
- When "requestParameters.bucketPolicy.Statement.n.Resource" is an array, mapped it to "additional.fields".
2024-05-09 Enhancement:
- Mapped the "groupid" part from "principal.user.userid" to "principal.user.groupid" and "principal.user.group_identifiers" when the "userid" matches the format "^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$".
2024-04-30 Enhancement:
- Mapped "req.requestParameters.networkInterfaceSet.items.associatePublicIpAddress" to "target.resource.attribute.labels".
2024-03-22 Enhancement:
- Mapped "Noun.user.userid" to "Noun.user.product_object_id".
- Mapped "RoleName" from "userIdentity.arn" to "principal.user.role_name" and "principal.user.attribute.roles.name".
- Mapped "PolicyName" from "requestParameters.policyArn" to "security_result.rule_name".
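The 2024-05-09 entry derives "principal.user.groupid" from an assumed-role ARN using the regex "^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$", and the 2024-03-22 entry pulls "RoleName" out of "userIdentity.arn". The following Python is an added example, not the parser's own code. PAGE_PATTERN is the regex exactly as quoted in the changelog; BROAD_PATTERN, role_from_arn and compare are this example's own additions and assume the IAM naming rules (role names and session names may also contain the characters "+=,.@-", which a word-character class does not accept). The sample ARNs are constructed.

```python
"""Added example: extracting account, role and session from an STS assumed-role ARN.

Not the parser's code. PAGE_PATTERN is the changelog's regex; BROAD_PATTERN is an
assumption of this example that admits the extra characters IAM allows in role
and session names, so the two can be compared on the same input.
"""
import re
from typing import List, Optional, Tuple

# Regex quoted in the 2024-05-09 changelog entry (word characters only).
PAGE_PATTERN = re.compile(r"^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$")

# Assumed broader class: IAM role/session names may also contain + = , . @ -
BROAD_PATTERN = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([\w+=,.@-]+)/([\w+=,.@-]+)$")

# Constructed sample ARNs, not taken from real logs.
SAMPLE_ARNS: List[str] = [
    "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
    "arn:aws:sts::123456789012:assumed-role/ops-admin/alice@example.com",
    "arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abc123def456",
    "arn:aws:iam::123456789012:user/alice",
]


def matches_page_regex(arn: str) -> bool:
    """True when the ARN satisfies the regex as written in the changelog."""
    return PAGE_PATTERN.match(arn) is not None


def role_from_arn(arn: str) -> Optional[Tuple[str, str, str]]:
    """Return (account_id, role_name, session_name), or None for a non-matching ARN.

    role_name is what the 2024-03-22 entry calls "RoleName"; the 2024-05-09 entry
    uses the same component as the group identifier.
    """
    m = BROAD_PATTERN.match(arn)
    return m.groups() if m else None  # type: ignore[return-value]


def compare(arns: List[str]) -> List[Tuple[str, bool, bool]]:
    """Row per ARN: (arn, matched by page regex, matched by broader regex)."""
    return [(arn, matches_page_regex(arn), role_from_arn(arn) is not None) for arn in arns]


if __name__ == "__main__":
    for arn, page_ok, broad_ok in compare(SAMPLE_ARNS):
        print(f"{page_ok!s:5} {broad_ok!s:5} {arn} -> {role_from_arn(arn)}")
```

Rows where the first flag is False but the second is True are principals whose groupid and role_name would stay empty under the page's pattern; hyphenated role names and EC2 instance session names are the common cases, so a detection that keys on "principal.user.groupid" should be checked against such events.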
2024-03-04 Enhancement:
- For logs having "eventName" as "TerminateInstances":
  - Mapped "responseElements" JSON Object to "target.resource.attribute.labels".
  - Mapped "sessionCredentialFromConsole" to "target.resource.attribute.labels".
- For logs where "eventName" is "CreateDomain", "DeleteDomain", "CreateCollection",
"DeleteCollection", "CreateDBCluster", "DeleteDBCluster", "StopDBCluster", "StartDBCluster",
"CreateCluster", "DeleteCluster", "ListClusters", "CreateNodegroup", "DeleteNodegroup",
"RegisterCluster", "DeregisterCluster", "DescribeCluster", "DescribeNodegroup", "ListNodegroups":
  - Set "target.resource.resource_type" to "CLUSTER".
2023-11-21 Enhancement:
- Mapped "awsRegion" to "target.location.name".
- For logs having "eventName" as "PutBucketAcl", when "userIdentity.arn" is not present, set "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" with prefix "Get", "List", "Describe", "Detect", "Query", "Check", "Decode",
"Decrypt", "Download", "Retrieve", "Read", "Discover", "Lookup", "Preview", "Scan", "Select", "Classify", "Show", "View":
  - Set "metadata.event_type" to "RESOURCE_READ".
- For logs having "eventName" with prefix "Delete", "Terminate":
  - Set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" with prefix "Create", "Put", "Import", "Generate", "Allocate":
  - Set "metadata.event_type" to "RESOURCE_CREATION".
- For logs having "eventName" with prefix "Start", "Activate", "Reboot", "Initialize", "New":
  - Set "metadata.event_type" to "STATUS_STARTUP".
- For logs having "eventName" with prefix "Stop", "Cancel", "Disconnect":
  - Set "metadata.event_type" to "STATUS_SHUTDOWN".
- For logs having "eventName" with prefix "Test", "Accept", "Notify", "Request", "Validate", "Confirm", "Reject", "Verify", "Authorize", "Complete":
  - Set "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" with prefix "Assume", "ConsoleLogin":
  - Set "metadata.event_type" to "USER_LOGIN".
- For logs having "eventName" as "SendHeartbeat":
  - Set "metadata.event_type" to "STATUS_HEARTBEAT".
- For logs having "eventName" with prefix "Initiate", "Publish", "Replace", "Resume", "Run", "Submit", "Suspend",
"Alter", "Increase", "Invite", "Provision", "Refresh", "Report", "Upgrade", "Abort", "Apply", "Backup", "Decrease",
"Merge", "Retry", "Rotate", "Rotation", "Transfer", "Unassign", "Analyze", "Archive", "Beta_", "Clear", "Configure",
"Confirm_", "Do", "Evaluate", "Failover", "Forgot", "Lock", "Migrate", "O", "Process", "Promote", "Release", "Renew",
"Sign", "Unarchive", "Undeprecate", "Unlock", "Acknowledge", "Approve", "Connect", "Continue", "Decline", "Deploy",
"Diagnostic", "Drop", "Exit", "Finalize", "Flush", "Forget", "Grant", "Issue", "Logout", "Move", "Opt", "Pause",
"Rebuild", "Redeem", "Replicate", "Restart", "S", "Save", "Subscribe", "Sync", "Unlink", "Unsubscribe", "Unsuspend",
"Allow", "Ato", "Back", "Backtrack", "Bid", "Bind", "Build", "Bundle", "Clone", "Close", "Cognito", "Console", "Dispose",
"Dissociate", "End", "Enroll", "Enter", "Environment", "Event_", "Exclude", "Global", "Include", "Index", "Insert", "Install",
"Invalidate", "Join", "Leave", "Load", "Managed", "Mark", "Monitor", "Peer", "Persist", "Prepare", "Pubkey", "Purge", "Push",
"Rebalance", "Record", "Recovery", "Redact", "Refuse", "Reinvite", "Reload", "Rename", "Respond", "Resync", "Retire", "Reverse",
"Rollback", "Schedule", "Secret", "Shutdown", "Signal", "Skip", "Split", "Stream", "Swap", "Switch", "Toggle", "Token_",
"Translate", "Trim", "Unauthorize", "Undeploy", "Unmonitor", "Unpeer", "Use":
  - Set "metadata.event_type" to "RESOURCE_WRITTEN".
- For logs having "eventName" with prefix "Update", "Associate", "Disassociate", "Modify", "Set", "Register", "Deregister",
"Add", "Remove", "Enable", "Disable", "Send", "Restore", "Reset", "Attach", "Detach", "Export", "Copy", "Tag",
"Untag", "Execute", "Purchase", "Allocate", "Deactivate", "Post", "Resend", "Upload", "Assign", "Change", "Define",
"Deprecate", "Invoke", "Revoke":
  - Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
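The 2023-11-21 entry classifies events by "eventName" prefix. Its RESOURCE_WRITTEN list contains one-letter prefixes such as "S" and "O", while "Set", "Send", "Start", "Stop" and "Subscribe" belong to other classes or appear later, so the result depends on rule precedence. The following Python is an added illustration, not the parser's own code: the precedence it implements (exact-name rules beat prefix rules, and the longest matching prefix beats shorter ones) is this example's own assumption, which it contrasts with a naive first-match scan. PREFIXES is a subset of the page's lists chosen to exercise the collisions; EXACT collects exact-name rules stated in other entries of this changelog.

```python
"""Added example: eventName -> metadata.event_type by exact name, then longest prefix.

Not the parser's code. Longest-prefix precedence is an assumption made here so that
"Set" wins over the catch-all "S"; classify_first_match shows what goes wrong without it.
"""
from typing import Dict, List, Optional, Tuple

# Exact-name rules, each from a changelog entry on this page.
EXACT: Dict[str, str] = {
    "CreateTags": "RESOURCE_WRITTEN",               # 2023-08-02
    "PutBucketAcl": "RESOURCE_PERMISSIONS_CHANGE",  # 2023-08-02
    "PutParameter": "RESOURCE_PERMISSIONS_CHANGE",  # 2023-09-30
    "SendCommand": "PROCESS_LAUNCH",                # 2023-10-13
    "SendHeartbeat": "STATUS_HEARTBEAT",            # 2023-11-21
    "ConsoleLogin": "USER_LOGIN",                   # 2023-11-21
    "GetLoginProfile": "RESOURCE_READ",             # 2024-07-29
}

# (prefix, event_type): a subset of the 2023-11-21 prefix lists, in the entry's order.
PREFIXES: List[Tuple[str, str]] = [
    ("Get", "RESOURCE_READ"), ("List", "RESOURCE_READ"), ("Describe", "RESOURCE_READ"),
    ("Delete", "RESOURCE_DELETION"), ("Terminate", "RESOURCE_DELETION"),
    ("Create", "RESOURCE_CREATION"), ("Put", "RESOURCE_CREATION"),
    ("Start", "STATUS_STARTUP"), ("Reboot", "STATUS_STARTUP"),
    ("Stop", "STATUS_SHUTDOWN"), ("Cancel", "STATUS_SHUTDOWN"),
    ("Test", "STATUS_UPDATE"), ("Authorize", "STATUS_UPDATE"),
    ("Assume", "USER_LOGIN"),
    ("Run", "RESOURCE_WRITTEN"), ("Do", "RESOURCE_WRITTEN"), ("O", "RESOURCE_WRITTEN"),
    ("S", "RESOURCE_WRITTEN"), ("Subscribe", "RESOURCE_WRITTEN"),
    ("Update", "RESOURCE_PERMISSIONS_CHANGE"), ("Set", "RESOURCE_PERMISSIONS_CHANGE"),
    ("Send", "RESOURCE_PERMISSIONS_CHANGE"), ("Revoke", "RESOURCE_PERMISSIONS_CHANGE"),
]

DEFAULT = "GENERIC_EVENT"  # fallback named in the 2022-07-06 entry


def classify(event_name: str) -> str:
    """Exact-name rules first; otherwise the longest prefix that matches."""
    if event_name in EXACT:
        return EXACT[event_name]
    best: Optional[Tuple[str, str]] = None
    for prefix, event_type in PREFIXES:
        if event_name.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, event_type)
    return best[1] if best else DEFAULT


def classify_first_match(event_name: str) -> str:
    """Naive variant: the first rule in list order wins. Kept only to expose the defect."""
    if event_name in EXACT:
        return EXACT[event_name]
    for prefix, event_type in PREFIXES:
        if event_name.startswith(prefix):
            return event_type
    return DEFAULT


def shadowed_by(catch_all: str) -> List[str]:
    """Prefixes a first-match scan can never reach if catch_all is tested before them."""
    return [p for p, _ in PREFIXES if p != catch_all and p.startswith(catch_all)]


def audit(names: List[str]) -> List[Tuple[str, str, str]]:
    """Rows (name, longest-prefix result, first-match result) where the two disagree."""
    rows = []
    for name in names:
        a, b = classify(name), classify_first_match(name)
        if a != b:
            rows.append((name, a, b))
    return rows


if __name__ == "__main__":
    # Constructed eventName values, not real log data.
    sample = ["CreateTags", "CreateBucket", "SetSubnets", "StopInstances",
              "SendCommand", "AssumeRole", "OptInPhoneNumber", "UnknownThing"]
    for name in sample:
        print(f"{name:18} {classify(name)}")
    print("shadowed by 'S':", shadowed_by("S"))
    for row in audit(sample):
        print("first-match disagrees:", row)
```

Running audit over a list of event names seen in your own account is a cheap regression check: any row it returns is an event whose UDM class changes with rule order, which matters when a detection keys on RESOURCE_PERMISSIONS_CHANGE or STATUS_SHUTDOWN rather than on the raw "eventName".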
2023-11-11 Enhancement:
- Initialize variables to null or empty, to avoid duplicate mappings.
- When "requestParameters.tagSpecificationSet.items.key" is "Hostname", mapped the value to "target.hostname".
2023-10-27 Enhancement:
For logs having "eventName" as "AssociateIamInstanceProfile":
- Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
For logs having "eventName" as "DisassociateIamInstanceProfile":
- Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
For logs having "eventName" as "ReplaceIamInstanceProfileAssociation":
- Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
- Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- Set "target.resource.resource_type" to "ACCESS_POLICY".
- Mapped the "requestParameters" and "responseElements" JSON Objects to "target.resource.attribute.labels".
- Corrected the typo "req.userIdentity.username" to "req.userIdentity.userName".
2023-10-13 Enhancement:
- For logs having "eventName" as "UpdateDetector":
  - Mapped "requestParameters.features.name" and "requestParameters.features.status" to "target.resource.attribute.labels".
- For logs having "eventName" as "SendCommand":
  - Mapped "requestParameters.documentName" to "target.resource.product_object_id".
  - Mapped "responseElements.command.commandId" to "target.process.product_specific_object.id".
  - Mapped "metadata.event_type" to "PROCESS_LAUNCH".
  - Mapped "requestParameters.documentName" to "target.resource.name".
  - Mapped all the parameters in "requestParameters" and "responseElements" to "target.resource.attribute.labels".
- For logs having "eventName" as "createAccountResult" map "event_type" as "USER_RESOURCE_ACCESS".
- For logs having "eventName" as "createAccount" map "event_type" as "RESOURCE_CREATION".
2023-09-30 Enhancement: Add new mappings for the following fields:
- Mapped "req.requestParameters.durationSeconds" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.policyArns" to "target.resource.attribute.labels".
- For logs having "eventName" as "GetParameter", "GetParameters", "GetParameterHistory", "GetParametersByPath", "DescribeParameters":
  - Mapped "metadata.event_type" to "RESOURCE_READ".
  - Mapped "req.requestParameters.withDecryption" to "security_result.detection_fields".
- For logs having "eventName" as "DeleteParameters", "DeleteParameter", set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" as "PutParameter", set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- For logs having "eventName" as "EnableRegion" or "DisableRegion", set "target.resource.name" from "req.requestParameters.map.RegionName".
- For logs having "eventName" as "GetFederationToken":
  - Mapped "metadata.event_type" to "RESOURCE_READ".
  - Mapped "req.responseElements.federatedUser.arn" to "target.resource.name".
  - Mapped "req.responseElements.federatedUser.federatedUserId" to "target.user.userid".
  - Mapped "req.responseElements.packedPolicySize" to "security_result.detection_fields".
  - Mapped "req.responseElements.credentials.sessionToken" to "security_result.detection_fields".
2023-09-15 Enhancement: Add new mappings for the following fields:
- Mapped "requestParameters.userName" to "target.user.user_display_name".
- Mapped "additionalEventData.SamlProviderArn" to "additional.fields".
- Mapped "eventSource" to "metadata.ingestion_labels".
- When value of "requestParameters.tagSpecificationSet.items.tags.key" is "Name", then mapped "requestParameters.tagSpecificationSet.items.tags.value" to "target.resource.name".
2023-08-24 Enhancement:
- For logs having "eventName" as "CreateSubnet", set "metadata.event_type" to "RESOURCE_CREATION".
  - Mapped "req.responseElements.subnet.subnetId" to "target.resource.attribute.labels".
  - Mapped "req.requestParameters.cidrBlock" to "target.resource.attribute.labels".
- For logs having "eventName" as "DeleteSubnet", set "metadata.event_type" to "RESOURCE_DELETION".
  - Mapped "req.requestParameters.subnetId" to "target.resource.attribute.labels".
2023-08-16 Enhancement:
- For logs having "eventName" as "DeleteSecret", mapped "responseElements.arn" to "target.resource.name".
2023-08-02 Enhancement:
- For logs having "eventName" as "CreateTags", mapped "metadata.event_type" to "RESOURCE_WRITTEN".
- Mapped "responseElements.description", "requestParameters.name", "requestParameters.tagSet.items", "requestParameters.attributeType" to "target.resource.attribute.labels".
- Set "metadata.event_type" to "RESOURCE_CREATION" for logs having the following "eventName":
"CreateNetworkAcl","CreateVolume","CreatePublishingDestination","CreateIPSet","CreateThreatIntelSet",
"CreateAddon","CreateRepository","CreateStack","CreateDomain","CreateCollection","CreateTable",
"CreateDBInstance","CreateDBCluster","CreateDBSnapshot","CreateDBClusterSnapshot","PutConfigRule",
"PutDeliveryChannel","CreateListener","CreateLoadBalancer","PutLoggingConfiguration","CreateTargetGroup",
"CreateWebACL","RequestCertificate","CreateCluster"
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName":
"MoveAccount","PutEventSelectors","PutInsightSelectors","UpdateIPSet","UpdateThreatIntelSet","CreateTags",
"UpdateTable","ModifyDBInstance","StopDBInstance","StartDBInstance","RebootDBInstance",
"StartDBCluster","StopDBCluster","ModifyDBSnapshotAttribute","ModifyDBClusterSnapshotAttribute",
"AddListenerCertificates","ModifyLoadBalancerAttributes","SetSubnets","SetSecurityGroups",
"ModifyListener","UpdateWebACL","ResendValidationEmail","ModifyInstanceAttribute",
"StopInstances","StartInstances","RebootInstances"
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName":
"DeletePublishingDestination","DeleteIPSet","DeleteThreatIntelSet","DeleteRepository",
"DeleteStack","DeleteCollection","DeleteDomain","DeleteTable","DeleteDBInstance","DeleteDBCluster",
"DeleteDBSnapshot","DeleteDBClusterSnapshot","DeleteConfigRule","DeleteEvaluationResults",
"DeleteTargetGroup","DeleteLoadBalancer","DeleteListener","DeleteLoggingConfiguration",
"DeleteWebACL","DeleteCertificate","DeleteCluster"
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE" for logs having the following "eventName":
"AssociateWebACL","DisassociateWebACL","AttachGroupPolicy","PutBucketAcl"
- Set "metadata.event_type" to "RESOURCE_READ" for logs having the following "eventName":
"GetPasswordData","GetSessionToken"
- Mapped "target.resource.resource_type" and other unmapped fields for the above mentioned event names.
2023-07-18 Enhancement:
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_CREATION".
"EnableMacie","ConnectDirectory","RunInstances","CreateImage","CreateOrganization", "CreateNetworkInterface",
"StartSSO","CreateEmailIdentity","VerifyDomainIdentity","VerifyDomainDkim","VerifyEmailIdentity",
"CreateConfigurationSet","CreateSecret","ImportKeyPair","CreateAlias","CreateKey","CreateOrganizationalUnit",
"CreateNetworkAcl","CreateVolume","CreatePublishingDestination","CreateIPSet","CreateThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_WRITTEN".
"UpdateMacieSession","PutAccountSendingAttributes","PutConfigurationSetSendingOptions","UpdateAccountSendingEnabled",
"UpdateConfigurationSetSendingEnabled","UpdateSecret","DisableKey","EnableKey","CancelKeyDeletion",
"MoveAccount","PutEventSelectors","PutInsightSelectors","UpdateIPSet","UpdateThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_DELETION":
"DeleteSnapshot","DeleteDetector","DeleteFlowLogs","DeregisterImage","TerminateInstances",
"DeleteNetworkInterface","DeleteSSO","DeleteBucketPublicAccessBlock","DeleteAccountPublicAccessBlock",
"RemoveAccountFromOrganization","DeleteEmailIdentity","LeaveOrganization","DeleteConfigurationSet",
"DeleteSecret","DeleteKeyPair","DeleteAlias","ScheduleKeyDeletion","DeleteNetworkAcl",
"DeletePublishingDestination","DeleteIPSet","DeleteThreatIntelSet"
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
"DetachRolePolicy","PutRolePolicy","PutResourcePolicy","PutCredentials","DeleteDirectory",
"AuthorizeSecurityGroupEgress","AuthorizeSecurityGroupIngress","RevokeSecurityGroupEgress","RevokeSecurityGroupIngress",
"ModifySnapshotAttribute","ModifyImageAttribute","CreateNetworkAclEntry","ReplaceNetworkAclAssociation","DeleteNetworkAclEntry"
- Mapped "target.resource.resource_type" and other unmapped fields for the above mentioned eventNames.
- Added a null check before mapping field "userIdentity.invokedBy".
2023-07-06 Enhancement:
- Added null check before mapping field "userIdentity.invokedBy".
- Mapped "requestParameters.instanceType","requestParameters.instancesSet.items.0.minCount","requestParameters.instancesSet.items.0.maxCount" to "target.resource.attribute.labels".
2023-06-23 Enhancement: Mapped logs to more specific "metadata.event_type" based on the field "eventName".
- Mapped "target.resource.resource_type" as "VIRTUAL_MACHINE".
- Mapped "requestParameters.status", "responseElements.certificate.status" to "target.resource.attribute.labels".
- Mapped "requestParameters.instanceId" to "target.resource_ancestors.product_object_id".
- Mapped "requestParameters.userName" to "target.user.userid".
- Mapped "target.resource.name" and "target.resource.product_object_id" based upon keys present under each "eventName".
- Mapped "userIdentity.arn" to "principal.resource.name".
- Mapped "userIdentity.accountId" to "principal.resource.product_object_id".
- For logs having "eventName" as one of the following, mapped "metadata.event_type" to "RESOURCE_CREATION":
"CreateTrail","AllocateAddress","CreateVolume","CreateVirtualMFADevice","UploadSigningCertificate",
"CreateAccessKey","UploadSSHPublicKey","CreateServiceSpecificCredential","UploadCloudFrontPublicKey",
"CreateAnalyzer","CreateSAMLProvider","PutConfigurationRecorder","CreateRole","CreateInstanceProfile",
"CreateExportTask","CreateLogGroup","EnableSecurityHub","CreateEnvironment","CreateSession","CreateServiceLinkedRole",
"CreateSnapshot","CreateKeyPair","CreateSecurityGroup","CreateDetector","CreateFlowLogs",
"EnableMacie","ConnectDirectory","RunInstances","CreateImage","CreateOrganization"
- For logs having "eventName" as one of the following, mapped "metadata.event_type" to "RESOURCE_WRITTEN":
"StartLogging","StopLogging","AssociateAddress","DisassociateAddress","DetachVolume",
"AttachVolume","ModifyVolume","EnableMFADevice","ResyncMFADevice","UpdateSigningCertificate",
"UpdateAccessKey","UpdateSSHPublicKey","ResetServiceSpecificCredential","UpdateServiceSpecificCredential",
"UpdateCloudFrontPublicKey","DisableRegion","EnableRegion","UpdateSAMLProvider","StartConfigurationRecorder",
"StopConfigurationRecorder","PutRetentionPolicy","PutDataProtectionPolicy","UpdateDetector","UpdateMacieSession"
- For logs having "eventName" as one of the following, mapped "metadata.event_type" to "RESOURCE_DELETION":
"DeleteTrail","ReleaseAddress","DeleteVolume","DeactivateMFADevice","DeleteVirtualMFADevice",
"DeleteSigningCertificate","DeleteAccessKey","DeleteSSHPublicKey","DeleteServiceSpecificCredential",
"DeleteCloudFrontPublicKey","DeleteAnalyzer","DeleteSAMLProvider","DeleteConfigurationRecorder",
"DeletePolicy","DeleteRole","DeleteInstanceProfile","DeleteLogGroup","DisableSecurityHub","DisableMacie",
"DeleteSnapshot","DeleteDetector","DeleteFlowLogs","DeregisterImage","TerminateInstances"
- For logs having "eventName" as one of the following, mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE":
"AttachUserPolicy","DetachUserPolicy","PutUserPolicy","DeleteUserPolicy",
"PutUserPermissionsBoundary","DeleteUserPermissionsBoundary","AttachRolePolicy",
"DetachRolePolicy","PutRolePolicy","PutResourcePolicy","PutCredentials","DeleteDirectory"
2023-06-09 Enhancement:
- Modified the regex to identify the JSON Array logs.
2023-06-07 Enhancement:
- Mapped all the "principal.user" fields to "target.user" for "eventName" as "ConsoleLogin".
2023-05-26 Enhancement:
Parsed logs of a different JSON pattern.
- Mapped "cipherSuite" to "network.tls.cipher".
- Mapped "requestID" to "target.resource.attribute.labels".
- Mapped "assumedRoleId" to "security_result.about.resource.name".
- Mapped "roleSessionName" to "target.resource.name".
- Mapped "roleArn" to "target.resource.product_object_id".
- Mapped "userAgent" to "network.http.user_agent".
- Mapped "sourceIPAddress" to "principal.ip".
- Mapped "sessionIssuer.userName" to "target.user.user_display_name".
- Mapped "sessionIssuer.principalId" to "target.user.userid".
- Mapped "userIdentity.accessKeyId" to "target.resource.product_object_id".
- Mapped "userIdentity.arn" to "security_result.about.resource.id".
- Mapped "req.detail.Longitude" to "_principal.location.region_longitude".
- Mapped "req.detail.Latitude" to "_principal.location.region_latitude".
- Mapped "detail.resourceType" to "target.resource.resource_subtype".
- Set "security_result.alert_state" to "ALERTING".
- Mapped "req.detail.recommendRemediation" to "security_result.action_details".
- Mapped "eventLog.detail.eventName" to "metadata.product_event_type".
2023-02-23 Enhancement:
- Mapped "requestParameters.principalArn" to "principal.resource.name".
- Mapped "resources.ARN" to "about.resource.name".
2022-11-24 Fix:
- Parsed the new log format that contains "configurationItem" by mapping the following fields.
- Mapped "configurationItem.awsAccountId" to "principal.user.userid".
- Mapped "configurationItem.resourceId" to "target.resource.id".
- Mapped "configurationItem.resourceType" to "target.resource.resource_subtype".
- Mapped "configurationItem.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItem.configurationItemCaptureTime" to "target.asset.attribute.creation_time".
- Mapped "configurationItem.configurationItemStatus" to "target.asset.attribute.labels".
- Mapped "configurationItems.ARN" to "target.resource.attribute.labels".
- Mapped "configurationItems.availabilityZone" to "target.resource.attribute.cloud.availability_zone".
- Mapped "configurationItems.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItems.awsAccountId" to "principal.user.userid".
- Mapped "configurationItems.configuration.activityStreamStatus" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.allocatedStorage" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.autoMinorVersionUpgrade" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.backupRetentionPeriod" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.copyTagsToSnapshot" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.dbClusterResourceId" to "target.resource.product_object_id".
- Mapped "configurationItems.configuration.masterUsername" to "principal.user.user_display_name".
- Mapped "configurationItems.resourceName" to "target.resource.name".
2022-10-13 Enhancement:
- For "eventName": "CreateAccessKey" mapped the field "responseElements.accessKey.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "UpdateAccessKey" mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "DeleteAccessKey" mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName": "CreateUser" mapped the field "responseElements.user.userId" to "target.user.product_object_id".
- Mapped the field "eventTime" to "metadata.collected_timestamp".
2022-07-27 Enhancement:
- Added eventType "QueryDatabase" and mapped its fields.
- Modified conditions for principal.ip or principal.host for handling new logs.
- Changed the mapping of "requestParameters.roleArn", "requestParameters.registryId", "resources.accountId" from "target.resource.id" to "target.resource.product_object_id".
- Modified the parsing condition for "req_params" to extract the values.
2022-07-08 Enhancement:
- Modified mapping for "req.requestParameters.roleName" from "target.user.role_name" to "target.user.attribute.roles".
2022-07-06
- Changed mapping of "req.awsRegion" from "_principal.location.country_or_region" to "_principal.location.name".
- Modified event_type from "GENERIC_EVENT" to "USER_LOGIN" for eventName "AssumeRole".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS" for eventName "PutImage", "GetDownloadUrlForLayer" or "BatchGetImage".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_DELETION" for eventName "DeleteNetworkInterface".
2022-06-06
- For eventName "CreateUser" and "DeleteUser", modified the condition for handling the src mapping, as the existing one failed for new logs.
- Modified the puserId field to handle a new unparsed log.
2022-05-27 Enhancement - Modified the value stored in metadata.product_name to "AWS CloudTrail".
2022-04-13 Enhancement: mapped the following raw log elements to UDM elements:
- Mapped the fields "requestParameters.PublicAccessBlockConfiguration.IgnorePublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.RestrictPublicBuckets", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicPolicy", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.IgnorePublicAcls", "additionalEventData.configRuleInputParameters.RestrictPublicBuckets", "additionalEventData.configRuleInputParameters.BlockPublicPolicy", "additionalEventData.configRuleInputParameters.BlockPublicAcls", "additionalEventData.configRuleInputParameters.IgnorePublicAcls" to "target.resource.attribute.labels".