diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
index 30545bdf..e6dd5bdc 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 PluginName = "cloudtrail"
 PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 PluginContact = "github.com/falcosecurity/plugins/"
- PluginVersion = "0.11.0"
+ PluginVersion = "0.12.0"
 PluginEventSource = "aws_cloudtrail"
 )
diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index fbcb5ef6..63c59063 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -214,6 +214,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 switch field {
 case "ct.id":
 val := jdata.GetStringBytes("eventID")
+ if val == nil {
+ val = jdata.GetStringBytes("request-id")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -228,6 +232,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.time":
 val := jdata.GetStringBytes("eventTime")
+
 if val == nil {
 return false, ""
 } else {
@@ -258,6 +263,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.name":
 val := jdata.GetStringBytes("eventName")
+ if val == nil {
+ val = jdata.GetStringBytes("reason")
+ }
 if val == nil {
 return false, ""
 } else {
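Review bot: The `request-id` fallback in the `ct.id` arm gives that field two identifier spaces without saying so: `eventID` is the CloudTrail per-record identifier, while `request-id` (which by its name looks like the S3 request ID carried in S3 event notifications — confirm against whatever code hands these records to getfieldStr) identifies an API request, so consumers that dedupe or correlate on `ct.id` now receive values from two unrelated schemes. A comment above the fallback should name the source shape and the caveat, e.g. `// S3 event-notification records carry no eventID; fall back to their request-id, which is a per-request rather than per-record identifier.` The added blank line after the fallback is also the only blank inside this arm and reads as a leftover. getfieldStr begins before the hunk and continues after it.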
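Review bot: Falling back to `reason` for `ct.name` widens the value set of a field that detection rules compare by exact string, and nothing in the arm records that the two keys come from different event schemas; if `reason` carries S3-notification values such as `PutObject` or `Lifecycle Expiration` (inferred from the key name, the record layout is not visible here), rules written against CloudTrail eventNames may match or miss these records in ways their authors never considered. A comment at the fallback would make the overlap explicit, e.g. `// S3 event-notification records have no eventName; "reason" (the S3 operation that produced the event) is the closest equivalent.` getfieldStr begins before the hunk and continues after it.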
@@ -271,13 +279,14 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 return true, res
 case "ct.user.accountid":
 val := jdata.GetStringBytes("userIdentity", "accountId")
+ if val == nil {
+ val = jdata.GetStringBytes("recipientAccountId")
+ }
+ if val == nil {
+ val = jdata.GetStringBytes("requester")
+ }
 if val != nil {
 res = string(val)
- } else {
- val := jdata.GetStringBytes("recipientAccountId")
- if val != nil {
- res = string(val)
- }
 }
 case "ct.user.identitytype":
 val := jdata.GetStringBytes("userIdentity", "type")
@@ -407,6 +416,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.srcip":
 val := jdata.GetStringBytes("sourceIPAddress")
+ if val == nil {
+ val = jdata.GetStringBytes("source-ip-address")
+ }
 if val == nil {
 return false, ""
 } else {
@@ -468,7 +480,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.bucket":
 val := jdata.GetStringBytes("requestParameters", "bucketName")
 if val == nil {
- val = jdata.GetStringBytes("detail", "bucket", "name")
+ val = jdata.GetStringBytes("bucket", "name")
 }
 
 if val == nil {
@@ -479,7 +491,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.key":
 val := jdata.GetStringBytes("requestParameters", "key")
 if val == nil {
- val = jdata.GetStringBytes("detail", "object", "key")
+ val = jdata.GetStringBytes("object", "key")
 }
 
 if val == nil {
@@ -490,7 +502,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.uri":
 sbucket := jdata.GetStringBytes("requestParameters", "bucketName")
 if sbucket == nil {
- sbucket = jdata.GetStringBytes("detail", "bucket", "name")
+ sbucket = jdata.GetStringBytes("bucket", "name")
 }
 if sbucket == nil {
 return false, ""
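Review bot: The new `requester` fallback in the `ct.user.accountid` arm is assigned without any check on its shape, yet the field name promises an account ID; if `requester` can hold a service principal rather than a 12-digit account (plausible for S3 notification records generated by S3 itself — confirm against the S3 event schema), rules that compare `ct.user.accountid` against an allow-list of account numbers will silently see a non-numeric value. Either guard the fallback so only digit-only values are accepted, e.g. `if v := jdata.GetStringBytes("requester"); v != nil && isDigits(v) { val = v }`, or document that the field may carry a service name when populated from this key. Note also that the arm still leaves `res` empty rather than reporting absence when all three lookups fail; the `return` for this arm lies after the hunk, so whether that is intended cannot be judged here. getfieldStr begins before the hunk and continues after it.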
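Review bot: The `source-ip-address` fallback in the `ct.srcip` arm is the fifth copy of the same `if val == nil { val = jdata.GetStringBytes(...) }` pattern this change adds across getfieldStr (ct.id, ct.name, twice in ct.user.accountid, now here), and each copy hand-rolls the same nil check; a small variadic helper would let every arm list its key paths in priority order and keep the fallback logic in one place, which also makes the schema precedence reviewable at a glance. The helper below would live outside the switch, and each arm would collapse to a single `val := firstStringBytes(jdata, ...)` call. getfieldStr begins before the hunk and continues after it.
```go
// firstStringBytes returns the first non-nil string found at any of the given
// key paths, or nil when none is present. Paths are tried in order, so callers
// list the preferred schema first and fallbacks after it.
func firstStringBytes(jdata *fastjson.Value, paths ...[]string) []byte {
	for _, path := range paths {
		if v := jdata.GetStringBytes(path...); v != nil {
			return v
		}
	}
	return nil
}

	case "ct.srcip":
		val := firstStringBytes(jdata,
			[]string{"sourceIPAddress"},
			[]string{"source-ip-address"})
		// … unchanged: nil check and return …
```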
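Review bot: Dropping the `detail` prefix from the `bucket`/`name` lookup in the `s3.bucket` arm means `jdata` is now expected to be the unwrapped event payload rather than the enclosing envelope, but nothing in this arm (or in the parallel `s3.key` and `s3.uri` changes) states that expectation, and a record that still arrives as a full envelope now falls through to `return false, ""` with no diagnostic. Whatever code performs the unwrapping is not in this diff, so the contract should be written where the lookup is, e.g. `// For S3 event-notification records jdata is the event payload itself, so bucket and object sit at its top level (the envelope is stripped before extraction).` getfieldStr begins before the hunk and continues after it.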
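Review bot: The `object`/`key` fallback in the `s3.key` arm returns the key exactly as found in the record, and S3 notification payloads are known to URL-encode object keys on some delivery paths; if the records this plugin now accepts use such a path (not determinable from the hunk — confirm with a sample record), rules matching on `s3.key` would compare against `my%20file.txt` rather than `my file.txt`, and the same raw value feeds `s3.uri`. If decoding is required it is a one-line `url.PathUnescape` on the fallback value; otherwise a comment `// object.key is taken verbatim; this record type delivers keys unencoded` would settle the question for the next reader. getfieldStr begins before the hunk and continues after it.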
@@ -498,7 +510,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 skey := jdata.GetStringBytes("requestParameters", "key")
 if skey == nil {
- skey = jdata.GetStringBytes("detail", "object", "key")
+ skey = jdata.GetStringBytes("object", "key")
 }
 if skey == nil {
 return false, ""