feat(cloudtrail): add AWS SSM related request data to extracted fields by Zaulao · Pull Request #1196 · falcosecurity/plugins

Zaulao · 2026-02-09T19:45:43Z

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area plugins

/area registry

/area build

/area documentation

What this PR does / why we need it:
This PR adds three new fields to the cloudtrail plugin, which extract the values from the requestParameters.reason, requestParameters.target, and requestParameters.documentName fields. These fields are used in ssm:StartSession requests and are useful for monitoring the opening of EC2 connections via Session Manager.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Zaulao · 2026-02-09T19:48:09Z

I guess it was a bad idea to open that PR during a GitHub incident, huh?

ekoops · 2026-02-10T10:09:21Z

I guess it was a bad idea to open that PR during a GitHub incident, huh?

Ahah right! I restarted the CI, let's see 💪

github-actions · 2026-02-10T10:09:29Z

Rules files suggestions

rules

Comparing f05e6f4fb680467463fb065ba16f28f80cb3e477 with latest tag plugins/cloudtrail/v0.14.0

No changes detected

ekoops · 2026-02-11T08:46:51Z

Hey @Zaulao . Could you please rebase and add the DCO to your commit?

github-actions · 2026-02-11T13:06:14Z

Rules files suggestions

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/gcpaudit/v0.7.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/github/v0.10.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/cloudtrail/v0.14.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/k8saudit-gke/v0.7.0

No changes detected

Zaulao · 2026-02-11T13:25:02Z

I think I messed up something on the rebase but it's working, the CI fail seems intermittent

github-actions · 2026-02-12T10:16:38Z

Rules files suggestions

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/gcpaudit/v0.7.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/github/v0.10.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/cloudtrail/v0.14.0

No changes detected

rules

Comparing 5186e26f82a89a36647eafeff03818333102bc3d with latest tag plugins/k8saudit-gke/v0.7.0

No changes detected

ekoops · 2026-02-12T10:19:03Z

Mmm you included commits from dependabot. I guess those should be already on master... Could you please remove them?

github-actions · 2026-02-12T11:09:35Z

Rules files suggestions

rules

Comparing e7aa9231bc8f9ec0b4de9db4c7184d3c7ae802c4 with latest tag plugins/cloudtrail/v0.14.0

No changes detected

github-actions · 2026-02-12T14:33:28Z

Rules files suggestions

rules

Comparing 54ff4572d083977ed380e8928743358a8191351c with latest tag plugins/cloudtrail/v0.14.0

No changes detected

leogr

Hey @Zaulao

our policy doesn't allow merge commits

Can you rebase and remove them?
This resource may help https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#resolving-conflicts-by-rebasing

🙏

Signed-off-by: Zaulao <29334377+Zaulao@users.noreply.github.com>

Zaulao · 2026-02-12T16:39:25Z

Sorry for the back and forth, everything should be in order now.

leogr

Just left a suggestion. Otherwise SGTM.

Thank you!

Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Zaulao <29334377+Zaulao@users.noreply.github.com>

github-actions · 2026-02-18T14:10:37Z

Rules files suggestions

rules

Comparing 08ed2f2d3b53a175605414b987abd3dac7b7351b with latest tag plugins/cloudtrail/v0.14.0

No changes detected

poiana · 2026-02-19T08:39:32Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, Zaulao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [ekoops]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

poiana · 2026-02-19T08:39:33Z

LGTM label has been added.

Details

Git tree hash: d4c832f501add307751aad6dd55a7727ae476c85

poiana requested review from ekoops and irozzo-1A February 9, 2026 19:45

poiana added the size/S label Feb 9, 2026

poiana added dco-signoff: no do-not-merge/contains-merge-commits labels Feb 11, 2026

Zaulao force-pushed the feat/cloudtrail-ssm-request-params branch from 993ad6c to 5186e26 Compare February 11, 2026 12:51

poiana added dco-signoff: yes size/L and removed dco-signoff: no do-not-merge/contains-merge-commits size/S labels Feb 11, 2026

poiana added do-not-merge/contains-merge-commits size/S and removed size/L labels Feb 12, 2026

Zaulao force-pushed the feat/cloudtrail-ssm-request-params branch from 34e68d4 to e7aa923 Compare February 12, 2026 10:53

leogr reviewed Feb 12, 2026

View reviewed changes

feat(cloudtrail): add AWS SSM related request data to extracted fields

5c8c025

Signed-off-by: Zaulao <29334377+Zaulao@users.noreply.github.com>

Zaulao force-pushed the feat/cloudtrail-ssm-request-params branch from 54ff457 to 5c8c025 Compare February 12, 2026 16:38

poiana removed the do-not-merge/contains-merge-commits label Feb 12, 2026

Zaulao requested a review from leogr February 12, 2026 19:26

leogr reviewed Feb 17, 2026

View reviewed changes

Comment thread plugins/cloudtrail/pkg/cloudtrail/extract.go Outdated

Comment thread plugins/cloudtrail/README.md Outdated

Zaulao and others added 2 commits February 18, 2026 10:55

Update plugins/cloudtrail/pkg/cloudtrail/extract.go

9b95ae5

Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Zaulao <29334377+Zaulao@users.noreply.github.com>

Update plugins/cloudtrail/README.md

08ed2f2

Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Zaulao <29334377+Zaulao@users.noreply.github.com>

ekoops requested a review from leogr February 19, 2026 08:39

ekoops approved these changes Feb 19, 2026

View reviewed changes

poiana assigned ekoops Feb 19, 2026

poiana added the lgtm label Feb 19, 2026

poiana added the approved label Feb 19, 2026

poiana merged commit d2494aa into falcosecurity:main Feb 19, 2026
12 checks passed

Conversation

Zaulao commented Feb 9, 2026

Uh oh!

Zaulao commented Feb 9, 2026

Uh oh!

ekoops commented Feb 10, 2026

Uh oh!

github-actions Bot commented Feb 10, 2026

Rules files suggestions

rules

Uh oh!

ekoops commented Feb 11, 2026

Uh oh!

github-actions Bot commented Feb 11, 2026

Rules files suggestions

rules

rules

rules

rules

Uh oh!

Zaulao commented Feb 11, 2026

Uh oh!

github-actions Bot commented Feb 12, 2026

Rules files suggestions

rules

rules

rules

rules

Uh oh!

ekoops commented Feb 12, 2026

Uh oh!

github-actions Bot commented Feb 12, 2026

Rules files suggestions

rules

Uh oh!

github-actions Bot commented Feb 12, 2026

Rules files suggestions

rules

Uh oh!

leogr left a comment

Choose a reason for hiding this comment

Uh oh!

Zaulao commented Feb 12, 2026

Uh oh!

leogr left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Feb 18, 2026

Rules files suggestions

rules

Uh oh!

poiana commented Feb 19, 2026

Uh oh!

poiana commented Feb 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants