Merge pull request #1700 from heyibrahimkhan/patch-5

Create ala-azure-aws_cloudtrail.yml

tools/config/ala-azure-aws_cloudtrail.yml

@@ -0,0 +1,46 @@
+title: AWS CloudTrail Logs mapping for Azure Log Analytics
+order: 20
+backends:
+  - ala
+  - ala-rule
+fieldmappings:
+  additionalEventdata: AdditionalEventData
+  apiVersion: APIVersion
+  awsRegion: AWSRegion
+  errorCode: ErrorCode
+  errorMessage: ErrorMessage
+  eventID: AwsEventId
+  eventName: EventName
+  eventSource: EventSource
+  eventTime: TimeGenerated
+  eventType: EventTypeName
+  eventVersion: EventVersion
+  managementEvent: ManagementEvent
+  readOnly: ReadOnly
+  recipientAccountId: RecipientAccountId
+  requestID: AwsRequestId_
+  requestParameters: RequestParameters
+  responseElements: ResponseElements
+  serviceEventDetails: ServiceEventDetails
+  sourceIPAddress: SourceIpAddress
+  userAgent: UserAgent
+  userIdentity.accessKeyId: UserIdentityAccessKeyId
+  userIdentity.accountId: UserIdentityAccountId
+  userIdentity.arn: UserIdentityArn
+  userIdentity.invokedBy: UserIdentityInvokedBy
+  userIdentity.principalId: UserIdentityPrincipalid
+  userIdentity.sessionContext.attributes.creationDate: SessionCreationDate
+  userIdentity.sessionContext.attributes.mfaAuthenticated: SessionMfaAuthenticated
+  userIdentity.sessionContext.sessionIssuer.userName: SessionIssuerUserName
+  userIdentity.sessionContext.sessionIssuer.type: SessionIssuerType
+  userIdentity.sessionContext.sessionIssuer.principalId: SessionIssuerPrincipalId
+  userIdentity.sessionContext.sessionIssuer.arn: SessionIssuerArn
+  userIdentity.sessionContext.sessionIssuer.accountId: SessionIssuerAccountId
+  userIdentity.type: UserIdentityType
+  userIdentity.userName: UserIdentityUserName
+  vpcEndpointId: VpcEndpointId
+overrides:
+  - field: ErrorCode
+    value: 999999
+    regexes:
+      - (ErrorCode contains \'\')