What Changed

Added comprehensive ASIM FileEvent parser for AWS CloudTrail S3 events with full ARM template deployment support and documentation.

Parser Impact

New data source coverage: AWS S3 file operations via CloudTrail logs

  • Primary schema: ASIM FileEvent v0.2.2 normalization
  • Event source: s3.amazonaws.com CloudTrail events
  • Parser functions: ASimFileEventAWSCloudTrail and vimFileEventAWSCloudTrail

Event Type Mappings

S3 operations normalized to ASIM FileEvent types:

  • FileCreated: PutObject, CreateMultipartUpload, UploadPart, RestoreObject
  • FileAccessed: GetObject, HeadObject, ListObjects, GetObjectAttributes
  • FileDeleted: DeleteObject, DeleteObjects (with version marker support)
  • FileAttributesUpdated: PutObjectAcl, PutObjectTagging, DeleteObjectTagging
  • FolderCreated: CreateBucket
  • FolderModified: PutBucketPolicy, PutBucketEncryption, PutBucketVersioning
  • FolderAttributesAccessed: GetBucketAcl, GetBucketPolicy, ListBuckets
  • FileCopied: CopyObject
  • FileRenamed: RenameObject

Detection Surface Unlocked

Enables monitoring of:

  • S3 bucket and object access patterns for data exfiltration detection
  • Unauthorized bucket policy or ACL modifications
  • Object deletion and lifecycle events for ransomware indicators
  • Cross-account S3 operations and privilege escalation attempts
  • Data classification through object tagging and metadata operations

Parser includes comprehensive actor attribution (AWS User ID, username, access key), source IP tracking, and additional CloudTrail context preservation.

Affected Files

ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json
Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/README.md
Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json
Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json
Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/README.md
Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json
Parsers/ASimFileEvent/CHANGELOG/ASimFIleEventAWSCloudTrail.md
Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md
Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md
Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md
Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml
Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml
Parsers/ASimFileEvent/Parsers/imFileEvent.yaml
Parsers/ASimFileEvent/Parsers/vimFileEventAWSCloudTrail.yaml
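To illustrate the event type mappings and the object-deletion monitoring listed above, the following KQL is an added example, not the parser code from this change. The sample rows are constructed. The `bucket/key` form of `TargetFilePath`, the use of `UserIdentityUserName` as `ActorUsername`, the 5-minute window and the threshold of 3 are assumptions made for the illustration.

```kql
// Constructed sample rows shaped like the Sentinel AWSCloudTrail table (not real logs).
let SampleCloudTrail = datatable(TimeGenerated:datetime, EventSource:string, EventName:string,
    SourceIpAddress:string, UserIdentityUserName:string, RequestParameters:string, ErrorCode:string)
[
    datetime(2024-01-01 10:00:10), "s3.amazonaws.com", "GetObject", "198.51.100.7", "example-user", '{"bucketName":"example-bucket","key":"reports/q1.csv"}', "",
    datetime(2024-01-01 10:01:00), "s3.amazonaws.com", "DeleteObject", "198.51.100.7", "example-user", '{"bucketName":"example-bucket","key":"reports/q1.csv"}', "",
    datetime(2024-01-01 10:01:20), "s3.amazonaws.com", "DeleteObject", "198.51.100.7", "example-user", '{"bucketName":"example-bucket","key":"reports/q2.csv"}', "",
    datetime(2024-01-01 10:02:05), "s3.amazonaws.com", "DeleteObject", "198.51.100.7", "example-user", '{"bucketName":"example-bucket","key":"reports/q3.csv"}', "",
    datetime(2024-01-01 10:02:30), "s3.amazonaws.com", "DeleteObject", "203.0.113.9", "other-user", '{"bucketName":"example-bucket","key":"reports/q4.csv"}', "AccessDenied",
    datetime(2024-01-01 10:03:00), "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7", "example-user", "{}", ""
];
// Subset of the S3 operation to ASIM EventType mapping listed in this change.
let S3EventTypes = datatable(EventName:string, EventType:string)
[
    "PutObject", "FileCreated",
    "GetObject", "FileAccessed",
    "DeleteObject", "FileDeleted",
    "DeleteObjects", "FileDeleted",
    "CopyObject", "FileCopied"
];
SampleCloudTrail
| where EventSource == "s3.amazonaws.com"            // only S3 events are in scope
| lookup kind=inner S3EventTypes on EventName        // drop operations with no mapping
| extend Params = parse_json(RequestParameters)
| extend
    TargetFilePath = strcat(tostring(Params.bucketName), "/", tostring(Params.key)), // assumed path form
    EventResult = iff(isempty(ErrorCode), "Success", "Failure"),
    ActorUsername = UserIdentityUserName,            // assumed actor field choice
    SrcIpAddr = SourceIpAddress
// Burst of successful deletions by one actor from one address in a 5-minute window.
| where EventType == "FileDeleted" and EventResult == "Success"
| summarize Objects = make_set(TargetFilePath), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by ActorUsername, SrcIpAddr, bin(TimeGenerated, 5m)
| extend DeletedObjects = array_length(Objects)
| where DeletedObjects >= 3                          // constructed threshold for the sample data
| project FirstSeen, LastSeen, ActorUsername, SrcIpAddr, DeletedObjects, Objects
```

On the sample rows this returns a single row for `example-user` with three deleted objects. The `AccessDenied` attempt and the non-S3 event are excluded.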