feat(cloudtrail): Add generic additionalEventData field

Similar to ct.request, all values should also be available for additionalEventData. Signed-off-by: Uli Heilmeier <[email protected]>
falcosecurity · Feb 23, 2024 · 9a1f86a · 9a1f86a
1 parent 0e4a687
commit 9a1f86a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/plugins/cloudtrail/README.md b/plugins/cloudtrail/README.md
@@ -73,6 +73,7 @@ Here is the current set of supported fields:
 | `ct.tlsdetails.tlsversion`    | `string` | None | The TLS version of a request.                                                                                                                            |
 | `ct.tlsdetails.ciphersuite`   | `string` | None | The cipher suite (combination of security algorithms used) of a request.                                                                                 |
 | `ct.tlsdetails.clientprovidedhostheader` | `string` | None |  The client-provided host name used in the service API call.                                                                                  |
+| `ct.additionaleventdata`      | `string` | None |  All additonal event data attributes.                                                                                                                    |
 | `s3.uri`                      | `string` | None | the s3 URI (s3://<bucket>/<key>).                                                                                                                        |
 | `s3.bucket`                   | `string` | None | the bucket name for s3 events.                                                                                                                           |
 | `s3.key`                      | `string` | None | the S3 key name.                                                                                                                                         |

diff --git a/plugins/cloudtrail/pkg/cloudtrail/extract.go b/plugins/cloudtrail/pkg/cloudtrail/extract.go
@@ -83,6 +83,7 @@ var supportedFields = []sdk.FieldEntry{
 	{Type: "string", Name: "ct.tlsdetails.tlsversion", Display: "TLS Version", Desc: "The TLS version of a request."},
 	{Type: "string", Name: "ct.tlsdetails.ciphersuite", Display: "TLS Cipher Suite", Desc: "The cipher suite (combination of security algorithms used) of a request."},
 	{Type: "string", Name: "ct.tlsdetails.clientprovidedhostheader", Display: "Client Provided Host Header", Desc: "The client-provided host name used in the service API call."},
+	{Type: "string", Name: "ct.additionaleventdata", Display: "Additional Event Data", Desc: "All additional event data attributes."},
 	{Type: "string", Name: "s3.uri", Display: "Key URI", Desc: "the s3 URI (s3://<bucket>/<key>).", Properties: []string{"conversation"}},
 	{Type: "string", Name: "s3.bucket", Display: "Bucket Name", Desc: "the bucket name for s3 events.", Properties: []string{"conversation"}},
 	{Type: "string", Name: "s3.key", Display: "Key Name", Desc: "the S3 key name."},
@@ -643,6 +644,12 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
 		} else {
 			res = string(val)
 		}
+	case "ct.additionaleventdata":
+		val := jdata.Get("additionalEventData")
+		if val == nil {
+			return false, ""
+		}
+		res = string(val.MarshalTo(nil))
 	case "s3.bucket":
 		val := jdata.GetStringBytes("requestParameters", "bucketName")