{
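# Parser definition (HOCON). Selects CloudTrail events whose eventType is
# AwsServiceEvent and whose eventName is Token_POST, then extracts the fields
# that describe the outcome of the call.
Name = amazon-awscloudtrail-sk4-user-token-create-success-tokenpost
# Fractional-seconds time format, kept commented for reference only. The
# {time} capture inherited from the template has no fractional part, so this
# variant is not needed; presumably the template's TimeFormat applies — confirm.
# TimeFormat = """yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"""
# Both conditions are literal JSON fragments. Each opens with four quotes so
# that the leading " is part of the string (the first three quotes are the
# HOCON delimiter, the fourth is content); the eventName fragment previously
# opened with only three and therefore lacked its leading quote.
Conditions = [ """"eventType":"AwsServiceEvent"""", """"eventName":"Token_POST"""" ]
# Shared CloudTrail extractors from the template, followed by the two
# extractors specific to this event.
Fields = ${AwsParserTemplates.aws-cloudtrail-json.Fields}[
# responseParameters.status -> http_response_code (digits only). Note that the
# Conditions above do not test the status, so "success" in the parser name is
# not enforced here; consumers should evaluate http_response_code rather than
# assume every matched event succeeded.
""""responseParameters":\{("[^,]+,)*"status\\?":\s*({http_response_code}\d+)""",
# requestParameters.grant_type -> grant_type (quoted string value; \\? tolerates
# a backslash-escaped quote when the JSON is embedded in another string).
""""requestParameters":\{("[^,]+,)*"grant_type\\?":\s*\\?"({grant_type}[^"]+?)\\?"""",
]
ParserVersion = v1.0.0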
# Template shared by the AWS CloudTrail parsers. Its Fields list is pulled into
# individual parser definitions through a HOCON substitution
# (${AwsParserTemplates.aws-cloudtrail-json.Fields}) and concatenated with the
# parser's own extractors.
aws-cloudtrail-json = {
Vendor = Amazon
Product = AWS CloudTrail
# Format applied to the {time} capture below. NOTE(review): the eventTime regex
# makes the trailing Z optional while this pattern ends in a Z token — confirm
# the product's formatter accepts both forms.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
# Each entry is a regex inside a HOCON triple-quoted string, so the config layer
# applies no escaping: \\? is the regex "optional literal backslash", which lets
# one pattern match the JSON whether its quotes are plain or escaped as \".
# The ({name}...) groups name the field that receives the matched text
# (product-specific named-capture syntax — presumably first match wins when
# several patterns populate the same field; confirm with the parser engine).
# Elements are separated by commas or newlines, so an entry without a trailing
# comma is still its own element.
Fields = [
# userIdentity: who made the call.
""""userIdentity":\{("[^,]+,)*"type"\\?:\s*\\?"({user_type}[^"]+?)\\?"""",
""""userIdentity":\{("[^,]+,)*"arn"\\?:\s*\\?"({user_arn}[^"]+?)\\?"""",
""""userIdentity":\{("[^,]+,)*"accountId\\?"+\s*:\s*\\?"+?({aws_account}[^"]+?)\\?"+\s*[,\]\}]""",
""""userIdentity":\{("[^,]+,)*"principalId\\?"+\s*:\s*\\?"+?({principal_id}[^"]+?)\\?"+\s*[,\]\}]""",
# sessionContext.attributes.mfaAuthenticated -> mfa (string value as logged).
""""userIdentity":\{("[^,]+,)*"attributes":\{("[^,]+,)*"mfaAuthenticated"\\?:\s*\\?"({mfa}[^"]+?)\\?"""",
# Session ARN when the caller was an assumed role.
""""assumedRoleUser":\{("[^,]+,)*"arn"\s*:\s*"({role_arn}[^"]+)\\?""""
# Earlier eventTime variant (Z left outside the capture), kept for reference.
# """"eventTime"+\s*:\s*"+?(|({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)Z?)"+\s*[,\]\}]""",
# Event metadata: time (Z included in the capture when present), service,
# operation, region.
""""eventTime"+\s*:\s*"+?(|({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ?))"+\s*[,\]\}]""",
""""eventSource"+\s*:\s*"+?(|({service_name}[^"]+))"+\s*[,\]\}]""",
""""eventName"+\s*:\s*"+?(|({operation}[^"]+))"+\s*[,\]\}]""",
""""awsRegion"\s*:\s*"({region}[^"]+)"""",
# sourceIPAddress: an IPv6-like or IPv4-like value goes to src_ip (an optional
# :port into src_port); any other single hostname-style token goes to src_host.
# The IP alternatives are approximate hand-rolled patterns rather than strict
# validators — confirm downstream enrichment tolerates non-canonical values.
""""sourceIPAddress"+\s*:\s*"+?(?:({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?|({src_host}[\w\-.]+))"+\s*[,\]\}]""",
# userAgent, optionally wrapped in [ ].
""""userAgent"\s*:\s*"\[?(|({user_agent}[^"]+?))\]?"""",
""""eventID\\?"+:\\?"+({event_code}[^"\\]+)\\?"""",
""""eventType"+\s*:\s*"+?(|({event_category}[^"]+))"+\s*[,\]\}]""",
# errorCode / errorMessage -> result / failure_reason (presumably present only
# on failed calls).
""""errorCode"\s*:\s*"({result}[^"]+)"""",
""""errorMessage"\s*:\s*"({failure_reason}[^"]+)"""",
# readOnly is an unquoted JSON value, hence the non-quote terminator set.
""""readOnly"\s*:\s*({readonly}[^",\}]+)("|,|\}\s*$)""",
""""vpcEndpointId":"({vpc}[^"]+)""",
# STS / credential details: requested session name, assumed role id, and the
# access key id issued. Only the key id is captured, never the secret.
""""+requestParameters":\{("[^,]+,)*"roleSessionName\\?":\s*\\?"({session_name}[^"]+?)\\?"""",
""""+responseElements":\{"assumedRoleUser":\{("[^,]+,)*"assumedRoleId\\?":\s*\\?"({role_id}[^"]+?)\\?"""",
""""credentials":\{"accessKeyId":"({key_id}[^"]+?)\\?"""",
# AWS CloudTrail user regexes: alternatives populating {user}, {email_address}
# and {domain} depending on the identity type.
# key=value rendered form (suser=...), terminated by the next key or end of line.
"""\Wsuser=[^=]*?(({email_address}[^@=\s\/:]+@[^=\.\s\/:]+\.[^\s=\/:]+?)|({user}[\w\.\-]{1,40}\$?)(@[^=]+?)?)(\s+\w+=|\s*$)""",
# IAMUser: userName, split into user/domain or email.
"""\\?"type\\?":\\?"IAMUser\\?"[^\}]+?"userName\\?":\s*\\?"(({email_address}[^"@]+@[^"\.]+\.[^"]+)|({user}[\w\.\-]{1,40}\$?)(@({domain}[^@"]+))?)\\?"""",
# Assumed role: session name taken from the ARN. The (?![\w\-\.]{30,})
# lookahead skips session names of 30+ characters (presumably generated session
# ids rather than a person — confirm).
""""userIdentity\\?":.+?"arn\\?":\s*\\?"arn:aws:sts::\d+:assumed-role\/([^\/"]+\/)(AssumeRoleSession|((?![\w\-\.]{30,})(({email_address}[^"@]+@[^"\.]+\.[^"]+)|({user}[\w\.\-]{1,40}\$?)(@({domain}[^@"]+))?)))\\?"""",
# sourceIdentity set at AssumeRole time.
""""sourceIdentity\\?":\s*\\?"(({email_address}[^"@]+@[^"\.]+\.[^"]+)|({user}[\w\.\-]{1,40}\$?)(@({domain}[^@"]+))?)\\?"""",
# AssumedRole: email carried in principalId after the role unique id and colon.
""""userIdentity\\?":.+?"AssumedRole\\?".+?"principalId\\?":\s*\\?"[A-Z\d]{1,25}:({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.\-])*[A-Za-z0-9]+@({email_domain}[^\]\s"\\,;\|]+\.[^\]\s"\\,;\|]+))\\?"\s*[,\]\}]""",
# AssumedRole whose sessionIssuer is an IAMUser: that user's userName.
""""userIdentity\\?":.+?"AssumedRole\\?".+?"sessionIssuer\\?":\s*\{[^\}]+?"IAMUser\\?"[^\}]+?"userName\\?":\s*\\?"(({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.\-])*[A-Za-z0-9]+@({email_domain}[^\]\s"\\,;\|]+\.[^\]\s"\\,;\|]+))|({user}[\w\.\-]{1,40}\$?)(@({domain}[^@"]+))?)\\?"""",
# IAMUser userName, less anchored variant of the pattern above.
""""userIdentity\\?":.+?"IAMUser\\?".+?"userName\\?":\s*\\?"(({email_address}[^"@]+@[^"\.]+\.[^"]+)|({user}[\w\.\-]{1,40}\$?)(@({domain}[^@"]+))?)\\?"""",
# Root account: type Root yields user=Root, which is what makes root-account
# activity identifiable downstream.
""""userIdentity\\?":\s*\{.*?"type\\?":\s*\\?"({user}Root)\\?""""
}