From 3ad479cdf4ae4e5f5c9075b0fd0077c7e953bf0b Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Mon, 12 Feb 2024 10:32:49 +0100
Subject: [PATCH 1/3] extract more fields from the s3 notification event

Signed-off-by: matteopasa
---
 .../cloudtrail/pkg/cloudtrail/cloudtrail.go | 2 +-
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 36 ++++++++++++++++---
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
index 30545bdf..07a4edbf 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 PluginName = "cloudtrail"
 PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 PluginContact = "github.com/falcosecurity/plugins/"
- PluginVersion = "0.11.0"
+ PluginVersion = "0.11.1"
 PluginEventSource = "aws_cloudtrail"
 )
 
diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index fbcb5ef6..3ab66455 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -214,6 +214,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 switch field {
 case "ct.id":
 val := jdata.GetStringBytes("eventID")
+ if val == nil {
+ val = jdata.GetStringBytes("id")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -228,6 +232,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.time":
 val := jdata.GetStringBytes("eventTime")
+ if val == nil {
+ val = jdata.GetStringBytes("time")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -236,6 +244,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.src":
 val := jdata.GetStringBytes("eventSource")
+ if val == nil {
+ val = jdata.GetStringBytes("source")
+ }
+
 if val == nil {
 return false, ""
 } else {
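Review bot: The second-key fallback added to the `ct.id` case (and likewise to `ct.time`, `ct.src`, and the `ct.shortsrc`, `ct.user.accountid`, `ct.region` and `ct.srcip` hunks later in this patch) is not explained anywhere in the hunk, so a reader cannot tell which document schema the alternate key belongs to or why it is acceptable to surface it under a field whose name says CloudTrail. The commit subject says the alternate key is the S3 notification event's name, and a rule author relying on `ct.id` being a CloudTrail eventID will from now on also receive that notification's identifier with nothing in the output marking the difference. I would put one comment ahead of the first fallback, `// Fallback: S3 event-notification key when the CloudTrail key is absent.`, and mention the S3 notification source in the field descriptions this plugin exports if those currently list CloudTrail only (they are outside the hunk). `getfieldStr` starts before and ends after every hunk here.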
@@ -244,6 +256,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.shortsrc":
 val := jdata.GetStringBytes("eventSource")
+ if val == nil {
+ val = jdata.GetStringBytes("source")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -256,6 +272,8 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 res = res[0 : len(res)-len(".amazonaws.com")]
 }
 }
+
+ res = strings.TrimPrefix(res, "aws.")
 case "ct.name":
 val := jdata.GetStringBytes("eventName")
 if val == nil {
@@ -271,13 +289,14 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 return true, res
 case "ct.user.accountid":
 val := jdata.GetStringBytes("userIdentity", "accountId")
+ if val == nil {
+ val = jdata.GetStringBytes("recipientAccountId")
+ }
+ if val == nil {
+ val = jdata.GetStringBytes("account")
+ }
 if val != nil {
 res = string(val)
- } else {
- val := jdata.GetStringBytes("recipientAccountId")
- if val != nil {
- res = string(val)
- }
 }
 case "ct.user.identitytype":
 val := jdata.GetStringBytes("userIdentity", "type")
@@ -302,6 +321,10 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.region":
 val := jdata.GetStringBytes("awsRegion")
+ if val == nil {
+ val = jdata.GetStringBytes("region")
+ }
+
 if val == nil {
 return false, ""
 } else {
@@ -407,6 +430,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.srcip":
 val := jdata.GetStringBytes("sourceIPAddress")
+ if val == nil {
+ val = jdata.GetStringBytes("detail", "source-ip-address")
+ }
 if val == nil {
 return false, ""
 } else {
From fc1abb72d1103769ec89b155f61a1aba5061cc32 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Mon, 12 Feb 2024 14:32:07 +0100
Subject: [PATCH 2/3] fix extract s3 notification paths

Signed-off-by: matteopasa
---
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 32 ++++++--------------
 1 file changed, 10 insertions(+), 22 deletions(-)
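Review bot: The rewritten `ct.user.accountid` chain still has no `return false, ""` when all three keys are absent, so unlike `ct.id`, `ct.time` or `ct.region` in this same patch the field presumably resolves to an empty string instead of being reported missing (the function's tail is outside the hunk, so the `return true, res` is inferred from the other cases). For a field that rules use to compare or allow-list account IDs, an empty-but-present value is easy to match by accident, and adding `if val == nil { return false, "" }` after the last fallback would make the case consistent with its siblings. The three-way precedence is also worth a line, e.g. `// Precedence: userIdentity.accountId, then recipientAccountId, then the S3 notification key.`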
diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index 3ab66455..f1a93c56 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -215,7 +215,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "ct.id":
 val := jdata.GetStringBytes("eventID")
 if val == nil {
- val = jdata.GetStringBytes("id")
+ val = jdata.GetStringBytes("request-id")
 }
 
 if val == nil {
@@ -232,9 +232,6 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.time":
 val := jdata.GetStringBytes("eventTime")
- if val == nil {
- val = jdata.GetStringBytes("time")
- }
 
 if val == nil {
 return false, ""
@@ -244,10 +241,6 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.src":
 val := jdata.GetStringBytes("eventSource")
- if val == nil {
- val = jdata.GetStringBytes("source")
- }
-
 if val == nil {
 return false, ""
 } else {
@@ -256,10 +249,6 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 case "ct.shortsrc":
 val := jdata.GetStringBytes("eventSource")
- if val == nil {
- val = jdata.GetStringBytes("source")
- }
-
 if val == nil {
 return false, ""
 } else {
@@ -276,6 +265,9 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 res = strings.TrimPrefix(res, "aws.")
 case "ct.name":
 val := jdata.GetStringBytes("eventName")
+ if val == nil {
+ val = jdata.GetStringBytes("reason")
+ }
 if val == nil {
 return false, ""
 } else {
@@ -293,7 +285,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 val = jdata.GetStringBytes("recipientAccountId")
 }
 if val == nil {
- val = jdata.GetStringBytes("account")
+ val = jdata.GetStringBytes("requester")
 }
 if val != nil {
 res = string(val)
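Review bot: Each case touched in this patch (`ct.id` here, then `ct.name`, `ct.user.accountid`, `ct.srcip`, `s3.bucket`, `s3.key` and `s3.uri`) repeats the same three-line `if val == nil { val = jdata.GetStringBytes(...) }` block, and the key precedence lives only in the order of those blocks, which already drifts between cases (`ct.id` keeps a blank line after its fallback, `ct.srcip` does not). A small helper that takes the key paths in order would show the precedence in one line per case and keep future keys from being added inconsistently; the `ct.id` lookup would become `val := firstStringBytes(jdata, []string{"eventID"}, []string{"request-id"})`. The helper below goes next to `getfieldStr`, whose signature and tail are outside this hunk.
```go
// firstStringBytes returns the value at the first of the given key paths
// that holds a string, or nil when none of them does.
func firstStringBytes(jdata *fastjson.Value, paths ...[]string) []byte {
	for _, p := range paths {
		if v := jdata.GetStringBytes(p...); v != nil {
			return v
		}
	}
	return nil
}
```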
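Review bot: A rule that compares `ct.user.accountid` against an allow-list of owning accounts can match a different party once `requester` (this hunk) is accepted as the third source after `recipientAccountId`: if, as the name suggests, `requester` identifies whoever made the request while `recipientAccountId` identifies the account receiving the event, the field names one party for CloudTrail records that lack `userIdentity.accountId` and another for S3 notification events. What the notification's `requester` actually holds is not visible from here, so it should be confirmed and then stated both in the field's description and on the case, e.g. `// requester comes from the S3 notification; confirm it holds an account ID before treating it like userIdentity.accountId.` The `ct.user.accountid` case starts in the previous hunk and ends outside this one.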
@@ -321,10 +313,6 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 }
 case "ct.region":
 val := jdata.GetStringBytes("awsRegion")
- if val == nil {
- val = jdata.GetStringBytes("region")
- }
-
 if val == nil {
 return false, ""
 } else {
@@ -431,7 +419,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "ct.srcip":
 val := jdata.GetStringBytes("sourceIPAddress")
 if val == nil {
- val = jdata.GetStringBytes("detail", "source-ip-address")
+ val = jdata.GetStringBytes("source-ip-address")
 }
 if val == nil {
 return false, ""
@@ -494,7 +482,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.bucket":
 val := jdata.GetStringBytes("requestParameters", "bucketName")
 if val == nil {
- val = jdata.GetStringBytes("detail", "bucket", "name")
+ val = jdata.GetStringBytes("bucket", "name")
 }
 
 if val == nil {
@@ -505,7 +493,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.key":
 val := jdata.GetStringBytes("requestParameters", "key")
 if val == nil {
- val = jdata.GetStringBytes("detail", "object", "key")
+ val = jdata.GetStringBytes("object", "key")
 }
 
 if val == nil {
@@ -516,7 +504,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 case "s3.uri":
 sbucket := jdata.GetStringBytes("requestParameters", "bucketName")
 if sbucket == nil {
- sbucket = jdata.GetStringBytes("detail", "bucket", "name")
+ sbucket = jdata.GetStringBytes("bucket", "name")
 }
 if sbucket == nil {
 return false, ""
@@ -524,7 +512,7 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 
 skey := jdata.GetStringBytes("requestParameters", "key")
 if skey == nil {
- skey = jdata.GetStringBytes("detail", "object", "key")
+ skey = jdata.GetStringBytes("object", "key")
 }
 if skey == nil {
 return false, ""
From e3689d777304884dfc38828d94bbe7fba0e06d70 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Mon, 12 Feb 2024 14:48:24 +0100
Subject: [PATCH 3/3] bump version to 0.12
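Review bot: The `object.key` read from a notification document in the `s3.key` hunk is used as-is, exactly like the CloudTrail `requestParameters.key`, and the two `s3.uri` hunks below concatenate the same value into the URI; the classic S3 event-notification record URL-encodes the object key, so if that is the format feeding this path, the same object will surface with two different spellings depending on source and a rule matching on a key or prefix will miss one of them. Which notification format is consumed is not visible from the hunk, so this is something to confirm and then document on the case, e.g. `// object.key: S3 notification key; confirm it is not URL-encoded before comparing with requestParameters.key.` The `s3.uri` case is split across the last two hunks and its tail is outside the view.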
Signed-off-by: matteopasa
---
 plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go | 2 +-
 plugins/cloudtrail/pkg/cloudtrail/extract.go | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
index 07a4edbf..e6dd5bdc 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 PluginName = "cloudtrail"
 PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 PluginContact = "github.com/falcosecurity/plugins/"
- PluginVersion = "0.11.1"
+ PluginVersion = "0.12.0"
 PluginEventSource = "aws_cloudtrail"
 )
 
diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
index f1a93c56..63c59063 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/extract.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -261,8 +261,6 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 res = res[0 : len(res)-len(".amazonaws.com")]
 }
 }
-
- res = strings.TrimPrefix(res, "aws.")
 case "ct.name":
 val := jdata.GetStringBytes("eventName")
 if val == nil {