From 87569c20e5701eaeee2a52269811ee0347fa5f39 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Fri, 2 Feb 2024 14:20:13 +0100
Subject: [PATCH 1/2] extract from s3 notification message

Signed-off-by: matteopasa
---
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 26 ++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index 759c7f42..5763ff94 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -153,7 +153,7 @@ func getEvtInfo(jdata *fastjson.Value) string {
 		return ""
 	}
-	if (evtuser == evtsrcip) {
+	if evtuser == evtsrcip {
 		info = fmt.Sprintf("%v %v%v %v", evtuser, errsymbol, rwsymbol, evtname)
 	} else {
 		info = fmt.Sprintf("%v via %v %v%v %v", evtuser, evtsrcip, errsymbol, rwsymbol, evtname)
@@ -467,25 +467,43 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		}
 	case "s3.bucket":
 		val := jdata.GetStringBytes("requestParameters", "bucketName")
+		if val == nil {
+			val = jdata.GetStringBytes("detail", "bucket", "name")
+		}
+
 		if val == nil {
 			return false, ""
 		}
+
 		res = string(val)
 	case "s3.key":
 		val := jdata.GetStringBytes("requestParameters", "key")
+		if val == nil {
+			val = jdata.GetStringBytes("detail", "object", "key")
+		}
+
 		if val == nil {
 			return false, ""
 		}
+
 		res = string(val)
 	case "s3.uri":
 		sbucket := jdata.GetStringBytes("requestParameters", "bucketName")
+		if sbucket == nil {
+			sbucket = jdata.GetStringBytes("detail", "bucket", "name")
+		}
 		if sbucket == nil {
 			return false, ""
 		}
+
 		skey := jdata.GetStringBytes("requestParameters", "key")
+		if skey == nil {
+			skey = jdata.GetStringBytes("detail", "object", "key")
+		}
 		if skey == nil {
 			return false, ""
 		}
+
 		res = fmt.Sprintf("s3://%s/%s", sbucket, skey)
 	case "ec2.name":
 		var iname string = ""
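Review bot: The requestParameters-then-detail fallback is now spelled out five times across the s3.bucket, s3.key and s3.uri cases, and the `detail` paths that encode the notification schema are scattered with it; a small helper would keep them in one place and let the added blank `+` lines go. The commit title says these are S3 notification messages, which I take to be the EventBridge-style shape with `detail.bucket.name` and `detail.object.key` — a comment naming that source where the fallback lives would save the next reader the guess, e.g. `// S3 event notifications carry bucket/key under "detail" rather than "requestParameters"`. Note the fallback is per field, so `s3.uri` could in principle be assembled from a bucket found in one schema and a key found in the other; with a helper, resolving both from the same source is easy to enforce if that matters. getfieldStr's body starts and ends outside the hunk.
```go
// s3Field returns a string field from a CloudTrail record's requestParameters,
// falling back to the equivalent path under "detail" used by S3 event notifications.
func s3Field(jdata *fastjson.Value, param string, detailPath ...string) []byte {
	if v := jdata.GetStringBytes("requestParameters", param); v != nil {
		return v
	}
	return jdata.GetStringBytes(detailPath...)
}

	// … unchanged: earlier cases of the field switch …
	case "s3.bucket":
		val := s3Field(jdata, "bucketName", "detail", "bucket", "name")
		if val == nil {
			return false, ""
		}
		res = string(val)
	case "s3.key":
		val := s3Field(jdata, "key", "detail", "object", "key")
		if val == nil {
			return false, ""
		}
		res = string(val)
	case "s3.uri":
		sbucket := s3Field(jdata, "bucketName", "detail", "bucket", "name")
		skey := s3Field(jdata, "key", "detail", "object", "key")
		if sbucket == nil || skey == nil {
			return false, ""
		}
		res = fmt.Sprintf("s3://%s/%s", sbucket, skey)
```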
@@ -590,12 +608,16 @@ func getfieldU64(jdata *fastjson.Value, field string) (bool, uint64) {
 		}
 		return false, 0
 	case "s3.cnt.put":
-		if string(jdata.GetStringBytes("eventName")) == "PutObject" {
+		if string(jdata.GetStringBytes("eventName")) == "PutObject" ||
+			string(jdata.GetStringBytes("detail", "reason")) == "PutObject" {
 			return true, 1
 		}
 		return false, 0
 	case "s3.cnt.other":
 		ename := string(jdata.GetStringBytes("eventName"))
+		if ename == "" {
+			ename = string(jdata.GetStringBytes("detail", "reason"))
+		}
 		if ename == "GetObject" || ename == "PutObject" {
 			return true, 1
 		}
From b06e6b1bd400a00ff2c14234d8e73a47633fa86c Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Fri, 2 Feb 2024 14:27:00 +0100
Subject: [PATCH 2/2] add size to s3.bytes

Signed-off-by: matteopasa
---
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index 5763ff94..fbcb5ef6 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -587,14 +587,22 @@ func getfieldU64(jdata *fastjson.Value, field string) (bool, uint64) {
 		if out != nil {
 			tot = tot + getvalueU64(out)
 		}
-		return (in != nil || out != nil), tot
+		size := jdata.Get("detail", "object", "size")
+		if size != nil {
+			tot = tot + getvalueU64(size)
+		}
+		return (in != nil || out != nil || size != nil), tot
 	case "s3.bytes.in":
 		var tot uint64 = 0
 		in := jdata.Get("additionalEventData", "bytesTransferredIn")
 		if in != nil {
 			tot = tot + getvalueU64(in)
 		}
-		return (in != nil), tot
+		size := jdata.Get("detail", "object", "size")
+		if size != nil {
+			tot = tot + getvalueU64(size)
+		}
+		return (in != nil || size != nil), tot
 	case "s3.bytes.out":
 		var tot uint64 = 0
 		out := jdata.Get("additionalEventData", "bytesTransferredOut")
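Review bot: The two counters give `detail.reason` different precedence: `s3.cnt.put` ORs it with `eventName`, so a record whose `eventName` is something other than PutObject but whose `detail.reason` reads "PutObject" counts as a put, while `s3.cnt.other` consults `detail.reason` only when `eventName` is empty. Using the same fallback in `s3.cnt.put` makes the precedence identical and skips the second lookup on every ordinary CloudTrail event: `ename := string(jdata.GetStringBytes("eventName"))`, `if ename == "" { ename = string(jdata.GetStringBytes("detail", "reason")) }`, `if ename == "PutObject" {`. Whether one record can carry both keys I cannot tell from the hunk, but making the order explicit costs nothing. If the notification source also reports object creation under reasons other than "PutObject" (multipart completion or copy, as I believe EventBridge does), those uploads will not be counted here — a comment on the case would stop rule authors from assuming the counter covers every write. getfieldU64's body starts and ends outside the hunk.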
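Review bot: In both `s3.bytes` and `s3.bytes.in` the new `detail.object.size` is added on top of `bytesTransferredIn`/`bytesTransferredOut` instead of standing in for them, which is the opposite of the fallback precedence the s3.bucket/s3.key fields use and would double-count any record that carries both. Guarding the `size` lookup with `if in == nil` in `s3.bytes.in` (and `if in == nil && out == nil` in `s3.bytes`) so the notification value only fills in when CloudTrail's transfer counters are absent keeps the two field families consistent. An object size is also not a transfer count: if `detail.object.size` is present on notifications that are not object creations (I cannot tell from the hunk which notification types reach this code), `s3.bytes.in` would attribute inbound bytes to, for example, a deletion. A one-line comment on why size is treated as bytes-in, e.g. `// S3 notifications carry no transfer counters; treat the created object's size as bytes in`, would record that assumption for whoever extends `s3.bytes.out`. getfieldU64's body starts and ends outside the hunk.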