From eb15834d049877b3d41b6d0aecbb0be68aedb745 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 10 Feb 2021 13:25:26 +0100 Subject: [PATCH] Filebeat: Update aws/cloudtrail dataset to ECS 1.8 (#23911) Updates aws/cloudtrail to map multiuser events to ECS 1.8. --- CHANGELOG.next.asciidoc | 1 + .../module/aws/cloudtrail/config/aws-s3.yml | 2 +- .../module/aws/cloudtrail/config/file.yml | 2 +- .../module/aws/cloudtrail/ingest/pipeline.yml | 63 ++++++++++++------- .../add-user-to-group-json.log-expected.json | 3 + .../change-password-json.log-expected.json | 6 ++ .../test/console-login-json.log-expected.json | 6 ++ .../create-access-key-json.log-expected.json | 2 + .../test/create-group-json.log-expected.json | 9 +++ .../create-key-pair-json.log-expected.json | 3 + .../test/create-trail-json.log-expected.json | 3 + .../test/create-user-json.log-expected.json | 3 + ...-virtual-mfa-device-json.log-expected.json | 3 + ...activate-mfa-device-json.log-expected.json | 1 + .../delete-access-key-json.log-expected.json | 2 + .../test/delete-group-json.log-expected.json | 8 +++ ...lete-ssh-public-key-json.log-expected.json | 2 + .../test/delete-trail-json.log-expected.json | 3 + .../test/delete-user-json.log-expected.json | 2 + ...-virtual-mfa-device-json.log-expected.json | 3 + ...iguration_recorders-json.log-expected.json | 3 + .../enable-mfa-device-json.log-expected.json | 2 + ...ove-user-from-group-json.log-expected.json | 3 + .../test/start-logging-json.log-expected.json | 3 + .../test/stop-logging-json.log-expected.json | 3 + .../update-access-key-json.log-expected.json | 2 + ...out-password-policy-json.log-expected.json | 3 + .../test/update-group-json.log-expected.json | 8 +++ ...pdate-login-profile-json.log-expected.json | 2 + ...date-ssh-public-key-json.log-expected.json | 4 ++ .../test/update-trail-json.log-expected.json | 6 ++ .../test/update-user-json.log-expected.json | 3 + ...load-ssh-public-key-json.log-expected.json | 1 + 33 files changed, 146 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 317f9a63ded..2ef3c008545 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -840,6 +840,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] - Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] - Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931] +- Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] *Heartbeat* diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml index 4cc64e9e561..fc501fd4705 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml @@ -66,4 +66,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index 6339940d432..8e04baa3395 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 76cf0f936b6..c2a46c88090 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -27,6 +27,11 @@ processors: field: "json.userIdentity.type" target_field: "aws.cloudtrail.user_identity.type" ignore_failure: true + - append: + field: related.user + value: '{{json.userIdentity.userName}}' + allow_duplicates: false + if: 'ctx.json?.userIdentity?.userName != null' - rename: field: "json.userIdentity.userName" target_field: "user.name" @@ -225,28 +230,16 @@ processors: field: "json.vpcEndpointId" target_field: "aws.cloudtrail.vpc_endpoint_id" ignore_failure: true - - script: - lang: painless - ignore_failure: true - source: >- - void addRelatedUser(def ctx, String userName) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.related.user.add(userName); - } - if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.userName != null) { - addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.userName); - } - if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null) { - addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.newUserName); - } - + - append: + field: related.user + value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' + allow_duplicates: false + if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.userName != null' + - append: + field: related.user + value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' + allow_duplicates: false + if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null' - script: lang: painless ignore_failure: true @@ -685,6 +678,32 @@ processors: field: "json.insightDetails" target_field: "aws.cloudtrail.insight_details" ignore_failure: true + - set: + field: group.id + value: '{{aws.cloudtrail.flattened.response_elements.group.groupId}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.target.id + value: '{{aws.cloudtrail.flattened.response_elements.user.userId}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.changes.name + value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: group.name + value: '{{aws.cloudtrail.flattened.request_parameters.groupName}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.target.name + value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' + ignore_empty_value: true + ignore_failure: true + - remove: field: - "json" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 2f49aa15134..50253665f08 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json @@ -27,9 +27,11 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "admin", "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -40,6 +42,7 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "AWSConsole" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index 886d94486ad..f6bb959a8d6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json @@ -29,6 +29,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -70,6 +73,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 720, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index 4d715f61769..ca6b38754cb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "JohnDoe" + ], "service.type": "aws", "source.address": "192.0.2.110", "source.ip": "192.0.2.110", @@ -82,6 +85,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 658, + "related.user": [ + "JaneDoe" + ], "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 9736605a6b2..bfce5b07ccb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json @@ -38,6 +38,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -48,6 +49,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index c3a33c948e4..7487c6d6581 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -36,8 +36,13 @@ "creation" ], "fileset.name": "cloudtrail", + "group.id": "EXAMPLE_ID", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -80,8 +85,12 @@ "creation" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 903, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 41cca74d099..f2ce56d3683 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "72.21.198.64", "source.as.number": 16509, diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index e358d16bc72..66e126a2da2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json @@ -41,6 +41,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index 2fee7445e82..65b0db2d293 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,8 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.id": "EXAMPLEUSERID", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "aws-cli", "user_agent.original": "aws-cli/1.3.2 Python/2.7.5 Windows/7", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index aa2b7a2bc63..5ab34b15c5f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -34,6 +34,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index 3c062a8ef23..2639ed8a490 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json @@ -44,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Alice", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index 2ea8b42fa6c..8146718df72 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -34,6 +34,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 687e4602194..d1c2ab6f9e7 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json @@ -30,8 +30,12 @@ "deletion" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -74,8 +78,12 @@ "deletion" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 747, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index 8c3897af795..d1f4415d4cd 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -34,6 +34,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index 09ad2ddf9d4..58a7d7a36ad 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -24,6 +24,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index b97cdbab3df..ac0c0163b5d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index d770587f648..ec713a1c41b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json index ae3605a03a0..f89c1b5ab53 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json @@ -25,6 +25,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "REDACTED" + ], "service.type": "aws", "source.address": "REDACTED", "tags": [ diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 1f9d3a519bb..253bf3d4523 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "console.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index c4ce4c167be..419a86799cc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json @@ -31,9 +31,11 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "Admin", "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index 586c1ee9421..5d7299ae4c2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -27,6 +27,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json index b3670ee5fac..266cded86f2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json @@ -27,6 +27,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json index 0c517b2c688..4b30eaed7ae 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json @@ -35,6 +35,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -45,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json index e08eea3d071..edb7444604b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json @@ -37,6 +37,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json index 09c00b8d57b..95827327cec 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json @@ -28,8 +28,12 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -74,8 +78,12 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP2", "input.type": "log", "log.offset": 683, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json index 174bae15aa1..6992dc1a978 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json index 204ae7e2e1e..12efc4cf071 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json @@ -35,6 +35,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -45,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" @@ -85,6 +87,7 @@ "input.type": "log", "log.offset": 800, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -95,6 +98,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index 1531a7c1e5a..1d00ae0c171 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -25,6 +25,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "205.251.233.182", "source.as.number": 16509, @@ -92,6 +95,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 766, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json index 08769b6dcca..068c1db631a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json @@ -31,6 +31,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob", "Robert" ], @@ -40,8 +41,10 @@ "tags": [ "forwarded" ], + "user.changes.name": "Robert", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json index 0464fe184a8..d81ec8fa25b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json @@ -45,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Alice", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com"