add aws_cloudtrail for elastic esql

nazargesyk · nazargesyk · commit b026ddacee15 · 2024-09-18T15:58:47.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml
@@ -0,0 +1,57 @@
+platform: ElasticSearch ES|QL
+source: aws_cloudtrail
+log_source:
+  index: [logs-*]
+default_log_source:
+  index: logs-*
+field_mapping:
+  additionalEventdata: aws.cloudtrail.additional_eventdata
+  apiVersion: aws.cloudtrail.api_version
+  awsRegion: cloud.region
+  errorCode: aws.cloudtrail.error_code
+  errorMessage: aws.cloudtrail.error_message
+  eventID: event.id
+  eventName: event.action
+  eventSource: event.provider
+  eventTime: '@timestamp'
+  eventType: aws.cloudtrail.event_type
+  eventVersion: aws.cloudtrail.event_version
+  managementEvent: aws.cloudtrail.management_event
+  readOnly: aws.cloudtrail.read_only
+  requestID: aws.cloudtrail.request_id
+  requestParameters: aws.cloudtrail.request_parameters
+  resources.accountId: aws.cloudtrail.resources.account_id
+  resources.ARN: aws.cloudtrail.resources.arn
+  resources.type: aws.cloudtrail.resources.type
+  responseElements: aws.cloudtrail.response_elements
+  serviceEventDetails: aws.cloudtrail.service_event_details
+  sharedEventId: aws.cloudtrail.shared_event_id
+  sourceIPAddress: source.address
+  userAgent: user_agent
+  userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
+  userIdentity.accountId: cloud.account.id
+  userIdentity.arn: aws.cloudtrail.user_identity.arn
+  userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
+  userIdentity.principalId: user.id
+  userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
+  userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
+  userIdentity.sessionContext.sessionIssuer.userName: role.name
+  userIdentity.type: aws.cloudtrail.user_identity.type
+  userIdentity.userName: user.name
+  vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
+overrides:
+  - field: event.outcome
+    value: failure
+    regexes:
+      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
+      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
+      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
+      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
+      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
+      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
+      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
+      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))
+  - field: event.outcome
+    value: success
+    literals:
+      - 'NOT (event.outcome:failure)'
