
Support nested JSON in output #63


Open
YamatoSecurity opened this issue Apr 23, 2025 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@YamatoSecurity
Contributor

YamatoSecurity commented Apr 23, 2025

In AWS logs, the .requestParameters and .responseElements fields are important to check for more information about the attack, if it succeeded, etc., so this would be great to output by adding the following to the default_profile.yml file:

Request: '.requestParameters'
Response: '.responseElements'

We can output the nested JSON as found in the log on a single line.
Ex: "responseElements":{"requestId":"6448e604-a047-4564-ba7e-712d66db3d97","routeTable":{"routeTableId":"rtb-0c7c2f4aff3677054","vpcId":"vpc-06fe1a64761a0f720","ownerId":"123837392027","routeSet":{"items":[{"destinationCidrBlock":"10.0.0.0/16","gatewayId":"local","state":"active","origin":"CreateRouteTable"}]},"associationSet":{},"propagatingVgwSet":{},"tagSet":{"items":[{"key":"StratusRedTeam","value":"true"},{"key":"Name","value":"stratus-red-team-ec2-steal-credentials-vpc-public"}]}}}

Since they contain many special characters we need to escape them for CSV/JSON output.

We might also want to support the raw output of sessionContext as well which is also nested JSON.

Instead of hardcoding which fields we expect nested JSON in and output raw, how about we define it as follows:

Request: 'raw.requestParameters'
Response: 'raw.responseElements'
SessionContext: 'raw.sessionContext'

where, anytime we have the raw keyword at the beginning, it is treated as a string of JSON data.

@fukusuket Sorry for many issues as always, but could I ask you to do this one?

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Apr 23, 2025
@fukusuket fukusuket self-assigned this Apr 23, 2025
@fukusuket
Collaborator

fukusuket commented May 12, 2025

@YamatoSecurity
I realized that the current implementation already outputs a nested JSON like the one below. It's slightly different from what we originally expected — what do you think? (This is because this feature was released on the sigma-rust side)

If I set default_profile.yml as follows:

Request: '.requestParameters'
Response: '.responseElements'
SessionContext: '.sessionContext'

then the output looks like this.

{
  "AWS-Region": "us-west-1",
  "EventID": "d6289604-b657-46c9-84a1-08da3aac6508",
  "EventName": "DescribeSnapshots",
  "EventSource": "ec2.amazonaws.com",
  "Level": "medium",
  "Request": "{includeRecoveryBin: false, filterSet: {}, ownersSet: {items: [{owner: 342082656213}]}, sharedUsersSet: {}, maxResults: 1000, snapshotSet: {}}",
  "Response": "",
  "RuleAuthor": "vitaliy0x1",
  "RuleID": "8ad1600d-e9dc-4251-b0ee-a65268f29add",
  "RuleTitle": "AWS Root Credentials",
  "SessionContext": "-",
  "SrcIP": "96.253.26.224",
  "Timestamp": "2021-07-29 00:07:58",
  "UserARN": "arn:aws:iam::342082656213:root",
  "UserAccessKeyID": "ASIAU7JNXC7K23F6CKNT",
  "UserAccountID": "342082656213",
  "UserAgent": "EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.122-66.218.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.292-b10 java/1.8.0_292 vendor/Oracle_Corporation cfg/retry-mode/legacy",
  "UserName": "-",
  "UserPrincipalID": "342082656213",
  "UserType": "Root"
}
{
  "AWS-Region": "us-west-1",
  "EventID": "6604bfef-0dcc-4c7a-9e37-61b60a7598a0",
  "EventName": "DescribeAvailabilityZones",
  "EventSource": "ec2.amazonaws.com",
  "Level": "medium",
  "Request": "{availabilityZoneIdSet: {}, availabilityZoneSet: {}}",
  "Response": "",
  "RuleAuthor": "vitaliy0x1",
  "RuleID": "8ad1600d-e9dc-4251-b0ee-a65268f29add",
  "RuleTitle": "AWS Root Credentials",
  "SessionContext": "-",
  "SrcIP": "96.253.26.224",

Since there's also the -R option (for those who want more accurate results), I think this string format might be acceptable as well...?🤔
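As an added example, not code from the issue or from the project: a small Python rendering of the `raw.` profile notation proposed in the first comment, shown against the string output in the second. A selector beginning with `raw.` is serialized to a one-line JSON string (valid, re-parseable JSON rather than the `{key: value}` form above) and then escaped correctly for both CSV and JSON output. The profile, the event record and the `-` placeholder for absent fields are constructed for the demo.

```python
import csv
import io
import json

# Constructed CloudTrail-style record (sample data, not taken from the issue).
SAMPLE_EVENT = {
    "eventName": "CreateRouteTable",
    "requestParameters": {"vpcId": "vpc-0123456789abcdef0", "tagSpecificationSet": {}},
    "responseElements": {"routeTable": {"routeTableId": "rtb-0123456789abcdef0",
                         "tagSet": {"items": [{"key": "Name", "value": 'demo, "quoted"'}]}}},
    "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
}

# Hypothetical profile in the proposed notation: a leading "raw." means
# "emit the nested value as a JSON string" instead of converting it with str().
PROFILE = {
    "EventName": ".eventName",
    "Request": "raw.requestParameters",
    "Response": "raw.responseElements",
    "SessionContext": "raw.userIdentity.sessionContext",
    "UserType": ".userIdentity.type",
    "SrcIP": ".sourceIPAddress",  # absent in the sample, so it renders as "-"
}

def lookup(event, path):
    # Walk a dotted path such as ".userIdentity.type"; None if any segment is missing.
    node = event
    for key in path.split(".")[1:]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def render(event, profile):
    row = {}
    for column, selector in profile.items():
        raw = selector.startswith("raw.")
        value = lookup(event, selector[3:] if raw else selector)  # "raw.x" -> ".x"
        if value is None:
            row[column] = "-"  # placeholder for fields the event does not carry
        elif raw:
            row[column] = json.dumps(value, separators=(",", ":"))  # compact, single line
        else:
            row[column] = str(value)
    return row

def to_csv_line(row):
    # The csv module quotes fields containing commas or quotes and doubles inner quotes.
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row.values())
    return buf.getvalue()

def csv_roundtrip(row):
    # Parse the CSV line back; equal to list(row.values()) if escaping was correct.
    return next(csv.reader([to_csv_line(row)]))

def json_roundtrip(row):
    # json.dumps escapes the embedded quotes of the raw JSON strings; loads restores them.
    return json.loads(json.dumps(row))
```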
