[Filebeat] AWS CloudTrail Processor parses incorrect AWS region from logs

[sypste]

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

• Version: 8.3.3
• Operating System: any
• Discuss Forum URL: https://discuss.elastic.co/t/filebeat-aws-cloudtrail-processor-parses-incorrect-aws-region-from-logs/312150
• Steps to Reproduce: Setup CloudTrail in an AWS account with a S3 bucket as storage location, configure S3 bucket to send all objects create events to a SQS queue, configure Filebeat to process aforementioned SQS queue.

Filebeat.yml

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: true

# processors:
#   - add_cloud_metadata: ~
#   - add_docker_metadata: ~

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
  username: '${ELASTICSEARCH_USERNAME:xxxxx}'
  password: '${ELASTICSEARCH_PASSWORD:xxxxx}'

logging.level: debug

aws.yml

- module: aws
  cloudtrail:
    enabled: true

    # AWS SQS queue url
    var.queue_url: https://sqs.eu-central-1.amazonaws.com/xxxxx/MyS3Queue

    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    var.access_key_id: xxxxx
    var.secret_access_key: xxxxx

Sample CloudTrail log which is rendered to cloud.region eu-central-1

{
  "eventVersion": "1.08",
  "userIdentity": {...},
  "eventTime": "2022-08-16T08:35:40Z",
  "eventSource": "health.amazonaws.com",
  "eventName": "DescribeEventAggregates",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "aggregateField": "eventTypeCategory",
    "filter": {
      "eventStatusCodes": [
        "open",
        "upcoming"
      ],
      "startTimes": [
        {
          "from": "Aug 9, 2022 8:35:40 AM"
        }
      ]
    }
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxx",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}

[sypste]

Addressed by elastic/integrations#4024

[botelastic]

This issue doesn't have a Team:<team> label.