fix(plugins/cloudtrail): support for assumedrole in cloudtrail

[fcracker79]

What type of PR is this?

/kind bug
/area plugins

What this PR does / why we need it:
The PR ensures that the ct.user field is correctly populated in case of assumed role.
It does the following attempts:

1. Takes the userIdentity.arn field and extracts the session name
2. If not valid/missing, takes the userIdentity.principalId and takes the role session name
3. If not valid/missing, takes the original userIdentity.sessionContext.sessionIssuer.userName field

[poiana]

Welcome @fcracker79! It looks like this is your first PR to falcosecurity/plugins 🎉

[poiana]

@legobrick: changing LGTM is restricted to collaborators

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ekoops]

Hey, thank you for this contribution! 😄
This introduces a change in the field, behaviour, so we should document it in

plugins/plugins/cloudtrail/pkg/cloudtrail/extract.go

Line 41 in e0a957a

{Type: "string", Name: "ct.user", Display: "User Name", Desc: "the user of the cloudtrail event (userIdentity.userName in the json).", Properties: []string{"conversation"}},

.
Could you please modify the field description and re-generate the couldtrail plugin's README.md accordingly?

[ekoops]

Thank you! 😄
/approve

[poiana]

LGTM label has been added.

Details

Git tree hash: 3ec49c510cfb57717d7f7cd9e5ffe5b001908c81

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, fcracker79, legobrick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ekoops]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment