Add get_user to AWS datamodel

panther-labs · Dec 2, 2024 · 73e442d · 73e442d
1 parent f1eee0c
commit 73e442d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/data_models/aws_cloudtrail_data_model.py b/data_models/aws_cloudtrail_data_model.py
@@ -37,3 +37,22 @@ def load_ip_address(event):
         except ipaddress.AddressValueError:
             return None
     return source_ip
+
+
+def get_user(event):
+    user_type = event.deep_get("userIdentity", "type")
+    if user_type == "Root":
+        return event.deep_get(
+            "userIdentity",
+            "userName",
+            default=event.deep_get("userIdentity", "accountId"),
+        )
+    if user_type in ("IAMUser", "Directory", "Unknown", "SAMLUser", "WebIdentityUser"):
+        return event.deep_get("userIdentity", "userName", default="Unknown")
+    if user_type in ("AssumedRole", "Role", "FederatedUser"):
+        return event.deep_get("sessionContext", "sessionIssuer", "userName", default="Unknown")
+    if user_type == "IdentityCenterUser":
+        return event.deep_get("additionalEventData", "UserName", default="Unknown")
+    if user_type in ("AWSService", "AWSAccount"):
+        return event.get("sourceIdentity", "Unknown")
+    return "Unknown"
diff --git a/data_models/aws_cloudtrail_data_model.yml b/data_models/aws_cloudtrail_data_model.yml
@@ -15,6 +15,6 @@ Mappings:
   - Name: user_agent
     Path: userAgent
   - Name: user
-    Path: $.responseElements.user.userName
+    Method: get_user
   - Name: user_account_id
     Path: $.responseElements.user.userId