Add AWS CloudTrail Support

[leehinman]

Direct Field Mappings

• eventTime :: @timestamp
• eventVersion :: aws.cloudtrail.event_version
• userIdentity.type :: aws.cloudtrail.user_identity.type
• userIdentity.userName :: user.name
• userIdentity.principalId :: user.id
• userIdentity.arn :: aws.cloudtrail.user_identity.arn
• userIdentity.accountId :: cloud.account.id
• userIdentity.accessKeyId :: aws.cloudtrail.user_idenity.access_key_id
• userIdentity.sessionContext.creation_date :: aws.cloudtrail.user_identity.session_context.creation_date
• userIdentity.sessionContext.mfa_authenticated :: aws.cloudtrail.user_identity.session_context.mfa_authenticated
• userIdentity.invocedBy :: aws.cloudtrail.user_identity.invoked_by
• eventSource :: event.provider
• eventName :: event.action
• awsRegion :: cloud.region
• sourceIPAddress :: source.address
• userAgent :: user_agent (via user_agent processor)
• errorCode :: error.code
• errorMessage :: error.message
• requestParameters :: aws.cloudtrail.request_parameters (string representation)
• responseElements :: aws.cloudtrail.response_elements (string representation)
• requestId :: aws.cloudtrail.request_id
• eventID :: event.id
• eventType :: aws.cloudtrail.event_type
• apiVerison :: aws.cloudtrail.api_version
• managementEvent :: aws.cloudtrail.management_event
• readOnly :: aws.cloudtrail.read_only
• resources.ARN :: aws.cloudtrail.resources.arn
• resources.accountId :: aws.cloudtrail.resources.account_id
• resources.type :: aws.cloudtrail.resources.type
• recipientAccountId :: aws.cloudtrail.recipient_account_id
• serviceEventDetails :: aws.cloudtrail.service_event_details (string representation)
• sharedEventId :: aws.cloudtrail.shared_event_id
• vpcEndpointId :: aws.cloudtrail.vpc_endpoint_id

Other mappings

• set event.original
• set event.type
• set event.kind
• set event.outcome
• populate related.users array

To Do

• move aws.cloudtrail.related.users to related.users when ECS is upgraded to 1.4

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[webmat]

Most of the mapping to ECS makes sense to me.

I agree with all the fields that are kept as custom fields under aws.* as well. I don't think you've missed any applicable ECS fields for those.

The only thing that's a hard no for me is populating event.category with a value from the source. This is one of the 4 ECS categorization fields, and they're meant to be populated by one of the allowed values defined here. We've just started publishing them in ECS 1.4 (prior to that the field was reserved), and more values are to come. If none of the allowed values for this fields are appropriate for your events (which I think is the case here), the field must be left empty.

[webmat]

event.category should never be populated with a source value.

In ECS 1.4, we're publishing the first allowed values for this field and other (see this new section).

If none of the values published so far for this field (more to come), this event.category field must be left empty.

So you should capture json.eventType in a custom field.

[leehinman]

Thanks for making that adjustment. LGTM from ECS' POV :-)

You should likely get approval from another Beats maintainer as well, IMO. I only reviewed the mapping of the events.

Thanks for reviewing, that was a big help and gives me a little more confidence that I'm using ECS correctly.

It will be a bit before it is ready to merge, I still have to work out the S3 bucket parts.

[webmat]

Thanks for making that adjustment. LGTM from ECS' POV :-)

You should likely get approval from another Beats maintainer as well, IMO. I only reviewed the mapping of the events.

[kaiyan-sheng]

Could you please add release: beta here please? I forgot to add it for previous filesets so I just created a PR to add it: https://github.com/elastic/beats/pull/15248/files

[leehinman]

Added release field. Thanks for catching this

[andrewkroh]

You can apply the user_agent processor to the Ingest Node configuration to parse the value.

[leehinman]

will do

[andrewkroh]

This should get copied over to the source.ip field when its an IP.

[leehinman]

Do we have a good test for an IP address(4 & 6)? The Cloudtrail docs say "For services in AWS, only the DNS name is displayed". So we have to tell the difference, seeing if geoip works almost does it, but geoip doesn't work for localhost and private IP space.

[andrewkroh]

Perhaps this should be an actual date type?

[leehinman]

yes it should

[ynirk]

I have tested a configuration on filebeat 7.5.1 based on this PR.
I have a parsing issue because cloudtrail events are stored in a Records array and an S3 object might contain several events. (some exemples are shown in cloudtrail logs exemples)
I don't know if there is an easy way to split records array elements to single beats events (like logstash split filter)

[kaiyan-sheng]

I just created #15357 to track the work on adding json support for S3 input.

[kaiyan-sheng]

I hit an error when running this fileset:

'cloudtrail.amazonaws.com' is not an IP string literal.

Original message:

{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"ECDHE-RSA-AES128-SHA","SSEApplied":"SSE_S3","SignatureVersion":"SigV4","bytesTransferredIn":758,"bytesTransferredOut":0,"x-amz-id-2":"4LMgpirqOBiwClBqCrOg3Z/53SBdgrMR5+n9ZyJd0xY5bFL/nMFGW3VqF+6rJ4FO68GurEbQSLI="},"awsRegion":"us-east-1","eventID":"312ee59e-59eb-4056-8193-704368f1712d","eventName":"PutObject","eventSource":"s3.amazonaws.com","eventTime":"2020-01-10T17:01:03Z","eventType":"AwsApiCall","eventVersion":"1.05","readOnly":false,"recipientAccountId":"428152502467","requestID":"3D058BA57D0782F3","requestParameters":{"Host":"test-fb-ks.s3.amazonaws.com","bucketName":"test-fb-ks","key":"AWSLogs/428152502467/CloudTrail/us-east-1/2020/01/10/428152502467_CloudTrail_us-east-1_20200110T1700Z_dRSvtwdbSGr4vvAE.json.gz","x-amz-acl":"bucket-owner-full-control","x-amz-server-side-encryption":"AES256"},"resources":[{"ARN":"arn:aws:s3:::test-fb-ks/AWSLogs/428152502467/CloudTrail/us-east-1/2020/01/10/428152502467_CloudTrail_us-east-1_20200110T1700Z_dRSvtwdbSGr4vvAE.json.gz","type":"AWS::S3::Object"},{"ARN":"arn:aws:s3:::test-fb-ks","accountId":"428152502467","type":"AWS::S3::Bucket"}],"responseElements":{"x-amz-server-side-encryption":"AES256"},"sharedEventID":"c9503de9-f712-423c-a8fe-7fe2bc2fe9bf","sourceIPAddress":"cloudtrail.amazonaws.com","userAgent":"cloudtrail.amazonaws.com","userIdentity":{"invokedBy":"cloudtrail.amazonaws.com","type":"AWSService"}}

[kaiyan-sheng]

Also could you add this fileset does not support CloudTrail-Digest logs in the documentation please? Thanks!

[leehinman]

{"additionalEventData":{"AuthenticationMethod":"AuthHeader","CipherSuite":"ECDHE-RSA-AES128-SHA","SSEApplied":"SSE_S3","SignatureVersion":"SigV4","bytesTransferredIn":758,"bytesTransferredOut":0,"x-amz-id-2":"4LMgpirqOBiwClBqCrOg3Z/53SBdgrMR5+n9ZyJd0xY5bFL/nMFGW3VqF+6rJ4FO68GurEbQSLI="},"awsRegion":"us-east-1","eventID":"312ee59e-59eb-4056-8193-704368f1712d","eventName":"PutObject","eventSource":"s3.amazonaws.com","eventTime":"2020-01-10T17:01:03Z","eventType":"AwsApiCall","eventVersion":"1.05","readOnly":false,"recipientAccountId":"428152502467","requestID":"3D058BA57D0782F3","requestParameters":{"Host":"test-fb-ks.s3.amazonaws.com","bucketName":"test-fb-ks","key":"AWSLogs/428152502467/CloudTrail/us-east-1/2020/01/10/428152502467_CloudTrail_us-east-1_20200110T1700Z_dRSvtwdbSGr4vvAE.json.gz","x-amz-acl":"bucket-owner-full-control","x-amz-server-side-encryption":"AES256"},"resources":[{"ARN":"arn:aws:s3:::test-fb-ks/AWSLogs/428152502467/CloudTrail/us-east-1/2020/01/10/428152502467_CloudTrail_us-east-1_20200110T1700Z_dRSvtwdbSGr4vvAE.json.gz","type":"AWS::S3::Object"},{"ARN":"arn:aws:s3:::test-fb-ks","accountId":"428152502467","type":"AWS::S3::Bucket"}],"responseElements":{"x-amz-server-side-encryption":"AES256"},"sharedEventID":"c9503de9-f712-423c-a8fe-7fe2bc2fe9bf","sourceIPAddress":"cloudtrail.amazonaws.com","userAgent":"cloudtrail.amazonaws.com","userIdentity":{"invokedBy":"cloudtrail.amazonaws.com","type":"AWSService"}}

ick, that is because sourcIPAddress contains a hostname and not an IP address, so the geoip processor doesn't like it. Thanks.

[leehinman]

Also could you add this fileset does not support CloudTrail-Digest logs in the documentation please? Thanks!

Added that to asciidoc & readme. thanks.