AWS_CONFIG
Overview
This parser transforms raw AWS Config JSON logs into the Unified Data Model (UDM). It extracts fields such as the AWS account ID, resource details, compliance findings, and change type and maps them to standardized UDM attributes so the events can be analysed consistently. The parser also handles the different log structures that AWS Config produces, selecting its extraction path based on whether a "configurationItem" or "configurationItems" field is present in the record.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
configurationItem.ARN | read_only_udm.target.resource.id | The value is taken from the configurationItem.ARN field. |
configurationItem.awsAccountId | read_only_udm.principal.user.userid | The value is taken from the configurationItem.awsAccountId field. |
configurationItem.awsRegion | read_only_udm.target.asset.location.country_or_region | The value is taken from the configurationItem.awsRegion field. |
configurationItem.configurationItemCaptureTime | read_only_udm.target.asset.attribute.creation_time | The value is parsed from the configurationItem.configurationItemCaptureTime field and converted to a timestamp. |
configurationItem.configurationItemStatus | read_only_udm.target.asset.attribute.labels.value | The value is taken from the configurationItem.configurationItemStatus field. |
configurationItem.resourceId | read_only_udm.target.resource.id | The value is taken from the configurationItem.resourceId field. |
configurationItem.resourceName | read_only_udm.target.resource.name | The value is taken from the configurationItem.resourceName field. |
configurationItem.resourceType | read_only_udm.target.resource.resource_subtype | The value is taken from the configurationItem.resourceType field. |
configurationItem.tags.Contact | read_only_udm.principal.user.user_display_name OR read_only_udm.principal.user.email_addresses | If the value is an email address, the email address is extracted and mapped to read_only_udm.principal.user.email_addresses. Otherwise, the value is mapped to read_only_udm.principal.user.user_display_name. |
configurationItem.tags.OS OR configurationItem.tags.Os | read_only_udm.target.asset.platform_software.platform | If the value contains "LINUX" or "Linux", the platform is set to "LINUX". If the value contains "Windows", the platform is set to "WINDOWS". |
configurationItemDiff.changeType | read_only_udm.metadata.event_type | If the value is "UPDATE", the event type is set to "RESOURCE_WRITTEN". If the value is "CREATE", the event type is set to "RESOURCE_CREATION". |
configItem.awsAccountId | read_only_udm.principal.user.userid | The value is taken from the configItem.awsAccountId field. |
configItem.configuration.complianceType | read_only_udm.security_result.summary | The value is taken from the configItem.configuration.complianceType field. |
configItem.configuration.configRuleList.configRuleArn | read_only_udm.security_result.rule_id | The value is taken from the configItem.configuration.configRuleList.configRuleArn field. |
configItem.configuration.configRuleList.configRuleId | read_only_udm.security_result.about.labels.value | The value is taken from the configItem.configuration.configRuleList.configRuleId field. |
configItem.configuration.configRuleList.configRuleName | read_only_udm.security_result.rule_name | The value is taken from the configItem.configuration.configRuleList.configRuleName field. |
configItem.configuration.configRuleList.complianceType | read_only_udm.security_result.summary | The value is taken from the configItem.configuration.configRuleList.complianceType field. |
configItem.configuration.privateIpAddress | read_only_udm.target.ip | The value is taken from the configItem.configuration.privateIpAddress field. |
configItem.configuration.publicIpAddress | read_only_udm.target.ip | The value is taken from the configItem.configuration.publicIpAddress field. |
configItem.configurationItemStatus | read_only_udm.target.asset.attribute.labels.value | The value is taken from the configItem.configurationItemStatus field. |
configItem.relationships.resourceId | read_only_udm.target.asset.attribute.cloud.vpc.id | If the resourceId contains "vpc", the value is taken from the configItem.relationships.resourceId field and mapped to read_only_udm.target.asset.attribute.cloud.vpc.id. |
configItem.resourceName | read_only_udm.target.resource.name | The value is taken from the configItem.resourceName field. |
configItem.resourceCreationTime | read_only_udm.target.asset.creation_time | The value is parsed from the configItem.resourceCreationTime field and converted to a timestamp. |
configItem.resourceType | read_only_udm.target.resource.resource_subtype | The value is taken from the configItem.resourceType field. |
configItem.awsRegion | read_only_udm.target.asset.location.country_or_region | The value is taken from the configItem.awsRegion field. |
N/A | read_only_udm.target.asset.attribute.cloud.environment | The value is set to "AMAZON_WEB_SERVICES". |
N/A | read_only_udm.metadata.vendor_name | The value is set to "AMAZON". |
N/A | read_only_udm.metadata.product_name | The value is set to "AWS Config". |
N/A | read_only_udm.target.asset.attribute.labels.key | The value is set to "Configuration Item Status". |
N/A | read_only_udm.target.resource.resource_type | The value is set to "VIRTUAL_MACHINE". |
N/A | read_only_udm.target.asset.attribute.cloud.vpc.resource_type | The value is set to "VPC_NETWORK". |
N/A | read_only_udm.security_result.about.labels.key | The value is set to "configRuleId". |
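The following Python is an added reference implementation of the mapping logic in the table above, written for this page; it is not the Chronicle parser and is not Google's or AWS's code. Both input records are constructed for the example and follow the field names in the table rather than a captured AWS Config notification. Two points the table leaves open are handled as labelled assumptions: both ARN and resourceId map to target.resource.id, so resourceId is preferred and ARN is the fallback, and the key names used for the relationship entries in additional.fields are invented here. Missing keys inside configRuleList are skipped rather than failing the record, which is the behaviour the 2024-06-09 "on_error" change describes.

```python
import json
import re
from datetime import datetime, timezone

# Constructed samples for this example (not real AWS Config output).
CHANGE_LOG = json.dumps({
    "configurationItemDiff": {"changeType": "UPDATE"},
    "configurationItem": {
        "ARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc",
        "awsAccountId": "123456789012", "awsRegion": "us-east-1",
        "configurationItemCaptureTime": "2024-06-09T12:34:56.000Z",
        "configurationItemStatus": "OK", "resourceId": "i-0abc",
        "resourceName": "web-01", "resourceType": "AWS::EC2::Instance",
        "tags": {"Contact": "ops@example.com", "Os": "Amazon Linux 2"},
        "configuration": {"privateIpAddress": "10.0.1.5", "publicIpAddress": "203.0.113.7"},
        "relationships": [{"resourceId": "vpc-0123", "resourceType": "AWS::EC2::VPC",
                           "name": "Is contained in Vpc"}],
    },
})
COMPLIANCE_LOG = json.dumps({
    "configItem": {
        "awsAccountId": "123456789012", "awsRegion": "eu-west-1",
        "resourceType": "AWS::Config::ResourceCompliance", "resourceName": "i-0abc",
        "configurationItemStatus": "ResourceDiscovered",
        "configuration": {"complianceType": "NON_COMPLIANT", "configRuleList": [
            {"configRuleArn": "arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-abc",
             "configRuleId": "config-rule-abc", "configRuleName": "ec2-imdsv2-check",
             "complianceType": "NON_COMPLIANT"},
            {"configRuleName": "rule-missing-fields"},  # exercises the on_error path
        ]},
    },
})

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
EVENT_TYPES = {"UPDATE": "RESOURCE_WRITTEN", "CREATE": "RESOURCE_CREATION"}


def platform_from_tag(value):
    """OS/Os tag -> UDM platform enum; None when neither family matches (left unset)."""
    if "LINUX" in value or "Linux" in value:
        return "LINUX"
    if "Windows" in value:
        return "WINDOWS"
    return None


def to_epoch(value):
    """Parse AWS Config's RFC 3339 timestamps (fractional seconds, trailing Z) to epoch seconds."""
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp())


def to_udm(raw):
    """Map one AWS Config JSON record to a UDM-shaped dict following the table above."""
    log = json.loads(raw)
    item = log.get("configurationItem") or log.get("configItem") or {}
    cfg, tags = item.get("configuration") or {}, item.get("tags") or {}
    user, resource, ips, results, extra = {}, {"resource_type": "VIRTUAL_MACHINE"}, [], [], []
    attr = {"cloud": {"environment": "AMAZON_WEB_SERVICES"}, "labels": []}
    asset = {"attribute": attr}
    udm = {"metadata": {"vendor_name": "AMAZON", "product_name": "AWS Config"},
           "principal": {"user": user}, "target": {"resource": resource, "asset": asset, "ip": ips},
           "security_result": results, "additional": {"fields": extra}}
    change = (log.get("configurationItemDiff") or {}).get("changeType")
    if change in EVENT_TYPES:  # other change types leave event_type unset
        udm["metadata"]["event_type"] = EVENT_TYPES[change]
    if "awsAccountId" in item:
        user["userid"] = item["awsAccountId"]
    contact = tags.get("Contact")
    if contact:  # an email goes to email_addresses, anything else to the display name
        match = EMAIL_RE.search(contact)
        if match:
            user["email_addresses"] = [match.group(0)]
        else:
            user["user_display_name"] = contact
    os_tag = tags.get("OS") or tags.get("Os")
    if os_tag and platform_from_tag(os_tag):
        asset["platform_software"] = {"platform": platform_from_tag(os_tag)}
    # Assumption: resourceId wins over ARN for target.resource.id (the table lists both).
    if item.get("resourceId") or item.get("ARN"):
        resource["id"] = item.get("resourceId") or item.get("ARN")
    for src, dst in (("resourceName", "name"), ("resourceType", "resource_subtype")):
        if src in item:
            resource[dst] = item[src]
    if "awsRegion" in item:
        asset["location"] = {"country_or_region": item["awsRegion"]}
    if "configurationItemCaptureTime" in item:
        attr["creation_time"] = to_epoch(item["configurationItemCaptureTime"])
    if "resourceCreationTime" in item:
        asset["creation_time"] = to_epoch(item["resourceCreationTime"])
    if "configurationItemStatus" in item:
        attr["labels"].append({"key": "Configuration Item Status", "value": item["configurationItemStatus"]})
    ips.extend(v for k in ("privateIpAddress", "publicIpAddress") if (v := cfg.get(k)))
    for rel in item.get("relationships") or []:
        if "vpc" in rel.get("resourceId", ""):
            attr["cloud"]["vpc"] = {"id": rel["resourceId"], "resource_type": "VPC_NETWORK"}
        # Assumption: key names for the additional.fields entries are chosen for this example.
        extra.extend({"key": "relationships." + k, "value": rel[k]}
                     for k in ("resourceId", "resourceType", "name") if k in rel)
    for rule in cfg.get("configRuleList") or []:  # one security_result per rule; skip absent keys
        sr = {}
        if rule.get("complianceType") or cfg.get("complianceType"):
            sr["summary"] = rule.get("complianceType") or cfg.get("complianceType")
        if "configRuleArn" in rule:
            sr["rule_id"] = rule["configRuleArn"]
        if "configRuleName" in rule:
            sr["rule_name"] = rule["configRuleName"]
        if "configRuleId" in rule:
            sr["about"] = {"labels": [{"key": "configRuleId", "value": rule["configRuleId"]}]}
        results.append(sr)
    if not results and cfg.get("complianceType"):
        results.append({"summary": cfg["complianceType"]})
    return udm
```

Run `to_udm(CHANGE_LOG)` to see the change record become a RESOURCE_WRITTEN event with the VPC, both IPs and the Contact email populated, and `to_udm(COMPLIANCE_LOG)` to see one security_result per config rule, with the second, incomplete rule still producing a partial result instead of aborting the record.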
Changes
2024-06-09
- Added "on_error" to "configItem.configuration.configRuleList" fields before mapping it to UDM.
2024-02-22
- Mapped "configurationItem.relationships[n].resourceId", "configurationItem.relationships[n].resourceType" and "configurationItem.relationships[n].name" to "additional.fields".
2022-05-27
- Enhancement - Modified the value stored in "metadata.product_name" to 'AWS Config'.
2022-03-30
- Enhancement - Corrected mapping for relationship.resourceId to parse for all log types and improve parsing percentage.