August 27, 2024

This release reverts a change to our AWS CloudTrail default (catch all) mapper for how user_username is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some AssumedRole events.

AWS AssumedRole events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the August 5th, 2024 content release to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.

AWS best practices suggest defining sourceIdentity to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor sourceIdentity if it is present in CloudTrail logs. If it is not present, then userIdentity.arn will be used and the resource-id will be mapped to user_username, creating potential for false positives from dynamic session identifiers. See Viewing source identity in CloudTrail in the AWS documentation for more information.

Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals.

Log Mappers

[Updated] CloudTrail Default Mapping

Log Mappers​

Log Mappers