diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f36c71d469aa..e66a73a1c3e8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -134,6 +134,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Release aws elb fileset as GA. {pull}15426[15426] {issue}15380[15380] - Integrate the azure-eventhub with filebeat azure module (replace the kafka input). {pull}15480[15480] - Release aws s3access fileset to GA. {pull}15431[15431] {issue}15430[15430] +- Add cloudtrail fileset to AWS module. {issue}14657[14657] {pull}15227[15227] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index aa2b645b9247..dbf1bfae9002 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -1070,6 +1070,249 @@ Fields from AWS logs. +[float] +=== cloudtrail + +Fields for AWS CloudTrail logs. + + + +*`aws.cloudtrail.event_version`*:: ++ +-- +The CloudTrail version of the log event format. + + +type: keyword + +-- + +[float] +=== user_identity + +The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained. + + +*`aws.cloudtrail.user_identity.type`*:: ++ +-- +The type of the identity + + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.arn`*:: ++ +-- +The Amazon Resource Name (ARN) of the principal that made the call. + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.access_key_id`*:: ++ +-- +The access key ID that was used to sign the request. + +type: keyword + +-- + +[float] +=== session_context + +If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials + + +*`aws.cloudtrail.user_identity.session_context.mfa_authenticated`*:: ++ +-- +The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false. + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.session_context.creation_date`*:: ++ +-- +The date and time when the temporary security credentials were issued. + +type: date + +-- + +*`aws.cloudtrail.user_identity.invoked_by`*:: ++ +-- +The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. + +type: keyword + +-- + +*`aws.cloudtrail.error_code`*:: ++ +-- +The AWS service error if the request returns an error. + +type: keyword + +-- + +*`aws.cloudtrail.error_message`*:: ++ +-- +If the request returns an error, the description of the error. 
+ +type: keyword + +-- + +*`aws.cloudtrail.request_parameters`*:: ++ +-- +The parameters, if any, that were sent with the request. + +type: keyword + +-- + +*`aws.cloudtrail.response_elements`*:: ++ +-- +The response element for actions that make changes (create, update, or delete actions). + +type: keyword + +-- + +*`aws.cloudtrail.additional_eventdata`*:: ++ +-- +Additional data about the event that was not part of the request or response. + +type: keyword + +-- + +*`aws.cloudtrail.request_id`*:: ++ +-- +The value that identifies the request. The service being called generates this value. + +type: keyword + +-- + +*`aws.cloudtrail.event_type`*:: ++ +-- +Identifies the type of event that generated the event record. + +type: keyword + +-- + +*`aws.cloudtrail.api_version`*:: ++ +-- +Identifies the API version associated with the AwsApiCall eventType value. + +type: keyword + +-- + +*`aws.cloudtrail.management_event`*:: ++ +-- +A Boolean value that identifies whether the event is a management event. + +type: keyword + +-- + +*`aws.cloudtrail.read_only`*:: ++ +-- +Identifies whether this operation is a read-only operation. + +type: keyword + +-- + +[float] +=== resources + +A list of resources accessed in the event. + + +*`aws.cloudtrail.resources.arn`*:: ++ +-- +Resource ARNs + +type: keyword + +-- + +*`aws.cloudtrail.resources.account_id`*:: ++ +-- +Account ID of the resource owner + +type: keyword + +-- + +*`aws.cloudtrail.resources.type`*:: ++ +-- +Resource type identifier in the format: AWS::aws-service-name::data-type-name + +type: keyword + +-- + +*`aws.cloudtrail.recipient_account_id`*:: ++ +-- +Represents the account ID that received this event. + +type: keyword + +-- + +*`aws.cloudtrail.service_event_details`*:: ++ +-- +Identifies the service event, including what triggered the event and the result. 
+ +type: keyword + +-- + +*`aws.cloudtrail.shared_event_id`*:: ++ +-- +GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. + +type: keyword + +-- + +*`aws.cloudtrail.vpc_endpoint_id`*:: ++ +-- +Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. + +type: keyword + +-- + [float] === elb diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index b58cd934b532..f07c013b77cf 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc @@ -14,12 +14,13 @@ beta[] This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification. This module supports reading s3 server -access logs with `s3access` fileset, ELB access logs with `elb` fileset and VPC -flow logs with `vpc` fileset. +access logs with `s3access` fileset, ELB access logs with `elb` fileset, VPC +flow logs with `vpc` fileset, and CloudTrail logs with `cloudtrail` fileset. Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and -from network interfaces in AWS VPC. +from network interfaces in AWS VPC. CloudTrail logs contain events +that represent actions taken by a user, role or AWS service. [float] === Example dashboard @@ -62,6 +63,15 @@ Example config: # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Profile name for aws credential + #var.credential_profile_name: fb-aws + + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Profile name for aws credential #var.credential_profile_name: fb-aws ---- 
@@ -74,6 +84,12 @@ AWS SQS queue url. AWS credential profile name. +=== CloudTrail fileset + +The `cloudtrail` fileset does not read the CloudTrail Digest files +that are delivered to the S3 bucket when Log File Integrity is turned +on, it only reads the CloudTrail logs. + [float] === Fields diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d4ba4fa26659..45a2c918c831 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -123,6 +123,15 @@ filebeat.modules: # Profile name for aws credential #var.credential_profile_name: fb-aws + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Profile name for aws credential + #var.credential_profile_name: fb-aws + #-------------------------------- Azure Module -------------------------------- - module: azure # All logs diff --git a/x-pack/filebeat/module/aws/_meta/config.yml b/x-pack/filebeat/module/aws/_meta/config.yml index 492a7c6455f4..98ab79d69f52 100644 --- a/x-pack/filebeat/module/aws/_meta/config.yml +++ b/x-pack/filebeat/module/aws/_meta/config.yml @@ -25,3 +25,12 @@ # Profile name for aws credential #var.credential_profile_name: fb-aws + + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Profile name for aws credential + #var.credential_profile_name: fb-aws diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index e06f6d2c9278..f35c2e9e4d5f 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc 
@@ -9,12 +9,13 @@ beta[] This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification. This module supports reading s3 server -access logs with `s3access` fileset, ELB access logs with `elb` fileset and VPC -flow logs with `vpc` fileset. +access logs with `s3access` fileset, ELB access logs with `elb` fileset, VPC +flow logs with `vpc` fileset, and CloudTrail logs with `cloudtrail` fileset. Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and -from network interfaces in AWS VPC. +from network interfaces in AWS VPC. CloudTrail logs contain events +that represent actions taken by a user, role or AWS service. [float] === Example dashboard @@ -57,6 +58,15 @@ Example config: # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Profile name for aws credential + #var.credential_profile_name: fb-aws + + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Profile name for aws credential #var.credential_profile_name: fb-aws ---- @@ -68,3 +78,9 @@ AWS SQS queue url. *`var.credential_profile_name`*:: AWS credential profile name. + +=== CloudTrail fileset + +The `cloudtrail` fileset does not read the CloudTrail Digest files +that are delivered to the S3 bucket when Log File Integrity is turned +on, it only reads the CloudTrail logs. diff --git a/x-pack/filebeat/module/aws/cloudtrail/README.md b/x-pack/filebeat/module/aws/cloudtrail/README.md new file mode 100644 index 000000000000..e415c4967acc --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/README.md 
@@ -0,0 +1,39 @@ +Filebeat module for AWS CloudTrail Logs +=== + +Module for AWS CloudTrail logs which captures information about +actions taken by a user, role or an AWS service. Events include +actions taken in the AWS Management Console, AWS Command Line +interface and AWS SDKs and APIs. These logs can +help with: + +* Governance +* Compliance +* Operational and risk auditing + +Implementation based on the description of CloudTrail from the +documentation that can be found in: + +* CloudTrail Record Contents: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html +* CloudTrail Log File Examples: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html + +It should be noted that the `cloudtrail` fileset does not read the +CloudTrail Digest files that are delivered to the S3 bucket when Log +File Integrity is turned on, it only reads the CloudTrail logs. + +How to manual test this module +=== + +* Create a CloudTrail with a S3 bucket as the storage location +* Configure this S3 bucket to send "All object create events" to a SQS queue +* Configure filebeat, using the SQS queue url with s3 notification setup in +previous step. +``` +filebeat.modules: +- module: aws + cloudtrail: + enabled: true + var.queue_url: + var.credential_profile_name: +``` +* Check parsed logs diff --git a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml new file mode 100644 index 000000000000..c9ed891f6d26 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml 
@@ -0,0 +1,135 @@ +- name: cloudtrail + type: group + release: beta + default_field: false + description: > + Fields for AWS CloudTrail logs. + fields: + - name: event_version + type: keyword + description: > + The CloudTrail version of the log event format. + - name: user_identity + type: group + description: >- + The userIdentity element contains details about the type of + IAM identity that made the request, and which credentials were + used. If temporary credentials were used, the element shows how the + credentials were obtained. + fields: + - name: type + type: keyword + description: > + The type of the identity + - name: arn + type: keyword + description: >- + The Amazon Resource Name (ARN) of the principal that made the call. + - name: access_key_id + type: keyword + description: >- + The access key ID that was used to sign the request. + - name: session_context + type: group + description: >- + If the request was made with temporary security + credentials, an element that provides information about the session + that was created for those credentials + fields: + - name: mfa_authenticated + type: keyword + description: >- + The value is true if the root user or IAM user whose + credentials were used for the request also was authenticated with an + MFA device; otherwise, false. + - name: creation_date + type: date + description: >- + The date and time when the temporary security credentials were issued. + - name: invoked_by + type: keyword + description: >- + The name of the AWS service that made the request, such as + Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. + - name: error_code + type: keyword + description: >- + The AWS service error if the request returns an error. + - name: error_message + type: keyword + description: >- + If the request returns an error, the description of the error. + - name: request_parameters + type: keyword + description: >- + The parameters, if any, that were sent with the request. 
+ - name: response_elements + type: keyword + description: >- + The response element for actions that make changes (create, + update, or delete actions). + - name: additional_eventdata + type: keyword + description: >- + Additional data about the event that was not part of the + request or response. + - name: request_id + type: keyword + description: >- + The value that identifies the request. The service being + called generates this value. + - name: event_type + type: keyword + description: >- + Identifies the type of event that generated the event record. + - name: api_version + type: keyword + description: >- + Identifies the API version associated with the AwsApiCall + eventType value. + - name: management_event + type: keyword + description: >- + A Boolean value that identifies whether the event is a + management event. + - name: read_only + type: keyword + description: >- + Identifies whether this operation is a read-only operation. + - name: resources + type: group + description: >- + A list of resources accessed in the event. + fields: + - name: arn + type: keyword + description: >- + Resource ARNs + - name: account_id + type: keyword + description: >- + Account ID of the resource owner + - name: type + type: keyword + description: >- + Resource type identifier in the format: AWS::aws-service-name::data-type-name + - name: recipient_account_id + type: keyword + description: >- + Represents the account ID that received this event. + - name: service_event_details + type: keyword + description: >- + Identifies the service event, including what triggered the + event and the result. + - name: shared_event_id + type: keyword + description: >- + GUID generated by CloudTrail to uniquely identify CloudTrail + events from the same AWS action that is sent to different AWS + accounts. + - name: vpc_endpoint_id + type: keyword + description: >- + Identifies the VPC endpoint in which requests were made from a + VPC to another AWS service, such as Amazon S3. 
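Review bot: `request_parameters`, `response_elements`, `additional_eventdata` and `service_event_details` are mapped as `keyword` but receive the `toString()` of an arbitrarily large map (the assume-role expected output in this commit already shows a value several hundred characters long); if the module's index template applies the usual keyword length limit (`ignore_above`), such values would remain in `_source` but not be indexed, making exactly the events an investigator cares about most (policy documents, trust-policy changes) unsearchable on those fields. Consider a `text` mapping for these four fields, or at least state the truncation behaviour in each description. Separately, `mfa_authenticated`, `management_event` and `read_only` are described as boolean values but typed `keyword`; if that is deliberate (the samples show CloudTrail emitting `mfaAuthenticated` as the string `"false"`), a comment such as `# keyword rather than boolean: CloudTrail emits this as a string` next to the type would stop a later "fix" to `boolean` from breaking existing queries.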
diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/cloudtrail.yml b/x-pack/filebeat/module/aws/cloudtrail/config/cloudtrail.yml
new file mode 100644
index 000000000000..2b1c3b8551b7
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/config/cloudtrail.yml
@@ -0,0 +1,17 @@
+{{ if eq .input "s3" }}
+
+type: s3
+queue_url: {{ .queue_url }}
+credential_profile_name: {{ .credential_profile_name }}
+expand_event_list_from_field: Records
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
new file mode 100644
index 000000000000..0c40e0188beb
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
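Review bot: The `file` branch excludes `.gz` files via `exclude_files: [".gz$"]`, yet CloudTrail delivers its log files to S3 gzip-compressed, so a user who syncs the bucket locally and points `var.paths` at it will, as far as I can tell, get nothing until the files are decompressed. A comment above that line such as `# CloudTrail log files arrive gzip-compressed; decompress them before using the file input` would make the expectation explicit. The s3 branch has no such issue because the s3 input handles the compressed objects itself, though the hunk does not show that and it may be worth a one-line comment too.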
@@ -0,0 +1,214 @@ +--- +description: Pipeline for AWS CloudTrail Logs +processors: + - rename: + field: "message" + target_field: "event.original" + - json: + field: "event.original" + target_field: "json" + - date: + field: "json.eventTime" + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: "json.eventVersion" + target_field: "aws.cloudtrail.event_version" + ignore_failure: true + - rename: + field: "json.userIdentity.type" + target_field: "aws.cloudtrail.user_identity.type" + ignore_failure: true + - rename: + field: "json.userIdentity.userName" + target_field: "user.name" + ignore_failure: true + - rename: + field: "json.userIdentity.principalId" + target_field: "user.id" + ignore_failure: true + - rename: + field: "json.userIdentity.arn" + target_field: "aws.cloudtrail.user_identity.arn" + ignore_failure: true + - rename: + field: "json.userIdentity.accountId" + target_field: "cloud.account.id" + ignore_failure: true + - rename: + field: "json.userIdentity.accessKeyId" + target_field: "aws.cloudtrail.user_identity.access_key_id" + ignore_failure: true + - rename: + field: "json.userIdentity.sessionContext.attributes.mfaAuthenticated" + target_field: "aws.cloudtrail.user_identity.session_context.mfa_authenticated" + ignore_failure: true + - date: + field: "json.userIdentity.sessionContext.attributes.creationDate" + target_field: "aws.cloudtrail.user_identity.session_context.creation_date" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: "json.userIdentity.invokedBy" + target_field: "aws.cloudtrail.user_identity.invoked_by" + ignore_failure: true + - rename: + field: "json.eventSource" + target_field: "event.provider" + ignore_failure: true + - set: + field: "event.action" + value: "{{json.eventName}}" + ignore_failure: true + - rename: + field: "json.awsRegion" + target_field: "cloud.region" + ignore_failure: true + - geoip: + field: "json.sourceIPAddress" + target_field: "source.geo" + 
ignore_failure: true + - rename: + field: "json.sourceIPAddress" + target_field: "source.address" + ignore_failure: true + - user_agent: + field: "json.userAgent" + target_field: "user_agent" + on_failure: + - rename: + field: "json.userAgent" + target_field: "user_agent.original" + ignore_failure: true + - rename: + field: "json.errorCode" + target_field: "aws.cloudtrail.error_code" + ignore_failure: true + - rename: + field: "json.errorMessage" + target_field: "aws.cloudtrail.error_message" + ignore_failure: true + - script: + lang: painless + source: | + if (ctx.json.requestParameters != null) { + ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); + } + ignore_failure: true + - script: + lang: painless + source: | + if (ctx.json.responseElements != null) { + ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); + } + ignore_failure: true + - script: + lang: painless + source: | + if (ctx.json.additionalEventdata != null) { + ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventdata.toString(); + } + ignore_failure: true + - rename: + field: "json.requestId" + target_field: "aws.cloudtrail.request_id" + ignore_failure: true + - rename: + field: "json.eventID" + target_field: event.id + ignore_failure: true + - rename: + field: "json.eventType" + target_field: "aws.cloudtrail.event_type" + ignore_failure: true + - rename: + field: "json.apiVersion" + target_field: "aws.cloudtrail.api_version" + ignore_failure: true + - rename: + field: "json.managementEvent" + target_field: "aws.cloudtrail.management_event" + ignore_failure: true + - rename: + field: "json.readOnly" + target_field: "aws.cloudtrail.read_only" + ignore_failure: true + - rename: + field: "json.resources.ARN" + target_field: "aws.cloudtrail.resources.arn" + ignore_failure: true + - rename: + field: "json.resources.accountId" + target_field: "aws.cloudtrail.resources.account_id" + ignore_failure: true + - rename: + field: 
"json.resources.type" + target_field: "aws.cloudtrail.resources.type" + ignore_failure: true + - rename: + field: "json.recipientAccountId" + target_field: "aws.cloudtrail.recipient_account_id" + ignore_failure: true + - script: + lang: painless + source: | + if (ctx.json.serviceEventDetails != null) { + ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); + } + ignore_failure: true + - rename: + field: "json.sharedEventId" + target_field: "aws.cloudtrail.shared_event_id" + ignore_failure: true + - rename: + field: "json.vpcEndpointId" + target_field: "aws.cloudtrail.vpc_endpoint_id" + ignore_failure: true + - script: + lang: painless + ignore_failure: true + source: >- + void addRelatedUser(def ctx, String userName) { + if (ctx.related == null) { + Map map = new HashMap(); + ctx.put("related", map); + } + if (ctx.related.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.related.user.add(userName); + } + + ctx.event.type = 'info'; + ctx.event.kind = 'event'; + if (ctx.aws.cloudtrail.error_code != null || ctx.aws.cloudtrail.error_message != null) { + ctx.event.outcome = 'failure' + } else { + ctx.event.outcome = 'success' + } + + if (ctx.json?.eventName == 'ConsoleLogin') { + ctx.event.category = 'authentication'; + if (ctx.json?.responseElements.ConsoleLogin != null) { + ctx.event.outcome = Processors.lowercase(ctx.json.responseElements.ConsoleLogin); + } + } + + if (ctx.json?.requestParameters.userName != null) { + addRelatedUser(ctx, ctx.json.requestParameters.userName); + } + if (ctx.json?.requestParameters.newUserName != null) { + addRelatedUser(ctx, ctx.json.requestParameters.newUserName); + } + - remove: + field: + - "json" + ignore_missing: true +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" 
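Review bot: The null-safe operator in the final painless script guards only `ctx.json`, not the nested element, so `ctx.json?.requestParameters.userName` and `ctx.json?.responseElements.ConsoleLogin` throw when `requestParameters` or `responseElements` is `null` — the change-password sample in this commit carries `"requestParameters":null` — and the script's `ignore_failure: true` then hides the abort, silently dropping the `related.user` enrichment for exactly those events. The three checks should read `if (ctx.json?.requestParameters?.userName != null) {`, `if (ctx.json?.requestParameters?.newUserName != null) {` and `if (ctx.json?.responseElements?.ConsoleLogin != null) {`. A second gap for anyone writing detections on this dataset is that `json.sourceIPAddress` only ever lands in `source.address` (it can also carry a service name rather than an address), so `source.ip` is never populated; a `convert` processor with `type: ip`, `target_field: source.ip` and `ignore_failure: true` placed before the rename would fill it whenever the value is a real IP. The `userIdentity.sessionContext.sessionIssuer` block, which names the role an `AssumedRole` principal was issued from (visible in the assume-role sample), is also left unmapped and is removed with the rest of `json` at the end of the pipeline.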
diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml
new file mode 100644
index 000000000000..915da46a368c
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml
@@ -0,0 +1,8 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: s3
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/cloudtrail.yml
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log
new file mode 100644
index 000000000000..4c067668bedb
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-25T18:45:11Z"}}},"eventTime":"2014-03-25T21:08:14Z","eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup","awsRegion":"us-east-2","sourceIPAddress":"127.0.0.1","userAgent":"AWSConsole","requestParameters":{"userName":"Bob","groupName":"admin"},"responseElements":null}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
new file mode 100644
index 000000000000..8d4de2e8d851
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
@@ -0,0 +1,35 @@ +[ + { + "@timestamp": "2014-03-25T21:08:14.000Z", + "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.request_parameters": "{groupName=admin, userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice", + "aws.cloudtrail.user_identity.session_context.creation_date": "2014-03-25T18:45:11.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "123456789012", + "cloud.region": "us-east-2", + "event.action": "AddUserToGroup", + "event.dataset": "aws.cloudtrail", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-25T18:45:11Z\"}}},\"eventTime\":\"2014-03-25T21:08:14Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AddUserToGroup\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"AWSConsole\",\"requestParameters\":{\"userName\":\"Bob\",\"groupName\":\"admin\"},\"responseElements\":null}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EX_PRINCIPAL_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "AWSConsole" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log
new file mode 100644
index 000000000000..c2a4a5e884bb
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"123.145.67.89","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json new file mode 100644 index 000000000000..5764198ad935 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json 
@@ -0,0 +1,45 @@ +[ + { + "@timestamp": "2019-10-02T22:12:29.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "111111111111", + "aws.cloudtrail.request_parameters": "{incomingTransitiveTags={Department=Engineering}, transitiveTagKeys=[Email, CostCenter], durationSeconds=3600, roleArn=arn:aws:iam::111111111111:role/JohnRole2, roleSessionName=Role2WithTags, tags=[{value=johndoe@example.com, key=Email}, {value=12345, key=CostCenter}]}", + "aws.cloudtrail.response_elements": "{assumedRoleUser={assumedRoleId=AROAIFR7WHDTSOYQYHFUE:Role2WithTags, arn=arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags}, credentials={accessKeyId=ASIAWHOJDLGPOEXAMPLE, sessionToken=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, expiration=Oct 2, 2019 11:12:29 PM}}", + "aws.cloudtrail.user_identity.access_key_id": "AKIAI44QH8DHBEXAMPLE", + "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1", + "aws.cloudtrail.user_identity.session_context.creation_date": "2019-10-02T21:50:54.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "AssumedRole", + "cloud.account.id": "111111111111", + "cloud.region": "us-east-2", + "event.action": "AssumeRole", + "event.dataset": "aws.cloudtrail", + "event.id": "1917948f-3042-46ec-98e2-62865EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": 
"{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"123.145.67.89\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 PM\",\"sessionToken\":\"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\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}", + "event.outcome": "success", + "event.provider": "sts.amazonaws.com", + "event.type": "info", + "fileset.name": 
"cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "123.145.67.89", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 29.5569, + "source.geo.location.lon": 106.5531, + "source.geo.region_iso_code": "CN-CQ", + "source.geo.region_name": "Chongqing", + "user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239", + "user_agent.os.full": "Linux 4.9.184", + "user_agent.os.name": "Linux", + "user_agent.os.version": "4.9.184", + "user_agent.version": "1.16.248" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log new file mode 100644 index 000000000000..b3c1f2a10d31 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log 
@@ -0,0 +1,2 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T00:09:33Z","eventSource":"iam.amazonaws.com","eventName":"ChangePassword","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","errorCode":"AccessDeniedException","errorMessage":"An unknown error occurred","requestParameters":null,"responseElements":null,"requestID":"EXAMPLE-5204-4fed-9c60-9c6EXAMPLE","eventID":"EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T00:03:36Z","eventSource":"iam.amazonaws.com","eventName":"ChangePassword","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":null,"responseElements":null,"requestID":"EXAMPLE-5c16-4eda-9724-EXAMPLE","eventID":"EXAMPLE-35a7-4c25-9fc7-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
new file mode 100644
index 000000000000..d967399e83f0
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
@@ -0,0 +1,66 @@ +[ + { + "@timestamp": "2020-01-09T00:09:33.000Z", + "aws.cloudtrail.error_code": "AccessDeniedException", + "aws.cloudtrail.error_message": "An unknown error occurred", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "ChangePassword", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:09:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"AccessDeniedException\",\"errorMessage\":\"An unknown error occurred\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5204-4fed-9c60-9c6EXAMPLE\",\"eventID\":\"EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "failure", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "0123456789012", + "user.name": "Alice", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 
Darwin/18.7.0 botocore/1.13.46", + "user_agent.version": "1.16.310" + }, + { + "@timestamp": "2020-01-09T00:03:36.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "ChangePassword", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-35a7-4c25-9fc7-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:03:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5c16-4eda-9724-EXAMPLE\",\"eventID\":\"EXAMPLE-35a7-4c25-9fc7-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 720, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "0123456789012", + "user.name": "Alice", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", + "user_agent.version": "1.16.310" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log
new file mode 100644
index 000000000000..8ba60a6408cc
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log
@@ -0,0 +1,2 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.110","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
new file mode 100644
index 000000000000..ea7052e9a03a
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
@@ -0,0 +1,69 @@ +[ + { + "@timestamp": "2014-07-16T15:49:27.000Z", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "111122223333", + "cloud.region": "us-east-2", + "event.action": "ConsoleLogin", + "event.category": "authentication", + "event.dataset": "aws.cloudtrail", + "event.id": "3fcfb182-98f8-4744-bd45-10aEXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.110\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}", + "event.outcome": "success", + "event.provider": "signin.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "192.0.2.110", + "user.id": "AIDACKCEVSQ6C2EXAMPLE", + "user.name": "JohnDoe", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0", + "user_agent.os.full": "Windows 7", + "user_agent.os.name": "Windows", + "user_agent.os.version": "7", + "user_agent.version": "24.0." 
+ }, + { + "@timestamp": "2014-07-08T17:35:27.000Z", + "aws.cloudtrail.error_message": "Failed authentication", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JaneDoe", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "111122223333", + "cloud.region": "us-east-2", + "event.action": "ConsoleLogin", + "event.category": "authentication", + "event.dataset": "aws.cloudtrail", + "event.id": "11ea990b-4678-4bcd-8fbe-625EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", + "event.outcome": "failure", + "event.provider": "signin.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 658, + "service.type": "aws", + "source.address": "192.0.2.100", + "user.id": "AIDACKCEVSQ6C2EXAMPLE", + "user.name": "JaneDoe", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0", + "user_agent.os.full": "Windows 7", + "user_agent.os.name": "Windows", + "user_agent.os.version": "7", 
+ "user_agent.version": "24.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log new file mode 100644 index 000000000000..d18fcffb9336 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T20:43:06Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"userName":"Bob"},"responseElements":{"accessKey":{"accessKeyId":"EXAMPLE_KEY_ID","status":"Active","userName":"Bob","createDate":"Jan 8, 2020 8:43:06 PM"}},"requestID":"EXAMPLE-823a-48dc-8fa9-EXAMPLE","eventID":"EXAMPLE-3cab-40f8-938b-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json new file mode 100644 index 000000000000..d186d96fd9c0 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json 
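Review bot: Both ConsoleLogin fixtures carry `"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"}` inside event.original, yet no `aws.cloudtrail.*` field in either expected document surfaces `MFAUsed` or `LoginTo`, so the pipeline appears to discard `additionalEventData` altogether. A console sign-in without MFA is among the first things a detection on this dataset would query, and right now it is only reachable by pattern-matching `event.original`; consider mapping it to a keyword field such as `aws.cloudtrail.additional_eventdata.mfa_used` (and `login_to`) and asserting it in this fixture. Separately, both documents freeze `"user_agent.version": "24.0."` with a trailing dot for `Firefox/24.0`, which looks like a user_agent processor quirk rather than the intended value and is worth confirming before it becomes the golden output.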
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2020-01-08T20:43:06.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{userName=Bob}", + "aws.cloudtrail.response_elements": "{accessKey={accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Active, createDate=Jan 8, 2020 8:43:06 PM}}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "CreateAccessKey", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-3cab-40f8-938b-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:43:06Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"accessKey\":{\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"status\":\"Active\",\"userName\":\"Bob\",\"createDate\":\"Jan 8, 2020 8:43:06 
PM\"}},\"requestID\":\"EXAMPLE-823a-48dc-8fa9-EXAMPLE\",\"eventID\":\"EXAMPLE-3cab-40f8-938b-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log new file mode 100644 index 000000000000..f46f6d474c6a --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log 
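Review bot: `related.user` contains only the target user `Bob` taken from requestParameters, while the acting identity Alice appears solely in `user.name`; ECS intends related.user to collect every user name present in the event so an analyst can pivot on one field, and key creation on behalf of another user is exactly the case where both names matter. Suggest `"related.user": ["Alice", "Bob"]` here, and the same for the CreateUser expectation further down which has the identical shape. The newly created key ID `EXAMPLE_KEY_ID` is also reachable only inside the flattened `aws.cloudtrail.response_elements` string, so a hunt for a specific key ID has to be a wildcard query on that field rather than an exact match.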
@@ -0,0 +1,2 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-09T01:48:44Z","eventSource":"iam.amazonaws.com","eventName":"CreateGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"groupName":"TEST-GROUP"},"responseElements":{"group":{"createDate":"Jan 9, 2020 1:48:44 AM","path":"/","arn":"arn:aws:iam::0123456789012:group/TEST-GROUP","groupName":"TEST-GROUP","groupId":"EXAMPLE_ID"}},"requestID":"EXAMPLE-769d-4a61-b731-EXAMPLE","eventID":"EXAMPLE-37ec-425a-a7ef-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T02:22:03Z","eventSource":"iam.amazonaws.com","eventName":"CreateGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","errorCode":"EntityAlreadyExistsException","errorMessage":"Group with name TEST-GROUP already exists.","requestParameters":{"groupName":"TEST-GROUP"},"responseElements":null,"requestID":"EXAMPLE-c8ae-44dc-8114-EXAMPLE","eventID":"EXAMPLE-09c6-4745-af70-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json
new file mode 100644
index 000000000000..389a0c3cacdc
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-01-09T01:48:44.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", + "aws.cloudtrail.response_elements": "{group={path=/, groupName=TEST-GROUP, groupId=EXAMPLE_ID, arn=arn:aws:iam::0123456789012:group/TEST-GROUP, createDate=Jan 9, 2020 1:48:44 AM}}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "CreateGroup", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-37ec-425a-a7ef-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T01:48:44Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":{\"group\":{\"createDate\":\"Jan 9, 2020 1:48:44 
AM\",\"path\":\"/\",\"arn\":\"arn:aws:iam::0123456789012:group/TEST-GROUP\",\"groupName\":\"TEST-GROUP\",\"groupId\":\"EXAMPLE_ID\"}},\"requestID\":\"EXAMPLE-769d-4a61-b731-EXAMPLE\",\"eventID\":\"EXAMPLE-37ec-425a-a7ef-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "0123456789012", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + }, + { + "@timestamp": "2020-01-09T02:22:03.000Z", + "aws.cloudtrail.error_code": "EntityAlreadyExistsException", + "aws.cloudtrail.error_message": "Group with name TEST-GROUP already exists.", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "CreateGroup", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-09c6-4745-af70-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:22:03Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 
Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"EntityAlreadyExistsException\",\"errorMessage\":\"Group with name TEST-GROUP already exists.\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-c8ae-44dc-8114-EXAMPLE\",\"eventID\":\"EXAMPLE-09c6-4745-af70-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "failure", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 903, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "0123456789012", + "user.name": "Alice", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", + "user_agent.version": "1.16.310" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log new file mode 100644 index 000000000000..5b9c40ad40c4 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"72.21.198.64","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}} 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json new file mode 100644 index 000000000000..e5009e5eff79 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json 
@@ -0,0 +1,41 @@ +[ + { + "@timestamp": "2014-03-06T17:10:34.000Z", + "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.request_parameters": "{keyName=mykeypair}", + "aws.cloudtrail.response_elements": "{keyMaterial=, keyFingerprint=30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21, keyName=mykeypair}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice", + "aws.cloudtrail.user_identity.session_context.creation_date": "2014-03-06T15:15:06.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "123456789012", + "cloud.region": "us-east-2", + "event.action": "CreateKeyPair", + "event.dataset": "aws.cloudtrail", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"72.21.198.64\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\"}}", + "event.outcome": "success", + "event.provider": "ec2.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "72.21.198.64", + "source.geo.city_name": 
"Ashburn", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 39.0481, + "source.geo.location.lon": -77.4728, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "user.id": "EX_PRINCIPAL_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx", + "user_agent.os.name": "Linux" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log new file mode 100644 index 000000000000..ebc0c708b042 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log 
@@ -0,0 +1 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T15:30:25Z","eventSource":"cloudtrail.amazonaws.com","eventName":"CreateTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"TEST-trail","s3BucketName":"TEST-cloudtrail-bucket","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"enableLogFileValidation":true,"kmsKeyId":"","isOrganizationTrail":false},"responseElements":{"name":"TEST-trail","s3BucketName":"TEST-cloudtrail-bucket","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"trailARN":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","logFileValidationEnabled":true,"isOrganizationTrail":false},"requestID":"EXAMPLE-5149-4cf2-be99-EXAMPLE","eventID":"EXAMPLE-d04b-4eff-833a-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json
new file mode 100644
index 000000000000..215f12dc6cd0
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json
@@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2020-01-08T15:30:25.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.read_only": false, + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{isMultiRegionTrail=true, s3BucketName=TEST-cloudtrail-bucket, name=TEST-trail, enableLogFileValidation=true, kmsKeyId=, isOrganizationTrail=false, includeGlobalServiceEvents=true}", + "aws.cloudtrail.response_elements": "{logFileValidationEnabled=true, isMultiRegionTrail=true, s3BucketName=TEST-cloudtrail-bucket, name=TEST-trail, trailARN=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail, isOrganizationTrail=false, includeGlobalServiceEvents=true}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-west-2", + "event.action": "CreateTrail", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-d04b-4eff-833a-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": 
"{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"CreateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"enableLogFileValidation\":true,\"kmsKeyId\":\"\",\"isOrganizationTrail\":false},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":true,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-5149-4cf2-be99-EXAMPLE\",\"eventID\":\"EXAMPLE-d04b-4eff-833a-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "cloudtrail.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log
new file mode 100644
index 000000000000..37e60f3f86cb
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2014-03-24T21:11:59Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-east-2","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.3.2 Python/2.7.5 Windows/7","requestParameters":{"userName":"Bob"},"responseElements":{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json
new file mode 100644
index 000000000000..fa4ae8748682
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json
@@ -0,0 +1,36 @@ +[ + { + "@timestamp": "2014-03-24T21:11:59.000Z", + "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.request_parameters": "{userName=Bob}", + "aws.cloudtrail.response_elements": "{user={path=/, userName=Bob, arn=arn:aws:iam::123456789012:user/Bob, userId=EXAMPLEUSERID, createDate=Mar 24, 2014 9:11:59 PM}}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "123456789012", + "cloud.region": "us-east-2", + "event.action": "CreateUser", + "event.dataset": "aws.cloudtrail", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2014-03-24T21:11:59Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateUser\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.3.2 Python/2.7.5 Windows/7\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"user\":{\"createDate\":\"Mar 24, 2014 9:11:59 PM\",\"userName\":\"Bob\",\"arn\":\"arn:aws:iam::123456789012:user/Bob\",\"path\":\"/\",\"userId\":\"EXAMPLEUSERID\"}}}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EX_PRINCIPAL_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.3.2 Python/2.7.5 Windows/7", + "user_agent.os.name": "Windows", + "user_agent.version": "1.3.2" + } +] \ No newline at end of file 
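Review bot: `related.user` in this expected output holds only the target account `Bob`, while the acting principal `Alice` appears solely in `user.name`, so the actor is not reachable through `related.user`; ECS intends that field to collect every user name present in the event. The same pattern shows up in the delete-access-key and delete-ssh-public-key fixtures further down. The pipeline that produces this is outside this chunk, but if it only appends `requestParameters.userName`, appending `user.name` as well would make the expectation read `"related.user": ["Alice", "Bob"]` and let one query find every event a given user either initiated or was the subject of.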
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log new file mode 100644 index 000000000000..5d33cd1ae3d7 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-11-27T15:07:22Z"}}},"eventTime":"2019-11-27T15:10:15Z","eventSource":"iam.amazonaws.com","eventName":"CreateVirtualMFADevice","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"console.amazonaws.com","requestParameters":{"virtualMFADeviceName":"Alice","path":"/"},"responseElements":{"virtualMFADevice":{"serialNumber":"arn:aws:iam::0123456789012:mfa/Alice"}},"requestID":"EXAMPLE-303b-4b0e-a8c7-EXAMPLE","eventID":"EXAMPLE-351c-472a-b089-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json new file mode 100644 index 000000000000..e083f2839024 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json 
@@ -0,0 +1,36 @@ +[ + { + "@timestamp": "2019-11-27T15:10:15.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{path=/, virtualMFADeviceName=Alice}", + "aws.cloudtrail.response_elements": "{virtualMFADevice={serialNumber=arn:aws:iam::0123456789012:mfa/Alice}}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.session_context.creation_date": "2019-11-27T15:07:22.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "CreateVirtualMFADevice", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-351c-472a-b089-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:10:15Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"virtualMFADeviceName\":\"Alice\",\"path\":\"/\"},\"responseElements\":{\"virtualMFADevice\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"}},\"requestID\":\"EXAMPLE-303b-4b0e-a8c7-EXAMPLE\",\"eventID\":\"EXAMPLE-351c-472a-b089-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": 
"iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "console.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log new file mode 100644 index 000000000000..bc8b0627f2ff --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-09T16:36:17Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T00:34:02Z","eventSource":"iam.amazonaws.com","eventName":"DeactivateMFADevice","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"userName":"Alice","serialNumber":"arn:aws:iam::0123456789012:mfa/Alice"},"responseElements":null,"requestID":"EXAMPLE-801a-4624-8fa0-EXAMPLE","eventID":"EXAMPLE-1889-416b-ace9-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json new file mode 100644 index 000000000000..fa4c622a9778 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json 
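Review bot: `aws.cloudtrail.user_identity.session_context.mfa_authenticated` is emitted as the string `"false"` here, whereas the delete-trail fixture below emits `aws.cloudtrail.read_only` as the JSON boolean `false`; two flags of the same kind in one dataset should not differ in type, and a string flag forces every MFA query to match the literal `"true"`. CloudTrail itself serialises `mfaAuthenticated` as a string, so the pipeline (outside this chunk) would need an explicit conversion to boolean before the field is indexed, after which this fixture's expectation would become `"aws.cloudtrail.user_identity.session_context.mfa_authenticated": false`.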
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-10T00:34:02.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice, userName=Alice}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-09T16:36:17.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeactivateMFADevice", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-1889-416b-ace9-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeactivateMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Alice\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-801a-4624-8fa0-EXAMPLE\",\"eventID\":\"EXAMPLE-1889-416b-ace9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + 
"event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Alice" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log new file mode 100644 index 000000000000..63799766f5c6 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T19:09:36Z","eventSource":"iam.amazonaws.com","eventName":"DeleteAccessKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"userName":"Bob","accessKeyId":"EXAMPLE_ID"},"responseElements":null,"requestID":"EXAMPLE-3bea-41fa-a0b4-EXAMPLE","eventID":"EXAMPLE-0698-46bd-998d-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json new file mode 100644 index 000000000000..a48b71415c7a --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json 
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-08T19:09:36.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_ID, userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteAccessKey", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-0698-46bd-998d-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T19:09:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"accessKeyId\":\"EXAMPLE_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-3bea-41fa-a0b4-EXAMPLE\",\"eventID\":\"EXAMPLE-0698-46bd-998d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": 
"log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log new file mode 100644 index 000000000000..913b109d7c0d --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.04","userIdentity":{"type":"AssumedRole","principalId":"AIDAQRSTUVWXYZEXAMPLE:devdsk","arn":"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk","accountId":"777788889999","accessKeyId":"AKIAQRSTUVWXYZEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-11-14T17:25:26Z"},"sessionIssuer":{"type":"Role","principalId":"AIDAQRSTUVWXYZEXAMPLE","arn":"arn:aws:iam::777788889999:role/AssumeNothing","accountId":"777788889999","userName":"AssumeNothing"}}},"eventTime":"2016-11-14T17:25:45Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.1","userAgent":"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]","requestParameters":{"bucketName":"my-test-bucket-cross-account"},"responseElements":null,"requestID":"EXAMPLE463D56D4C","eventID":"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"777788889999"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json new file mode 100644 index 000000000000..df70f16ad506 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json 
@@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2016-11-14T17:25:45.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.04", + "aws.cloudtrail.recipient_account_id": "777788889999", + "aws.cloudtrail.request_parameters": "{bucketName=my-test-bucket-cross-account}", + "aws.cloudtrail.user_identity.access_key_id": "AKIAQRSTUVWXYZEXAMPLE", + "aws.cloudtrail.user_identity.arn": "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk", + "aws.cloudtrail.user_identity.session_context.creation_date": "2016-11-14T17:25:26.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "AssumedRole", + "cloud.account.id": "777788889999", + "cloud.region": "us-east-2", + "event.action": "DeleteBucket", + "event.dataset": "aws.cloudtrail", + "event.id": "dEXAMPLE-265a-41e0-9352-4401bEXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE:devdsk\",\"arn\":\"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\"accountId\":\"777788889999\",\"accessKeyId\":\"AKIAQRSTUVWXYZEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-11-14T17:25:26Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE\",\"arn\":\"arn:aws:iam::777788889999:role/AssumeNothing\",\"accountId\":\"777788889999\",\"userName\":\"AssumeNothing\"}}},\"eventTime\":\"2016-11-14T17:25:45Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"DeleteBucket\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.1\",\"userAgent\":\"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 
botocore/1.4.67]\",\"requestParameters\":{\"bucketName\":\"my-test-bucket-cross-account\"},\"responseElements\":null,\"requestID\":\"EXAMPLE463D56D4C\",\"eventID\":\"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"777788889999\"}", + "event.outcome": "success", + "event.provider": "s3.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "192.0.2.1", + "user.id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]", + "user_agent.os.full": "Linux 3.2.45", + "user_agent.os.name": "Linux", + "user_agent.os.version": "3.2.45", + "user_agent.version": "1.11.10" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log new file mode 100644 index 000000000000..97e75c9ab077 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log 
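Review bot: For this `AssumedRole` event nothing from `sessionContext.sessionIssuer` survives into the expected output: there is no `user.name`, and the role ARN `arn:aws:iam::777788889999:role/AssumeNothing` and `userName` `AssumeNothing` present in the source line above are dropped, even though for assumed-role calls the issuing role is the identity an analyst pivots on. Mapping `sessionIssuer.arn`, `sessionIssuer.type` and `sessionIssuer.userName` (the pipeline is outside this chunk) would let this fixture assert them. Separately, `user_agent.device.name` is `"Spider"` for the `aws-cli ... botocore/...` agent string, which looks like the user-agent parser keying on the `bot` substring of `botocore`; the same value appears in the delete-group and delete-trail fixtures, so consumers should not treat that device name as meaningful for CLI traffic.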
@@ -0,0 +1,2 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-09T02:25:44Z","eventSource":"iam.amazonaws.com","eventName":"DeleteGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"groupName":"TEST-GROUP"},"responseElements":null,"requestID":"EXAMPLE-66cb-4775-a203-EXAMPLE","eventID":"EXAMPLE-cbc2-4cc3-8bbc-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_PRINCIPLE","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-09T02:25:11Z","eventSource":"iam.amazonaws.com","eventName":"DeleteGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","errorCode":"DeleteConflictException","errorMessage":"Cannot delete entity, must detach all policies first.","requestParameters":{"groupName":"TEST-GROUP"},"responseElements":null,"requestID":"EXAMPLE-2a3c-4a94-b24f-EXAMPLE","eventID":"EXAMPLE-5aa2-4b5f-a52a-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json new file mode 100644 index 000000000000..22fb61cafccd --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json 
@@ -0,0 +1,70 @@ +[ + { + "@timestamp": "2020-01-09T02:25:44.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteGroup", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-cbc2-4cc3-8bbc-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T02:25:44Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-66cb-4775-a203-EXAMPLE\",\"eventID\":\"EXAMPLE-cbc2-4cc3-8bbc-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": 
"aws", + "source.address": "127.0.0.1", + "user.id": "0123456789012", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + }, + { + "@timestamp": "2020-01-09T02:25:11.000Z", + "aws.cloudtrail.error_code": "DeleteConflictException", + "aws.cloudtrail.error_message": "Cannot delete entity, must detach all policies first.", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteGroup", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-5aa2-4b5f-a52a-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_PRINCIPLE\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:25:11Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"DeleteConflictException\",\"errorMessage\":\"Cannot delete entity, must detach all policies first.\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-2a3c-4a94-b24f-EXAMPLE\",\"eventID\":\"EXAMPLE-5aa2-4b5f-a52a-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "failure", + "event.provider": 
"iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 747, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_PRINCIPLE", + "user.name": "Alice", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", + "user_agent.version": "1.16.310" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log new file mode 100644 index 000000000000..47451dfe3714 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:07:08Z","eventSource":"iam.amazonaws.com","eventName":"DeleteSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"sSHPublicKeyId":"EXAMPLE_KEY_ID","userName":"Bob"},"responseElements":null,"requestID":"EXAMPLE-7b34-44ae-a22f-EXAMPLE","eventID":"EXAMPLE-72ff-4d4f-9a8d-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json new file mode 100644 index 000000000000..afd79ac5600e --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json 
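Review bot: Both events here carry `event.type: "info"` and no `event.category`, including the failed `DeleteGroup` with `event.outcome: "failure"`; ECS categorisation for an IAM deletion would be `event.category: iam` with `event.type: deletion` (and `creation` for the CreateUser fixture above), which is what lets generic IAM-change views pick these events up without knowing CloudTrail's `eventName` vocabulary. The mapping lives in the pipeline outside this chunk, so only the fixture expectation is visible here. If a per-`eventName` mapping is too broad for this PR, a sentence in the fileset docs stating that `event.type` is currently a constant would avoid misleading consumers.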
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-10T16:07:08.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteSSHPublicKey", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-72ff-4d4f-9a8d-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:07:08Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7b34-44ae-a22f-EXAMPLE\",\"eventID\":\"EXAMPLE-72ff-4d4f-9a8d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", 
+ "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log new file mode 100644 index 000000000000..f747ff2c14a8 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T20:09:51Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail"},"responseElements":null,"requestID":"EXAMPLE-d44f-4a2a-966f-EXAMPLE","eventID":"EXAMPLE-3f9d-4634-8ff1-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json new file mode 100644 index 000000000000..b672da4fb736 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json 
@@ -0,0 +1,35 @@ +[ + { + "@timestamp": "2020-01-09T20:09:51.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.read_only": false, + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-west-2", + "event.action": "DeleteTrail", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-3f9d-4634-8ff1-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T20:09:51Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"DeleteTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-d44f-4a2a-966f-EXAMPLE\",\"eventID\":\"EXAMPLE-3f9d-4634-8ff1-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "cloudtrail.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Spider", + "user_agent.name": "aws-cli", + "user_agent.original": 
"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", + "user_agent.version": "1.16.310" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log new file mode 100644 index 000000000000..ce00f5a11855 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-03T15:26:38Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-03T15:50:52Z","eventSource":"iam.amazonaws.com","eventName":"DeleteUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"userName":"Bob"},"responseElements":null,"requestID":"0e794d53-cdb5-4f7d-b7db-5EXAMPLE","eventID":"b89eb34b-8fcb-4cba-8439-d4EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json new file mode 100644 index 000000000000..e368aaa27cf9 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json 
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-03T15:50:52.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "123456789012", + "aws.cloudtrail.request_parameters": "{userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-03T15:26:38.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteUser", + "event.dataset": "aws.cloudtrail", + "event.id": "b89eb34b-8fcb-4cba-8439-d4EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-03T15:26:38Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-03T15:50:52Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"0e794d53-cdb5-4f7d-b7db-5EXAMPLE\",\"eventID\":\"b89eb34b-8fcb-4cba-8439-d4EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + 
], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EX_PRINCIPAL_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log new file mode 100644 index 000000000000..ad22f516894c --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-09T16:36:17Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T00:34:02Z","eventSource":"iam.amazonaws.com","eventName":"DeleteVirtualMFADevice","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"serialNumber":"arn:aws:iam::0123456789012:mfa/Alice"},"responseElements":null,"requestID":"EXAMPLE-af91-4d1a-aaf2-EXAMPLE","eventID":"EXAMPLE-f8e6-4d5f-8525-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json new file mode 100644 index 000000000000..654c89f9a195 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json 
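Review bot: `related.user` lists only `"Bob"`, the target from `requestParameters.userName`, while the acting identity `"Alice"` is present in `user.name` but absent from `related.user`; ECS defines `related.user` as all user names seen on the event, so an analyst pivoting on `related.user` to find everything an identity touched would miss the actor of a DeleteUser. The pipeline should also append `user.name` to `related.user`, so this fixture would read `"related.user": ["Alice", "Bob"]` (order depending on how the processor appends). The same omission appears in the `enable-mfa-device`, `remove-user-from-group` and `update-access-key` expected fixtures below.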
@@ -0,0 +1,36 @@ +[ + { + "@timestamp": "2020-01-10T00:34:02.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-09T16:36:17.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "DeleteVirtualMFADevice", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-f8e6-4d5f-8525-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-af91-4d1a-aaf2-EXAMPLE\",\"eventID\":\"EXAMPLE-f8e6-4d5f-8525-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": 
"cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log new file mode 100644 index 000000000000..67cdd3ad6e68 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-11-27T15:07:22Z"}}},"eventTime":"2019-11-27T15:11:09Z","eventSource":"iam.amazonaws.com","eventName":"EnableMFADevice","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"console.amazonaws.com","requestParameters":{"userName":"Bob","serialNumber":"arn:aws:iam::0123456789012:mfa/Bob"},"responseElements":null,"requestID":"EXAMPLE-adea-490a-a806-EXAMPLE","eventID":"EXAMPLE-3fdc-4b2a-9885-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json new file mode 100644 index 000000000000..3c662013a649 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json 
@@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2019-11-27T15:11:09.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Bob, userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.session_context.creation_date": "2019-11-27T15:07:22.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "EnableMFADevice", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-3fdc-4b2a-9885-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:11:09Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"EnableMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-adea-490a-a806-EXAMPLE\",\"eventID\":\"EXAMPLE-3fdc-4b2a-9885-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], 
+ "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "console.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log new file mode 100644 index 000000000000..93c180dfe9b0 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-06T14:36:28Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-06T15:19:50Z","eventSource":"iam.amazonaws.com","eventName":"RemoveUserFromGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"groupName":"Admin","userName":"Bob"},"responseElements":null,"requestID":"EXAMPLE-0bf0-47be-bc80-EXAMPLE","eventID":"EXAMPLE-6e8b-431a-94f4-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json new file mode 100644 index 000000000000..c3690e2ebb1c --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json 
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-06T15:19:50.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{groupName=Admin, userName=Bob}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-06T14:36:28.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "RemoveUserFromGroup", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-6e8b-431a-94f4-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-06T14:36:28Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-06T15:19:50Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"RemoveUserFromGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"Admin\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-0bf0-47be-bc80-EXAMPLE\",\"eventID\":\"EXAMPLE-6e8b-431a-94f4-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + 
"log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log new file mode 100644 index 000000000000..e03d924e97bf --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T15:30:25Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StartLogging","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"TEST-trail"},"responseElements":null,"requestID":"EXAMPLE-1c30-4f43-9763-EXAMPLE","eventID":"EXAMPLE-aa78-4a84-a27f-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json new file mode 100644 index 000000000000..ce898dd8eff3 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json 
@@ -0,0 +1,37 @@ +[ + { + "@timestamp": "2020-01-08T15:30:25.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.read_only": false, + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{name=TEST-trail}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-west-2", + "event.action": "StartLogging", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-aa78-4a84-a27f-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StartLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-1c30-4f43-9763-EXAMPLE\",\"eventID\":\"EXAMPLE-aa78-4a84-a27f-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "cloudtrail.amazonaws.com", + 
"event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log new file mode 100644 index 000000000000..b2c96b814b9d --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-09T16:36:17Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-09T16:46:16Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail"},"responseElements":null,"requestID":"EXAMPLE-869f-4fec-86f9-EXAMPLE","eventID":"EXAMPLE-8cc3-42db-9a0d-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json new file mode 100644 index 000000000000..023f0d11d79a --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json 
@@ -0,0 +1,37 @@ +[ + { + "@timestamp": "2020-01-09T16:46:16.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.read_only": false, + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-09T16:36:17.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-west-2", + "event.action": "StopLogging", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-8cc3-42db-9a0d-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": 
"{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T16:46:16Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StopLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-869f-4fec-86f9-EXAMPLE\",\"eventID\":\"EXAMPLE-8cc3-42db-9a0d-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "cloudtrail.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log new file mode 100644 index 000000000000..ed2b823cfcf2 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log 
@@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T15:01:23Z","eventSource":"iam.amazonaws.com","eventName":"UpdateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"status":"Inactive","accessKeyId":"EXAMPLE_KEY_ID","userName":"Bob"},"responseElements":null,"requestID":"EXAMPLE-7d0c-45f4-b25b-EXAMPLE","eventID":"EXAMPLE-0ef0-42cd-8551-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json new file mode 100644 index 000000000000..939fdfbe9f1e --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json 
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2020-01-10T15:01:23.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "UpdateAccessKey", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-0ef0-42cd-8551-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T15:01:23Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7d0c-45f4-b25b-EXAMPLE\",\"eventID\":\"EXAMPLE-0ef0-42cd-8551-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": 
"info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "related.user": [ + "Bob" + ], + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log new file mode 100644 index 000000000000..24094717e84d --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T18:05:33Z","eventSource":"iam.amazonaws.com","eventName":"UpdateAccountPasswordPolicy","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"requireLowercaseCharacters":true,"requireSymbols":true,"requireNumbers":true,"minimumPasswordLength":12,"requireUppercaseCharacters":true,"allowUsersToChangePassword":true},"responseElements":null,"requestID":"EXAMPLE-5ebf-4bc3-a349-EXAMPLE","eventID":"EXAMPLE-91f9-49f3-948c-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json new file mode 100644 index 000000000000..89eb5f8fa631 --- /dev/null 
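Review bot: `aws.cloudtrail.request_parameters` is stored as `"{accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}"`, and the key order differs from the source document (`status, accessKeyId, userName` in `event.original`), which suggests the value is a Java `Map.toString()` of a hash map; that iteration order is not guaranteed stable across JVM or Elasticsearch versions, so this expected output is brittle, and the `{k=v, ...}` form is neither parseable nor queryable per key (for example `status=Inactive` cannot be matched as a field). Consider serializing the parameters as JSON text, or mapping them to an object or `flattened` field, so that detections on specific request parameters are possible. The `update-accout-password-policy` expected fixture below shows the same reordering (`minimumPasswordLength=12, requireSymbols=true, ...` versus the source order).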
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json 
@@ -0,0 +1,36 @@ +[ + { + "@timestamp": "2020-01-10T18:05:33.000Z", + "aws.cloudtrail.event_type": "AwsApiCall", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.recipient_account_id": "0123456789012", + "aws.cloudtrail.request_parameters": "{minimumPasswordLength=12, requireSymbols=true, allowUsersToChangePassword=true, requireLowercaseCharacters=true, requireNumbers=true, requireUppercaseCharacters=true}", + "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", + "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice", + "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com", + "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true", + "aws.cloudtrail.user_identity.type": "IAMUser", + "cloud.account.id": "0123456789012", + "cloud.region": "us-east-1", + "event.action": "UpdateAccountPasswordPolicy", + "event.dataset": "aws.cloudtrail", + "event.id": "EXAMPLE-91f9-49f3-948c-EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": 
"{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:05:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccountPasswordPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"requireLowercaseCharacters\":true,\"requireSymbols\":true,\"requireNumbers\":true,\"minimumPasswordLength\":12,\"requireUppercaseCharacters\":true,\"allowUsersToChangePassword\":true},\"responseElements\":null,\"requestID\":\"EXAMPLE-5ebf-4bc3-a349-EXAMPLE\",\"eventID\":\"EXAMPLE-91f9-49f3-948c-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", + "event.outcome": "success", + "event.provider": "iam.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "source.address": "127.0.0.1", + "user.id": "EXAMPLE_ID", + "user.name": "Alice", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "signin.amazonaws.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log new file mode 100644 index 000000000000..27f9733a7129 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log 
@@ -0,0 +1,2 @@ +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T02:23:11Z","eventSource":"iam.amazonaws.com","eventName":"UpdateGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"newGroupName":"TEST-GROUP2","groupName":"TEST-GROUP"},"responseElements":null,"requestID":"EXAMPLE-c22d-4fca-b40a-EXAMPLE","eventID":"EXAMPLE-c3aa-487b-b05e-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} +{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"0123456789012","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice"},"eventTime":"2020-01-09T02:24:35Z","eventSource":"iam.amazonaws.com","eventName":"UpdateGroup","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","errorCode":"EntityAlreadyExistsException","errorMessage":"Group with name TEST-GROUP already exists.","requestParameters":{"newGroupName":"TEST-GROUP","groupName":"TEST-GROUP2"},"responseElements":null,"requestID":"EXAMPLE-f673-4ce7-8529-EXAMPLE","eventID":"EXAMPLE-6a0b-475c-b5db-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json new file mode 100644 index 000000000000..ca6b0f783e82 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json 
@@ -0,0 +1,68 @@
+[
+ {
+ "@timestamp": "2020-01-09T02:23:11.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP, newGroupName=TEST-GROUP2}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateGroup",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-c3aa-487b-b05e-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:23:11Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"newGroupName\":\"TEST-GROUP2\",\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-c22d-4fca-b40a-EXAMPLE\",\"eventID\":\"EXAMPLE-c3aa-487b-b05e-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "0123456789012",
+ "user.name": "Alice",
+ "user_agent.device.name": "Spider",
+ "user_agent.name": "aws-cli",
+ "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46",
+ "user_agent.version": "1.16.310"
+ },
+ {
+ "@timestamp": "2020-01-09T02:24:35.000Z",
+ "aws.cloudtrail.error_code": "EntityAlreadyExistsException",
+ "aws.cloudtrail.error_message": "Group with name TEST-GROUP already exists.",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP2, newGroupName=TEST-GROUP}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateGroup",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-6a0b-475c-b5db-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:24:35Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"EntityAlreadyExistsException\",\"errorMessage\":\"Group with name TEST-GROUP already exists.\",\"requestParameters\":{\"newGroupName\":\"TEST-GROUP\",\"groupName\":\"TEST-GROUP2\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-f673-4ce7-8529-EXAMPLE\",\"eventID\":\"EXAMPLE-6a0b-475c-b5db-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "failure",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 683,
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "0123456789012",
+ "user.name": "Alice",
+ "user_agent.device.name": "Spider",
+ "user_agent.name": "aws-cli",
+ "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46",
+ "user_agent.version": "1.16.310"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log
new file mode 100644
index 000000000000..5dc6e47cb5ec
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T18:25:42Z","eventSource":"iam.amazonaws.com","eventName":"UpdateLoginProfile","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"userName":"Bob"},"responseElements":null,"requestID":"EXAMPLE-0dc6-447a-8859-EXAMPLE","eventID":"EXAMPLE-c3b6-4498-b818-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
new file mode 100644
index 000000000000..19b4208c57e9
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
@@ -0,0 +1,39 @@
+[
+ {
+ "@timestamp": "2020-01-10T18:25:42.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{userName=Bob}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com",
+ "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z",
+ "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateLoginProfile",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-c3b6-4498-b818-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:25:42Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateLoginProfile\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-0dc6-447a-8859-EXAMPLE\",\"eventID\":\"EXAMPLE-c3b6-4498-b818-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.user": [
+ "Bob"
+ ],
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EXAMPLE_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "signin.amazonaws.com"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log
new file mode 100644
index 000000000000..6a31d001b620
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log
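Review bot: `related.user` in this expected document carries only the target `Bob` from requestParameters.userName, while the acting principal `Alice`, already present in `user.name`, is absent; ECS intends related.user to collect every user named in the event so that one term query on that field finds both the actor and the account being changed. The same shape appears in the update-user-json.log-expected.json hunk (`Bob`, `Robert` but no `Alice`) and, by the same logic, in the update-ssh-public-key-json.log-expected.json hunk. The pipeline that populates the field is outside this chunk, so if leaving the actor out is deliberate a comment there stating that would help; otherwise the expected arrays should also contain the `user.name` value, e.g. `"related.user": ["Alice", "Bob"]` here.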
@@ -0,0 +1,2 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:54Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"status":"Inactive","userName":"Bob","sSHPublicKeyId":"EXAMPLE_KEY_ID"},"responseElements":null,"requestID":"EXAMPLE-32f3-4a92-82e1-EXAMPLE","eventID":"EXAMPLE-5c88-4652-9ee9-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:54Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"status":"Inactive","userName":"Bob","sSHPublicKeyId":"EXAMPLE_KEY_ID"},"responseElements":null,"requestID":"EXAMPLE-32f3-4a92-82e1-EXAMPLE","eventID":"EXAMPLE-5c88-4652-9ee9-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
new file mode 100644
index 000000000000..479fafa3ca35
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
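Review bot: The two fixture lines in this hunk are byte-identical — same eventID `EXAMPLE-5c88-4652-9ee9-EXAMPLE`, same requestID and eventTime — so the second line adds no coverage, and the matching expected file (the next hunk) simply repeats the first document with `log.offset` 800. A duplicated event.id in a fixture also makes it easy to miss that nothing downstream suppresses replays of the same CloudTrail record. Either drop the second line or give it a distinct eventID and outcome (update-group-json.log pairs a success with an `errorCode` case, which is the more useful second line), so the fixture exercises a second path instead of the same one twice.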
@@ -0,0 +1,76 @@
+[
+ {
+ "@timestamp": "2020-01-10T16:06:54.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com",
+ "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z",
+ "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateSSHPublicKey",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-5c88-4652-9ee9-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.user": [
+ "Bob"
+ ],
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EXAMPLE_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "signin.amazonaws.com"
+ },
+ {
+ "@timestamp": "2020-01-10T16:06:54.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com",
+ "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z",
+ "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateSSHPublicKey",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-5c88-4652-9ee9-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 800,
+ "related.user": [
+ "Bob"
+ ],
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EXAMPLE_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "signin.amazonaws.com"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log
new file mode 100644
index 000000000000..f8a9bc9e2a34
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log
@@ -0,0 +1,2 @@
+{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"205.251.233.182","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T20:58:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","isMultiRegionTrail":true,"enableLogFileValidation":false,"kmsKeyId":""},"responseElements":{"name":"TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","snsTopicARN":"","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"trailARN":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","logFileValidationEnabled":false,"isOrganizationTrail":false},"requestID":"EXAMPLE-f3da-42d1-84f5-EXAMPLE","eventID":"EXAMPLE-b5e9-4846-8407-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
new file mode 100644
index 000000000000..1eb130c2a62b
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
@@ -0,0 +1,80 @@
+[
+ {
+ "@timestamp": "2016-07-14T19:15:45.000Z",
+ "aws.cloudtrail.error_code": "TrailNotFoundException",
+ "aws.cloudtrail.error_message": "Unknown trail: myTrail2 for the user: 123456789012",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.04",
+ "aws.cloudtrail.recipient_account_id": "123456789012",
+ "aws.cloudtrail.request_parameters": "{name=myTrail2}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "123456789012",
+ "cloud.region": "us-east-2",
+ "event.action": "UpdateTrail",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "b7d4398e-b2f0-4faa-9c76-e2EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"205.251.233.182\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
+ "event.outcome": "failure",
+ "event.provider": "cloudtrail.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "aws",
+ "source.address": "205.251.233.182",
+ "source.geo.city_name": "Boardman",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 45.8491,
+ "source.geo.location.lon": -119.7143,
+ "source.geo.region_iso_code": "US-OR",
+ "source.geo.region_name": "Oregon",
+ "user.id": "EX_PRINCIPAL_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Spider",
+ "user_agent.name": "aws-cli",
+ "user_agent.original": "aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22",
+ "user_agent.os.name": "Windows",
+ "user_agent.version": "1.10.32"
+ },
+ {
+ "@timestamp": "2020-01-08T20:58:45.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.read_only": false,
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{isMultiRegionTrail=true, s3BucketName=test-cloudtrail-bucket, snsTopicName=, name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail, enableLogFileValidation=false, kmsKeyId=}",
+ "aws.cloudtrail.response_elements": "{snsTopicARN=, logFileValidationEnabled=false, isMultiRegionTrail=true, s3BucketName=test-cloudtrail-bucket, snsTopicName=, name=TEST-trail, trailARN=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail, isOrganizationTrail=false, includeGlobalServiceEvents=true}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com",
+ "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-08T15:12:16.000Z",
+ "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-west-2",
+ "event.action": "UpdateTrail",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-b5e9-4846-8407-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:58:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"isMultiRegionTrail\":true,\"enableLogFileValidation\":false,\"kmsKeyId\":\"\"},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"snsTopicARN\":\"\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":false,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-f3da-42d1-84f5-EXAMPLE\",\"eventID\":\"EXAMPLE-b5e9-4846-8407-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "cloudtrail.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 766,
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EXAMPLE_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "signin.amazonaws.com"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log
new file mode 100644
index 000000000000..62721399a405
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log
@@ -0,0 +1,2 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-08T20:53:12Z","eventSource":"iam.amazonaws.com","eventName":"UpdateUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"userName":"Bob","newUserName":"Robert"},"responseElements":null,"requestID":"3a6b3260-739d-465e-9406-bcEXAMPLE","eventID":"9150d546-3564-4262-8e62-110EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
+
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
new file mode 100644
index 000000000000..81a1d43be16a
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
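Review bot: The update-user-json.log fixture ends with an empty second line (the hunk's `+1,2` count includes it), which the expected output in the next hunk silently drops since it holds a single document. A trailing blank line is easy to mistake for an intended empty-event case and differs from the other log fixtures in this commit, which end on their last record. Trim it so the file carries exactly the one event that update-user-json.log-expected.json asserts.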
@@ -0,0 +1,38 @@
+[
+ {
+ "@timestamp": "2020-01-08T20:53:12.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "123456789012",
+ "aws.cloudtrail.request_parameters": "{newUserName=Robert, userName=Bob}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UpdateUser",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "9150d546-3564-4262-8e62-110EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-08T20:53:12Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"userName\":\"Bob\",\"newUserName\":\"Robert\"},\"responseElements\":null,\"requestID\":\"3a6b3260-739d-465e-9406-bcEXAMPLE\",\"eventID\":\"9150d546-3564-4262-8e62-110EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.user": [
+ "Bob",
+ "Robert"
+ ],
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EX_PRINCIPAL_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Spider",
+ "user_agent.name": "aws-cli",
+ "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46",
+ "user_agent.version": "1.16.310"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log
new file mode 100644
index 000000000000..0db4791855bd
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log
@@ -0,0 +1 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:40Z","eventSource":"iam.amazonaws.com","eventName":"UploadSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain","userName":"Alice"},"responseElements":{"sSHPublicKey":{"fingerprint":"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de","status":"Active","uploadDate":"Jan 10, 2020 4:06:40 PM","userName":"Alice","sSHPublicKeyId":"EXAMPLE_KEY_ID","sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain"}},"requestID":"EXAMPLE-44b9-41cd-90f2-EXAMPLE","eventID":"EXAMPLE-9a9d-4da4-9998-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
new file mode 100644
index 000000000000..a07d63346392
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
@@ -0,0 +1,40 @@
+[
+ {
+ "@timestamp": "2020-01-10T16:06:40.000Z",
+ "aws.cloudtrail.event_type": "AwsApiCall",
+ "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.recipient_account_id": "0123456789012",
+ "aws.cloudtrail.request_parameters": "{sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, userName=Alice}",
+ "aws.cloudtrail.response_elements": "{sSHPublicKey={sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, sSHPublicKeyId=EXAMPLE_KEY_ID, uploadDate=Jan 10, 2020 4:06:40 PM, fingerprint=de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de, userName=Alice, status=Active}}",
+ "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
+ "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
+ "aws.cloudtrail.user_identity.invoked_by": "signin.amazonaws.com",
+ "aws.cloudtrail.user_identity.session_context.creation_date": "2020-01-10T14:38:30.000Z",
+ "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
+ "aws.cloudtrail.user_identity.type": "IAMUser",
+ "cloud.account.id": "0123456789012",
+ "cloud.region": "us-east-1",
+ "event.action": "UploadSSHPublicKey",
+ "event.dataset": "aws.cloudtrail",
+ "event.id": "EXAMPLE-9a9d-4da4-9998-EXAMPLE",
+ "event.kind": "event",
+ "event.module": "aws",
+ "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:40Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UploadSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\",\"userName\":\"Alice\"},\"responseElements\":{\"sSHPublicKey\":{\"fingerprint\":\"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de\",\"status\":\"Active\",\"uploadDate\":\"Jan 10, 2020 4:06:40 PM\",\"userName\":\"Alice\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\"}},\"requestID\":\"EXAMPLE-44b9-41cd-90f2-EXAMPLE\",\"eventID\":\"EXAMPLE-9a9d-4da4-9998-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
+ "event.outcome": "success",
+ "event.provider": "iam.amazonaws.com",
+ "event.type": "info",
+ "fileset.name": "cloudtrail",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.user": [
+ "Alice"
+ ],
+ "service.type": "aws",
+ "source.address": "127.0.0.1",
+ "user.id": "EXAMPLE_ID",
+ "user.name": "Alice",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "signin.amazonaws.com"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go
index 030c19715119..e976c49dffa6 100644
--- a/x-pack/filebeat/module/aws/fields.go
+++ b/x-pack/filebeat/module/aws/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetAws returns asset data.
 // This is the base64 encoded gzipped contents of module/aws.
 func AssetAws() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/aws/module.yml b/x-pack/filebeat/module/aws/module.yml
new file mode 100644
index 000000000000..dc4a096b4a19
--- /dev/null
+++ b/x-pack/filebeat/module/aws/module.yml
@@ -0,0 +1,2 @@
+- id: Filebeat-aws-cloudtrail-Dashboard
+ file: Filebeat-aws-cloudtrail.json
diff --git a/x-pack/filebeat/modules.d/aws.yml.disabled b/x-pack/filebeat/modules.d/aws.yml.disabled
index d0c7dcf8692b..b6c2810738f1 100644
--- a/x-pack/filebeat/modules.d/aws.yml.disabled
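Review bot: The golden output for UploadSSHPublicKey shows `aws.cloudtrail.user_identity.session_context.mfa_authenticated` emitted as the string `"true"` and `event.type` as `"info"`, which makes the two fields a detection engineer reaches for first awkward to query: MFA status needs a string comparison instead of a boolean, and an API call that adds a credential to a user is categorised the same as a read-only call. This appears to come from the ingest pipeline and fields definition, which are outside this chunk, so the expected file only reflects the behaviour; if those are changed to a boolean field and an ECS `event.type` that distinguishes state-changing calls, this file would need regenerating. The same `"true"` string shape is visible in the fixture's raw `mfaAuthenticated` value, so a convert step would be needed rather than a plain rename.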
+++ b/x-pack/filebeat/modules.d/aws.yml.disabled @@ -28,3 +28,12 @@ # Profile name for aws credential #var.credential_profile_name: fb-aws + + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Profile name for aws credential + #var.credential_profile_name: fb-aws
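Review bot: The new `cloudtrail:` section documents `var.queue_url` only as `# AWS SQS queue url`, which does not tell an operator which queue is meant; if this fileset consumes CloudTrail objects through S3 event notifications like the other AWS filesets appear to (the example URL is identical to theirs), a comment such as `# URL of the SQS queue that receives S3 object-created notifications for the CloudTrail bucket` would prevent the common misconfiguration of pointing it at an unrelated queue. The copied comment `# Profile name for aws credential` would read better as `# Profile name for AWS credentials`, matching the existing line it mirrors is a separate cleanup. The hunk is complete as shown.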