CRTX-133201 AWS CloudTrail Audit Logs XDM Modeling (demisto#37156)

* add parsing rules * add modeling rules * fix parsing rule * enrich modeling * update README metadata and release notes * update metadata * refactor modeling rules * update README + add doc_files image * add screenshot reference to README * update modeling rules and schema * update URL reference on release notes * fix metadata * add comments to modeling xif * minor fixes for modeling and parsing rules * aviod creating empty array if inserted value is null * fix alternative text for image on README.md * fix alternative text for image on README.md * Update Packs/AWS-CloudTrail/README.md Co-authored-by: ShirleyDenkberg <[email protected]> --------- Co-authored-by: ShirleyDenkberg <[email protected]>
VirusTotal · Nov 19, 2024 · 26bc59e · 26bc59e
1 parent 4fdf901
commit 26bc59e
Show file tree

Hide file tree

Showing 9 changed files with 202 additions and 3 deletions.
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif
@@ -0,0 +1,51 @@
+[MODEL: dataset = amazon_aws_raw]
+/* 
+    CloudTrail Audit Logs
+    AWS event schema version: 1.11
+    https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
+*/
+filter _log_type = "Cloud Audit Log"
+| alter // initializations
+    resource_arn = arraystring(arraymap(resources -> [], "@element" -> ARN), ","),
+    resource_account_id = arraystring(arraymap(resources -> [], "@element" -> accountId), ","),
+    resource_name = arraystring(arraymap(resources -> [], arrayindex(regextract("@element" -> ARN, "/([^\/]+)$"), -1)), ","), // extract last segment from ARN after last /
+    resource_type = arraystring(arraymap(resources -> [], "@element" -> type), ","),
+    user_identity_arn = userIdentity -> arn,
+    user_identity_type = userIdentity -> type,
+    source_ipv4 = if(sourceIPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", sourceIPAddress), // The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server.
+    source_ipv6 = if(sourceIPAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", sourceIPAddress)
+| alter // XDM Mappings 
+    xdm.event.description = object_create("requestParameters", requestParameters, "additionalEventData", additionalEventData, "responseElements", responseElements),
+    xdm.event.id = eventId,
+    xdm.event.operation_sub_type = eventName,
+    xdm.event.original_event_type = eventType,
+    xdm.event.outcome = if(errorCode = null, XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
+    xdm.event.outcome_reason = if(errorMessage != null and errorMessage != "", concat(errorCode, ": ", errorMessage), errorCode),
+    xdm.event.type = eventName,
+    xdm.network.session_id = requestID,
+    xdm.network.tls.cipher = tlsDetails -> cipherSuite,
+    xdm.network.tls.protocol_version = tlsDetails -> tlsVersion,
+    xdm.observer.content_version = eventVersion, 
+    xdm.observer.name = eventSource,
+    xdm.observer.type = eventCategory,
+    xdm.session_context_id = sharedEventID,
+    xdm.source.cloud.project_id = userIdentity -> accountId,
+    xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+    xdm.source.host.device_id = vpcEndpointId,
+    xdm.source.host.ipv4_public_addresses = if(source_ipv4 != null and not incidr(source_ipv4, "10.0.0.0/8") and not incidr(source_ipv4, "172.16.0.0/12") and not incidr(source_ipv4, "192.168.0.0/16") and not incidr(source_ipv4, "127.0.0.0/8") and not incidr(source_ipv4, "169.254.0.0/16") and not incidr(source_ipv4, "100.64.0.0/10"), arraycreate(source_ipv4)),
+    xdm.source.host.fqdn = if(source_ipv4 = null and source_ipv6 = null and sourceIPAddress !~= "AWS Internal", sourceIPAddress), //  For services in AWS, only the DNS name is displayed.
+    xdm.source.ipv4 = source_ipv4,
+    xdm.source.ipv6 = source_ipv6,
+    xdm.source.user_agent = userAgent,
+    xdm.source.user.groups = if(user_identity_type in ("Role", "AssumedRole"), arraycreate(userIdentity -> sessionContext.sessionIssuer.userName)),
+    xdm.source.user.identifier = coalesce(userIdentity -> principalId, userIdentity -> onBehalfOf.userId),
+    xdm.source.user.username = coalesce(userIdentity -> userName, userIdentity -> sessionContext.sessionIssuer.userName, user_identity_arn),
+    xdm.source.user.user_type = if(user_identity_type = "Unknown", XDM_CONST.IDENTITY_TYPE_UNKNOWN, user_identity_type),
+    xdm.target.cloud.project_id = if(resource_account_id != null and resource_account_id != "", resource_account_id, coalesce(recipientAccountId, vpcEndpointAccountId)),
+    xdm.target.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+    xdm.target.cloud.region = awsRegion,
+    xdm.target.host.fqdn = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+    xdm.target.host.hostname = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+    xdm.target.resource.id = if(resource_arn != "", resource_arn),
+    xdm.target.resource.name = if(resource_name != null and resource_name != "", resource_name, resource_arn),
+    xdm.target.resource.type = if(resource_type != "", resource_type);
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml
@@ -0,0 +1,6 @@
+fromversion: 8.7.0
+id: Amazon_AWS_CloudTrail_ModelingRule
+name: Amazon AWS CloudTrail Modeling Rule
+rules: ''
+schema: ''
+tags:
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json
@@ -0,0 +1,96 @@
+{
+    "amazon_aws_raw": {
+        "_log_type": {
+            "type": "string",
+            "is_array": false
+        },
+        "additionalEventData": {
+            "type": "string",
+            "is_array": false
+        },
+        "awsRegion": {
+            "type": "string",
+            "is_array": false
+        },
+        "errorCode": {
+            "type": "string",
+            "is_array": false
+        },
+        "errorMessage": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventCategory": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventID": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventName": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventSource": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventType": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventVersion": {
+            "type": "string",
+            "is_array": false
+        },
+        "recipientAccountId": {
+            "type": "string",
+            "is_array": false
+        },
+        "requestID": {
+            "type": "string",
+            "is_array": false
+        },
+        "requestParameters": {
+            "type": "string",
+            "is_array": false
+        },
+        "responseElements": {
+            "type": "string",
+            "is_array": false
+        },
+        "resources": {
+            "type": "string",
+            "is_array": false
+        },
+        "sharedEventID": {
+            "type": "string",
+            "is_array": false
+        },
+        "sourceIPAddress": {
+            "type": "string",
+            "is_array": false
+        },
+        "tlsDetails": {
+            "type": "string",
+            "is_array": false
+        },
+        "userAgent": {
+            "type": "string",
+            "is_array": false
+        },
+        "userIdentity": {
+            "type": "string",
+            "is_array": false
+        },
+        "vpcEndpointAccountId": {
+            "type": "string",
+            "is_array": false
+        },
+        "vpcEndpointId": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}
diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif
@@ -0,0 +1,8 @@
+[INGEST:vendor="amazon", product="aws", target_dataset="amazon_aws_raw", no_hit = keep]
+// Cloud Trail Audit Logs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
+filter _log_type = "Cloud Audit Log" and to_string(eventTime) ~= "\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z" 
+| alter _time = parse_timestamp("%FT%H:%M:%E*SZ", to_string(eventTime)); // zulu time notation, e.g. "2024-09-27T11:18:59Z 
+
+// Flow Log Records: https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html
+filter _log_type = "Cloud Flow Log" and len(to_string(start)) = 10 // The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval.
+| alter _time = to_timestamp(to_integer(start), "SECONDS"); 
diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml
@@ -0,0 +1,6 @@
+id: Amazon_AWS_CloudTrail_ParsingRule
+name: Amazon AWS CloudTrail Parsing Rule
+fromversion: 8.7.0   
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/AWS-CloudTrail/README.md b/Packs/AWS-CloudTrail/README.md
@@ -0,0 +1,9 @@
+<~XSIAM>
+## What does this pack do
+
+The AWS CloudTrail pack contains the following: 
+* Integration for interacting with a trail on AWS via an automation (Playbooks, Playground, etc.). See the [*AWS - CloudTrail*](https://xsoar.pan.dev/docs/reference/integrations/aws---cloud-trail#configure-aws---cloudtrail-on-cortex-xsoar) integration docs for additional details.
+* Data normalization rules for parsing and modeling [*AWS CloudTrail Audit Logs*](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) that are ingested into the *`amazon_aws_raw`* dataset via the *Amazon S3* data source on Cortex XSIAM. See [Ingest audit logs from AWS Cloud Trail](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) for configuration details. When configuring the Amazon S3 data source on Cortex XSIAM, select the **Audit Logs** log type: 
+![Amazon S3 Data Source Log Type Selection](https://raw.githubusercontent.com/demisto/content/3d7aa25b8df1d343beb17f67afce837050a180f4/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png)
+
+</~XSIAM>
diff --git a/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md
@@ -0,0 +1,16 @@
+
+#### Modeling Rules
+
+##### New: Amazon AWS CloudTrail Modeling Rule
+
+<~XSIAM> 
+Added an XDM mapping for AWS CloudTrail audit logs which are ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4).
+</~XSIAM>
+
+#### Parsing Rules
+
+##### New: Amazon AWS CloudTrail Parsing Rule
+
+<~XSIAM> 
+Added an assignment of the ingested Audit logs *`eventTime`* timestamp field to the *`_time`* field for audit logs ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4).
+</~XSIAM>
diff --git a/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png b/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png
diff --git a/Packs/AWS-CloudTrail/pack_metadata.json b/Packs/AWS-CloudTrail/pack_metadata.json
@@ -2,17 +2,24 @@
     "name": "AWS - CloudTrail",
     "description": "Amazon Web Services CloudTrail.",
     "support": "xsoar",
-    "currentVersion": "1.1.5",
+    "currentVersion": "1.1.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "created": "2020-04-14T00:00:00Z",
     "categories": [
         "Cloud Service Provider"
     ],
-    "tags": [],
+    "tags": [
+        "marketplacev2:Data Source"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "Amazon",
+        "AWS",
+        "CloudTrail",
+        "Cloud Trail"
+    ],
     "marketplaces": [
         "xsoar",
         "marketplacev2",