[AWS CloudTrail] Add cloud.account.id field mapping #15057

@cpascale43

We are seeing reports that several CloudTrail event types are not mapping the cloud.account.id field from aws.cloudtrail.recipient_account_id.

One customer report displays the following counts of event.action with the filter `not cloud.account.id:*`:

| Top 500 values of event.action | Count of records |
| --- | --- |
| InvokeExecution | 5,076,546 |
| Invoke | 3,310,482 |
| AssumeRole | 1,505,236 |
| AssumeRoleWithWebIdentity | 1,227,378 |
| GenerateDataKey | 731,113 |
| PutObject | 414,918 |
| Decrypt | 287,670 |
| Encrypt | 105,060 |
| GetBucketAcl | 31,795 |
| GetUser | 7,424 |
| HeadBucket | 3,437 |
| CreateLogStream | 1,962 |
| RetireGrant | 1,369 |
| UploadPart | 1,198 |
| GetObject | 736 |
| InitiateAuth | 546 |
| GetFunctionConfiguration20150331v2 | 360 |
| DescribeKey | 311 |
| CompleteMultipartUpload | 275 |
| CreateMultipartUpload | 275 |
| CopyObject | 146 |
| AssumeRoleWithSAML | 126 |
| GenerateDataKeyWithoutPlaintext | 101 |
| BatchGetImage | 69 |
| CreateGrant | 67 |
| RespondToAuthChallenge | 56 |
| ReEncrypt | 9 |
| GetBucketLocation | 1 |

Sample data available on request.
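An added example, not part of the original issue and not the integration's own code: a triage script that reproduces the per-`event.action` count of events lacking `cloud.account.id` over exported ECS documents and backfills the field from `aws.cloudtrail.recipient_account_id` where one is present. The helper names and the sample events are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample events (not customer data); IDs and helper names are hypothetical.
SAMPLE_NDJSON = """\
{"event": {"action": "AssumeRole"}, "aws": {"cloudtrail": {"recipient_account_id": "111111111111"}}}
{"event.action": "Invoke", "aws.cloudtrail.recipient_account_id": "222222222222"}
{"event": {"action": "Decrypt"}, "aws": {"cloudtrail": {"recipient_account_id": ""}}}
{"event": {"action": "AssumeRole"}, "cloud": {"account": {"id": "333333333333"}}, "aws": {"cloudtrail": {"recipient_account_id": "111111111111"}}}
{"event": {"action": "AssumeRole"}, "aws": {"cloudtrail": {"recipient_account_id": "111111111111"}}}
"""

def get_field(doc, path):
    """Read an ECS field stored either as a dotted key or as nested objects."""
    if path in doc:
        return doc[path]
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def set_field(doc, path, value):
    """Write a field as nested objects, creating parent objects as needed."""
    *parents, leaf = path.split(".")
    node = doc
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def audit_and_backfill(lines):
    """Count events missing cloud.account.id per action; backfill without overwriting."""
    missing, unfixable, docs = Counter(), Counter(), []
    for line in filter(None, map(str.strip, lines)):
        doc = json.loads(line)
        if not get_field(doc, "cloud.account.id"):
            action = get_field(doc, "event.action") or "(none)"
            missing[action] += 1
            recipient = get_field(doc, "aws.cloudtrail.recipient_account_id")
            if recipient:
                set_field(doc, "cloud.account.id", str(recipient))
            else:
                unfixable[action] += 1  # nothing to copy from; needs another source
        docs.append(doc)
    return missing, unfixable, docs

if __name__ == "__main__":
    print(*audit_and_backfill(SAMPLE_NDJSON.splitlines())[:2])
```

Events counted in the second counter have no recipient account ID to copy, so they would stay unattributed even after the mapping is added.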

Labels: Integration:aws, Team:SDE-Crest, Team:Security-Service Integrations, enhancement
