Add support for CloudTrail Digest and Insight Logs

leehinman · leehinman · commit c094a56f8b79 · 2021-06-04T15:35:51.000-05:00
Closes #1022
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.1"
+  changes:
+    - description: Add support for CloudTrail Digest & Insight logs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1079
 - version: "0.6.0"
   changes:
     - description: Update ECS version, add event.original and preparing for package GA
diff --git a/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
@@ -1,4 +1,16 @@
 queue_url: {{queue_url}}
+file_selectors:
+{{#if cloudtrail_regex}}
+  - regex: {{cloudtrail_regex}}
+    expand_event_list_from_field: 'Records'
+{{/if}}
+{{#if cloudtrail_digest_regex}}
+  - regex: {{cloudtrail_digest_regex}}
+{{/if}}
+{{#if cloudtrail_insight_regex}}
+  - regex: {{cloudtrail_insight_regex}}
+    expand_event_list_from_field: 'Records'
+{{/if}}
 expand_event_list_from_field: Records
 {{#if credential_profile_name}}
 credential_profile_name: {{credential_profile_name}}
diff --git a/packages/aws/data_stream/cloudtrail/manifest.yml b/packages/aws/data_stream/cloudtrail/manifest.yml
@@ -47,6 +47,33 @@ streams:
         type: bool
         multi: false
         default: false
+      - name: cloudtrail_regex
+        type: text
+        title: CloudTrail Logs regex
+        default: '/CloudTrail/'
+        required: false
+        show_user: false
+        description: |
+          Regex to match path of CloudTrail S3 Objects.  If blank
+          CloudTrail logs will be skipped.
+      - name: cloudtrail_digest_regex
+        type: text
+        title: CloudTrail Digest Logs regex
+        default: '/CloudTrail-Digest/'
+        required: false
+        show_user: false
+        description: |
+          Regex to match path of CloudTrail Digest S3 Objects.  If
+          blank CloudTrail Digest logs will be skipped.
+      - name: cloudtrail_insight_regex
+        type: text
+        title: CloudTrail Insight Logs regex
+        default: '/CloudTrail-Insight/'
+        required: false
+        show_user: false
+        description: |
+          Regex to match path of CloudTrail Insight S3 Objects.  If
+          blank CloudTrail Insight logs will be skipped.
   - input: httpjson
     title: AWS CloudTrail logs via Splunk Enterprise REST API
     description: Collect AWS CloudTrail logs via Splunk Enterprise REST API
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: aws
 title: AWS
-version: 0.6.0
+version: 0.6.1
 license: basic
 description: AWS Integration
 type: integration
