Question

Secops - Data table

  • March 18, 2026
  • 0 replies
  • 2 views

Roni11

Hi,

I’m working on enriching AWS CloudTrail logs with Organization Unit (OU) information. Since CloudTrail logs (except for the “CreateAccount” event) do not natively include the OU, I’ve implemented the following workflow:

I created a Data Table that maps Account ID to OU and I wrote a detection rule that triggers on the “CreateAccount” log and uses the write_row function to update the mapping in the Data Table.


I need the OU information to be available in every case opened for a specific account, even though the logs triggering those cases don't contain the OU field.


What is the best practice to enrich a case with a field from a data table in this situation?

Can I leverage the outcome section to fetch the OU from my data table and then promote it to the case level?

I’m looking for the standard procedure to handle the Alert-to-Case mapping for these enriched values.

Or, is graph_override a better approach for this type of entity-based enrichment?

I want to make sure that when an analyst opens a case for "Account_AAA", the "OU" field is clearly visible in the case context/metadata.


Could you please provide a code example of the YARA-L lookup and explain the steps to map this outcome to a case field?


Thanks
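One shape the lookup rule can take, added here as an illustration rather than code from the poster or from Google's documentation. It shows only the read side of the workflow described above (a YARA-L 2.0 rule that joins CloudTrail events against the data table and surfaces the OU as an outcome variable); the CreateAccount rule that calls write_row is left as the poster has it. The data table name `account_ou_map`, its column names `account_id` and `ou`, the log type string, and the UDM field used for the AWS account ID are all assumptions: the account ID field in particular depends on where your CloudTrail parser places `userIdentity.accountId`, so check a parsed event before relying on it.

```yaral
rule cloudtrail_event_enriched_with_ou {
  meta:
    author = "example, not part of the original post"
    description = "Joins CloudTrail events to the account_ou_map data table and exposes the OU as an outcome variable"
    severity = "LOW"

  events:
    // Assumption: CloudTrail is ingested under this log type.
    $e.metadata.log_type = "AWS_CLOUDTRAIL"

    // Assumption: the parser puts the AWS account ID in this UDM field.
    // Replace with the field your parsed events actually populate.
    $e.principal.user.userid = $account_id

    // Lookup against the data table (assumed name and columns).
    // The equality acts as an inner join: events whose account ID is not
    // yet present in the table will not match this rule at all.
    %account_ou_map.account_id = $account_id
    %account_ou_map.ou = $ou_name

  match:
    $account_id over 5m

  outcome:
    // The OU is carried into the detection as an outcome variable.
    // A matched account should map to exactly one OU, so the array
    // normally has a single element.
    $ou = array_distinct($ou_name)

  condition:
    $e
}
```

Two practical points follow from the inner-join behaviour. First, the write_row rule has to have run for an account before any other event from that account can be enriched; events that arrive in the gap between account creation and the row being written will simply not match, so it is worth having a second, lookup-free rule (or a scheduled check) that flags account IDs absent from the table. Second, the OU lives in the detection's outcome variables, not in the event, so whichever alert-to-case mapping is configured on the SOAR side needs to read that outcome field; confirm the exact mapping in your SecOps configuration rather than assuming the name above carries through unchanged.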