diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif
new file mode 100644
index 000000000000..971ce38d560a
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif
@@ -0,0 +1,51 @@
+[MODEL: dataset = amazon_aws_raw]
+/*
+ CloudTrail Audit Logs
+ AWS event schema version: 1.11
+ https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
+*/
+filter _log_type = "Cloud Audit Log"
+| alter // initializations
+ resource_arn = arraystring(arraymap(resources -> [], "@element" -> ARN), ","),
+ resource_account_id = arraystring(arraymap(resources -> [], "@element" -> accountId), ","),
+ resource_name = arraystring(arraymap(resources -> [], arrayindex(regextract("@element" -> ARN, "/([^\/]+)$"), -1)), ","), // extract last segment from ARN after last /
+ resource_type = arraystring(arraymap(resources -> [], "@element" -> type), ","),
+ user_identity_arn = userIdentity -> arn,
+ user_identity_type = userIdentity -> type,
+ source_ipv4 = if(sourceIPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", sourceIPAddress), // The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server.
+ source_ipv6 = if(sourceIPAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", sourceIPAddress)
+| alter // XDM Mappings
+ xdm.event.description = object_create("requestParameters", requestParameters, "additionalEventData", additionalEventData, "responseElements", responseElements),
+ xdm.event.id = eventId,
+ xdm.event.operation_sub_type = eventName,
+ xdm.event.original_event_type = eventType,
+ xdm.event.outcome = if(errorCode = null, XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
+ xdm.event.outcome_reason = if(errorMessage != null and errorMessage != "", concat(errorCode, ": ", errorMessage), errorCode),
+ xdm.event.type = eventName,
+ xdm.network.session_id = requestID,
+ xdm.network.tls.cipher = tlsDetails -> cipherSuite,
+ xdm.network.tls.protocol_version = tlsDetails -> tlsVersion,
+ xdm.observer.content_version = eventVersion,
+ xdm.observer.name = eventSource,
+ xdm.observer.type = eventCategory,
+ xdm.session_context_id = sharedEventID,
+ xdm.source.cloud.project_id = userIdentity -> accountId,
+ xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+ xdm.source.host.device_id = vpcEndpointId,
+ xdm.source.host.ipv4_public_addresses = if(source_ipv4 != null and not incidr(source_ipv4, "10.0.0.0/8") and not incidr(source_ipv4, "172.16.0.0/12") and not incidr(source_ipv4, "192.168.0.0/16") and not incidr(source_ipv4, "127.0.0.0/8") and not incidr(source_ipv4, "169.254.0.0/16") and not incidr(source_ipv4, "100.64.0.0/10"), arraycreate(source_ipv4)),
+ xdm.source.host.fqdn = if(source_ipv4 = null and source_ipv6 = null and sourceIPAddress !~= "AWS Internal", sourceIPAddress), // For services in AWS, only the DNS name is displayed.
+ xdm.source.ipv4 = source_ipv4,
+ xdm.source.ipv6 = source_ipv6,
+ xdm.source.user_agent = userAgent,
+ xdm.source.user.groups = if(user_identity_type in ("Role", "AssumedRole"), arraycreate(userIdentity -> sessionContext.sessionIssuer.userName)),
+ xdm.source.user.identifier = coalesce(userIdentity -> principalId, userIdentity -> onBehalfOf.userId),
+ xdm.source.user.username = coalesce(userIdentity -> userName, userIdentity -> sessionContext.sessionIssuer.userName, user_identity_arn),
+ xdm.source.user.user_type = if(user_identity_type = "Unknown", XDM_CONST.IDENTITY_TYPE_UNKNOWN, user_identity_type),
+ xdm.target.cloud.project_id = if(resource_account_id != null and resource_account_id != "", resource_account_id, coalesce(recipientAccountId, vpcEndpointAccountId)),
+ xdm.target.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+ xdm.target.cloud.region = awsRegion,
+ xdm.target.host.fqdn = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+ xdm.target.host.hostname = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+ xdm.target.resource.id = if(resource_arn != "", resource_arn),
+ xdm.target.resource.name = if(resource_name != null and resource_name != "", resource_name, resource_arn),
+ xdm.target.resource.type = if(resource_type != "", resource_type);
\ No newline at end of file
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml
new file mode 100644
index 000000000000..a07285987084
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml
@@ -0,0 +1,6 @@
+fromversion: 8.7.0
+id: Amazon_AWS_CloudTrail_ModelingRule
+name: Amazon AWS CloudTrail Modeling Rule
+rules: ''
+schema: ''
+tags:
\ No newline at end of file
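Review bot: `xdm.event.id = eventId` in the XDM Mappings stage references a field named `eventId`, but the CloudTrail record field is `eventID`, which is also the name this same commit declares in AWSCloudTrail_schema.json; if field references are case-sensitive in this dataset, `xdm.event.id` will be null on every event. Change it to `xdm.event.id = eventID,` so the mapping, the schema and the linked AWS record reference agree. Separately, the IPv4 test `sourceIPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}"` in the initializations stage is unanchored, so any value that merely contains a dotted quad (a hostname embedding one, for instance) is treated as an address and lands in `xdm.source.ipv4` instead of the fqdn path; anchoring it as `"^(?:\d{1,3}\.){3}\d{1,3}$"` keeps the classification exact.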
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json
new file mode 100644
index 000000000000..f84dc442c29d
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json
@@ -0,0 +1,96 @@
+{
+ "amazon_aws_raw": {
+ "_log_type": {
+ "type": "string",
+ "is_array": false
+ },
+ "additionalEventData": {
+ "type": "string",
+ "is_array": false
+ },
+ "awsRegion": {
+ "type": "string",
+ "is_array": false
+ },
+ "errorCode": {
+ "type": "string",
+ "is_array": false
+ },
+ "errorMessage": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventCategory": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventID": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventName": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventSource": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventType": {
+ "type": "string",
+ "is_array": false
+ },
+ "eventVersion": {
+ "type": "string",
+ "is_array": false
+ },
+ "recipientAccountId": {
+ "type": "string",
+ "is_array": false
+ },
+ "requestID": {
+ "type": "string",
+ "is_array": false
+ },
+ "requestParameters": {
+ "type": "string",
+ "is_array": false
+ },
+ "responseElements": {
+ "type": "string",
+ "is_array": false
+ },
+ "resources": {
+ "type": "string",
+ "is_array": false
+ },
+ "sharedEventID": {
+ "type": "string",
+ "is_array": false
+ },
+ "sourceIPAddress": {
+ "type": "string",
+ "is_array": false
+ },
+ "tlsDetails": {
+ "type": "string",
+ "is_array": false
+ },
+ "userAgent": {
+ "type": "string",
+ "is_array": false
+ },
+ "userIdentity": {
+ "type": "string",
+ "is_array": false
+ },
+ "vpcEndpointAccountId": {
+ "type": "string",
+ "is_array": false
+ },
+ "vpcEndpointId": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif
new file mode 100644
index 000000000000..b84261e26982
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif
@@ -0,0 +1,8 @@
+[INGEST:vendor="amazon", product="aws", target_dataset="amazon_aws_raw", no_hit = keep]
+// Cloud Trail Audit Logs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
+filter _log_type = "Cloud Audit Log" and to_string(eventTime) ~= "\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z"
+| alter _time = parse_timestamp("%FT%H:%M:%E*SZ", to_string(eventTime)); // zulu time notation, e.g. "2024-09-27T11:18:59Z
+
+// Flow Log Records: https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html
+filter _log_type = "Cloud Flow Log" and len(to_string(start)) = 10 // The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval.
+| alter _time = to_timestamp(to_integer(start), "SECONDS");
\ No newline at end of file
diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml
new file mode 100644
index 000000000000..18bf4cc94d02
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml
@@ -0,0 +1,6 @@
+id: Amazon_AWS_CloudTrail_ParsingRule
+name: Amazon AWS CloudTrail Parsing Rule
+fromversion: 8.7.0
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/AWS-CloudTrail/README.md b/Packs/AWS-CloudTrail/README.md
index e69de29bb2d1..a908bf985063 100644
--- a/Packs/AWS-CloudTrail/README.md
+++ b/Packs/AWS-CloudTrail/README.md
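Review bot: The trailing comment on the audit-log `parse_timestamp` line opens a quote it never closes (`// zulu time notation, e.g. "2024-09-27T11:18:59Z`), so the example reads as truncated; close it as `// zulu time notation, e.g. "2024-09-27T11:18:59Z"`. This file also assigns `_time` from `start` for `Cloud Flow Log` records, yet the parsing-rule entry in ReleaseNotes/1_1_6.md describes only the audit-log `eventTime` assignment, so the changelog should mention the flow-log stage as well. Since the INGEST header uses `no_hit = keep`, audit records whose `eventTime` does not match the regex are presumably kept with whatever `_time` the platform assigns at ingestion rather than dropped; a one-line comment after the header stating that intent would spare the next reader from having to infer it.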
@@ -0,0 +1,9 @@
+<~XSIAM>
+## What does this pack do
+
+The AWS CloudTrail pack contains the following:
+* Integration for interacting with a trail on AWS via an automation (Playbooks, Playground, etc.). See the [*AWS - CloudTrail*](https://xsoar.pan.dev/docs/reference/integrations/aws---cloud-trail#configure-aws---cloudtrail-on-cortex-xsoar) integration docs for additional details.
+* Data normalization rules for parsing and modeling [*AWS CloudTrail Audit Logs*](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) that are ingested into the *`amazon_aws_raw`* dataset via the *Amazon S3* data source on Cortex XSIAM. See [Ingest audit logs from AWS Cloud Trail](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) for configuration details. When configuring the Amazon S3 data source on Cortex XSIAM, select the **Audit Logs** log type:
+![Amazon S3 Data Source Log Type Selection](https://raw.githubusercontent.com/demisto/content/3d7aa25b8df1d343beb17f67afce837050a180f4/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png)
+
+
\ No newline at end of file
diff --git a/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md
new file mode 100644
index 000000000000..e6686011cef8
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md
@@ -0,0 +1,16 @@
+
+#### Modeling Rules
+
+##### New: Amazon AWS CloudTrail Modeling Rule
+
+<~XSIAM>
+Added an XDM mapping for AWS CloudTrail audit logs which are ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4).
+
+
+#### Parsing Rules
+
+##### New: Amazon AWS CloudTrail Parsing Rule
+
+<~XSIAM>
+Added an assignment of the ingested Audit logs *`eventTime`* timestamp field to the *`_time`* field for audit logs ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4).
+
diff --git a/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png b/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png
new file mode 100644
index 000000000000..0271be6376b6
Binary files /dev/null and b/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png differ
diff --git a/Packs/AWS-CloudTrail/pack_metadata.json b/Packs/AWS-CloudTrail/pack_metadata.json
index 8f040e490c3a..784b7178327a 100644
--- a/Packs/AWS-CloudTrail/pack_metadata.json
+++ b/Packs/AWS-CloudTrail/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - CloudTrail",
 "description": "Amazon Web Services CloudTrail.",
 "support": "xsoar",
- "currentVersion": "1.1.5",
+ "currentVersion": "1.1.6",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -10,9 +10,16 @@
 "categories": [
 "Cloud Service Provider"
 ],
- "tags": [],
+ "tags": [
+ "marketplacev2:Data Source"
+ ],
 "useCases": [],
- "keywords": [],
+ "keywords": [
+ "Amazon",
+ "AWS",
+ "CloudTrail",
+ "Cloud Trail"
+ ],
 "marketplaces": [
 "xsoar",
 "marketplacev2",