Hi guys,

So I'm consuming AWS Cloudtrail events and am particaulrly interested in failed logins to the AWS console.

the correct event is enventName=ConsoleLogin but even when the event has failed it still gets a success action.

Here's the event:
{ [-]
additionalEventData: { [+]
}
awsRegion: us-east-1
errorMessage: Failed authentication
eventID: xxxxxxxxxxxxxxxxxxxxxxx
eventName: ConsoleLogin
eventSource: signin.amazonaws.com
eventTime: 2016-06-13T10:52:17Z
eventType: AwsConsoleSignIn
eventVersion: 1.02
recipientAccountId: 8348xxxxxxxxxxxxx
requestParameters: null
responseElements: { [-]
ConsoleLogin: Failure
}
sourceIPAddress: xxxxxxxxxxxxxxxx
userAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
userIdentity: { [+]
}
}

The event action is still set to sucess.

I traced it to the lookup aws-cloudtrail-action-status.csv but that seems to be expecting a errorcode - which isn't populated. It needs to read responseElements.ConsoleLogin in order to determine success.

Sample of the lookup:
eventName,errorCode,action,status

ConsoleLogin,success,success,success
ConsoleLogin,*,failure,failure

Could you give us a steer on how to resolve?

Thanks