aws.cloudtrail: Add user.name to Cloudtrail's UserAuthentication events. (#15436)

aws.cloudtrail: Add user.name to Cloudtrail's UserAuthentication events

Author: kcreddy

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.2.0"
+  changes:
+    - description: Add `user.name` to Cloudtrail's `UserAuthentication` events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15436
 - version: "4.1.0"
   changes:
     - description: Add `vulnerability_workflow` and `misconfiguration_workflow` sub category labels.

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log

@@ -0,0 +1 @@
+{"eventVersion":"1.09","userIdentity":{"type":"IdentityCenterUser","arn":"","accountId":"redacted","accessKeyId":"","onBehalfOf":{"userId":"redacted","identityStoreArn":"arn:aws:identitystore::redacted:identitystore/redacted"},"credentialId":"redacted"},"eventTime":"2025-09-22T12:29:21Z","eventSource":"signin.amazonaws.com","eventName":"UserAuthentication","awsRegion":"us-east-2","sourceIPAddress":"redacted","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36","requestParameters":null,"responseElements":null,"additionalEventData":{"AuthWorkflowID":"redacted","UserName":"redacted@example.com","LoginTo":"https://redacted.awsapps.com/start/","CredentialType":"EXTERNAL_IDP"},"requestID":"redacted","eventID":"redacted","readOnly":false,"eventType":"AwsServiceEvent","recipientAccountId":"redacted","serviceEventDetails":{"UserAuthentication":"Success"},"eventCategory":"Management"}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-user-authentication.log-expected.json

@@ -0,0 +1,90 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-09-22T12:29:21.000Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "redacted"
+                    ]
+                }
+            },
+            "aws": {
+                "cloudtrail": {
+                    "additional_eventdata": "{AuthWorkflowID=redacted, LoginTo=https://redacted.awsapps.com/start/, CredentialType=EXTERNAL_IDP}",
+                    "event_category": "Management",
+                    "event_type": "AwsServiceEvent",
+                    "event_version": "1.09",
+                    "flattened": {
+                        "additional_eventdata": {
+                            "AuthWorkflowID": "redacted",
+                            "CredentialType": "EXTERNAL_IDP",
+                            "LoginTo": "https://redacted.awsapps.com/start/"
+                        },
+                        "service_event_details": {
+                            "UserAuthentication": "Success"
+                        }
+                    },
+                    "read_only": false,
+                    "recipient_account_id": "redacted",
+                    "request_id": "redacted",
+                    "service_event_details": "{UserAuthentication=Success}",
+                    "user_identity": {
+                        "type": "IdentityCenterUser"
+                    }
+                }
+            },
+            "cloud": {
+                "account": {
+                    "id": "redacted"
+                },
+                "region": "us-east-2"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "UserAuthentication",
+                "created": "2021-11-11T01:02:03.123456789Z",
+                "id": "redacted",
+                "kind": "event",
+                "original": "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"IdentityCenterUser\",\"arn\":\"\",\"accountId\":\"redacted\",\"accessKeyId\":\"\",\"onBehalfOf\":{\"userId\":\"redacted\",\"identityStoreArn\":\"arn:aws:identitystore::redacted:identitystore/redacted\"},\"credentialId\":\"redacted\"},\"eventTime\":\"2025-09-22T12:29:21Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"UserAuthentication\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"redacted\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36\",\"requestParameters\":null,\"responseElements\":null,\"additionalEventData\":{\"AuthWorkflowID\":\"redacted\",\"UserName\":\"redacted@example.com\",\"LoginTo\":\"https://redacted.awsapps.com/start/\",\"CredentialType\":\"EXTERNAL_IDP\"},\"requestID\":\"redacted\",\"eventID\":\"redacted\",\"readOnly\":false,\"eventType\":\"AwsServiceEvent\",\"recipientAccountId\":\"redacted\",\"serviceEventDetails\":{\"UserAuthentication\":\"Success\"},\"eventCategory\":\"Management\"}",
+                "outcome": "success",
+                "provider": "signin.amazonaws.com",
+                "type": [
+                    "info"
+                ]
+            },
+            "related": {
+                "entity": [],
+                "user": [
+                    "redacted@example.com"
+                ]
+            },
+            "source": {
+                "address": "redacted"
+            },
+            "tags": [
+                "preserve_original_event",
+                "actor_target_mapping"
+            ],
+            "user": {
+                "email": "redacted@example.com",
+                "name": "redacted@example.com"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Mac"
+                },
+                "name": "Chrome",
+                "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
+                "os": {
+                    "full": "Mac OS X 10.15.7",
+                    "name": "Mac OS X",
+                    "version": "10.15.7"
+                },
+                "version": "140.0.0.0"
+            }
+        }
+    ]
+}

packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml

@@ -845,6 +845,11 @@ processors:
       field: json.eventCategory
       target_field: aws.cloudtrail.event_category
       ignore_failure: true
+  - rename:
+      field: json.additionalEventData.UserName
+      tag: rename_additionalEventData_UserName_to_username
+      target_field: user.name
+      if: ctx.event?.action == 'UserAuthentication' && ctx.user?.name == null && ctx.json?.additionalEventData?.UserName != null 
   - set:
       field: cloud.region
       copy_from: json.awsRegion

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: aws
 title: AWS
-version: 4.1.0
+version: 4.2.0
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories: