Introduction

When a new event is received by a CDR integration, part of the process determines which principal created the event. It is vital that principals are selected in a consistent way so that:
  • Event history is populated correctly for a principal
  • Exclusions are applied to the correct principal
This article explains how principals are selected from an inbound event.

Basis

The vast majority of events processed by a CDR integration come from AWS CloudTrail management events therefore this AWS User Guide document was used to determine the principal for each event. Pass-through detections for GuardDuty, Macie and Access Analyzer do not have a principal selection.

Selection Criteria

Based on the userIdentity.type field of an event, the following fields are selected from userIdentity to represent the principal:
  • Root = Root
  • IAMUser = userName
  • AssumedRole = principalId
  • Role = userName
  • FederatedUser = sessionContext.sessionIssuer.userName
  • Directory = userName
  • AWSAccount = accountId
  • AWSService = invokedBy
  • IdentityCenterUser = onBehalfOf.userId
  • Unknown = userName
  • SAMLUser = userName
  • WebIdentityUser = userName
In the case where no value is present for the selected field the principal will be set to Unknown with the userIdentity.type value appended