Use full event name when logging cloudtrail events

DataDog · Aug 3, 2024 · 49e9478 · 49e9478
1 parent 4ac40ad
commit 49e9478
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/cmd/grimoire/shell.go b/cmd/grimoire/shell.go
@@ -155,7 +155,7 @@ func (m *ShellCommand) Do() error {
 			os.Exit(1)
 		}
 
-		log.Infof("Found event: %s", (*evt.CloudTrailEvent)["eventName"])
+		log.Infof("Found event: %s", utils.GetCloudTrailEventFullName(evt.CloudTrailEvent))
 		if err := utils.AppendToJsonFileArray(m.OutputFile, *evt.CloudTrailEvent); err != nil {
 			log.Errorf("unable to append CloudTrail event to output file: %v", err)
 		}

diff --git a/cmd/grimoire/stratus-red-team.go b/cmd/grimoire/stratus-red-team.go
@@ -127,7 +127,7 @@ func (m *StratusRedTeamCommand) Do() error {
 }
 
 func (m *StratusRedTeamCommand) handleNewEvent(event *map[string]interface{}) error {
-	log.Printf("Found new CloudTrail event generated on %s UTC: %s", (*event)["eventTime"], (*event)["eventName"])
+	log.Printf("Found new CloudTrail event generated on %s UTC: %s", (*event)["eventTime"], utils.GetCloudTrailEventFullName(event))
 	err := utils.AppendToJsonFileArray(m.OutputFile, *event)
 	if err != nil {
 		return fmt.Errorf("unable to write CloudTrail event to %s: %v", m.OutputFile, err)

diff --git a/pkg/grimoire/logs/cloudtrail.go b/pkg/grimoire/logs/cloudtrail.go
@@ -199,9 +199,7 @@ func (m *CloudTrailEventsFinder) lookupEvents(ctx context.Context, detonation *d
 func (m *CloudTrailEventsFinder) shouldKeepEvent(event *map[string]interface{}) bool {
 	// note: we know (precondition) that zero or one of IncludeEvents and ExcludeEvents is set, not both
 
-	eventName := (*event)["eventName"].(string)
-	eventSourceShort := strings.TrimSuffix((*event)["eventSource"].(string), ".amazonaws.com")
-	fullEventName := fmt.Sprintf("%s:%s", eventSourceShort, eventName) // e.g. "sts:GetCallerIdentity"
+	fullEventName := grimoire.GetCloudTrailEventFullName(event)
 	isReadOnly := (*event)["readOnly"].(bool)
 
 	if m.Options.WriteEventsOnly && isReadOnly {

diff --git a/pkg/grimoire/utils/aws.go b/pkg/grimoire/utils/aws.go
@@ -0,0 +1,13 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+)
+
+// GetCloudTrailEventFullName returns the full name of a CloudTrail event, e.g. sts:GetCallerIdentity
+func GetCloudTrailEventFullName(event *map[string]interface{}) string {
+	eventName := (*event)["eventName"].(string)
+	eventSourceShort := strings.TrimSuffix((*event)["eventSource"].(string), ".amazonaws.com")
+	return fmt.Sprintf("%s:%s", eventSourceShort, eventName) // e.g. "sts:GetCallerIdentity"
+}
diff --git a/pkg/grimoire/utils/aws_test.go b/pkg/grimoire/utils/aws_test.go
@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetCloudTrailEventFullName(t *testing.T) {
+	event := map[string]interface{}{
+		"eventName":   "SendCommand",
+		"eventSource": "ssm.amazonaws.com",
+	}
+	result := GetCloudTrailEventFullName(&event)
+	assert.Equal(t, "ssm:SendCommand", result)
+}