# Splunk security_content data-source definition for the STS AssumeRoleWithSAML
# CloudTrail event: a federated principal exchanges a SAML assertion for
# temporary role credentials. The `fields` list mixes raw CloudTrail JSON paths
# (dotted, e.g. requestParameters.roleArn) with normalized aliases (src_ip, user,
# vendor_account, ...) — presumably produced by the supported TA below; verify
# against the add-on before relying on an alias in a detection.
name: AWS CloudTrail AssumeRoleWithSAML
id: 1e28f2a6-2db9-405f-b298-18734a293f77
version: 1
# Quoted so YAML keeps the value a string instead of parsing it as a date.
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail AssumeRoleWithSAML
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# NOTE(review): `separator` appears to name the field whose value singles this
# event out of the shared aws:cloudtrail sourcetype (eventName=AssumeRoleWithSAML
# in the sample below) — confirm against the schema that consumes these objects.
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  # A three-part version parses as a string; quote it if it is ever shortened
  # to two parts (e.g. '7.8'), which YAML would read as a float.
  version: 7.7.1
fields:
- _time
- action
- app
- awsRegion
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
# Populated only when the call failed; absent on the successful sample below.
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
# NOTE(review): in the sample below this event is recorded with readOnly=true,
# so a search that narrows to readOnly=false will silently drop
# AssumeRoleWithSAML; do not use readOnly as a pre-filter for this source.
- readOnly
# Account that received the event; for a SAML caller this is the account whose
# role was assumed (userIdentity carries no accountId in the sample).
- recipientAccountId
- region
- requestID
# Requested session lifetime in seconds (3600 in the sample); unusually long
# values relative to the role's configured maximum are worth surfacing.
- requestParameters.durationSeconds
# Role being assumed and the IAM SAML provider the caller named. Compare
# principalArn (and responseElements.issuer) with the providers the org actually
# operates — a provider or issuer nobody recognises is a strong signal.
- requestParameters.principalArn
- requestParameters.roleArn
- requestParameters.roleSessionName
# Assertion ID minted by the IdP: the handle for correlating with IdP-side
# sign-in logs, and for noticing the same assertion presented more than once.
- requestParameters.sAMLAssertionID
# Multivalue: the sample lists both the target role and the SAML provider.
- resources{}.ARN
- resources{}.accountId
- resources{}.type
- responseElements.assumedRoleUser.arn
- responseElements.assumedRoleUser.assumedRoleId
- responseElements.audience
# STS writes the issued temporary credentials into the event: access key ID,
# expiry and session token. No secret access key appears in the sample, but
# the index holding these events should still be treated as sensitive and
# access to it restricted accordingly.
- responseElements.credentials.accessKeyId
- responseElements.credentials.expiration
- responseElements.credentials.sessionToken
# SAML response details: issuer is the IdP entity ID (an sts.windows.net tenant
# URL in the sample); subject/subjectType/nameQualifier identify the federated
# user as the IdP asserted them.
- responseElements.issuer
- responseElements.nameQualifier
- responseElements.subject
- responseElements.subjectType
- signature
- source
# NOTE(review): the sample's userAgent is "AWS Signin" and the address is not
# obviously the end user's; confirm what sourceIPAddress reflects for the
# console-federation path before building IP allow-list or geo logic on it.
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- src_user
- src_user_id
- src_user_type
- start_time
- status
- tag
- tag::action
- tag::eventtype
- temp_access_key
- timeendpos
- timestartpos
- user
- userAgent
# For a SAML caller userIdentity.type is "SAMLUser", identityProvider is an
# opaque provider ID (the same value reappears as responseElements.nameQualifier
# in the sample) and principalId is "<identityProvider>:<userName>".
- userIdentity.identityProvider
- userIdentity.principalId
- userIdentity.type
- userIdentity.userName
- user_agent
- user_arn
- user_id
- user_name
- user_role
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
# Sample event: a single-quoted scalar whose line breaks fold into one JSON
# string. The session token in it has been redacted upstream; the temporary
# access key ID and the tenant GUID in the issuer URL look like they came from a
# real session, so scrub any sample data before copying it elsewhere.
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
  "ZRu9MRAjiG9tvi1QBNfdI664G5A=:[email protected]", "userName": "[email protected]",
  "identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
  "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion":
  "us-east-1", "sourceIPAddress": "72.21.217.152", "userAgent": "AWS Signin, aws-internal/3
  aws-sdk-java/1.11.898 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
  java/1.8.0_275 kotlin/1.3.72 vendor/Oracle_Corporation", "requestParameters": {"sAMLAssertionID":
  "_d33ba0ad-0c88-4b83-80a6-27c08027d000", "roleSessionName": "[email protected]",
  "durationSeconds": 3600, "roleArn": "arn:aws:iam::111111111111:role/rodonmicrotestrole",
  "principalArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements":
  {"subjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "issuer":
  "https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/", "credentials":
  {"accessKeyId": "ASIAYTOGP2RLKJXOV7VR", "expiration": "Jan 22, 2021 3:59:16 AM",
  "sessionToken": "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"},
  "nameQualifier": "ZRu9MRAjiG9tvi1QBNfdI664G5A=", "assumedRoleUser": {"assumedRoleId":
  "AROAYTOGP2RLKFUVAQAIJ:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/[email protected]"},
  "subject": "[email protected]", "audience": "https://signin.aws.amazon.com/saml"},
  "requestID": "e19c7a7f-cd96-4642-9ee6-2360a7b01b12", "eventID": "b25b825d-9c9b-49d3-9ecd-290dbe8f2c29",
  "readOnly": true, "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role",
  "ARN": "arn:aws:iam::111111111111:role/rodonmicrotestrole"}, {"accountId": "111111111111",
  "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
  "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
  "recipientAccountId": "111111111111"}'