extract more fields from the s3 notification event

Signed-off-by: matteopasa <[email protected]>
falcosecurity · Feb 12, 2024 · 3ad479c · 3ad479c
1 parent 195752b
commit 3ad479c
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 6 deletions.
diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 	PluginName               = "cloudtrail"
 	PluginDescription        = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 	PluginContact            = "github.com/falcosecurity/plugins/"
-	PluginVersion            = "0.11.0"
+	PluginVersion            = "0.11.1"
 	PluginEventSource        = "aws_cloudtrail"
 )
 

diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -214,6 +214,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 	switch field {
 	case "ct.id":
 		val := jdata.GetStringBytes("eventID")
+		if val == nil {
+			val = jdata.GetStringBytes("id")
+		}
+
 		if val == nil {
 			return false, ""
 		} else {
@@ -228,6 +232,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		}
 	case "ct.time":
 		val := jdata.GetStringBytes("eventTime")
+		if val == nil {
+			val = jdata.GetStringBytes("time")
+		}
+
 		if val == nil {
 			return false, ""
 		} else {
@@ -236,6 +244,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 	case "ct.src":
 		val := jdata.GetStringBytes("eventSource")
 
+		if val == nil {
+			val = jdata.GetStringBytes("source")
+		}
+
 		if val == nil {
 			return false, ""
 		} else {
@@ -244,6 +256,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 	case "ct.shortsrc":
 		val := jdata.GetStringBytes("eventSource")
 
+		if val == nil {
+			val = jdata.GetStringBytes("source")
+		}
+
 		if val == nil {
 			return false, ""
 		} else {
@@ -256,6 +272,8 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 				res = res[0 : len(res)-len(".amazonaws.com")]
 			}
 		}
+
+		res = strings.TrimPrefix(res, "aws.")
 	case "ct.name":
 		val := jdata.GetStringBytes("eventName")
 		if val == nil {
@@ -271,13 +289,14 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		return true, res
 	case "ct.user.accountid":
 		val := jdata.GetStringBytes("userIdentity", "accountId")
+		if val == nil {
+			val = jdata.GetStringBytes("recipientAccountId")
+		}
+		if val == nil {
+			val = jdata.GetStringBytes("account")
+		}
 		if val != nil {
 			res = string(val)
-		} else {
-			val := jdata.GetStringBytes("recipientAccountId")
-			if val != nil {
-				res = string(val)
-			}
 		}
 	case "ct.user.identitytype":
 		val := jdata.GetStringBytes("userIdentity", "type")
@@ -302,6 +321,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		}
 	case "ct.region":
 		val := jdata.GetStringBytes("awsRegion")
+		if val == nil {
+			val = jdata.GetStringBytes("region")
+		}
+
 		if val == nil {
 			return false, ""
 		} else {
@@ -407,6 +430,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		}
 	case "ct.srcip":
 		val := jdata.GetStringBytes("sourceIPAddress")
+		if val == nil {
+			val = jdata.GetStringBytes("detail", "source-ip-address")
+		}
 		if val == nil {
 			return false, ""
 		} else {