Added cdr events structs (#416)

Signed-off-by: Afek Berger <[email protected]>
armosec · Dec 10, 2024 · d7dd95b · d7dd95b
1 parent 5035f16
commit d7dd95b
Show file tree

Hide file tree

Showing 3 changed files with 154 additions and 0 deletions.
diff --git a/armotypes/cdr/aws.go b/armotypes/cdr/aws.go
@@ -0,0 +1,79 @@
+package cdr
+
+import "time"
+
+type CloudTrailEvent struct {
+	EventVersion        string                 `json:"eventVersion"`
+	UserIdentity        UserIdentity           `json:"userIdentity"`
+	EventTime           time.Time              `json:"eventTime"`
+	EventSource         string                 `json:"eventSource"`
+	EventName           string                 `json:"eventName"`
+	AWSRegion           string                 `json:"awsRegion"`
+	SourceIPAddress     string                 `json:"sourceIPAddress"`
+	UserAgent           string                 `json:"userAgent"`
+	ErrorCode           string                 `json:"errorCode,omitempty"`
+	ErrorMessage        string                 `json:"errorMessage,omitempty"`
+	RequestParameters   map[string]interface{} `json:"requestParameters,omitempty"`
+	ResponseElements    map[string]interface{} `json:"responseElements,omitempty"`
+	AdditionalEventData map[string]interface{} `json:"additionalEventData,omitempty"`
+	RequestID           string                 `json:"requestId"`
+	EventID             string                 `json:"eventId"`
+	EventType           string                 `json:"eventType"`
+	APIVersion          string                 `json:"apiVersion,omitempty"`
+	ReadOnly            bool                   `json:"readOnly"`
+	ManagementEvent     bool                   `json:"managementEvent"`
+	Resources           []Resource             `json:"resources,omitempty"`
+	RecipientAccountId  string                 `json:"recipientAccountId,omitempty"`
+	SharedEventID       string                 `json:"sharedEventId,omitempty"`
+	VpcEndpointId       string                 `json:"vpcEndpointId,omitempty"`
+	TLSDetails          *TLSDetails            `json:"tlsDetails,omitempty"`
+	ServiceEventDetails map[string]interface{} `json:"serviceEventDetails,omitempty"`
+}
+
+type UserIdentity struct {
+	Type           string          `json:"type"`
+	PrincipalID    string          `json:"principalId"`
+	ARN            string          `json:"arn,omitempty"`
+	AccountID      string          `json:"accountId"`
+	AccessKeyID    string          `json:"accessKeyId,omitempty"`
+	UserName       string          `json:"userName,omitempty"`
+	InvokedBy      string          `json:"invokedBy,omitempty"`
+	SessionContext *SessionContext `json:"sessionContext,omitempty"`
+	OnBehalfOf     *OnBehalfOf     `json:"onBehalfOf,omitempty"`
+	CredentialId   string          `json:"credentialId,omitempty"`
+}
+
+type OnBehalfOf struct {
+	UserId           string `json:"userId"`
+	IdentityStoreArn string `json:"identityStoreArn"`
+}
+
+type SessionContext struct {
+	SessionIssuer *SessionIssuer `json:"sessionIssuer,omitempty"`
+	Attributes    *Attributes    `json:"attributes,omitempty"`
+}
+
+type SessionIssuer struct {
+	Type        string `json:"type"`
+	PrincipalID string `json:"principalId"`
+	ARN         string `json:"arn"`
+	AccountID   string `json:"accountId"`
+	UserName    string `json:"userName"`
+}
+
+type Attributes struct {
+	MfaAuthenticated string `json:"mfaAuthenticated,omitempty"`
+	CreationDate     string `json:"creationDate,omitempty"`
+}
+
+type Resource struct {
+	ResourceType string `json:"resourceType"`
+	ResourceName string `json:"resourceName,omitempty"`
+	ResourceARN  string `json:"ARN,omitempty"`
+}
+
+type TLSDetails struct {
+	TLSVersion               string `json:"tlsVersion,omitempty"`
+	CipherSuite              string `json:"cipherSuite,omitempty"`
+	ClientProvidedHostHeader string `json:"clientProvidedHostHeader,omitempty"`
+}
diff --git a/armotypes/cdr/cdr.go b/armotypes/cdr/cdr.go
@@ -0,0 +1,72 @@
+package cdr
+
+type CustomerDetails struct {
+	// CustomerGUID is the unique identifier of the customer account
+	CustomerGUID string `json:"customerGUID"`
+	// AccessKey is the access key of the customer account
+	AccessKey string `json:"accessKey"`
+}
+
+// Cloud services
+type CloudService string
+
+const (
+	// CloudTrail is the cloudtrail service
+	CloudTrail CloudService = "cloudtrail"
+	// Add more cloud services here
+)
+
+// Cloud providers
+type CloudProvider string
+
+const (
+	// AWS is the AWS cloud provider
+	AWS CloudProvider = "aws"
+	// Add more cloud providers here
+)
+
+type CloudMetadata struct {
+	// Provider is the cloud provider
+	Provider CloudProvider `json:"provider,omitempty"`
+	// SourceService is the source service (e.g cloudtrail, cloudwatch, etc)
+	SourceService CloudService `json:"sourceService,omitempty"`
+}
+
+// The types corresponds to the SourceService type
+type EventData struct {
+	// AWSCloudTrail cloudtrail event
+	AWSCloudTrail *CloudTrailEvent `json:"awsCloudTrail,omitempty"`
+	// Add more cloud event data here
+}
+
+type CdrAlert struct {
+	// CloudMetadata is the metadata of the cloud
+	CloudMetadata `json:"cloudMetadata,omitempty"`
+	// EventData is the event data
+	EventData `json:"eventData,omitempty"`
+	// RuleName is the name of the rule
+	RuleName string `json:"ruleName,omitempty"`
+	// RuleID is the unique identifier of the rule
+	RuleID string `json:"ruleID,omitempty"`
+	// Description is the description of the rule
+	Description string `json:"description,omitempty"`
+	// Priority is the severity of the rule
+	Priority string `json:"priority,omitempty"`
+	// Tags is the tags of the rule
+	Tags []string `json:"tags,omitempty"`
+	// Message is the failure message
+	Message string `json:"message,omitempty"`
+	// MitreTactic is the MITRE ATT&CK tactic
+	MitreTactic string `json:"mitreTactic,omitempty"`
+	// MitreTechnique is the MITRE ATT&CK technique
+	MitreTechnique string `json:"mitreTechnique,omitempty"`
+}
+
+type CdrAlertBatch struct {
+	// CustomerGUID is the unique identifier of the customer
+	CustomerGUID string `json:"customerGUID,omitempty"`
+	// CloudAccountID is the unique identifier of the cloud account
+	CloudAccountID string `json:"cloudAccountID,omitempty"`
+	// RuleFailures is the list of rule failures
+	RuleFailures []CdrAlert `json:"ruleFailures,omitempty"`
+}
diff --git a/armotypes/runtimeincidents.go b/armotypes/runtimeincidents.go
@@ -3,6 +3,7 @@ package armotypes
 import (
 	"time"
 
+	"github.com/armosec/armoapi-go/armotypes/cdr"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
@@ -47,6 +48,7 @@ const (
 	AlertTypeRule AlertType = iota
 	AlertTypeMalware
 	AlertTypeAdmission
+	AlertTypeCdr
 )
 
 type StackFrame struct {
@@ -155,6 +157,7 @@ type RuntimeAlert struct {
 	MalwareAlert           `json:",inline" bson:"inline"`
 	AdmissionAlert         `json:",inline" bson:"inline"`
 	RuntimeAlertK8sDetails `json:",inline" bson:"inline"`
+	cdr.CdrAlert           `json:",inline" bson:"inline"`
 	AlertType              AlertType `json:"alertType" bson:"alertType"`
 	// Rule ID
 	RuleID string `json:"ruleID,omitempty" bson:"ruleID,omitempty"`