From 3ad479cdf4ae4e5f5c9075b0fd0077c7e953bf0b Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Mon, 12 Feb 2024 10:32:49 +0100
Subject: [PATCH] extract more fields from the s3 notification event

Signed-off-by: matteopasa
---
 .../cloudtrail/pkg/cloudtrail/cloudtrail.go | 2 +-
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 36 ++++++++++++++++---
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
index 30545bdf..07a4edbf 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 PluginName = "cloudtrail"
 PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 PluginContact = "github.com/falcosecurity/plugins/"
- PluginVersion = "0.11.0"
+ PluginVersion = "0.11.1"
 PluginEventSource = "aws_cloudtrail"
 )
 
diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index fbcb5ef6..3ab66455 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -214,6 +214,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 switch field {
 case "ct.id":
 val := jdata.GetStringBytes("eventID")
+ if val == nil {
+ val = jdata.GetStringBytes("id")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -228,6 +232,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.time":
 val := jdata.GetStringBytes("eventTime")
+ if val == nil {
+ val = jdata.GetStringBytes("time")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -236,6 +244,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.src":
 val := jdata.GetStringBytes("eventSource")
+ if val == nil {
+ val = jdata.GetStringBytes("source")
+ }
+
 if val == nil {
 return false, ""
 } else {
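Review bot: The fallbacks added in the ct.id, ct.time and ct.src hunks (and repeated in the ct.shortsrc, ct.user.accountid, ct.region and ct.srcip hunks on the next line) widen what each field may hold, but nothing in the code says where the alternate keys come from; going by the commit subject they are presumably the top-level keys of the S3 notification event, which a reader of the switch cannot tell from `id`, `time` and `source` alone. A comment above the first fallback, `// eventID/eventTime/eventSource are CloudTrail record keys; when absent, fall back to the id/time/source keys of the S3 notification event shape.`, would make that explicit, and if the field descriptions are registered elsewhere in extract.go they should state that a ct.* value may now come from either record shape, since rule authors read those rather than this switch. The same three-line nil fallback is now written out seven times; a small helper returning the first non-nil `GetStringBytes` result for a list of key paths would reduce each case to one lookup. getfieldStr starts before and ends after every hunk here, and the switch it contains is only partly visible.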
@@ -244,6 +256,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.shortsrc":
 val := jdata.GetStringBytes("eventSource")
+ if val == nil {
+ val = jdata.GetStringBytes("source")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -256,6 +272,8 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 res = res[0 : len(res)-len(".amazonaws.com")]
 }
 }
+
+ res = strings.TrimPrefix(res, "aws.")
 case "ct.name":
 val := jdata.GetStringBytes("eventName")
 if val == nil {
@@ -271,13 +289,14 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 return true, res
 case "ct.user.accountid":
 val := jdata.GetStringBytes("userIdentity", "accountId")
+ if val == nil {
+ val = jdata.GetStringBytes("recipientAccountId")
+ }
+ if val == nil {
+ val = jdata.GetStringBytes("account")
+ }
 if val != nil {
 res = string(val)
- } else {
- val := jdata.GetStringBytes("recipientAccountId")
- if val != nil {
- res = string(val)
- }
 }
 case "ct.user.identitytype":
 val := jdata.GetStringBytes("userIdentity", "type")
@@ -302,6 +321,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.region":
 val := jdata.GetStringBytes("awsRegion")
+ if val == nil {
+ val = jdata.GetStringBytes("region")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -407,6 +430,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.srcip":
 val := jdata.GetStringBytes("sourceIPAddress")
+ if val == nil {
+ val = jdata.GetStringBytes("detail", "source-ip-address")
+ }
 if val == nil {
 return false, ""
 } else {
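Review bot: In the ct.srcip hunk the fallback reads the nested `detail.source-ip-address` key and exposes it under the same field as CloudTrail's top-level `sourceIPAddress`, so a rule matching on ct.srcip can no longer tell which record shape produced the address; that matters if detection logic treats the CloudTrail value as the address of the authenticated caller, since the nested value comes from a differently structured payload. A comment on the fallback, `// fall back to the nested source-ip-address of the notification payload (different record shape from a CloudTrail entry)`, plus a matching sentence in the field's description, would make that provenance difference visible to rule authors. The ct.shortsrc hunk applies `strings.TrimPrefix(res, "aws.")` after the `.amazonaws.com` trimming, which relies on `strings` already being imported by extract.go; the import block is outside the diff, so that cannot be confirmed here. getfieldStr starts before and ends after all of these hunks.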