[AWS] Fix aws.cloudtrail.request_id parsing (#33143)

turuncuofke · web-flow · commit 2eb8bb8f90e7 · 2022-09-29T13:00:17.000-06:00
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -70,6 +70,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Import dashboards from CEF integration. {pull}32766[32766]
 - Fix how to handle IPv6 addresses in the fileset `nginx/ingress_controller` for Filebeat. {pull}32989[32989]
 - Fix handling of Cisco 302020 messages in ASA and FTD modules. {pull}33089[33089]
+- Fix requestID parsing in AWS cloudtrail fileset. {pull}33143[33143]
 
 *Auditbeat*
 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -183,7 +183,7 @@ processors:
         }
       ignore_failure: true
   - rename:
-      field: "json.requestId"
+      field: "json.requestID"
       target_field: "aws.cloudtrail.request_id"
       ignore_failure: true
   - rename:
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
@@ -27,6 +27,7 @@
         "aws.cloudtrail.flattened.response_elements.credentials.expiration": "Oct 2, 2019 11:12:29 PM",
         "aws.cloudtrail.flattened.response_elements.credentials.sessionToken": "AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN",
         "aws.cloudtrail.recipient_account_id": "111111111111",
+        "aws.cloudtrail.request_id": "b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE",
         "aws.cloudtrail.request_parameters": "{incomingTransitiveTags={Department=Engineering}, transitiveTagKeys=[Email, CostCenter], durationSeconds=3600, roleArn=arn:aws:iam::111111111111:role/JohnRole2, roleSessionName=Role2WithTags, tags=[{value=johndoe@example.com, key=Email}, {value=12345, key=CostCenter}]}",
         "aws.cloudtrail.response_elements": "{assumedRoleUser={assumedRoleId=AROAIFR7WHDTSOYQYHFUE:Role2WithTags, arn=arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags}, credentials={accessKeyId=ASIAWHOJDLGPOEXAMPLE, sessionToken=AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN, expiration=Oct 2, 2019 11:12:29 PM}}",
         "aws.cloudtrail.user_identity.access_key_id": "AKIAI44QH8DHBEXAMPLE",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.event_type": "AwsApiCall",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-5204-4fed-9c60-9c6EXAMPLE",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
         "aws.cloudtrail.user_identity.type": "IAMUser",
@@ -50,6 +51,7 @@
         "aws.cloudtrail.event_type": "AwsApiCall",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-5c16-4eda-9724-EXAMPLE",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
         "aws.cloudtrail.user_identity.type": "IAMUser",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json
@@ -9,6 +9,7 @@
         "aws.cloudtrail.flattened.response_elements.accessKey.status": "Active",
         "aws.cloudtrail.flattened.response_elements.accessKey.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-823a-48dc-8fa9-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{userName=Bob}",
         "aws.cloudtrail.response_elements": "{accessKey={accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Active, createDate=Jan 8, 2020 8:43:06 PM}}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json
@@ -10,6 +10,7 @@
         "aws.cloudtrail.flattened.response_elements.group.groupName": "TEST-GROUP",
         "aws.cloudtrail.flattened.response_elements.group.path": "/",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-769d-4a61-b731-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}",
         "aws.cloudtrail.response_elements": "{group={path=/, groupName=TEST-GROUP, groupId=EXAMPLE_ID, arn=arn:aws:iam::0123456789012:group/TEST-GROUP, createDate=Jan 9, 2020 1:48:44 AM}}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
@@ -63,6 +64,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-c8ae-44dc-8114-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json
@@ -19,6 +19,7 @@
         "aws.cloudtrail.flattened.response_elements.trailARN": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
         "aws.cloudtrail.read_only": false,
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-5149-4cf2-be99-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{isMultiRegionTrail=true, s3BucketName=TEST-cloudtrail-bucket, name=TEST-trail, enableLogFileValidation=true, kmsKeyId=, isOrganizationTrail=false, includeGlobalServiceEvents=true}",
         "aws.cloudtrail.response_elements": "{logFileValidationEnabled=true, isMultiRegionTrail=true, s3BucketName=TEST-cloudtrail-bucket, name=TEST-trail, trailARN=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail, isOrganizationTrail=false, includeGlobalServiceEvents=true}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json
@@ -7,6 +7,7 @@
         "aws.cloudtrail.flattened.request_parameters.virtualMFADeviceName": "Alice",
         "aws.cloudtrail.flattened.response_elements.virtualMFADevice.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-303b-4b0e-a8c7-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{path=/, virtualMFADeviceName=Alice}",
         "aws.cloudtrail.response_elements": "{virtualMFADevice={serialNumber=arn:aws:iam::0123456789012:mfa/Alice}}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice",
         "aws.cloudtrail.flattened.request_parameters.userName": "Alice",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-801a-4624-8fa0-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice, userName=Alice}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.accessKeyId": "EXAMPLE_ID",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-3bea-41fa-a0b4-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_ID, userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json
@@ -5,6 +5,7 @@
         "aws.cloudtrail.event_version": "1.04",
         "aws.cloudtrail.flattened.request_parameters.bucketName": "my-test-bucket-cross-account",
         "aws.cloudtrail.recipient_account_id": "777788889999",
+        "aws.cloudtrail.request_id": "EXAMPLE463D56D4C",
         "aws.cloudtrail.request_parameters": "{bucketName=my-test-bucket-cross-account}",
         "aws.cloudtrail.user_identity.access_key_id": "AKIAQRSTUVWXYZEXAMPLE",
         "aws.cloudtrail.user_identity.arn": "arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json
@@ -5,6 +5,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-66cb-4775-a203-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
@@ -56,6 +57,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-2a3c-4a94-b24f-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.sSHPublicKeyId": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-7b34-44ae-a22f-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.name": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail",
         "aws.cloudtrail.read_only": false,
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-d44f-4a2a-966f-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
@@ -5,6 +5,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "123456789012",
+        "aws.cloudtrail.request_id": "0e794d53-cdb5-4f7d-b7db-5EXAMPLE",
         "aws.cloudtrail.request_parameters": "{userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
@@ -5,6 +5,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-af91-4d1a-aaf2-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json
@@ -7,6 +7,7 @@
         "aws.cloudtrail.management_event": true,
         "aws.cloudtrail.read_only": true,
         "aws.cloudtrail.recipient_account_id": "REDACTED",
+        "aws.cloudtrail.request_id": "REDACTED",
         "aws.cloudtrail.user_identity.access_key_id": "REDACTED",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::REDACTED:user/REDACTED",
         "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "true",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Bob",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-adea-490a-a806-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Bob, userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.groupName": "Admin",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-0bf0-47be-bc80-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=Admin, userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.name": "TEST-trail",
         "aws.cloudtrail.read_only": false,
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-1c30-4f43-9763-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{name=TEST-trail}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.name": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
         "aws.cloudtrail.read_only": false,
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-869f-4fec-86f9-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
@@ -7,6 +7,7 @@
         "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-7d0c-45f4-b25b-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
@@ -10,6 +10,7 @@
         "aws.cloudtrail.flattened.request_parameters.requireSymbols": true,
         "aws.cloudtrail.flattened.request_parameters.requireUppercaseCharacters": true,
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-5ebf-4bc3-a349-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{minimumPasswordLength=12, requireSymbols=true, allowUsersToChangePassword=true, requireLowercaseCharacters=true, requireNumbers=true, requireUppercaseCharacters=true}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
@@ -6,6 +6,7 @@
         "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP",
         "aws.cloudtrail.flattened.request_parameters.newGroupName": "TEST-GROUP2",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-c22d-4fca-b40a-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP, newGroupName=TEST-GROUP2}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
@@ -56,6 +57,7 @@
         "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP2",
         "aws.cloudtrail.flattened.request_parameters.newGroupName": "TEST-GROUP",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-f673-4ce7-8529-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP2, newGroupName=TEST-GROUP}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
@@ -5,6 +5,7 @@
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-0dc6-447a-8859-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{userName=Bob}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
@@ -7,6 +7,7 @@
         "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-32f3-4a92-82e1-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
@@ -59,6 +60,7 @@
         "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
         "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
         "aws.cloudtrail.recipient_account_id": "0123456789012",
+        "aws.cloudtrail.request_id": "EXAMPLE-32f3-4a92-82e1-EXAMPLE",
         "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
         "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::0123456789012:user/Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ processors:`
`183`	`183`	`}`
`184`	`184`	`ignore_failure: true`
`185`	`185`	`- rename:`
`186`		`- field: "json.requestId"`
	`186`	`+ field: "json.requestID"`
`187`	`187`	`target_field: "aws.cloudtrail.request_id"`
`188`	`188`	`ignore_failure: true`
`189`	`189`	`- rename:`