aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

Mapping error with synthetics GetCanaryRuns #136

Closed jinu1980 closed 3 years ago

jinu1980 commented 3 years ago

There is a mapping error with eventName: GetCanaryRuns:

{'type': 'illegal_argument_exception', 'reason': 'mapper [requestParameters.FilterValues] cannot be changed from type [date] to [text]'}

Here is a sample log:

{
   "eventVersion":"1.08",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"masked",
      "arn":"arn:aws:iam::masked:user/user",
      "accountId":"masked",
      "accessKeyId":"masked",
      "userName":"user",
      "sessionContext":{
         "sessionIssuer":{

         },
         "webIdFederationData":{

         },
         "attributes":{
            "mfaAuthenticated":"true",
            "creationDate":"2021-07-12T03:00:45Z"
         }
      }
   },
   "eventTime":"2021-07-12T09:16:01Z",
   "eventSource":"synthetics.amazonaws.com",
   "eventName":"GetCanaryRuns",
   "awsRegion":"ap-southeast-2",
   "sourceIPAddress":"masked",
   "userAgent":"aws-internal/3 aws-sdk-java/1.11.980 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.282-b08 java/1.8.0_282 vendor/Oracle_Corporation cfg/retry-mode/legacy",
   "requestParameters":{
      "Filter":"EXECUTION_RESULT_DATE",
      "name":"poc-canary",
      "FilterValues":[
         "FAILED",
         "2021-07-12"
      ]
   },
   "responseElements":null,
   "requestID":"ac11b656-9dca-4893-9ad2-18b4eebd1c52",
   "eventID":"43d4cf9ed-48c0-4604-b5c9-26b072322dbd",
   "readOnly":true,
   "eventType":"AwsApiCall",
   "managementEvent":true,
   "eventCategory":"Management",
   "recipientAccountId":"masked"
}
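As an added example, not part of this issue or of the project's own code: a small Python pre-flight check that reproduces the dynamic-mapping conflict reported above on the ingest side, before a document reaches the cluster, and builds the explicit keyword mapping that avoids it. The date regex is only an approximation of OpenSearch's default date detection (strict_date_optional_time), the event below is a constructed, trimmed copy of the sample above, and all function names are this example's own.

```python
import re
from typing import Any, Dict, Set

# Constructed sample: a trimmed copy of the event in the issue, keeping only
# the fields involved in the mapper conflict.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventSource": "synthetics.amazonaws.com",
    "eventName": "GetCanaryRuns",
    "readOnly": True,
    "requestParameters": {
        "Filter": "EXECUTION_RESULT_DATE",
        "name": "poc-canary",
        "FilterValues": ["FAILED", "2021-07-12"],
    },
}

# Rough stand-in for OpenSearch's default dynamic date detection
# (strict_date_optional_time): yyyy, yyyy-MM, yyyy-MM-dd, optional time and zone.
_DATE_RE = re.compile(
    r"^\d{4}(-\d{2}(-\d{2}([T ]\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:?\d{2})?)?)?)?$"
)


def dynamic_type(value: Any) -> str:
    """Type a dynamic mapper would pick for one leaf value (approximation)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "date" if _DATE_RE.match(value) else "text"
    return "null"


def leaf_types(doc: Any, prefix: str = "") -> Dict[str, Set[str]]:
    """Map each dotted leaf path to the set of types its values would infer.
    Every list element contributes, which is how a mixed list shows up."""
    out: Dict[str, Set[str]] = {}
    if isinstance(doc, dict):
        for key, val in doc.items():
            path = f"{prefix}.{key}" if prefix else key
            for p, types in leaf_types(val, path).items():
                out.setdefault(p, set()).update(types)
    elif isinstance(doc, list):
        for item in doc:
            for p, types in leaf_types(item, prefix).items():
                out.setdefault(p, set()).update(types)
    elif doc is not None:
        out.setdefault(prefix, set()).add(dynamic_type(doc))
    return out


def mixed_fields(doc: Any) -> Dict[str, Set[str]]:
    """Paths whose values already disagree on type within a single event."""
    return {p: t for p, t in leaf_types(doc).items() if len(t) > 1}


def incompatible_with(doc: Any, existing: Dict[str, str]) -> Dict[str, Set[str]]:
    """Given the types the index mapping already holds for some paths, return
    the paths whose incoming values would raise a mapper conflict."""
    seen_types = leaf_types(doc)
    problems: Dict[str, Set[str]] = {}
    for path, mapped in existing.items():
        bad = {t for t in seen_types.get(path, set()) if t != mapped}
        if bad:
            problems[path] = bad
    return problems


def keyword_mapping(paths) -> Dict[str, Any]:
    """Build an explicit 'keyword' mapping for the given dotted paths so any
    string value indexes without dynamic date guessing."""
    mapping: Dict[str, Any] = {"properties": {}}
    for path in paths:
        node = mapping
        parts = path.split(".")
        for part in parts[:-1]:
            node = node["properties"].setdefault(part, {"properties": {}})
        node["properties"][parts[-1]] = {"type": "keyword"}
    return mapping


if __name__ == "__main__":
    print("mixed within event:", mixed_fields(SAMPLE_EVENT))
    print("conflicts vs. index:", incompatible_with(
        SAMPLE_EVENT, {"requestParameters.FilterValues": "date"}))
    print("mapping to apply:", keyword_mapping(["requestParameters.FilterValues"]))
```

Note that which side of the conflict you hit depends on document order: if the first GetCanaryRuns event indexed had only a date-like FilterValues entry, the field becomes `date` and the next "FAILED" value is rejected, exactly as in the error above; pinning the field to `keyword` in the index template removes that dependence.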

nakajiak commented 3 years ago

Thanks for the issue report.