Hi All,
While tracking failed logins to the AWS console through CloudTrail logs, the errorCode for a specific set of logs is not captured correctly.
CORRECT PARSING:
awsRegion: us-east-1
errorMessage: Failed authentication
eventID:
eventName: ConsoleLogin
eventSource: signin.amazonaws.com
eventTime:
eventType: AwsConsoleSignIn
eventVersion:
In the above log, the errorCode field is 'failure', which is correct.
INCORRECT PARSING:
However, for the log below, the errorCode field is 'success'. The correct output should be errorCode=failure, since it is a failed login whose user name is unknown.
awsRegion: us-east-1
errorMessage: No username found in supplied account
eventID:
eventName: CheckMfa
eventSource: signin.amazonaws.com
eventTime:
eventType: AwsConsoleSignIn
eventVersion: 1.05
PROPS.CONF:
Below is the entry for errorCode in props.conf:
EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success")
QUESTION:
Please suggest how we can achieve the following:
If errorMessage="No username found in supplied account" OR errorMessage="Failed authentication", then errorCode should be 'failure'; else it should be 'success'.
What should the entry in props.conf for EVAL-errorCode be so that it can be overwritten in the local folder?
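One way to express the rule asked for above as a props.conf EVAL. This is an added example, not the poster's own config; the [aws:cloudtrail] stanza name and the local/props.conf path are assumptions, since the post does not name the sourcetype or app.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf  (assumed path; a local
# stanza overrides the same stanza in the app's default folder)
# The sourcetype below is an assumption: the post does not name it.
[aws:cloudtrail]
# Keep a raw errorCode when CloudTrail supplies one; otherwise derive it.
# case() is evaluated top to bottom and returns the value of the first
# condition that is true, so the original ConsoleLogin check is kept and
# the two errorMessage strings quoted in the post are added as a second
# failure condition. Exact string comparison is used instead of like()
# because no wildcard is involved.
EVAL-errorCode = coalesce('errorCode', case('responseElements.ConsoleLogin'=="Failure", "failure", 'errorMessage'=="No username found in supplied account" OR 'errorMessage'=="Failed authentication", "failure", true(), "success"))
```

To leave the original errorCode untouched, change the left-hand side to a new field name (for example EVAL-login_status, an assumed name) and keep the right-hand side as is.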
coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.
CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?
I'm thinking this field should not be overwritten; rather, a new field should be created indicating the status, whether it is success or failure. Not sure if doing so will break anything else.