Merge branch 'main' into feat/add_ocsf_format

HarishHary · May 22, 2024 · c48c0f2 · c48c0f2
2 parents 5d54461 + b69fbf9
commit c48c0f2
Show file tree

Hide file tree

Showing 142 changed files with 4,628 additions and 2,928 deletions.
diff --git a/AWS/aws-cloudtrail/_meta/fields.yml b/AWS/aws-cloudtrail/_meta/fields.yml
@@ -18,105 +18,91 @@ action.properties.requestParameters.userData:
   name: action.properties.requestParameters.userData
   type: keyword
 
-action.properties.resources:
-  description: A list of resources accessed in the event
-  name: action.properties.resources
+action.properties.resources.ARN:
+  description: A list of resources ARN`s accessed in the event
+  name: action.properties.resources.ARN
   type: list
 
-action.properties.responseElements.pendingModifiedValues.masterUserPassword:
-  description: The new master password for the RDS instance
-  name: action.properties.responseElements.pendingModifiedValues.masterUserPassword
-  type: keyword
-
 action.properties.responseElements.publiclyAccessible:
   description: Whether the requested ressource was public
   name: action.properties.responseElements.publiclyAccessible
   type: boolean
 
-action.properties.userIdentity:
-  description: Information about the user that made the request
-  name: action.properties.userIdentity
-  type: object
+action.properties.userIdentity.accountId:
+  description: User accountId
+  name: action.properties.userIdentity.accountId
+  type: keyword
 
-action.target:
-  description: The target of the action
-  name: action.target
+action.properties.userIdentity.arn:
+  description: User arn
+  name: action.properties.userIdentity.arn
   type: keyword
 
-aws.cloudtrail.cluster_name:
-  description: The name of the cluster
-  name: aws.cloudtrail.cluster_name
+action.properties.userIdentity.invokedBy:
+  description: User invoked by
+  name: action.properties.userIdentity.invokedBy
   type: keyword
 
-aws.cloudtrail.event_version:
-  description: The version of the event
-  name: aws.cloudtrail.event_version
+action.properties.userIdentity.principalId:
+  description: User principal id
+  name: action.properties.userIdentity.principalId
   type: keyword
 
-aws.cloudtrail.flattened.request_parameters:
-  description: The flattened version of the field requestParameters
-  name: aws.cloudtrail.flattened.request_parameters
+action.properties.userIdentity.sessionContext.attributes.mfaAuthenticated:
+  description: User session mfaAuthenticated
+  name: action.properties.userIdentity.sessionContext.attributes.mfaAuthenticated
   type: keyword
 
-aws.cloudtrail.flattened.response_elements:
-  description: The flattened version of the field responseElements
-  name: aws.cloudtrail.flattened.response_elements
+action.properties.userIdentity.sessionContext.sessionIssuer.arn:
+  description: User session issuer arn
+  name: action.properties.userIdentity.sessionContext.sessionIssuer.arn
   type: keyword
 
-aws.cloudtrail.insight_details.context:
-  description: The context of the insight
-  name: aws.cloudtrail.insight_details.context
+action.properties.userIdentity.sessionContext.sessionIssuer.type:
+  description: User session issuer type
+  name: action.properties.userIdentity.sessionContext.sessionIssuer.type
   type: keyword
 
-aws.cloudtrail.insight_details.state:
-  description: The status of the insight
-  name: aws.cloudtrail.insight_details.state
+action.properties.userIdentity.sessionContext.sessionIssuer.userName:
+  description: User session issuer username
+  name: action.properties.userIdentity.sessionContext.sessionIssuer.userName
   type: keyword
 
-aws.cloudtrail.insight_details.type:
-  description: The type of the insight
-  name: aws.cloudtrail.insight_details.type
+action.properties.userIdentity.type:
+  description: User identity type
+  name: action.properties.userIdentity.type
   type: keyword
 
-aws.cloudtrail.recipient_account_id:
-  description: The account ID that received the event
-  name: aws.cloudtrail.recipient_account_id
-  observable:
-    name: Recipient account ID
-    property: account_login
-    type: user-account
+action.properties.userIdentity.userName:
+  description: User username
+  name: action.properties.userIdentity.userName
   type: keyword
 
-aws.cloudtrail.request_parameters.userData:
-  description: The userData parameters sent with the request
-  name: aws.cloudtrail.request_parameters.userData
+action.target:
+  description: The target of the action
+  name: action.target
   type: keyword
 
-aws.cloudtrail.request_parameters.userName:
-  description: The name of the user sent in the request
-  name: aws.cloudtrail.request_parameters.userName
+aws.cloudtrail.cluster_name:
+  description: The name of the cluster
+  name: aws.cloudtrail.cluster_name
   type: keyword
 
-aws.cloudtrail.resources:
-  description: A list of resources accessed in the event
-  name: aws.cloudtrail.resources
-  type: list
+aws.cloudtrail.flattened.request_parameters:
+  description: The flattened version of the field requestParameters
+  name: aws.cloudtrail.flattened.request_parameters
+  type: keyword
+
+aws.cloudtrail.flattened.response_elements:
+  description: The flattened version of the field responseElements
+  name: aws.cloudtrail.flattened.response_elements
+  type: keyword
 
 aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword:
   description: The new master password for the RDS instance
   name: aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword
   type: keyword
 
-aws.cloudtrail.response_elements.publiclyAccessible:
-  description: Whether the requested ressource was public
-  name: aws.cloudtrail.response_elements.publiclyAccessible
-  type: boolean
-
-aws.cloudtrail.response_elements.user.arn:
-  description: The arn of the user in the response
-  name: aws.cloudtrail.response_elements.user.arn
-  type: keyword
-
 aws.cloudtrail.response_elements.user.userName:
   description: The name of the user in the response
   name: aws.cloudtrail.response_elements.user.userName
@@ -146,10 +132,15 @@ aws.cloudtrail.user_identity.principalId:
   name: aws.cloudtrail.user_identity.principalId
   type: keyword
 
-aws.cloudtrail.user_identity.sessionContext:
-  description: provides information abpout the session
-  name: aws.cloudtrail.user_identity.sessionContext
-  type: object
+aws.cloudtrail.user_identity.sessionContext.sessionIssuer.arn:
+  description: provides information about the session issuer arn
+  name: aws.cloudtrail.user_identity.sessionContext.sessionIssuer.arn
+  type: keyword
+
+aws.cloudtrail.user_identity.sessionContext.sessionIssuer.userName:
+  description: provides information about the session issuer username
+  name: aws.cloudtrail.user_identity.sessionContext.sessionIssuer.userName
+  type: keyword
 
 aws.cloudtrail.user_identity.type:
   description: The type of the identity

diff --git a/AWS/aws-cloudtrail/_meta/smart-descriptions.json b/AWS/aws-cloudtrail/_meta/smart-descriptions.json
@@ -128,7 +128,7 @@
     ]
   },
   {
-    "value": "{source.address} successfully signed in to account {aws.cloudtrail.recipient_account_id}",
+    "value": "{source.address} successfully signed in to account",
     "conditions": [
       {
         "field": "action.type",
@@ -140,21 +140,11 @@
       },
       {
         "field": "source.address"
-      },
-      {
-        "field": "aws.cloudtrail.recipient_account_id"
-      }
-    ],
-    "relationships": [
-      {
-        "source": "source.address",
-        "target": "aws.cloudtrail.recipient_account_id",
-        "type": "signed in to"
       }
     ]
   },
   {
-    "value": "{source.address} failed to sign in to account {aws.cloudtrail.recipient_account_id}",
+    "value": "{source.address} failed to sign in to account",
     "conditions": [
       {
         "field": "action.type",
@@ -166,21 +156,11 @@
       },
       {
         "field": "source.address"
-      },
-      {
-        "field": "aws.cloudtrail.recipient_account_id"
-      }
-    ],
-    "relationships": [
-      {
-        "source": "source.address",
-        "target": "aws.cloudtrail.recipient_account_id",
-        "type": "failed to sign in"
       }
     ]
   },
   {
-    "value": "Insight {aws.cloudtrail.insight_details.type} {aws.cloudtrail.insight_details.state} from {event.provider} for action {event.action}: {event.code}",
+    "value": "Insight from {event.provider} for action {event.action}: {event.code}",
     "conditions": [
       {
         "field": "action.type",
@@ -191,12 +171,6 @@
       },
       {
         "field": "event.code"
-      },
-      {
-        "field": "aws.cloudtrail.insight_details.type"
-      },
-      {
-        "field": "aws.cloudtrail.insight_details.state"
       }
     ],
     "relationships": [

diff --git a/AWS/aws-cloudtrail/ingest/parser.yml b/AWS/aws-cloudtrail/ingest/parser.yml
@@ -28,7 +28,6 @@ stages:
           "@timestamp": "{{parsed_date.datetime}}"
           event.category: ["network"]
           event.type: ["access"]
-          event.dataset: "cloudtrail"
           event.action: "{{json_event.message.eventName or json_event.message.insightDetails.eventName}}"
           event.code: "{{json_event.message.errorCode or json_event.message.insightDetails.errorCode}}"
           event.reason: "{{json_event.message.errorMessage}}"
@@ -82,30 +81,19 @@ stages:
           action.properties.resources: "{{json_event.message.resources}}"
           action.properties.requestParameters.userData: "{{json_event.message.requestParameters.userData}}"
           action.properties.responseElements.publiclyAccessible: "{{json_event.message.responseElements.publiclyAccessible}}"
-      - set:
-          action.properties.responseElements.pendingModifiedValues.masterUserPassword: "{{json_event.message.responseElements.pendingModifiedValues.masterUserPassword}}"
-        filter: '{{json_event.message.get("responseElement", {}).get("pendingModifiedValues") != None}}'
 
   set_aws_fields:
     actions:
       - set:
-          aws.cloudtrail.event_version: "{{json_event.message.eventVersion}}"
-          aws.cloudtrail.recipient_account_id: "{{json_event.message.recipientAccountId}}"
           aws.cloudtrail.user_identity: "{{json_event.message.userIdentity}}"
-          aws.cloudtrail.resources: "{{json_event.message.resources}}"
-          aws.cloudtrail.request_parameters.userData: "{{json_event.message.requestParameters.userData}}"
-          aws.cloudtrail.request_parameters.userName: "{{json_event.message.requestParameters.userName}}"
-          aws.cloudtrail.response_elements.publiclyAccessible: "{{json_event.message.responseElements.publiclyAccessible}}"
           aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword: "{{json_event.message.responseElements.pendingModifiedValues.masterUserPassword}}"
-          aws.cloudtrail.insight_details.state: "{{json_event.message.insightDetails.state}}"
-          aws.cloudtrail.insight_details.type: "{{json_event.message.insightDetails.insightType}}"
-          aws.cloudtrail.insight_details.context: "{{json_event.message.insightDetails.insightContext | tojson}}"
           aws.cloudtrail.response_elements.user.userName: "{{json_event.message.responseElements.user.userName}}"
-          aws.cloudtrail.response_elements.user.arn: "{{json_event.message.responseElements.user.arn}}"
           aws.cloudtrail.cluster_name: "{{json_event.message.responseElements.cluster.clusterName}}"
+
       - set:
           aws.cloudtrail.flattened.response_elements: "{{json_event.message.responseElements | tojson}}"
         filter: '{{json_event.message.get("responseElements") != None}}'
+
       - set:
           aws.cloudtrail.flattened.request_parameters: "{{json_event.message.requestParameters | tojson}}"
         filter: '{{json_event.message.get("requestParameters") != None}}'
diff --git a/AWS/aws-cloudtrail/tests/7602ff70-7e5f-42e9-86b2-36803df39183.json b/AWS/aws-cloudtrail/tests/7602ff70-7e5f-42e9-86b2-36803df39183.json
@@ -9,7 +9,6 @@
       "category": [
         "network"
       ],
-      "dataset": "cloudtrail",
       "outcome": "success",
       "provider": "ec2.amazonaws.com",
       "type": [
@@ -26,17 +25,13 @@
           "userData": "<sensitiveDataRemoved>"
         },
         "userIdentity": {
-          "accessKeyId": "ASIA1111111111111",
           "accountId": "1111111111",
           "arn": "arn:aws:iam::1111111111:root",
           "principalId": "1111111111",
           "sessionContext": {
             "attributes": {
-              "creationDate": "2022-08-31T07:20:10Z",
               "mfaAuthenticated": "true"
-            },
-            "sessionIssuer": {},
-            "webIdFederationData": {}
+            }
           },
           "type": "Root"
         }
@@ -46,28 +41,15 @@
     },
     "aws": {
       "cloudtrail": {
-        "event_version": "1.08",
         "flattened": {
           "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"<sensitiveDataRemoved>\"}",
           "response_elements": "{\"_return\": true, \"requestId\": \"5fcae0f1-790c-4a86-85aa-0b3fd120e341\"}"
         },
-        "recipient_account_id": "1111111111",
-        "request_parameters": {
-          "userData": "<sensitiveDataRemoved>"
-        },
         "user_identity": {
           "accessKeyId": "ASIA1111111111111",
           "accountId": "1111111111",
           "arn": "arn:aws:iam::1111111111:root",
           "principalId": "1111111111",
-          "sessionContext": {
-            "attributes": {
-              "creationDate": "2022-08-31T07:20:10Z",
-              "mfaAuthenticated": "true"
-            },
-            "sessionIssuer": {},
-            "webIdFederationData": {}
-          },
           "type": "Root"
         }
       }

diff --git a/AWS/aws-cloudtrail/tests/event_cloudtrail.json b/AWS/aws-cloudtrail/tests/event_cloudtrail.json
@@ -9,7 +9,6 @@
       "category": [
         "network"
       ],
-      "dataset": "cloudtrail",
       "outcome": "success",
       "provider": "cloudtrail.amazonaws.com",
       "type": [
@@ -23,17 +22,13 @@
       "properties": {
         "recipientAccountId": "1111111111",
         "userIdentity": {
-          "accessKeyId": "ASIA1111111111111",
           "accountId": "1111111111",
           "arn": "arn:aws:iam::1111111111:root",
           "principalId": "1111111111",
           "sessionContext": {
             "attributes": {
-              "creationDate": "2020-08-12T07:04:40Z",
               "mfaAuthenticated": "false"
-            },
-            "sessionIssuer": {},
-            "webIdFederationData": {}
+            }
           },
           "type": "Root"
         }
@@ -43,24 +38,14 @@
     },
     "aws": {
       "cloudtrail": {
-        "event_version": "1.05",
         "flattened": {
           "request_parameters": "{\"eventCategory\": \"insight\", \"maxResults\": 50}"
         },
-        "recipient_account_id": "1111111111",
         "user_identity": {
           "accessKeyId": "ASIA1111111111111",
           "accountId": "1111111111",
           "arn": "arn:aws:iam::1111111111:root",
           "principalId": "1111111111",
-          "sessionContext": {
-            "attributes": {
-              "creationDate": "2020-08-12T07:04:40Z",
-              "mfaAuthenticated": "false"
-            },
-            "sessionIssuer": {},
-            "webIdFederationData": {}
-          },
           "type": "Root"
         }
       }