cloudtrail mappings

Signed-off-by: Grant Haywood <grant@phaseshift.studio>

src/main/resources/OSMapping/cloudtrail/fieldmappings.yml

@@ -1,7 +1,8 @@
-# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under windows log group to their corresponding ECS Fields.
 fieldmappings:
-    EventID: event_uid
-    HiveName: unmapped.HiveName
-    fieldB: mappedB
-    fieldA1: mappedA
-    CommandLine: windows-event_data-CommandLine
+    eventName: aws-cloudtrail-event_type
+    eventSource: eventSource
+    requestParameters: aws-cloudtrail-request_parameters
+    requestParameters-containerDefinitions-command: aws-cloudtrail-request_parameters-container-definitions-command
+    userIdentity: aws-cloudtrail-user_identity
+    userIdentity-sessionContext-sessionIssuer-type: aws-cloudtrail-user_identity-session_context-session_issuer-type
+    userIdentity-type: aws-cloudtrail-user_identity-type

src/main/resources/OSMapping/cloudtrail/mappings.json

@@ -1,12 +1,32 @@
 {
   "properties": {
-    "windows-event_data-CommandLine": {
+    "eventName": {
       "type": "alias",
-      "path": "CommandLine"
+      "path": "aws-cloudtrail-event_type"
     },
-    "event_uid": {
+    "eventSource": {
       "type": "alias",
-      "path": "EventID"
+      "path": "eventSource"
+    },
+    "requestParameters": {
+      "type": "alias",
+      "path": "aws-cloudtrail-request_parameters"
+    },
+    "requestParameters-containerDefinitions-command": {
+      "type": "alias",
+      "path": "aws-cloudtrail-request_parameters-container-definitions-command"
+    },
+    "userIdentity": {
+      "type": "alias",
+      "path": "aws-cloudtrail-user_identity"
+    },
+    "userIdentity-sessionContext-sessionIssuer-type": {
+      "type": "alias",
+      "path": "aws-cloudtrail-user_identity-session_context-session_issuer-type"
+    },
+    "userIdentity-type": {
+      "type": "alias",
+      "path": "aws-cloudtrail-user_identity-type"
     }
   }
 }