THREAT-278 OCSF data model, CloudTrail - fix pack & formatting

data_models/aws_cloudtrail_data_model.yml

@@ -114,3 +114,5 @@ Mappings:
  Path: $.requestParameters.enable
  - Name: resource_arn
  Path: $.requestParameters.resourceArn
+ - Name: request_items
+ Path: $.requestParameters.instancesSet.items

data_models/ocsf_accountchange_data_model.yml

@@ -1,7 +1,7 @@
 AnalysisType: datamodel
 LogTypes:
  - OCSF.AccountChange
-DataModelID: "Standard.OCSF.Account.Change"
+DataModelID: "Standard.OCSF.AccountChange"
 DisplayName: "OCSF Account Change"
 Filename: ocsf_accountchange_data_model.py
 Enabled: true

data_models/ocsf_apiactivity_data_model.py

@@ -65,3 +65,7 @@ def request_enable(event):
 
 def resource_arn(event):
  return request_parameters(event).get("resourceArn", "")
+
+
+def request_items(event):
+ return deep_get(request_parameters(event), "instancesSet", "items")

data_models/ocsf_apiactivity_data_model.yml

@@ -86,3 +86,5 @@ Mappings:
  Method: request_enable
  - Name: resource_arn
  Method: resource_arn
+ - Name: request_items
+ Method: request_items

rules/aws_cloudtrail_rules/aws_modify_cloud_compute_infrastructure.py

@@ -69,10 +69,10 @@ def title(event):
 
 
 def alert_context(event):
- # items = deep_get(event, "requestParameters", "instancesSet", "items") not sure if we can get this data in OCSF
+ items = event.udm("request_items", default=[{}])
  return {
  "awsRegion": event.udm("cloud_region"),
  "eventName": event.udm("event_name"),
  "recipientAccountId": event.udm("recipient_account_id"),
- # "instanceId": items[0].get("instanceId"),
+ "instanceId": items[0].get("instanceId"),
  }

rules/aws_cloudtrail_rules/aws_rds_publicrestore.py

@@ -12,7 +12,8 @@ def rule(event):
 
 
 def title(event):
- return f"Publicly Accessible RDS restore created in [{event.udm('recipient_account_id', default='')}]"
+ return (f"Publicly Accessible RDS restore created in "
+ f"[{event.udm('recipient_account_id', default='')}]")
 
 
 def alert_context(event):