Do you think it would be possible to add support for the GuardDuty finding message format? The notification arrives as a CloudWatch Events / EventBridge envelope (`source: aws.guardduty`, `detail-type: GuardDuty Finding`) with the actual finding JSON in the `detail` field, so the parser would need to unwrap that envelope first. Using the notification as-is, the sample output from GuardDuty looks like this (note this is a generated sample finding — `"sample":true`, placeholder `GeneratedFinding*` values and a documentation IP — so real findings carry live principal names, access key IDs and source addresses in the same fields):
Message Description version: 0 id: 94fc31e1-8e7f-0234-12d6-4baa425fe901 detail-type: GuardDuty Finding source: aws.guardduty account: *** time: 2019-03-02T21:25:06Z region: eu-west-1 resources: [] detail: {"schemaVersion":"2.0","accountId":"***","region":"eu-west-1","partition":"aws","id":"00b4a024780657c85f1befc2286e957f","arn":"arn:aws:guardduty:eu-west-1:***:detector/1cb46e3bff812aa163e14334dd9751b4/finding/00b4a024780657c85f1befc2286e957f","type":"Persistence:IAMUser/NetworkPermissions","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"IAMUser","userName":"GeneratedFindingUserName"}},"service":{"serviceName":"guardduty","detectorId":"1cb46e3bff812aa163e14334dd9751b4","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"recentApiCalls":[{"api":"GeneratedFindingAPIName1","count":2},{"api":"GeneratedFindingAPIName2","count":2}],"sample":true},"eventFirstSeen":"2019-03-02T21:21:55.724Z","eventLastSeen":"2019-03-02T21:21:55.724Z","archived":false,"count":1},"severity":5,"createdAt":"2019-03-02T21:21:55.724Z","updatedAt":"2019-03-02T21:21:55.724Z","title":"Unusual changes to network permissions by GeneratedFindingUserName.","description":"APIs commonly used to change the network access permissions for security groups, routes and ACLs, was invoked by IAM principal GeneratedFindingUserName. Such activity is not typically seen from this principal."}
Hi,
Do you think it would be possible to add support for the GuardDuty finding message format? The notification arrives as a CloudWatch Events / EventBridge envelope (`source: aws.guardduty`, `detail-type: GuardDuty Finding`) with the actual finding JSON in the `detail` field, so the parser would need to unwrap that envelope first. Using the notification as-is, the sample output from GuardDuty looks like this (note this is a generated sample finding — `"sample":true`, placeholder `GeneratedFinding*` values and a documentation IP — so real findings carry live principal names, access key IDs and source addresses in the same fields):
Message Description version: 0 id: 94fc31e1-8e7f-0234-12d6-4baa425fe901 detail-type: GuardDuty Finding source: aws.guardduty account: *** time: 2019-03-02T21:25:06Z region: eu-west-1 resources: [] detail: {"schemaVersion":"2.0","accountId":"***","region":"eu-west-1","partition":"aws","id":"00b4a024780657c85f1befc2286e957f","arn":"arn:aws:guardduty:eu-west-1:***:detector/1cb46e3bff812aa163e14334dd9751b4/finding/00b4a024780657c85f1befc2286e957f","type":"Persistence:IAMUser/NetworkPermissions","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"IAMUser","userName":"GeneratedFindingUserName"}},"service":{"serviceName":"guardduty","detectorId":"1cb46e3bff812aa163e14334dd9751b4","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"recentApiCalls":[{"api":"GeneratedFindingAPIName1","count":2},{"api":"GeneratedFindingAPIName2","count":2}],"sample":true},"eventFirstSeen":"2019-03-02T21:21:55.724Z","eventLastSeen":"2019-03-02T21:21:55.724Z","archived":false,"count":1},"severity":5,"createdAt":"2019-03-02T21:21:55.724Z","updatedAt":"2019-03-02T21:21:55.724Z","title":"Unusual changes to network permissions by GeneratedFindingUserName.","description":"APIs commonly used to change the network access permissions for security groups, routes and ACLs, was invoked by IAM principal GeneratedFindingUserName. Such activity is not typically seen from this principal."}