in source/lambda/es_loader/siem/sf_cloudtrail.py [0:0]
def transform(logdata):
if 'errorCode' in logdata or 'errorMessage' in logdata:
logdata['event']['outcome'] = 'failure'
else:
logdata['event']['outcome'] = 'success'
try:
name = logdata['user']['name']
if ':' in name:
logdata['user']['name'] = name.split(':')[-1].split('/')[-1]
except KeyError:
pass
# https://github.com/aws-samples/siem-on-amazon-elasticsearch/issues/33
try:
response_cred = logdata['responseElements']['credentials']
except (KeyError, TypeError):
response_cred = None
if isinstance(response_cred, str):
logdata['responseElements']['credentials'] = {}
if 'arn:aws:iam' in response_cred:
logdata['responseElements']['credentials']['iam'] = response_cred
else:
logdata['responseElements']['credentials']['value'] = response_cred
# https://github.com/aws-samples/siem-on-amazon-elasticsearch/issues/108
try:
logdata['requestParameters']['tags'] = convert_text_into_dict(
logdata['requestParameters']['tags'])
except (KeyError, TypeError):
pass
# https://github.com/aws-samples/siem-on-amazon-elasticsearch/issues/114
try:
logdata['responseElements']['policy'] = convert_text_into_dict(
logdata['responseElements']['policy'])
except (KeyError, TypeError):
pass
# https://github.com/aws-samples/siem-on-amazon-elasticsearch/issues/139
try:
logdata['requestParameters']['disableApiTermination'] = (
logdata['requestParameters']['disableApiTermination']['value'])
except (KeyError, TypeError):
pass
event_source = logdata.get('eventSource', None)
if event_source == 'athena.amazonaws.com':
# #153
try:
tableMetadataList = (
logdata['responseElements']['tableMetadataList'])
except (KeyError, TypeError):
tableMetadataList = None
if tableMetadataList:
for tableMetadata in tableMetadataList:
old_field = 'projection.date.interval.unit'
new_field = 'projection.date.interval_unit'
try:
tableMetadata['parameters'][new_field] = (
tableMetadata['parameters'].pop(old_field))
except KeyError:
pass
elif event_source == 'glue.amazonaws.com':
# #156, #166
try:
configuration = logdata['requestParameters']['configuration']
except (KeyError, TypeError):
configuration = None
if configuration and isinstance(configuration, str):
logdata['requestParameters']['configuration'] = {
'text': configuration}
elif event_source == 'cognito-idp.amazonaws.com':
# #163
try:
session = logdata['responseElements']['session']
except (KeyError, TypeError):
session = None
if session and isinstance(session, str):
logdata['responseElements']['session'] = {'value': session}
elif event_source == 'ecs.amazonaws.com':
# #167
try:
command = logdata['requestParameters']['command']
except (KeyError, TypeError):
command = None
if command and isinstance(command, str):
logdata['requestParameters']['command'] = {'command': command}
elif event_source in ('compute-optimizer.amazonaws.com',
'auditmanager.amazonaws.com'):
try:
status = logdata['responseElements']['status']
except (KeyError, TypeError):
status = None
if status and isinstance(status, str):
logdata['responseElements']['status'] = {'status': status}
return logdata