[Filebeat] Missing sessionContext in cloudtrail fields

Ref issue: #16086
Ref PR: #17155

The parsing of cloudtrail's session issuer information miss session context in the path. From AWS [doc](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) the `sessionIssuer` part is under `sessionContext`
```
"sessionContext": {
  "attributes": {
    "mfaAuthenticated": "false",
    "creationDate": "20131102T010628Z"
  },
  "sessionIssuer": {
    "type": "Role",
    "principalId": "AROAIDPPEZS35WEXAMPLE",
    "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
    "accountId": "123456789012",
    "userName": "RoleToBeAssumed"
  }
}
```

On logstash i've used the following mapping:
```
sessionContext.sessionIssuer.type -> aws.cloudtrail.user_identity.session_context.issuer.type
sessionContext.sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_context.issuer.id
sessionContext.sessionIssuer.userName -> user.name
sessionContext.sessionIssuer.arn -> aws.cloudtrail.user_identity.session_context.issuer.arn
sessionContext.sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_context.issuer.account.id
```
I've mapped 
- `sessionIssuer` to `issuer` (as we already have session_context)
- `principalId` to `id` and `accountId` to `account.id` (to try to have name closer to ECS ones)

What do you think?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Filebeat] Missing sessionContext in cloudtrail fields #18894

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development