xdm_migration_2_6_modelingrule

Packs/AMP/ModelingRules/AMP/AMP.yml

@@ -3,4 +3,5 @@ id: AMP_ModelingRule
 name: AMP Modeling Rule
 rules: ''
 schema: ''
-tags:
+tags:
+toversion: 8.9.0

Packs/AMP/ModelingRules/AMP_2_6/AMP_2_6.xif

@@ -0,0 +1,48 @@
+[MODEL: dataset = "cisco_secure_endpoint_raw"]
+alter
+        external_ip = computer -> external_ip,
+        network_addresses_ips = arraymap(computer -> network_addresses[], "@element" -> ip),
+        first_ip_network_addresses = json_extract_scalar(arrayindex(computer -> network_addresses[], 0), "$.ip"),
+        file_description = concat(file -> file_name, " - ", file -> disposition),
+        cloud_ioc_description = cloud_ioc -> description,
+        remote_ip_network_info = network_info -> remote_ip,
+        protocol_network_info = network_info -> nfm.protocol
+| alter
+        xdm.event.id = to_string(id),
+        xdm.event.type = event_type,
+        xdm.event.description = if(file_description != null and cloud_ioc_description != null, concat(cloud_ioc_description, "; ", file_description), coalesce(cloud_ioc_description, file_description )),
+        xdm.event.outcome = if(lowercase(event_type) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(event_type) contains "succ", XDM_CONST.OUTCOME_SUCCESS, null),
+        xdm.event.outcome_reason = error -> description,
+        xdm.alert.original_threat_id = coalesce(detection_id, threat_hunting -> incident_hunt_guid),
+        xdm.alert.severity = severity,
+        xdm.alert.original_threat_name = detection,
+        xdm.alert.name = coalesce(detection, threat_hunting -> incident_title),
+        xdm.alert.description = threat_hunting -> incident_summary,
+        xdm.alert.mitre_tactics = arraymap(tactics -> [], trim("@element", "\"")),
+        xdm.alert.mitre_techniques = arraymap(techniques -> [], trim("@element", "\"")),
+        xdm.alert.risks = vulnerabilities -> [],
+        xdm.source.host.hostname = computer -> hostname,
+        xdm.source.identity.username = computer -> user,
+        xdm.source.agent.identifier = connector_guid,
+        xdm.intermediate.ipv4 = if(external_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", external_ip, null),
+        xdm.intermediate.ipv6 = if(external_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", external_ip, null),
+        xdm.source.ipv4 = if(first_ip_network_addresses ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", first_ip_network_addresses, null),
+        xdm.source.ipv6 = if(first_ip_network_addresses ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", first_ip_network_addresses, null),
+        xdm.source.host.ipv4_addresses = arrayfilter(network_addresses_ips, "@element" ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
+        xdm.source.host.ipv6_addresses = arrayfilter(network_addresses_ips, "@element" ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}"),
+        xdm.source.host.mac_addresses = arraymap(computer -> network_addresses[], "@element" -> mac),
+        xdm.target.file.filename = file -> file_name,
+        xdm.target.file.path = file -> file_path,
+        xdm.target.file.md5 = file -> identity.md5,
+        xdm.target.file.sha256 = file -> identity.sha256,
+        xdm.source.process.pid = coalesce(to_integer(file -> parent.process_id), to_integer(network_info -> parent.process_id)),
+        xdm.source.process.command_line = command_line -> arguments,
+        xdm.source.process.executable.filename = coalesce(file -> parent.file_name, network_info -> parent.file_name),
+        xdm.source.process.executable.md5 = coalesce(file -> parent.identity.md5, network_info -> parent.identity.md5),
+        xdm.source.process.executable.sha256 = coalesce(file -> parent.identity.sha256, network_info -> parent.identity.sha256),
+        xdm.target.ipv4 = if(remote_ip_network_info ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", remote_ip_network_info, null),
+        xdm.target.ipv6 = if(remote_ip_network_info ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", remote_ip_network_info, null),
+        xdm.target.port = to_integer(network_info -> remote_port),
+        xdm.target.url = network_info -> dirty_url,
+        xdm.network.http.url = network_info -> dirty_url,
+        xdm.network.ip_protocol = if(protocol_network_info = "HOPOPT", XDM_CONST.IP_PROTOCOL_HOPOPT, protocol_network_info = "ICMP",XDM_CONST.IP_PROTOCOL_ICMP, protocol_network_info = "IGMP",XDM_CONST.IP_PROTOCOL_IGMP, protocol_network_info = "GGP",XDM_CONST.IP_PROTOCOL_GGP, protocol_network_info = "IP",XDM_CONST.IP_PROTOCOL_IP, protocol_network_info = "ST",XDM_CONST.IP_PROTOCOL_ST, protocol_network_info = "TCP",XDM_CONST.IP_PROTOCOL_TCP, protocol_network_info = "CBT",XDM_CONST.IP_PROTOCOL_CBT, protocol_network_info = "EGP",XDM_CONST.IP_PROTOCOL_EGP, protocol_network_info = "IGP",XDM_CONST.IP_PROTOCOL_IGP, protocol_network_info = "BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, protocol_network_info = "NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, protocol_network_info = "PUP",XDM_CONST.IP_PROTOCOL_PUP, protocol_network_info = "ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, protocol_network_info = "EMCON",XDM_CONST.IP_PROTOCOL_EMCON, protocol_network_info = "XNET",XDM_CONST.IP_PROTOCOL_XNET, protocol_network_info = "CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, protocol_network_info = "UDP",XDM_CONST.IP_PROTOCOL_UDP, protocol_network_info = "MUX",XDM_CONST.IP_PROTOCOL_MUX, protocol_network_info = "DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, protocol_network_info = "HMP",XDM_CONST.IP_PROTOCOL_HMP, protocol_network_info = "PRM",XDM_CONST.IP_PROTOCOL_PRM, protocol_network_info = "XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, protocol_network_info = "TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, protocol_network_info = "TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, protocol_network_info = "LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, protocol_network_info = "LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, protocol_network_info = "RDP",XDM_CONST.IP_PROTOCOL_RDP, protocol_network_info = "IRTP",XDM_CONST.IP_PROTOCOL_IRTP, protocol_network_info = "ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, protocol_network_info = "NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, protocol_network_info = "MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, protocol_network_info = "MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, protocol_network_info = "DCCP",XDM_CONST.IP_PROTOCOL_DCCP, protocol_network_info = "3PC",XDM_CONST.IP_PROTOCOL_3PC, protocol_network_info = "IDPR",XDM_CONST.IP_PROTOCOL_IDPR, protocol_network_info = "XTP",XDM_CONST.IP_PROTOCOL_XTP, protocol_network_info = "DDP",XDM_CONST.IP_PROTOCOL_DDP, protocol_network_info = "IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, protocol_network_info = "TP",XDM_CONST.IP_PROTOCOL_TP, protocol_network_info = "IL",XDM_CONST.IP_PROTOCOL_IL, protocol_network_info = "IPV6",XDM_CONST.IP_PROTOCOL_IPV6, protocol_network_info = "SDRP",XDM_CONST.IP_PROTOCOL_SDRP, protocol_network_info = "IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, protocol_network_info = "IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, protocol_network_info = "IDRP",XDM_CONST.IP_PROTOCOL_IDRP, protocol_network_info = "RSVP",XDM_CONST.IP_PROTOCOL_RSVP, protocol_network_info = "GRE",XDM_CONST.IP_PROTOCOL_GRE, protocol_network_info = "DSR",XDM_CONST.IP_PROTOCOL_DSR, protocol_network_info = "BNA",XDM_CONST.IP_PROTOCOL_BNA, protocol_network_info = "ESP",XDM_CONST.IP_PROTOCOL_ESP, protocol_network_info = "AH",XDM_CONST.IP_PROTOCOL_AH, protocol_network_info = "I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, protocol_network_info = "SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, protocol_network_info = "NARP",XDM_CONST.IP_PROTOCOL_NARP, protocol_network_info = "MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, protocol_network_info = "TLSP",XDM_CONST.IP_PROTOCOL_TLSP, protocol_network_info = "SKIP",XDM_CONST.IP_PROTOCOL_SKIP, protocol_network_info = "IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, protocol_network_info = "IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, protocol_network_info = "IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, protocol_network_info = "CFTP",XDM_CONST.IP_PROTOCOL_CFTP, protocol_network_info = "SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, protocol_network_info = "KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, protocol_network_info = "RVD",XDM_CONST.IP_PROTOCOL_RVD, protocol_network_info = "IPPC",XDM_CONST.IP_PROTOCOL_IPPC, protocol_network_info = "SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, protocol_network_info = "VISA",XDM_CONST.IP_PROTOCOL_VISA, protocol_network_info = "IPCV",XDM_CONST.IP_PROTOCOL_IPCV, protocol_network_info = "CPNX",XDM_CONST.IP_PROTOCOL_CPNX, protocol_network_info = "CPHB",XDM_CONST.IP_PROTOCOL_CPHB, protocol_network_info = "WSN",XDM_CONST.IP_PROTOCOL_WSN, protocol_network_info = "PVP",XDM_CONST.IP_PROTOCOL_PVP, protocol_network_info = "BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, protocol_network_info = "SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, protocol_network_info = "WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, protocol_network_info = "WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, protocol_network_info = "ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, protocol_network_info = "VMTP",XDM_CONST.IP_PROTOCOL_VMTP, protocol_network_info = "SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, protocol_network_info = "VINES",XDM_CONST.IP_PROTOCOL_VINES, protocol_network_info = "TTP",XDM_CONST.IP_PROTOCOL_TTP, protocol_network_info = "NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, protocol_network_info = "DGP",XDM_CONST.IP_PROTOCOL_DGP, protocol_network_info = "TCF",XDM_CONST.IP_PROTOCOL_TCF, protocol_network_info = "EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, protocol_network_info = "OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, protocol_network_info = "SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, protocol_network_info = "LARP",XDM_CONST.IP_PROTOCOL_LARP, protocol_network_info = "MTP",XDM_CONST.IP_PROTOCOL_MTP, protocol_network_info = "AX25",XDM_CONST.IP_PROTOCOL_AX25, protocol_network_info = "IPIP",XDM_CONST.IP_PROTOCOL_IPIP, protocol_network_info = "MICP",XDM_CONST.IP_PROTOCOL_MICP, protocol_network_info = "SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, protocol_network_info = "ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, protocol_network_info = "ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, protocol_network_info = "GMTP",XDM_CONST.IP_PROTOCOL_GMTP, protocol_network_info = "IFMP",XDM_CONST.IP_PROTOCOL_IFMP, protocol_network_info = "PNNI",XDM_CONST.IP_PROTOCOL_PNNI, protocol_network_info = "PIM",XDM_CONST.IP_PROTOCOL_PIM, protocol_network_info = "ARIS",XDM_CONST.IP_PROTOCOL_ARIS, protocol_network_info = "SCPS",XDM_CONST.IP_PROTOCOL_SCPS, protocol_network_info = "QNX",XDM_CONST.IP_PROTOCOL_QNX, protocol_network_info = "AN",XDM_CONST.IP_PROTOCOL_AN, protocol_network_info = "IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, protocol_network_info = "SNP",XDM_CONST.IP_PROTOCOL_SNP, protocol_network_info = "COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, protocol_network_info = "IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, protocol_network_info = "VRRP",XDM_CONST.IP_PROTOCOL_VRRP, protocol_network_info = "PGM",XDM_CONST.IP_PROTOCOL_PGM, protocol_network_info = "L2TP",XDM_CONST.IP_PROTOCOL_L2TP, protocol_network_info = "DDX",XDM_CONST.IP_PROTOCOL_DDX, protocol_network_info = "IATP",XDM_CONST.IP_PROTOCOL_IATP, protocol_network_info = "STP",XDM_CONST.IP_PROTOCOL_STP, protocol_network_info = "SRP",XDM_CONST.IP_PROTOCOL_SRP, protocol_network_info = "UTI",XDM_CONST.IP_PROTOCOL_UTI, protocol_network_info = "SMP",XDM_CONST.IP_PROTOCOL_SMP, protocol_network_info = "SM",XDM_CONST.IP_PROTOCOL_SM, protocol_network_info = "PTP",XDM_CONST.IP_PROTOCOL_PTP, protocol_network_info = "ISIS",XDM_CONST.IP_PROTOCOL_ISIS, protocol_network_info = "FIRE",XDM_CONST.IP_PROTOCOL_FIRE, protocol_network_info = "CRTP",XDM_CONST.IP_PROTOCOL_CRTP, protocol_network_info = "CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, protocol_network_info = "SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, protocol_network_info = "IPLT",XDM_CONST.IP_PROTOCOL_IPLT, protocol_network_info = "SPS",XDM_CONST.IP_PROTOCOL_SPS, protocol_network_info = "PIPE",XDM_CONST.IP_PROTOCOL_PIPE, protocol_network_info = "SCTP",XDM_CONST.IP_PROTOCOL_SCTP, protocol_network_info = "FC",XDM_CONST.IP_PROTOCOL_FC, protocol_network_info = "RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, protocol_network_info = "MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, protocol_network_info = "UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, protocol_network_info = "MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, protocol_network_info = "MANET",XDM_CONST.IP_PROTOCOL_MANET, protocol_network_info = "HIP",XDM_CONST.IP_PROTOCOL_HIP, protocol_network_info = "SHIM6",XDM_CONST.IP_PROTOCOL_SHIM6, protocol_network_info = "WESP",XDM_CONST.IP_PROTOCOL_WESP, protocol_network_info = "ROHC",XDM_CONST.IP_PROTOCOL_ROHC, protocol_network_info = "RESERVED",XDM_CONST.IP_PROTOCOL_RESERVED,to_string(protocol_network_info));

Packs/AMP/ModelingRules/AMP_2_6/AMP_2_6.yml

@@ -0,0 +1,6 @@
+fromversion: 9.0.0
+id: AMP_ModelingRule
+name: AMP Modeling Rule
+rules: ''
+schema: ''
+tags:

Packs/AMP/ModelingRules/AMP_2_6/AMP_2_6_schema.json

@@ -0,0 +1,68 @@
+{
+    "cisco_secure_endpoint_raw": {
+        "computer": {
+            "type": "string",
+            "is_array": false
+        },
+        "id": {
+            "type": "int",
+            "is_array": false
+        },
+        "event_type": {
+            "type": "string",
+            "is_array": false
+        },
+        "file": {
+            "type": "string",
+            "is_array": false
+        },
+        "detection_id": {
+            "type": "string",
+            "is_array": false
+        },
+        "severity": {
+            "type": "string",
+            "is_array": false
+        },
+        "detection": {
+            "type": "string",
+            "is_array": false
+        },
+        "connector_guid": {
+            "type": "string",
+            "is_array": false
+        },
+        "tactics": {
+            "type": "string",
+            "is_array": false
+        },
+        "techniques": {
+            "type": "string",
+            "is_array": false
+        },
+        "cloud_ioc": {
+            "type": "string",
+            "is_array": false
+        },
+        "command_line": {
+            "type": "string",
+            "is_array": false
+        },
+        "vulnerabilities": {
+            "type": "string",
+            "is_array": false
+        },
+        "error": {
+            "type": "string",
+            "is_array": false
+        },
+        "threat_hunting": {
+            "type": "string",
+            "is_array": false
+        },
+        "network_info": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}

Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml

@@ -3,4 +3,5 @@ id: Amazon_AWS_CloudTrail_ModelingRule
 name: Amazon AWS CloudTrail Modeling Rule
 rules: ''
 schema: ''
-tags:
+tags:
+toversion: 8.9.0

Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail_2_6/AWSCloudTrail_2_6.xif

@@ -0,0 +1,51 @@
+[MODEL: dataset = amazon_aws_raw]
+/* 
+    CloudTrail Audit Logs
+    AWS event schema version: 1.11
+    https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
+*/
+filter _log_type = "Cloud Audit Log"
+| alter // initializations
+    resource_arn = arraystring(arraymap(resources -> [], "@element" -> ARN), ","),
+    resource_account_id = arraystring(arraymap(resources -> [], "@element" -> accountId), ","),
+    resource_name = arraystring(arraymap(resources -> [], arrayindex(regextract("@element" -> ARN, "/([^\/]+)$"), -1)), ","), // extract last segment from ARN after last /
+    resource_type = arraystring(arraymap(resources -> [], "@element" -> type), ","),
+    user_identity_arn = userIdentity -> arn,
+    user_identity_type = userIdentity -> type,
+    source_ipv4 = if(sourceIPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", sourceIPAddress), // The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server.
+    source_ipv6 = if(sourceIPAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", sourceIPAddress)
+| alter // XDM Mappings 
+    xdm.event.description = object_create("requestParameters", requestParameters, "additionalEventData", additionalEventData, "responseElements", responseElements),
+    xdm.event.id = eventId,
+    xdm.event.operation_sub_type = eventName,
+    xdm.event.original_event_type = eventType,
+    xdm.event.outcome = if(errorCode = null, XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
+    xdm.event.outcome_reason = if(errorMessage != null and errorMessage != "", concat(errorCode, ": ", errorMessage), errorCode),
+    xdm.event.type = eventName,
+    xdm.network.session_id = requestID,
+    xdm.network.tls.cipher = tlsDetails -> cipherSuite,
+    xdm.network.tls.protocol_version = tlsDetails -> tlsVersion,
+    xdm.observer.content_version = eventVersion, 
+    xdm.observer.name = eventSource,
+    xdm.observer.type = eventCategory,
+    xdm.session_context_id = sharedEventID,
+    xdm.source.cloud.project_id = userIdentity -> accountId,
+    xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+    xdm.source.host.device_id = vpcEndpointId,
+    xdm.source.host.ipv4_public_addresses = if(source_ipv4 != null and not incidr(source_ipv4, "10.0.0.0/8") and not incidr(source_ipv4, "172.16.0.0/12") and not incidr(source_ipv4, "192.168.0.0/16") and not incidr(source_ipv4, "127.0.0.0/8") and not incidr(source_ipv4, "169.254.0.0/16") and not incidr(source_ipv4, "100.64.0.0/10"), arraycreate(source_ipv4)),
+    xdm.source.host.fqdn = if(source_ipv4 = null and source_ipv6 = null and sourceIPAddress !~= "AWS Internal", sourceIPAddress), //  For services in AWS, only the DNS name is displayed.
+    xdm.source.ipv4 = source_ipv4,
+    xdm.source.ipv6 = source_ipv6,
+    xdm.source.user_agent = userAgent,
+    xdm.source.identity.groups = if(user_identity_type in ("Role", "AssumedRole"), arraycreate(userIdentity -> sessionContext.sessionIssuer.userName)),
+    xdm.source.identity.identifier = coalesce(userIdentity -> principalId, userIdentity -> onBehalfOf.userId),
+    xdm.source.identity.username = coalesce(userIdentity -> userName, userIdentity -> sessionContext.sessionIssuer.userName, user_identity_arn),
+    xdm.source.identity.user_type = if(user_identity_type = "Unknown", XDM_CONST.IDENTITY_TYPE_UNKNOWN, user_identity_type),
+    xdm.target.cloud.project_id = if(resource_account_id != null and resource_account_id != "", resource_account_id, coalesce(recipientAccountId, vpcEndpointAccountId)),
+    xdm.target.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS,
+    xdm.target.cloud.region = awsRegion,
+    xdm.target.host.fqdn = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+    xdm.target.host.hostname = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader),
+    xdm.target.resource.id = if(resource_arn != "", resource_arn),
+    xdm.target.resource.name = if(resource_name != null and resource_name != "", resource_name, resource_arn),
+    xdm.target.resource.type = if(resource_type != "", resource_type);

Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail_2_6/AWSCloudTrail_2_6.yml

@@ -0,0 +1,6 @@
+fromversion: 9.0.0
+id: Amazon_AWS_CloudTrail_ModelingRule
+name: Amazon AWS CloudTrail Modeling Rule
+rules: ''
+schema: ''
+tags: