Description
Integration Name
AWS [aws]
Dataset Name
aws.cloudtrail
Integration Version
4.4.0
Agent Version
9.2.0+build202510300150
OS Version and Architecture
macOS Sequoia 15.7.2
User Goal
I'm trying to utilize a boolean field that is included in the event.original CloudTrail log. The field, sessionCredentialFromConsole, is populated as true and only included in CloudTrail logs from sessions started via the AWS Console rather than the AWS CLI or another client.
Existing Features
Currently I can see this field populated via event.original, but it is not mapped through our integration, making it impossible to use for my use-case, which is to exclude certain behavior from our prebuilt detection rules if it is part of a console session. Here is a recent example of a rule I was only partly able to tune due to this missing field. The rule looks for suspicious use of temporary credentials, which can be created via calls like AssumeRole. However, temporary credentials are also created for console sessions, which is normal behavior, so without this field there is no way to distinguish between the scenarios.
What did you see?
Here is a screenshot of the field included as part of the event.original field. This can be found in any CloudTrail event populated from a console session. This field is not populated otherwise.
Anything else?
https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html
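The tuning described above, as an added example that is not part of this issue or of the Elastic integration: it reads sessionCredentialFromConsole out of event.original and drops console sessions from a temporary-credential detection. The document shape and access key IDs are constructed, and the ASIA/AKIA key-prefix convention is an assumption from AWS documentation, not something stated in the issue.

```python
"""Added example (not part of the issue or the Elastic integration): tune a
temporary-credential detection using CloudTrail's sessionCredentialFromConsole."""
import json

# Constructed sample documents shaped like the integration's output: the raw
# CloudTrail record is kept as a JSON string in event.original.
SAMPLE_DOCS = [
    {"event": {"original": json.dumps({
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1"},
        "sessionCredentialFromConsole": True})}},
    {"event": {"original": json.dumps({
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE2"}})}},
    {"event": {"original": json.dumps({
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE3"}})}},
]


def session_from_console(doc):
    """Return True only when the raw record carries sessionCredentialFromConsole=true.
    CloudTrail emits the field only for console sessions, so a missing field
    means 'not a console session'. Tolerates "true" arriving as a string."""
    record = json.loads(doc["event"]["original"])
    value = record.get("sessionCredentialFromConsole", False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def uses_temporary_credentials(doc):
    """Temporary (STS) credentials have access key IDs beginning with 'ASIA';
    long-term IAM user keys begin with 'AKIA'. (Assumption: this prefix
    convention comes from AWS documentation, not from the issue.)"""
    record = json.loads(doc["event"]["original"])
    key_id = record.get("userIdentity", {}).get("accessKeyId", "")
    return key_id.startswith("ASIA")


def suspicious_temp_credential_events(docs):
    """Keep events that used temporary credentials outside a console session.
    Console sessions also use temporary credentials, so excluding them removes
    the benign case the issue describes without hiding CLI/API AssumeRole use."""
    return [d for d in docs
            if uses_temporary_credentials(d) and not session_from_console(d)]


if __name__ == "__main__":
    for d in suspicious_temp_credential_events(SAMPLE_DOCS):
        print(json.loads(d["event"]["original"])["userIdentity"]["accessKeyId"])
```

Run against the constructed documents, only the CLI/API AssumeRole session (ASIAEXAMPLE2) remains as a hit; the console session and the long-term key are excluded.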