What Changed
New ASIM User Management parser for AWS CloudTrail supporting IAM and Cognito Identity Provider event normalization.
Parser Impact
The parser normalizes AWS CloudTrail user management events to the ASIM User Management schema (v0.1.2), targeting:
- IAM events (iam.amazonaws.com): user/role lifecycle, group membership, policy attachments
- Cognito IDP events (cognito-idp.amazonaws.com): user pools, group management, authentication configuration
Detection Surface Unlocked
Provides normalized visibility into AWS identity operations:
- User and role creation/deletion across IAM and Cognito
- Group membership changes and policy modifications
- Password changes and MFA device management
- Cross-service identity activity correlation via ASIM schema
ASIM Schema Enhancement
Added new enumerated values to ASimTester.csv:
- EventVendor: AWS for UserManagement schema
- EventProduct: CloudTrail for UserManagement schema
- GroupIdType: Simple enumeration
- TargetUserIdType: AWSIAMUserId, AWSIAMRoleId enumerations
Affected Files
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
Parsers/ASimUserManagement/ARM/ASimUserManagementAWSCloudTrail/ASimUserManagementAWSCloudTrail.json
Parsers/ASimUserManagement/ARM/ASimUserManagementAWSCloudTrail/README.md
Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json
Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
Parsers/ASimUserManagement/ARM/vimUserManagementAWSCloudTrail/README.md
Parsers/ASimUserManagement/ARM/vimUserManagementAWSCloudTrail/vimUserManagementAWSCloudTrail.json
Parsers/ASimUserManagement/CHANGELOG/ASimUserManagementAWSCloudTrail.md
Parsers/ASimUserManagement/CHANGELOG/vimUserManagementAWSCloudTrail.md
Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
Parsers/ASimUserManagement/Parsers/ASimUserManagementAWSCloudTrail.yaml
Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
Parsers/ASimUserManagement/Parsers/vimUserManagementAWSCloudTrail.yaml
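
The normalized visibility described under "Detection Surface Unlocked", as an added example that is not part of the original description or the parser's own code: a KQL hunting query that flags a user who is created and then added to a group within 30 minutes. It runs over constructed rows shaped like ASIM User Management output. The sample values, the `Window` threshold, and the assumption that the unifying parser is deployed as `imUserManagement` are illustrative.

```kql
// Constructed sample rows in ASIM User Management shape; every value is made up.
// The two app-user-17 rows stand in for Cognito activity; their TargetUserIdType is
// left empty because the description lists ID types only for IAM users and roles.
let SampleEvents = datatable(
    TimeGenerated: datetime, EventVendor: string, EventProduct: string,
    EventType: string, EventResult: string, ActorUsername: string,
    TargetUsername: string, TargetUserIdType: string, GroupName: string,
    SrcIpAddr: string)
[
    datetime(2024-05-01 10:00:00), "AWS", "CloudTrail", "UserCreated", "Success", "alice", "svc-backup", "AWSIAMUserId", "", "198.51.100.7",
    datetime(2024-05-01 10:04:00), "AWS", "CloudTrail", "UserAddedToGroup", "Success", "alice", "svc-backup", "AWSIAMUserId", "Admins", "198.51.100.7",
    datetime(2024-05-01 11:00:00), "AWS", "CloudTrail", "UserCreated", "Success", "bob", "app-user-17", "", "", "203.0.113.20",
    datetime(2024-05-01 15:30:00), "AWS", "CloudTrail", "UserAddedToGroup", "Success", "carol", "app-user-17", "", "Readers", "203.0.113.21",
    datetime(2024-05-01 12:00:00), "AWS", "CloudTrail", "PasswordChanged", "Success", "dave", "dave", "AWSIAMUserId", "", "192.0.2.10"
];
// Maximum gap between creation and group membership (assumed threshold; tune per environment).
let Window = 30m;
// In a workspace, replace SampleEvents with imUserManagement (assumed deployment name).
let Base = SampleEvents
    | where EventVendor == "AWS" and EventProduct == "CloudTrail"
    | where EventResult == "Success";
Base
| where EventType == "UserCreated"
| project CreatedTime = TimeGenerated, TargetUsername, CreatedBy = ActorUsername, TargetUserIdType
| join kind=inner (
    Base
    | where EventType == "UserAddedToGroup"
    | project AddedTime = TimeGenerated, TargetUsername, AddedBy = ActorUsername, GroupName, SrcIpAddr
  ) on TargetUsername
// Keep only group additions that follow the creation within the window.
| where AddedTime >= CreatedTime and AddedTime - CreatedTime <= Window
| project CreatedTime, AddedTime, TargetUsername, TargetUserIdType, CreatedBy, AddedBy, GroupName, SrcIpAddr
```

Because the filter uses only normalized fields, the same query covers IAM and Cognito events without referencing any CloudTrail event names.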