data_sources/aws_cloudtrail_getpassworddata.yml

name: AWS CloudTrail GetPasswordData
id: 6ff2ce99-85b1-4c17-888a-56dbc3570671
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail GetPasswordData
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.9.0
fields:
- _time
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- errorMessage
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- reason
- recipientAccountId
- region
- requestID
- requestParameters.instanceId
- responseElements
- result
- result_id
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- tag
- tag::eventtype
- timeendpos
- timestartpos
- tlsDetails.cipherSuite
- tlsDetails.clientProvidedHostHeader
- tlsDetails.tlsVersion
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.sessionContext.sessionIssuer.accountId
- userIdentity.sessionContext.sessionIssuer.arn
- userIdentity.sessionContext.sessionIssuer.principalId
- userIdentity.sessionContext.sessionIssuer.type
- userIdentity.sessionContext.sessionIssuer.userName
- userIdentity.type
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
  "AROAYTOGP2RLP5AASA6I5:aws-go-sdk-1660169051746043000", "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-used-by-stratus-for-ec2-password-data/aws-go-sdk-1660169051746043000",
  "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLLY5RQXEF", "sessionContext":
  {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLP5AASA6I5", "arn":
  "arn:aws:iam::111111111111:role/sample-role-used-by-stratus-for-ec2-password-data",
  "accountId": "111111111111", "userName": "sample-role-used-by-stratus-for-ec2-password-data"},
  "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-10T22:04:12Z",
  "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-10T22:04:13Z", "eventSource":
  "ec2.amazonaws.com", "eventName": "GetPasswordData", "awsRegion": "us-west-2", "sourceIPAddress":
  "142.254.89.27", "userAgent": "stratus-red-team_e3e4b259-63a4-4d89-acd5-a7286a279bb8",
  "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized
  to perform this operation. Encoded authorization failure message: OwnXKlWs2vtfsyXhkYTFO35PfDwIeH4oGadP2dmbdguXBDpSfP-65XwZU4JdWht_u8p9BlgIZ0QOYIzmm5-ApXc7HsgOynmQvF4vFNUxxiuY0w-VRNBiuPmphwnJqYln8pTJogn0DfcleY5TIuDEFwmGvZHnGMmK1kXJ1VcUiQvbK_vuDpSqIDFz-jqcnOTjzsC4DXlTZkHLL1HEeNVIjI9HCEWYG4CuG9Ti8BQ0AnGVkU8oqvtS6iyVlnPI9oId5_AWpfmE1ijhNKbgFH77DjRn6QyR5rGkGYYFpvaIyMvX33Vti4RzfAyJdpuzMgp6tV-q_Rbh0ikwBJvUtiiGfmqzdQynfRNDQmXJ3ruifOjGmUz34M90SGFJKi5CVHGThtO3UWj9EqYXpKdu_JgTYEqxWvRBopB--V7tOap8XKuz7W3rWyHN2clHA0yooLZ3DV34LWgzzDp9Iv66829HSTwGz7h2P0sGdCNuV_FCxwQzWYa8f6_h1By90MvWUvmEDLSzOfA_PF6BcqCmV8XBiPUvCMPebDSGmPwSa371J5Yn2xEiuQadfuNYRLZnd2i1V_NF9ax67BdZ",
  "requestParameters": {"instanceId": "i-7sap2krlslv6adrs"}, "responseElements": null,
  "requestID": "87368810-7b30-4ff9-b097-702778a53f22", "eventID": "0cdd3757-296a-4454-9619-d0f8be335081",
  "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
  "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
  "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'