Improve GeoIP and composite rule support for AWS events (#91)

This copies the 'aws.sourceIPAddress' and 'aws.userIdentity.userName' fields to the standard static fields 'srcip' and 'user', so that 'srcip' can be used in Wazuh GeoIP lookups and <same_user /> and <same_source_ip /> can be used in composite rules.
wazuh · May 14, 2018 · 1a36d2d · 1a36d2d
1 parent 398d02d
commit 1a36d2d
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/tools/amazon/getawslog.py b/tools/amazon/getawslog.py
@@ -119,6 +119,11 @@ def main(argv):
                             new_dict[key] = json_event[key]
                     new_dict['log_file'] = newFile
                     aws_log = {'aws': new_dict}
+                    # Copy 'aws.sourceIPAddress' and 'aws.userIdentity.userName' to standard fields 'srcip' and 'user' so 'srcip' can be used in Wazuh GeoIP lookups and <same_user /> and <same_source_ip /> can be used in composite rules.
+                    if 'sourceIPAddress' in aws_log["aws"]:
+                        aws_log["srcip"]=aws_log["aws"]["sourceIPAddress"]
+                    if 'userIdentity' in aws_log["aws"] and 'userName' in aws_log["aws"]["userIdentity"]:
+                        aws_log["user"]=aws_log["aws"]["userIdentity"]["userName"]
                     log.write("{0}\n".format(json.dumps(aws_log)))
             log.close()