Change log for AWS_CLOUDTRAIL
Date | Changes |
---|---|
2024-11-25 | Enhancement:
- Mapped "Metadata.Product.Version" to "metadata.product_version".
- Mapped "Event_code" to "security_result.detection_fields".
- Mapped "Metadata.Uid" to "metadata.product_log_id".
- Mapped "Cloud.Region" to "principal.location.country_or_region".
- Mapped "target.resource.attribute.cloud.environment" to "AMAZON_WEB_SERVICES" when "Cloud.Provider" is "AWS".
- Mapped "credentials.sessionToken" to "security_result.detection_fields".
- Mapped "Api.Operation" to "additional.fields".
- Mapped "Api.Service.Name" to "principal.resource.name".
- Mapped "roleArn" to "target.url".
- Mapped "roleSessionName" to "target.resource.name".
- Mapped "Api.Request.Uid" to "additional.fields".
- Mapped "Actor.User.Type" to "principal.resource.resource_subtype" and "principal.resource.type".
- Mapped "Actor.User.Uid_alt" to "additional.fields".
- Mapped "Actor.User.Uid" to "principal.user.userid".
- Mapped "Actor.User.Account.Uid" to "additional.fields".
- Mapped "Actor.User.Credential_uid" to "additional.fields".
- Mapped "Actor.Session.Issuer" to "security_result.detection_fields".
- Mapped "Session.Credential_uid" to "additional.fields".
- Mapped "Actor.Invoked_by" to "principal.user.userid".
- Mapped "Http_request.User_agent" to "network.http.user_agent".
- Mapped "Src_endpoint.Ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Src_endpoint.Domain" to "principal.domain.name".
- Mapped "Class_name" to "additional.fields".
- Mapped "Class_uid" to "security_result.detection_fields".
- Mapped "Category_name" to "security_result.detection_fields".
- Mapped "security_result.severity" to "INFORMATIONAL" when "Severity" is "Informational".
- Mapped "Activity_name" to "metadata.product_event_type".
- Mapped "Activity_id" to "security_result.detection_fields".
- Mapped "Type_uid" to "security_result.detection_fields".
- Mapped "Type_name" to "security_result.detection_fields".
- Mapped "Unmapped.managementEvent" to "additional.fields".
- Mapped "Unmapped.readOnly" to "additional.fields".
- Mapped "Unmapped.recipientAccountId" to "target.resource.id".
- Mapped "Unmapped.resources[].ARN" to "additional.fields".
- Mapped "Unmapped.resources[].type" to "target.resource.type".
- Mapped "credentials.accessKeyId" to "target.resource.product_object_id".
- Mapped "credentials.expiration" to "security_result.detection_fields".
- Mapped "Unmapped.tlsDetails.cipherSuite" to "network.tls.cipher".
- Mapped "Unmapped.tlsDetails.clientProvidedHostHeader" to "security_result.detection_fields".
- Mapped "Unmapped.sharedEventID" to "target.resource.attribute.labels".
- Mapped "Unmapped.tlsDetails.tlsVersion" to "network.tls.version".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.principalId" to "target.user.userid".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.type" to "target.user.attribute.labels".
- Mapped "Unmapped.userIdentity.sessionContext.sessionIssuer.userName" to "target.user.user_display_name".
- Depending on the "arr.Type_id" value, the value of each array element is assigned to different properties of the observer object: "observer.hostname" for 1, "observer.ip" for 2, "observer.user.user_display_name" for 4, and "observer.resource.product_object_id" for 10. |
2024-11-14 | Enhancement:
- Added support to handle new JSON log format. |
2024-11-07 | Enhancement:
- When "eventName" is "DeleteBackupSelection", "metadata.event_type" is mapped to "RESOURCE_DELETION". |
2024-10-03 | Enhancement:
- Added validation check for "metadata.event_type" with value "USER_UNCATEGORIZED". |
2024-09-18 | Enhancement:
- Mapped "readOnly" to "additional.fields". |
2024-07-30 | Enhancement:
- Fixed the mapping of "src_ip" and "event_type" to parse the new logs. |
2024-07-29 | Bug-Fix:
- When "eventName" is "GetLoginProfile", "metadata.event_type" is mapped to "RESOURCE_READ". |
2024-07-24 | Enhancement:
- Changed the mapping from "recipientAccountId" to "userIdentity.accountId" and mapped it to "additional.fields". |
2024-07-23 | Enhancement:
- Mapped "alert_emails" and "owner_names" to "target.resource.attribute.labels". |
2024-07-09 | Enhancement:
- Mapped "eventVersion" to "metadata.product_version".
- Mapped "userIdentity.principalId" to "principal.user.attribute.labels".
- Mapped "userIdentity.sessionContext.attributes.creationDate" to "principal.user.attribute.creation_time".
- Mapped "userIdentity.sessionContext.sessionIssuer.type" to "target.user.attribute.labels".
- Mapped "additionalEventData.bytesTransferredIn" to "network.received_bytes".
- Mapped "additionalEventData.bytesTransferredOut" to "network.sent_bytes".
- Mapped "managementEvent", "readOnly", "sharedEventID", "apiVersion", "additionalEventData.x-amz-id-2", "additionalEventData.SignatureVersion", "additionalEventData.AuthenticationMethod", "additionalEventData.CipherSuite", and "additionalEventData.sub" to "additional.fields". |
2024-06-24 | Enhancement:
- Updated the mapping from "principal.resource.type" to "principal.resource.resource_subtype" since the field "principal.resource.type" is a deprecated field. |
2024-05-21 | Enhancement:
- When "requestParameters.bucketPolicy.Statement.n.Resource" is an array, mapped "requestParameters.bucketPolicy.Statement.n.Resource" to "additional.fields". |
2024-05-09 | Enhancement:
- Mapped the "groupid" part from "principal.user.userid" to "principal.user.groupid" and "principal.user.group_identifiers" when the "userid" matches the format "^arn:aws:sts::\d+:assumed-role\/\w+\/\w+$". |
2024-04-30 | Enhancement:
- Mapped "req.requestParameters.networkInterfaceSet.items.associatePublicIpAddress" to "target.resource.attribute.labels". |
2024-03-22 | Enhancement:
- Mapped "Noun.user.userid" to "Noun.user.product_object_id".
- Mapped "RoleName" from "userIdentity.arn" to "principal.user.role_name" and "principal.user.attribute.roles.name".
- Mapped "PolicyName" from "requestParameters.policyArn" to "security_result.rule_name". |
2024-03-04 | Enhancement:
- For logs having "eventName" as "TerminateInstances":
  - Mapped "responseElements" JSON Object to "target.resource.attribute.labels".
  - Mapped "sessionCredentialFromConsole" to "target.resource.attribute.labels".
- For logs where "eventName" is "CreateDomain", "DeleteDomain", "CreateCollection", "DeleteCollection", "CreateDBCluster", "DeleteDBCluster", "StopDBCluster", "StartDBCluster", "CreateCluster", "DeleteCluster", "ListClusters", "CreateNodegroup", "DeleteNodegroup", "RegisterCluster", "DeregisterCluster", "DescribeCluster", "DescribeNodegroup", "ListNodegroups":
  - Set "target.resource.resource_type" to "CLUSTER". |
2023-11-21 | Enhancement:
- Mapped "awsRegion" to "target.location.name".
- For logs having "eventName" as "PutBucketAcl", when "userIdentity.arn" is not present, modify "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" with prefix "Get", "List", "Describe", "Detect", "Query", "Check", "Decode", "Decrypt", "Download", "Retrieve", "Read", "Discover", "Lookup", "Preview", "Scan", "Select", "Classify", "Show", "View": set "metadata.event_type" to "RESOURCE_READ".
- For logs having "eventName" with prefix "Delete", "Terminate": set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" with prefix "Create", "Put", "Import", "Generate", "Allocate": set "metadata.event_type" to "RESOURCE_CREATION".
- For logs having "eventName" with prefix "Start", "Activate", "Reboot", "Initialize", "New": set "metadata.event_type" to "STATUS_STARTUP".
- For logs having "eventName" with prefix "Stop", "Cancel", "Disconnect": set "metadata.event_type" to "STATUS_SHUTDOWN".
- For logs having "eventName" with prefix "Test", "Accept", "Notify", "Request", "Validate", "Confirm", "Reject", "Verify", "Authorize", "Complete": set "metadata.event_type" to "STATUS_UPDATE".
- For logs having "eventName" with prefix "Assume", "ConsoleLogin": set "metadata.event_type" to "USER_LOGIN".
- For logs having "eventName" as "SendHeartbeat": set "metadata.event_type" to "STATUS_HEARTBEAT".
- For logs having "eventName" with prefix "Initiate", "Publish", "Replace", "Resume", "Run", "Submit", "Suspend", "Alter", "Increase", "Invite", "Provision", "Refresh", "Report", "Upgrade", "Abort", "Apply", "Backup", "Decrease", "Merge", "Retry", "Rotate", "Rotation", "Transfer", "Unassign", "Analyze", "Archive", "Beta_", "Clear", "Configure", "Confirm_", "Do", "Evaluate", "Failover", "Forgot", "Lock", "Migrate", "O", "Process", "Promote", "Release", "Renew", "Sign", "Unarchive", "Undeprecate", "Unlock", "Acknowledge", "Approve", "Connect", "Continue", "Decline", "Deploy", "Diagnostic", "Drop", "Exit", "Finalize", "Flush", "Forget", "Grant", "Issue", "Logout", "Move", "Opt", "Pause", "Rebuild", "Redeem", "Replicate", "Restart", "S", "Save", "Subscribe", "Sync", "Unlink", "Unsubscribe", "Unsuspend", "Allow", "Ato", "Back", "Backtrack", "Bid", "Bind", "Build", "Bundle", "Clone", "Close", "Cognito", "Console", "Dispose", "Dissociate", "End", "Enroll", "Enter", "Environment", "Event_", "Exclude", "Global", "Include", "Index", "Insert", "Install", "Invalidate", "Join", "Leave", "Load", "Managed", "Mark", "Monitor", "Peer", "Persist", "Prepare", "Pubkey", "Purge", "Push", "Rebalance", "Record", "Recovery", "Redact", "Refuse", "Reinvite", "Reload", "Rename", "Respond", "Resync", "Retire", "Reverse", "Rollback", "Schedule", "Secret", "Shutdown", "Signal", "Skip", "Split", "Stream", "Swap", "Switch", "Toggle", "Token_", "Translate", "Trim", "Unauthorize", "Undeploy", "Unmonitor", "Unpeer", "Use": set "metadata.event_type" to "RESOURCE_WRITTEN".
- For logs having "eventName" with prefix "Update", "Associate", "Disassociate", "Modify", "Set", "Register", "Deregister", "Add", "Remove", "Enable", "Disable", "Send", "Restore", "Reset", "Attach", "Detach", "Export", "Copy", "Tag", "Untag", "Execute", "Purchase", "Allocate", "Deactivate", "Post", "Resend", "Upload", "Assign", "Change", "Define", "Deprecate", "Invoke", "Revoke": set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE". |
2023-11-11 | Enhancement:
- Initialize variables to null or empty, to avoid duplicate mappings.
- When "requestParameters.tagSpecificationSet.items.key" is "Hostname", map it to "target.hostname". |
2023-10-27 | Enhancement:
- For logs having "eventName" as "AssociateIamInstanceProfile":
  - Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
  - Mapped "responseElements.AssociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
  - Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
  - Set "target.resource.resource_type" to "ACCESS_POLICY".
- For logs having "eventName" as "DisassociateIamInstanceProfile":
  - Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
  - Mapped "responseElements.DisassociateIamInstanceProfileResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
  - Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
  - Set "target.resource.resource_type" to "ACCESS_POLICY".
- For logs having "eventName" as "ReplaceIamInstanceProfileAssociation":
  - Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.name".
  - Mapped "responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceid" to "target.resource.product_object_id".
  - Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
  - Set "target.resource.resource_type" to "ACCESS_POLICY".
- Mapped "requestParameters" and "responseElements" JSON Object to "target.resource.attribute.labels".
- Corrected typo error for "req.userIdentity.userName" from "req.userIdentity.username". |
2023-10-13 | Enhancement:
- For logs having "eventName" as "UpdateDetector":
  - Mapped "requestParameters.features.name" and "requestParameters.features.status" to "target.resource.attribute.labels".
- For logs having "eventName" as "SendCommand":
  - Mapped "requestParameters.documentName" to "target.resource.product_object_id".
  - Mapped "responseElements.command.commandId" to "target.process.product_specific_object.id".
  - Mapped "metadata.event_type" to "PROCESS_LAUNCH".
  - Mapped "requestParameters.documentName" to "target.resource.name".
  - Mapped all the parameters in "requestParameters" and "responseElements" to "target.resource.attribute.labels".
- For logs having "eventName" as "createAccountResult", map "event_type" as "USER_RESOURCE_ACCESS".
- For logs having "eventName" as "createAccount", map "event_type" as "RESOURCE_CREATION". |
2023-09-30 | Enhancement: Add new mappings for the following fields:
- Mapped "req.requestParameters.durationSeconds" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.policyArns" to "target.resource.attribute.labels".
- For logs having "eventName" as "GetParameter", "GetParameters", "GetParameterHistory", "GetParametersByPath", "DescribeParameters":
  - Mapped "metadata.event_type" to "RESOURCE_READ".
  - Mapped "req.requestParameters.withDecryption" to "security_result.detection_fields".
- For logs having "eventName" as "DeleteParameters", "DeleteParameter", set "metadata.event_type" to "RESOURCE_DELETION".
- For logs having "eventName" as "PutParameter", set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE".
- For logs having "eventName" as "EnableRegion" or "DisableRegion", set "target.resource.name" from "req.requestParameters.map.RegionName".
- For logs having "eventName" as "GetFederationToken":
  - Mapped "metadata.event_type" to "RESOURCE_READ".
  - Mapped "req.responseElements.federatedUser.arn" to "target.resource.name".
  - Mapped "req.responseElements.federatedUser.federatedUserId" to "target.user.userid".
  - Mapped "req.responseElements.packedPolicySize" to "security_result.detection_fields".
  - Mapped "req.responseElements.credentials.sessionToken" to "security_result.detection_fields". |
2023-09-15 | Enhancement: Add new mappings for the following fields:
- Mapped "requestParameters.userName" to "target.user.user_display_name".
- Mapped "additionalEventData.SamlProviderArn" to "additional.fields".
- Mapped "eventSource" to "metadata.ingestion_labels".
- When the value of "requestParameters.tagSpecificationSet.items.tags.key" is "Name", mapped "requestParameters.tagSpecificationSet.items.tags.value" to "target.resource.name". |
2023-08-24 | Enhancement:
- For logs having "eventName" as "CreateSubnet", set "metadata.event_type" to "RESOURCE_CREATION".
- Mapped "req.responseElements.subnet.subnetId" to "target.resource.attribute.labels".
- Mapped "req.requestParameters.cidrBlock" to "target.resource.attribute.labels".
- For logs having "eventName" as "DeleteSubnet", set "metadata.event_type" to "RESOURCE_DELETION".
- Mapped "req.requestParameters.subnetId" to "target.resource.attribute.labels". |
2023-08-16 | Enhancement:
- For logs having "eventName" as "DeleteSecret", mapped "responseElements.arn" to "target.resource.name". |
2023-08-02 | Enhancement:
- For logs having "eventName" as "CreateTags", mapped "metadata.event_type" to "RESOURCE_WRITTEN".
- Mapped "responseElements.description", "requestParameters.name", "requestParameters.tagSet.items", "requestParameters.attributeType" to "target.resource.attribute.labels".
- Set "metadata.event_type" to "RESOURCE_CREATION" for logs having the following "eventName": "CreateNetworkAcl", "CreateVolume", "CreatePublishingDestination", "CreateIPSet", "CreateThreatIntelSet", "CreateAddon", "CreateRepository", "CreateStack", "CreateDomain", "CreateCollection", "CreateTable", "CreateDBInstance", "CreateDBCluster", "CreateDBSnapshot", "CreateDBClusterSnapshot", "PutConfigRule", "PutDeliveryChannel", "CreateListener", "CreateLoadBalancer", "PutLoggingConfiguration", "CreateTargetGroup", "CreateWebACL", "RequestCertificate", "CreateCluster".
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName": "MoveAccount", "PutEventSelectors", "PutInsightSelectors", "UpdateIPSet", "UpdateThreatIntelSet", "CreateTags", "UpdateTable", "ModifyDBInstance", "StopDBInstance", "StartDBInstance", "RebootDBInstance", "StartDBCluster", "StopDBCluster", "ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute", "AddListenerCertificates", "ModifyLoadBalancerAttributes", "SetSubnets", "SetSecurityGroups", "ModifyListener", "UpdateWebACL", "ResendValidationEmail", "ModifyInstanceAttribute", "StopInstances", "StartInstances", "RebootInstances".
- Set "metadata.event_type" to "RESOURCE_WRITTEN" for logs having the following "eventName": "DeletePublishingDestination", "DeleteIPSet", "DeleteThreatIntelSet", "DeleteRepository", "DeleteStack", "DeleteCollection", "DeleteDomain", "DeleteTable", "DeleteDBInstance", "DeleteDBCluster", "DeleteDBSnapshot", "DeleteDBClusterSnapshot", "DeleteConfigRule", "DeleteEvaluationResults", "DeleteTargetGroup", "DeleteLoadBalancer", "DeleteListener", "DeleteLoggingConfiguration", "DeleteWebACL", "DeleteCertificate", "DeleteCluster".
- Set "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE" for logs having the following "eventName": "AssociateWebACL", "DisassociateWebACL", "AttachGroupPolicy", "PutBucketAcl".
- Set "metadata.event_type" to "RESOURCE_READ" for logs having the following "eventName": "GetPasswordData", "GetSessionToken".
- Mapped "target.resource.resource_type" and other unmapped fields for the above mentioned event names. |
2023-07-18 | Enhancement:
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_CREATION": "EnableMacie", "ConnectDirectory", "RunInstances", "CreateImage", "CreateOrganization", "CreateNetworkInterface", "StartSSO", "CreateEmailIdentity", "VerifyDomainIdentity", "VerifyDomainDkim", "VerifyEmailIdentity", "CreateConfigurationSet", "CreateSecret", "ImportKeyPair", "CreateAlias", "CreateKey", "CreateOrganizationalUnit", "CreateNetworkAcl", "CreateVolume", "CreatePublishingDestination", "CreateIPSet", "CreateThreatIntelSet".
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_WRITTEN": "UpdateMacieSession", "PutAccountSendingAttributes", "PutConfigurationSetSendingOptions", "UpdateAccountSendingEnabled", "UpdateConfigurationSetSendingEnabled", "UpdateSecret", "DisableKey", "EnableKey", "CancelKeyDeletion", "MoveAccount", "PutEventSelectors", "PutInsightSelectors", "UpdateIPSet", "UpdateThreatIntelSet".
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_DELETION": "DeleteSnapshot", "DeleteDetector", "DeleteFlowLogs", "DeregisterImage", "TerminateInstances", "DeleteNetworkInterface", "DeleteSSO", "DeleteBucketPublicAccessBlock", "DeleteAccountPublicAccessBlock", "RemoveAccountFromOrganization", "DeleteEmailIdentity", "LeaveOrganization", "DeleteConfigurationSet", "DeleteSecret", "DeleteKeyPair", "DeleteAlias", "ScheduleKeyDeletion", "DeleteNetworkAcl", "DeletePublishingDestination", "DeleteIPSet", "DeleteThreatIntelSet".
- For logs with the following "eventName", mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE": "DetachRolePolicy", "PutRolePolicy", "PutResourcePolicy", "PutCredentials", "DeleteDirectory", "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress", "RevokeSecurityGroupIngress", "ModifySnapshotAttribute", "ModifyImageAttribute", "CreateNetworkAclEntry", "ReplaceNetworkAclAssociation", "DeleteNetworkAclEntry".
- Mapped "target.resource.resource_type" and other unmapped fields for the above mentioned eventNames.
- Added a null check before mapping field "userIdentity.invokedBy". |
2023-07-06 | Enhancement:
- Added null check before mapping field "userIdentity.invokedBy".
- Mapped "requestParameters.instanceType", "requestParameters.instancesSet.items.0.minCount", "requestParameters.instancesSet.items.0.maxCount" to "target.resource.attribute.labels". |
2023-06-23 | Enhancement: Mapped logs to more specific "metadata.event_type" based on the field "eventName".
- Mapped "target.resource.resource_type" as "VIRTUAL_MACHINE".
- Mapped "requestParameters.status", "responseElements.certificate.status" to "target.resource.attribute.labels".
- Mapped "requestParameters.instanceId" to "target.resource_ancestors.product_object_id".
- Mapped "requestParameters.userName" to "target.user.userid".
- Mapped "target.resource.name" and "target.resource.product_object_id" based upon keys present under each "eventName".
- Mapped "userIdentity.arn" to "principal.resource.name".
- Mapped "userIdentity.accountId" to "principal.resource.product_object_id".
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_CREATION": "CreateTrail", "AllocateAddress", "CreateVolume", "CreateVirtualMFADevice", "UploadSigningCertificate", "CreateAccessKey", "UploadSSHPublicKey", "CreateServiceSpecificCredential", "UploadCloudFrontPublicKey", "CreateAnalyzer", "CreateSAMLProvider", "PutConfigurationRecorder", "CreateRole", "CreateInstanceProfile", "CreateExportTask", "CreateLogGroup", "EnableSecurityHub", "CreateEnvironment", "CreateSession", "CreateServiceLinkedRole", "CreateSnapshot", "CreateKeyPair", "CreateSecurityGroup", "CreateDetector", "CreateFlowLogs", "EnableMacie", "ConnectDirectory", "RunInstances", "CreateImage", "CreateOrganization".
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_WRITTEN": "StartLogging", "StopLogging", "AssociateAddress", "DisassociateAddress", "DetachVolume", "AttachVolume", "ModifyVolume", "EnableMFADevice", "ResyncMFADevice", "UpdateSigningCertificate", "UpdateAccessKey", "UpdateSSHPublicKey", "ResetServiceSpecificCredential", "UpdateServiceSpecificCredential", "UpdateCloudFrontPublicKey", "DisableRegion", "EnableRegion", "UpdateSAMLProvider", "StartConfigurationRecorder", "StopConfigurationRecorder", "PutRetentionPolicy", "PutDataProtectionPolicy", "UpdateDetector", "UpdateMacieSession".
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_DELETION": "DeleteTrail", "ReleaseAddress", "DeleteVolume", "DeactivateMFADevice", "DeleteVirtualMFADevice", "DeleteSigningCertificate", "DeleteAccessKey", "DeleteSSHPublicKey", "DeleteServiceSpecificCredential", "DeleteCloudFrontPublicKey", "DeleteAnalyzer", "DeleteSAMLProvider", "DeleteConfigurationRecorder", "DeletePolicy", "DeleteRole", "DeleteInstanceProfile", "DeleteLogGroup", "DisableSecurityHub", "DisableMacie", "DeleteSnapshot", "DeleteDetector", "DeleteFlowLogs", "DeregisterImage", "TerminateInstances".
- For logs having "eventName" as following, mapped "metadata.event_type" to "RESOURCE_PERMISSIONS_CHANGE": "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy", "DeleteUserPolicy", "PutUserPermissionsBoundary", "DeleteUserPermissionsBoundary", "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "PutResourcePolicy", "PutCredentials", "DeleteDirectory". |
2023-06-09 | Enhancement:
- Modified the regex to identify the JSON Array logs. |
2023-06-07 | Enhancement:
- Mapped all the "principal.user" fields to "target.user" for "eventName" as "ConsoleLogin". |
2023-05-26 | Enhancement:
- Parsed logs of a different JSON pattern.
- Mapped "cipherSuite" to "network.tls.cipher".
- Mapped "requestID" to "target.resource.attribute.labels".
- Mapped "assumedRoleId" to "security_result.about.resource.name".
- Mapped "roleSessionName" to "target.resource.name".
- Mapped "roleArn" to "target.resource.product_object_id".
- Mapped "userAgent" to "network.http.user_agent".
- Mapped "sourceIPAddress" to "principal.ip".
- Mapped "sessionIssuer.userName" to "target.user.user_display_name".
- Mapped "sessionIssuer.principalId" to "target.user.userid".
- Mapped "userIdentity.accessKeyId" to "target.resource.product_object_id".
- Mapped "userIdentity.arn" to "security_result.about.resource.id".
- Mapped "req.detail.Longitude" to "_principal.location.region_longitude".
- Mapped "req.detail.Latitude" to "_principal.location.region_latitude".
- Mapped "detail.resourceType" to "target.resource.resource_subtype".
- Set "security_result.alert_state" to "ALERTING".
- Mapped "req.detail.recommendRemediation" to "security_result.action_details".
- Mapped "eventLog.detail.eventName" to "metadata.product_event_type". |
2023-02-23 | Enhancement:
- Mapped "requestParameters.principalArn" to "principal.resource.name".
- Mapped "resources.ARN" to "about.resource.name". |
2022-11-24 | Fix:
- Parsed the new log format that contains "configurationItem" by mapping the following fields.
- Mapped "configurationItem.awsAccountId" to "principal.user.userid".
- Mapped "configurationItem.resourceId" to "target.resource.id".
- Mapped "configurationItem.resourceType" to "target.resource.resource_subtype".
- Mapped "configurationItem.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItem.configurationItemCaptureTime" to "target.asset.attribute.creation_time".
- Mapped "configurationItem.configurationItemStatus" to "target.asset.attribute.labels".
- Mapped "configurationItems.ARN" to "target.resource.attribute.labels".
- Mapped "configurationItems.availabilityZone" to "target.resource.attribute.cloud.availability_zone".
- Mapped "configurationItems.awsRegion" to "target.location.country_or_region".
- Mapped "configurationItems.awsAccountId" to "principal.user.userid".
- Mapped "configurationItems.configuration.activityStreamStatus" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.allocatedStorage" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.autoMinorVersionUpgrade" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.backupRetentionPeriod" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.copyTagsToSnapshot" to "target.resource.attribute.labels".
- Mapped "configurationItems.configuration.dbClusterResourceId" to "target.resource.product_object_id".
- Mapped "configurationItems.configuration.masterUsername" to "principal.user.user_display_name".
- Mapped "configurationItems.resourceName" to "target.resource.name". |
2022-10-13 | Enhancement:
- For "eventName" "CreateAccessKey", mapped the field "responseElements.accessKey.accessKeyId" to "target.resource.product_object_id".
- For "eventName" "UpdateAccessKey", mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName" "DeleteAccessKey", mapped the field "requestParameters.accessKeyId" to "target.resource.product_object_id".
- For "eventName" "CreateUser", mapped the field "responseElements.user.userId" to "target.user.product_object_id".
- Mapped the field "eventTime" to "metadata.collected_timestamp". |
2022-07-27 | Enhancement:
- Added eventType "QueryDatabase" and mapped its fields.
- Modified conditions for "principal.ip" or "principal.host" for handling new logs.
- Changed the mapping of "requestParameters.roleArn", "requestParameters.registryId", "resources.accountId" from "target.resource.id" to "target.resource.product_object_id".
- Modified the parsing condition for "req_params" to extract the values. |
2022-07-08 | Enhancement:
- Modified mapping for "req.requestParameters.roleName" from "target.user.role_name" to "target.user.attribute.roles". |
2022-07-06 | - Changed mapping of "req.awsRegion" from "_principal.location.country_or_region" to "_principal.location.name".
- Modified event_type from "GENERIC_EVENT" to "USER_LOGIN" for eventName "AssumeRole".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS" for eventName "PutImage" or "GetDownloadUrlForLayer" or "BatchGetImage".
- Modified event_type from "GENERIC_EVENT" to "USER_RESOURCE_DELETION" for eventName "DeleteNetworkInterface". |
2022-06-06 | For eventName "CreateUser/DeleteUser", modified condition for handling src mapping as existing one failed for new logs.
Modified puserId field to handle new unparsed log. |
2022-05-27 | Enhancement - Modified the value stored in "metadata.product_name" to "AWS CloudTrail". |
2022-04-13 | Enhancement to map following raw logs elements to UDM elements:
Mapped field "requestParameters.PublicAccessBlockConfiguration.IgnorePublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.RestrictPublicBuckets", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicPolicy", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicAcls", "requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.IgnorePublicAcls", "additionalEventData.configRuleInputParameters.RestrictPublicBuckets", "additionalEventData.configRuleInputParameters.BlockPublicPolicy", "additionalEventData.configRuleInputParameters.BlockPublicAcls", "additionalEventData.configRuleInputParameters.IgnorePublicAcls" to "target.resource.attribute.labels". |
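Two of the rules recorded above are easy to get subtly wrong when re-implemented in a detection pipeline: the "eventName" prefix classification of 2023-11-21 (where exact names such as "SendHeartbeat" and "CreateTags" override a prefix rule, and where "Confirm_" must be tested before "Confirm") and the assumed-role "groupid" extraction of 2024-05-09. The following Python is an added example written for this page, not the AWS_CLOUDTRAIL parser's own code. It assumes that the role-name segment of the assumed-role ARN is the "groupid" part the entry refers to, uses only a representative subset of the page's prefix lists, and runs on constructed sample records rather than real CloudTrail data. The output keys are written in dotted UDM-field notation for readability; a real mapper would emit structured UDM.

```python
"""Toy UDM-style mapper for AWS CloudTrail records.

Added example for the AWS_CLOUDTRAIL change log; not the parser's own code.
"""
import re

# Regex quoted in the 2024-05-09 entry. The first \w+ segment (the role name)
# is taken to be the "groupid" part; the entry itself does not say which
# segment it means, so this is an assumption.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d+:assumed-role\/(\w+)\/(\w+)$")

# Exact event names that override the prefix rules (entry dates in comments).
EXACT_EVENT_TYPES = {
    "SendHeartbeat": "STATUS_HEARTBEAT",            # 2023-11-21
    "ConsoleLogin": "USER_LOGIN",                   # 2023-11-21
    "CreateTags": "RESOURCE_WRITTEN",               # 2023-08-02
    "GetLoginProfile": "RESOURCE_READ",             # 2024-07-29
    "DeleteBackupSelection": "RESOURCE_DELETION",   # 2024-11-07
}

# Representative subset of the 2023-11-21 prefix lists; the page's lists are
# much longer, and the tuples can be extended from them.
PREFIX_EVENT_TYPES = {
    "RESOURCE_READ": ("Get", "List", "Describe", "Query", "Decrypt", "Lookup", "Scan"),
    "RESOURCE_DELETION": ("Delete", "Terminate"),
    "RESOURCE_CREATION": ("Create", "Put", "Import", "Generate", "Allocate"),
    "STATUS_STARTUP": ("Start", "Activate", "Reboot", "Initialize"),
    "STATUS_SHUTDOWN": ("Stop", "Cancel", "Disconnect"),
    "STATUS_UPDATE": ("Test", "Accept", "Notify", "Request", "Validate", "Confirm", "Authorize"),
    "USER_LOGIN": ("Assume",),
    "RESOURCE_WRITTEN": ("Run", "Rotate", "Decrease", "Deploy", "Grant", "Restart", "Confirm_"),
    "RESOURCE_PERMISSIONS_CHANGE": ("Update", "Associate", "Disassociate", "Modify",
                                    "Register", "Deregister", "Attach", "Detach",
                                    "Deactivate", "Revoke", "Send"),
}

# Flatten to (prefix, event_type) pairs, longest prefix first, so that a
# longer rule such as "Confirm_" is tested before the shorter "Confirm".
PREFIX_RULES = sorted(
    ((prefix, event_type)
     for event_type, prefixes in PREFIX_EVENT_TYPES.items()
     for prefix in prefixes),
    key=lambda rule: len(rule[0]),
    reverse=True,
)


def classify_event(event_name: str) -> str:
    """Return metadata.event_type for an eventName; GENERIC_EVENT when no rule applies."""
    if event_name in EXACT_EVENT_TYPES:
        return EXACT_EVENT_TYPES[event_name]
    for prefix, event_type in PREFIX_RULES:
        if event_name.startswith(prefix):
            return event_type
    return "GENERIC_EVENT"


def principal_user_fields(user_arn: str) -> dict:
    """Map userIdentity.arn to principal.user fields; add groupid for assumed-role ARNs."""
    fields = {"principal.user.userid": user_arn}
    match = ASSUMED_ROLE_RE.match(user_arn)
    if match:
        role_name = match.group(1)
        fields["principal.user.groupid"] = role_name
        fields["principal.user.group_identifiers"] = [role_name]
    return fields


def map_record(record: dict) -> dict:
    """Flatten one CloudTrail record into a small dict of UDM-style fields."""
    udm = {
        "metadata.product_name": "AWS CloudTrail",                 # 2022-05-27 entry
        "metadata.product_event_type": record["eventName"],
        "metadata.event_type": classify_event(record["eventName"]),
        "metadata.collected_timestamp": record.get("eventTime"),   # 2022-10-13 entry
    }
    arn = record.get("userIdentity", {}).get("arn")
    if arn:
        udm.update(principal_user_fields(arn))
    if record.get("sourceIPAddress"):
        udm["principal.ip"] = record["sourceIPAddress"]             # 2023-05-26 entry
    if record.get("userAgent"):
        udm["network.http.user_agent"] = record["userAgent"]        # 2023-05-26 entry
    return udm


# Constructed sample records (not real CloudTrail data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T00:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyRole/alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.0"},
    {"eventTime": "2024-01-01T00:01:00Z", "eventName": "DeleteBackupSelection",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.11", "userAgent": "console.amazonaws.com"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(map_record(rec))
```

The exact-name table is consulted before any prefix so that later, more specific entries in this log (such as "GetLoginProfile" or "DeleteBackupSelection") win over the generic "Get" and "Delete" rules; when extending the prefix tuples from the page's full lists, keep the longest-first ordering, since several of the page's prefixes (for example "Confirm" and "Confirm_", or "Rotate" and "Rotation") overlap.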