aws: retain CloudTrail sessionCredentialFromConsole field (#16098)

Author: efd6

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.6.0"
+  changes:
+    - description: Retain CloudTrail `sessionCredentialFromConsole` field as `aws.cloudtrail.session_credential_from_console`.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16098
 - version: "4.5.0"
   changes:
     - description: Prevent updating fleet health status to degraded when the HTTPJSON template value evaluation is empty.

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json

@@ -27,6 +27,7 @@
                     "recipient_account_id": "000000000",
                     "request_id": "14743001-eef4-4746-b324-92b3d5f294f4",
                     "request_parameters": "{scope=REGIONAL, name=TestWebAcl, lockToken=6d67ea01-9048-4ab5-addf-c5da40e9b182, id=a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5}",
+                    "session_credential_from_console": "true",
                     "user_identity": {
                         "access_key_id": "ACCESSKEYID",
                         "arn": "arn:aws:iam::000000000:user/[email protected]",

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json

@@ -27,6 +27,7 @@
                     "request_id": "695e60be-fe04-417d-9977-491ec28bbbb6",
                     "request_parameters": "{sessionId=root-5hvouhyykagjjk3f6glxk8o6bu}",
                     "response_elements": "{sessionId=root-5hvouhyykagjjk3f6glxk8o6bu}",
+                    "session_credential_from_console": "true",
                     "user_identity": {
                         "access_key_id": "ACCESSKEY",
                         "arn": "arn:aws:iam::00000000000:root",

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json

@@ -241,6 +241,7 @@
                     "recipient_account_id": "001122334455",
                     "request_id": "EXAMPLE",
                     "request_parameters": "{Host=s3express-control.eu-west-1.amazonaws.com}",
+                    "session_credential_from_console": "true",
                     "user_identity": {
                         "access_key_id": "REDACTED",
                         "arn": "arn:aws:sts::001122334455:assumed-role/Some_AWS_Role/[email protected]",

packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml

@@ -828,6 +828,11 @@ processors:
       field: json.userIdentity.sessionContext.sessionIssuer.accountId
       target_field: aws.cloudtrail.user_identity.session_context.session_issuer.account_id
       ignore_failure: true
+  - rename:
+      field: json.sessionCredentialFromConsole
+      target_field: aws.cloudtrail.session_credential_from_console
+      ignore_missing: true
+      ignore_failure: true
   - rename:
       field: json.userIdentity.invokedBy
       target_field: aws.cloudtrail.user_identity.invoked_by

packages/aws/data_stream/cloudtrail/fields/fields.yml

@@ -189,6 +189,8 @@
           type: flattened
           description: >-
             Additional insight details.
+    - name: session_credential_from_console
+      type: keyword
 - name: related.entity
   description: "A collection of all entity identifiers associated with the document. \nIf the document  contains multiple entities, identifiers for each will be included.\nExample identifiers include(but not limited to) cloud resource IDs, ARNs,  email addresses,\nand hostnames. \n"
   type: keyword

packages/aws/docs/cloudtrail.md

@@ -109,6 +109,7 @@ Refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ec
 | aws.cloudtrail.response_elements.text | Multi-field of `aws.cloudtrail.response_elements`. | text |
 | aws.cloudtrail.service_event_details | Identifies the service event, including what triggered the event and the result. | keyword |
 | aws.cloudtrail.service_event_details.text | Multi-field of `aws.cloudtrail.service_event_details`. | text |
+| aws.cloudtrail.session_credential_from_console |  | keyword |
 | aws.cloudtrail.shared_event_id | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. | keyword |
 | aws.cloudtrail.user_identity.access_key_id | The access key ID that was used to sign the request. | keyword |
 | aws.cloudtrail.user_identity.arn | The Amazon Resource Name (ARN) of the principal that made the call. | keyword |

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: aws
 title: AWS
-version: "4.5.0"
+version: "4.6.0"
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories: