Collect AWS GuardDuty logs
This document describes how you can collect AWS GuardDuty logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GUARDDUTY ingestion label.
Before you begin
- Ensure that an AWS S3 bucket is created. To create the AWS S3 bucket, see Create your first S3 bucket.
- Ensure that a KMS key is created. To create the KMS key, see Creating asymmetric KMS keys.
- Ensure that AWS GuardDuty has permission to access the KMS key. To grant access to the KMS key, see Exporting findings. GuardDuty encrypts the findings data in your bucket by using an AWS KMS key.
Configure AWS GuardDuty
To configure AWS GuardDuty, do the following:
- Sign in to the AWS console.
- Search for GuardDuty.
- Select Settings.
In the Finding export option section, do the following:
- From the Frequency for updated findings list, select Update CWE and S3 every 15 minutes. This frequency applies only to updated findings; new findings are exported 5 minutes after they are created.
- In the S3 bucket section, select the S3 bucket in which you want to export the GuardDuty findings.
- In the Log file prefix section, provide the log file prefix.
- In the KMS encryption section, select the KMS encryption.
- From the Key alias list, select the key.
- Click Save.
After the log files are stored in the S3 bucket, create an SQS queue and attach it to the S3 bucket.
Sample KMS policy
The following is a sample KMS key policy statement:

```json
{
  "Sid": "Allow GuardDuty to encrypt findings",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.AWS_REGION.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "KEY_ARN"
}
```
Replace the following:
- AWS_REGION: the chosen region.
- KEY_ARN: Amazon Resource Name (ARN) of the KMS key.
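The statement above grants exactly two actions to one regional service principal on one key. The following Python is an added example (not code from this page, from Google Security Operations or from AWS): it renders that statement for a given region and key ARN, and then checks a key policy document for GuardDuty statements that grant more than that, such as a wildcard action or a `Resource` of `*`. The function names, the region, the key ARN and the sample policy document are all constructed for illustration.

```python
import json
import re

# Constructed placeholders (not real resources) used by the checks below.
REGION = "us-east-1"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# The only permissions the page's sample statement grants to GuardDuty.
GUARDDUTY_KMS_ACTIONS = {"kms:Encrypt", "kms:GenerateDataKey"}
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def guardduty_kms_statement(region: str, key_arn: str) -> dict:
    """Render the page's sample statement with AWS_REGION and KEY_ARN filled in."""
    return {
        "Sid": "Allow GuardDuty to encrypt findings",
        "Effect": "Allow",
        "Principal": {"Service": f"guardduty.{region}.amazonaws.com"},
        "Action": sorted(GUARDDUTY_KMS_ACTIONS),
        "Resource": key_arn,
    }


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_guardduty_kms_statement(statement: dict, region: str, key_arn: str) -> list:
    """Return the least-privilege problems found in one GuardDuty policy statement.

    An empty list means the statement grants exactly what the page describes:
    Encrypt and GenerateDataKey, to the regional GuardDuty principal, on one key.
    """
    problems = []
    if statement.get("Effect") != "Allow":
        problems.append("Effect is not Allow")

    principal = statement.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    expected = f"guardduty.{region}.amazonaws.com"
    if principal == "*" or not services:
        problems.append("Principal is a wildcard or not a service principal")
    elif expected not in services:
        problems.append(f"Principal does not include {expected}")
    elif len(services) > 1:
        problems.append("Principal grants other services besides GuardDuty")

    actions = set(_as_list(statement.get("Action", [])))
    wildcard = {a for a in actions if a.endswith("*")}
    extra = actions - GUARDDUTY_KMS_ACTIONS - wildcard
    if wildcard:
        problems.append(f"Wildcard actions: {sorted(wildcard)}")
    if extra:
        problems.append(f"Actions beyond Encrypt/GenerateDataKey: {sorted(extra)}")
    if not wildcard and not actions & GUARDDUTY_KMS_ACTIONS:
        problems.append("No GuardDuty encryption action granted")

    resources = _as_list(statement.get("Resource", []))
    if not resources or not all(KEY_ARN_RE.match(str(r)) for r in resources):
        problems.append("Resource is not scoped to a specific KMS key ARN")
    if key_arn not in resources:
        problems.append("Resource does not name the expected key")
    return problems


def check_key_policy(policy_json: str, region: str, key_arn: str) -> dict:
    """Check every GuardDuty statement in a key policy; returns {Sid: [problems]}."""
    policy = json.loads(policy_json)
    report = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if "guardduty" not in json.dumps(stmt.get("Principal", {})).lower():
            continue  # statements for other principals are out of scope here
        report[stmt.get("Sid", f"statement-{i}")] = check_guardduty_kms_statement(stmt, region, key_arn)
    return report


# Constructed key policy: the page's statement, an over-broad GuardDuty statement
# (wildcard action and resource) and an unrelated account-root statement.
OVERBROAD_STATEMENT = {
    "Sid": "GuardDuty too broad",
    "Effect": "Allow",
    "Principal": {"Service": f"guardduty.{REGION}.amazonaws.com"},
    "Action": "kms:*",
    "Resource": "*",
}
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        guardduty_kms_statement(REGION, KEY_ARN),
        OVERBROAD_STATEMENT,
    ],
})

if __name__ == "__main__":
    for sid, problems in check_key_policy(SAMPLE_KEY_POLICY, REGION, KEY_ARN).items():
        print(sid, "->", problems or "OK")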
Check the required IAM user and KMS key policies for S3, SQS, and KMS.
Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:
- For information about any logging sources, see AWS Identity and Access Management endpoints and quotas.
- For information about S3 logging sources, see Amazon Simple Storage Service endpoints and quotas.
- For information about SQS logging sources, see Amazon Simple Queue Service endpoints and quotas.
Configure a feed in Google Security Operations to ingest AWS GuardDuty logs
- From the Google Security Operations menu, select Settings.
- Click Feeds.
- Click Add new.
- Select Amazon S3 or Amazon SQS as the Source type.
- Select GuardDuty as the Log type.
- Click Next.
- Google Security Operations supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
Based on the AWS GuardDuty configuration that you created, specify values for the following fields.
- If using Amazon S3:
  - Region
  - S3 URI
  - URI is a
  - Source deletion option
- If using Amazon SQS:
  - Region
  - Queue name
  - Account number
  - Queue access key ID
  - Queue secret access key
  - Source deletion option
Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
UDM mapping
This parser code processes AWS GuardDuty findings in JSON format, extracting relevant fields and mapping them to a unified data model (UDM). It performs data transformations, including string replacements, merging arrays, and converting data types, to create a structured representation of the security event for analysis and correlation.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
accountId | principal.group.product_object_id | The AWS account ID associated with the finding. |
additionalInfo.portsScannedSample | event.idm.read_only_udm.about.port | List of ports scanned during a port sweep. |
additionalInfo.sample | security_result.about.labels.value | Indicates whether the finding is a sample finding. |
additionalInfo.threatListName | security_result.threat_feed_name | The name of the threat list that triggered the finding. |
additionalInfo.threatName | security_result.threat_name | The name of the threat that triggered the finding. |
additionalInfo.userAgent.fullUserAgent | network.http.user_agent | The full user agent string associated with the finding. |
additionalInfo.userAgent.userAgentCategory | security_result.detection_fields.value | The category of the user agent associated with the finding. |
arn | target.asset.attribute.cloud.project.product_object_id | The Amazon Resource Name (ARN) of the finding. |
detail.accountId | principal.group.product_object_id | The AWS account ID associated with the finding. |
detail.description | security_result.description | A detailed description of the finding. |
detail.id | target.asset.attribute.cloud.project.id | A unique ID for the finding. |
detail.resource.accessKeyDetails | principal.user | Details about the AWS access key involved in the finding. |
detail.resource.accessKeyDetails.accessKeyId | principal.user.userid | The ID of the AWS access key involved in the finding. |
detail.resource.accessKeyDetails.principalId | principal.user.userid | The principal ID of the AWS access key involved in the finding. |
detail.resource.accessKeyDetails.userType | principal.user.attribute.roles.name | The type of user associated with the AWS access key involved in the finding. |
detail.resource.accessKeyDetails.userName | principal.user.user_display_name | The name of the user associated with the AWS access key involved in the finding. |
detail.resource.s3BucketDetails.0.arn | target.resource.name | The ARN of the S3 bucket involved in the finding. |
detail.resource.s3BucketDetails.0.defaultServerSideEncryption.encryptionType | network.tls.client.supported_ciphers | The type of server-side encryption used for the S3 bucket involved in the finding. |
detail.resource.s3BucketDetails.0.name | target.resource.name | The name of the S3 bucket involved in the finding. |
detail.resource.s3BucketDetails.0.owner.id | target.resource.attribute.labels.value | The ID of the owner of the S3 bucket involved in the finding. |
detail.resource.s3BucketDetails.0.publicAccess.effectivePermission | target.resource.attribute.labels.value | The effective permission of the S3 bucket involved in the finding. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the access control list (ACL) allows public read access. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the access control list (ACL) allows public write access. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the bucket policy allows public read access. |
detail.resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the bucket policy allows public write access. |
detail.resource.s3BucketDetails.0.type | target.resource.attribute.labels.value | The type of S3 bucket involved in the finding. |
detail.service.action.actionType | principal.group.attribute.labels.value | The type of action associated with the finding. |
detail.service.action.awsApiCallAction.api | principal.application | The name of the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.callerType | principal.group.attribute.labels.value | The type of caller that made the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.domainDetails.domain | network.dns.questions.name | The domain name associated with the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address that made the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat | target.location.region_latitude | The latitude of the remote IP address that made the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon | target.location.region_longitude | The longitude of the remote IP address that made the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | target.ip | The IP address that made the AWS API call involved in the finding. |
detail.service.action.awsApiCallAction.serviceName | metadata.description | The name of the AWS service involved in the finding. |
detail.service.action.dnsRequestAction.blocked | security_result.action | Whether the DNS request was blocked. |
detail.service.action.dnsRequestAction.domain | principal.administrative_domain | The domain name associated with the DNS request involved in the finding. |
detail.service.action.dnsRequestAction.protocol | network.ip_protocol | The protocol used for the DNS request involved in the finding. |
detail.service.action.networkConnectionAction.blocked | security_result.action | Whether the network connection was blocked. |
detail.service.action.networkConnectionAction.connectionDirection | network.direction | The direction of the network connection involved in the finding. |
detail.service.action.networkConnectionAction.localIpDetails.ipAddressV4 | principal.ip | The local IP address involved in the network connection. |
detail.service.action.networkConnectionAction.localPortDetails.port | principal.port | The local port involved in the network connection. |
detail.service.action.networkConnectionAction.localPortDetails.portName | principal.application | The name of the local port involved in the network connection. |
detail.service.action.networkConnectionAction.protocol | network.ip_protocol | The protocol used for the network connection involved in the finding. |
detail.service.action.networkConnectionAction.remoteIpDetails.city.cityName | target.location.city | The city name associated with the remote IP address involved in the network connection. |
detail.service.action.networkConnectionAction.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address involved in the network connection. |
detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | target.ip | The remote IP address involved in the network connection. |
detail.service.action.networkConnectionAction.remotePortDetails.port | target.port | The remote port involved in the network connection. |
detail.service.action.networkConnectionAction.remotePortDetails.portName | target.application | The name of the remote port involved in the network connection. |
detail.service.action.portProbeAction.blocked | security_result.action | Whether the port probe was blocked. |
detail.service.action.portProbeAction.portProbeDetails.0.localPortDetails.port | target.port | The local port that was probed. |
detail.service.action.portProbeAction.portProbeDetails.0.localPortDetails.portName | principal.application | The name of the local port that was probed. |
detail.service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.city.cityName | target.location.city | The city name associated with the remote IP address that performed the port probe. |
detail.service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address that performed the port probe. |
detail.service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lat | target.location.region_latitude | The latitude of the remote IP address that performed the port probe. |
detail.service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lon | target.location.region_longitude | The longitude of the remote IP address that performed the port probe. |
detail.service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4 | target.ip | The remote IP address that performed the port probe. |
detail.service.additionalInfo.threatListName | security_result.threat_feed_name | The name of the threat list that triggered the finding. |
detail.service.additionalInfo.threatName | security_result.threat_name | The name of the threat that triggered the finding. |
detail.service.additionalInfo.userAgent.fullUserAgent | network.http.user_agent | The full user agent string associated with the finding. |
detail.service.additionalInfo.userAgent.userAgentCategory | security_result.detection_fields.value | The category of the user agent associated with the finding. |
detail.service.additionalInfo.value | security_result.about.resource.attribute.labels.value | Additional information about the finding. |
detail.title | security_result.summary | A short title for the finding. |
detail.type | metadata.product_event_type | The type of finding. |
detail.updatedAt | metadata.event_timestamp | The time the finding was last updated. |
detail-type | event.idm.read_only_udm.additional.fields.value.string_value | The type of event that triggered the finding. |
partition | target.asset.attribute.cloud.project.type | The AWS partition that the finding occurred in. |
resource.accessKeyDetails | principal.user | Details about the AWS access key involved in the finding. |
resource.accessKeyDetails.accessKeyId | principal.user.userid | The ID of the AWS access key involved in the finding. |
resource.accessKeyDetails.principalId | principal.user.userid | The principal ID of the AWS access key involved in the finding. |
resource.accessKeyDetails.userType | principal.user.attribute.roles.name | The type of user associated with the AWS access key involved in the finding. |
resource.accessKeyDetails.userName | principal.user.user_display_name | The name of the user associated with the AWS access key involved in the finding. |
resource.instanceDetails.availabilityZone | target.asset.attribute.cloud.availability_zone | The availability zone of the EC2 instance involved in the finding. |
resource.instanceDetails.imageDescription | event.idm.read_only_udm.principal.resource.attribute.labels.value | The description of the AMI used to launch the EC2 instance involved in the finding. |
resource.instanceDetails.imageId | event.idm.read_only_udm.additional.fields.value.string_value | The ID of the AMI used to launch the EC2 instance involved in the finding. |
resource.instanceDetails.iamInstanceProfile.arn | target.resource.attribute.labels.value | The ARN of the IAM instance profile associated with the EC2 instance involved in the finding. |
resource.instanceDetails.iamInstanceProfile.id | target.resource.attribute.labels.value | The ID of the IAM instance profile associated with the EC2 instance involved in the finding. |
resource.instanceDetails.instanceId | target.resource.product_object_id | The ID of the EC2 instance involved in the finding. |
resource.instanceDetails.instanceState | target.resource.attribute.labels.value | The state of the EC2 instance involved in the finding. |
resource.instanceDetails.instanceType | target.resource.attribute.labels.value | The type of the EC2 instance involved in the finding. |
resource.instanceDetails.launchTime | target.resource.attribute.creation_time | The time the EC2 instance involved in the finding was launched. |
resource.instanceDetails.networkInterfaces.0.networkInterfaceId | target.resource.attribute.labels.value | The ID of the network interface associated with the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.privateDnsName | target.resource.attribute.labels.value | The private DNS name of the network interface associated with the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.publicDnsName | target.resource.attribute.labels.value | The public DNS name of the network interface associated with the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.publicIp | principal.ip | The public IP address of the network interface associated with the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.privateIpAddress | principal.ip | The private IP address of the network interface associated with the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.securityGroups.0.groupId | target.user.group_identifiers | The ID of the security group associated with the network interface of the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.securityGroups.0.groupName | target.user.group_identifiers | The name of the security group associated with the network interface of the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.subnetId | target.resource.attribute.labels.value | The ID of the subnet associated with the network interface of the EC2 instance involved in the finding. |
resource.instanceDetails.networkInterfaces.0.vpcId | target.asset.attribute.cloud.vpc.id | The ID of the VPC associated with the network interface of the EC2 instance involved in the finding. |
resource.instanceDetails.outpostArn | target.resource.attribute.labels.value | The ARN of the outpost associated with the EC2 instance involved in the finding. |
resource.instanceDetails.platform | target.asset.platform_software.platform_version | The platform of the EC2 instance involved in the finding. |
resource.instanceDetails.productCodes.0.productCodeType | target.resource.type | The type of product code associated with the EC2 instance involved in the finding. |
resource.instanceDetails.tags | target.asset.attribute.labels | The tags associated with the EC2 instance involved in the finding. |
resource.kubernetesDetails.kubernetesUserDetails.username | principal.user.userid | The username of the Kubernetes user involved in the finding. |
resource.rdsDbInstanceDetails.dbClusterIdentifier | event.idm.read_only_udm.target.resource_ancestors.product_object_id | The identifier of the RDS DB cluster involved in the finding. |
resource.rdsDbInstanceDetails.dbInstanceArn | target.resource.name | The ARN of the RDS DB instance involved in the finding. |
resource.rdsDbInstanceDetails.dbInstanceIdentifier | target.resource.product_object_id | The identifier of the RDS DB instance involved in the finding. |
resource.rdsDbUserDetails.user | principal.user.userid | The username of the RDS DB user involved in the finding. |
resource.resourceType | target.resource.resource_subtype | The type of resource involved in the finding. |
resource.s3BucketDetails | principal.resource.attribute.labels | Details about the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.arn | target.resource.name | The ARN of the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.createdAt | event.idm.read_only_udm.principal.resource.attribute.labels.value | The time the S3 bucket involved in the finding was created. |
resource.s3BucketDetails.0.defaultServerSideEncryption.encryptionType | network.tls.client.supported_ciphers | The type of server-side encryption used for the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.name | target.resource.name | The name of the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.owner.id | target.resource.attribute.labels.value | The ID of the owner of the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.publicAccess.effectivePermission | target.resource.attribute.labels.value | The effective permission of the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the account. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the access control list (ACL) allows public read access. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the access control list (ACL) allows public write access. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets | event.idm.read_only_udm.additional.fields.value.bool_value | Whether public access blocks are enabled for the bucket. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the bucket policy allows public read access. |
resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess | event.idm.read_only_udm.additional.fields.value.bool_value | Whether the bucket policy allows public write access. |
resource.s3BucketDetails.0.tags | event.idm.read_only_udm.principal.resource.attribute.labels | The tags associated with the S3 bucket involved in the finding. |
resource.s3BucketDetails.0.type | target.resource.attribute.labels.value | The type of S3 bucket involved in the finding. |
service.action.actionType | principal.group.attribute.labels.value | The type of action associated with the finding. |
service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail | event.idm.read_only_udm.principal.resource.attribute.labels.value | The name of the AWS CloudTrail trail involved in the finding. |
service.action.awsApiCallAction.affectedResources.AWS_S3_Bucket | event.idm.read_only_udm.principal.resource.attribute.labels.value | The name of the S3 bucket involved in the finding. |
service.action.awsApiCallAction.api | principal.application | The name of the AWS API call involved in the finding. |
service.action.awsApiCallAction.callerType | principal.group.attribute.labels.value | The type of caller that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.domainDetails.domain | network.dns.questions.name | The domain name associated with the AWS API call involved in the finding. |
service.action.awsApiCallAction.errorCode | security_result.rule_type | The error code associated with the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat | target.location.region_latitude | The latitude of the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon | target.location.region_longitude | The longitude of the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 | target.ip | The IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.organization.asn | event.idm.read_only_udm.additional.fields.value.string_value | The Autonomous System Number (ASN) of the organization associated with the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg | event.idm.read_only_udm.additional.fields.value.string_value | The name of the organization associated with the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.organization.isp | event.idm.read_only_udm.additional.fields.value.string_value | The name of the internet service provider (ISP) associated with the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.remoteIpDetails.organization.org | event.idm.read_only_udm.additional.fields.value.string_value | The name of the organization associated with the remote IP address that made the AWS API call involved in the finding. |
service.action.awsApiCallAction.serviceName | metadata.description | The name of the AWS service involved in the finding. |
service.action.dnsRequestAction.blocked | security_result.action | Whether the DNS request was blocked. |
service.action.dnsRequestAction.domain | principal.administrative_domain | The domain name associated with the DNS request involved in the finding. |
service.action.dnsRequestAction.protocol | network.ip_protocol | The protocol used for the DNS request involved in the finding. |
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address that made the Kubernetes API call involved in the finding. |
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat | target.location.region_latitude | The latitude of the remote IP address that made the Kubernetes API call involved in the finding. |
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon | target.location.region_longitude | The longitude of the remote IP address that made the Kubernetes API call involved in the finding. |
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 | target.ip | The IP address that made the Kubernetes API call involved in the finding. |
service.action.networkConnectionAction.blocked | security_result.action | Whether the network connection was blocked. |
service.action.networkConnectionAction.connectionDirection | network.direction | The direction of the network connection involved in the finding. |
service.action.networkConnectionAction.localIpDetails.ipAddressV4 | principal.ip | The local IP address involved in the network connection. |
service.action.networkConnectionAction.localPortDetails.port | principal.port | The local port involved in the network connection. |
service.action.networkConnectionAction.localPortDetails.portName | principal.application | The name of the local port involved in the network connection. |
service.action.networkConnectionAction.protocol | network.ip_protocol | The protocol used for the network connection involved in the finding. |
service.action.networkConnectionAction.remoteIpDetails.city.cityName | target.location.city | The city name associated with the remote IP address involved in the network connection. |
service.action.networkConnectionAction.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address involved in the network connection. |
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 | target.ip | The remote IP address involved in the network connection. |
service.action.networkConnectionAction.remotePortDetails.port | target.port | The remote port involved in the network connection. |
service.action.networkConnectionAction.remotePortDetails.portName | target.application | The name of the remote port involved in the network connection. |
service.action.portProbeAction.blocked | security_result.action | Whether the port probe was blocked. |
service.action.portProbeAction.portProbeDetails.0.localPortDetails.port | target.port | The local port that was probed. |
service.action.portProbeAction.portProbeDetails.0.localPortDetails.portName | principal.application | The name of the local port that was probed. |
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.city.cityName | target.location.city | The city name associated with the remote IP address that performed the port probe. |
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.country.countryName | target.location.country_or_region | The country name associated with the remote IP address that performed the port probe. |
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lat | target.location.region_latitude | The latitude of the remote IP address that performed the port probe. |
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lon | target.location.region_longitude | The longitude of the remote IP address that performed the port probe. |
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4 | target.ip | The remote IP address that performed the port probe. |
service.additionalInfo.portsScannedSample | event.idm.read_only_udm.about.port | A sample of the ports that were scanned. |
service.additionalInfo.recentCredentials | event.idm.read_only_udm.intermediary | A list of recent credentials that were used. |
service.additionalInfo.sample | security_result.about.labels.value | Indicates whether the finding is a sample finding. |
service.additionalInfo.threatListName | security_result.threat_feed_name | The name of the threat list that triggered the finding. |
service.additionalInfo.threatName | security_result.threat_name | The name of the threat that triggered the finding. |
service.additionalInfo.userAgent.fullUserAgent | network.http.user_agent | The full user agent string associated with the finding. |
service.additionalInfo.userAgent.userAgentCategory | security_result.detection_fields.value | The category of the user agent associated with the finding. |
service.additionalInfo.value | security_result.about .resource.attribute.labels.value |
Additional information about the finding. |
service.archived | event.idm.read_only_udm .additional.fields.value.bool_value |
Whether the finding is archived. |
service.count | event.idm.read_only_udm .principal.resource.attribute.labels.value |
The number of times the event occurred. |
service.detectorId | event.idm.read_only_udm .additional.fields.value.string_value |
The ID of the GuardDuty detector that generated the finding. |
service.ebsVolumeScanDetails .scanDetections .threatDetectedByName.itemCount |
The total number of threats detected during the EBS volume scan. |
Changes
2024-03-11
- Mapped "service.action.awsApiCallAction.domainDetails.domain" to "network.dns.questions.name".
2024-03-05
- Mapped "service.additionalInfo.value" to "security_result.about.labels".
- Mapped "service.additionalInfo.value" to "security_result.about.resource.attribute.labels".
- Mapped "service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail" to "principal.resource.attribute.labels".
2024-02-26
- Bug Fix:
  - Mapped "resource.eksClusterDetails.createdAt" to "target.resource.attribute.labels".
  - Mapped "resource.s3BucketDetails.createdAt" to "principal.resource.attribute.labels".
  - Mapped "resource.eksClusterDetails.tags" to "target.resource.attribute.labels".
  - Mapped "resource.s3BucketDetails.tags" to "principal.resource.attribute.labels".
  - If "type" is similar to ":Kubernetes" or ":S3", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
  - If "service.action.actionType" is similar to "AWS_API_CALL" or "KUBERNETES_API_CALL", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
  - If "service.action.actionType" is similar to "DNS_REQUEST", then mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".
2023-08-18
- Mapped fields "security_result.attack_details.tactics", "security_result.attack_details.techniques" based on field "type".
- Mapped 'metadata.event_type' to more specific event_types wherever possible instead of GENERIC_EVENT.
- Mapped fields 'target.resource.resource_subtype', 'target.resource.resource_type' based on field "type".
- For all logs having the 'type' value ':EC2':
  - Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
  - Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
  - Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
- For all logs having the 'type' value ':RDSV':
  - Mapped 'resource.rdsDbInstanceDetails.dbInstanceIdentifier' to 'target.resource.product_object_id'.
  - Mapped 'resource.rdsDbInstanceDetails.dbInstanceArn' to 'target.resource.name'.
  - Mapped 'resource.rdsDbInstanceDetails.dbClusterIdentifier' to 'target.resource_ancestors.product_object_id'.
  - Mapped 'resource.rdsDbUserDetails.user' to 'principal.user.userid'.
- For all logs having the 'type' value ':Kubernetes':
  - Mapped 'resource.eksClusterDetails.arn' to 'target.resource.name'.
- For all logs having the 'type' value ':Runtime':
  - Mapped 'resource.eksClusterDetails.arn' to 'target.resource_ancestors.name'.
  - Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
  - Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
  - Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
- For all logs having the 'type' value ':IAMUser':
  - Mapped 'resource.accessKeyDetails.accessKeyId' to 'target.resource.product_object_id'.
  - Mapped 'resource.instanceDetails.instanceId' to 'target.resource_ancestors.product_object_id'.
- For all logs having the 'type' value ':S3':
  - Mapped 'resource.s3BucketDetails.arn' or 'resource.s3BucketDetails.name' to 'target.resource.name'.
2023-08-02
- If 'resource.instanceDetails.networkInterfaces' is empty, then mapped 'metadata.event_type' to 'GENERIC_EVENT'.
- If 'detail.resource.accessKeyDetails.principalId' or 'resource.accessKeyDetails.principalId' are empty, then mapped 'metadata.event_type' to 'USER_RESOURCE_ACCESS'.
2023-06-19
- Added "security_result.attack_details" based on "type".
2023-02-07
- Enhancement -
- Mapped "threatdetails.threatListName" to "security_result.threat_feed_name".
- Mapped "service.additionalInfo.threatName" to "security_result.threat_name".
- If "product_event_type" in ["Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/BlackholeTraffic!DNS"] then mapped "T1071" to "technique_label.value".
- If "product_event_type" in ["PenTest:IAMUser/KaliLinux", "PenTest:IAMUser/ParrotLinux", "PenTest:IAMUser/PentooLinux", "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux", "Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "UnauthorizedAccess:EC2/TorClient"] then mapped "T1078" to "technique_label.value".
- If "product_event_type" is "Discovery:IAMUser/AnomalousBehavior" then mapped "T1087" to "technique_label.value".
- If "product_event_type" is "Persistence:IAMUser/AnomalousBehavior" then mapped "T1098" to "technique_label.value".
- If "product_event_type" in ["UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"] then mapped "T1110" to "technique_label.value".
- If "product_event_type" in ["InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller"] then mapped "T1133" to "technique_label.value".
- If "product_event_type" is "Trojan:EC2/DriveBySourceTraffic!DNS" then mapped "T1189" to "technique_label.value".
- If "product_event_type" is "PrivilegeEscalation:IAMUser/AnomalousBehavior" then mapped "T1484" to "technique_label.value".
- If "product_event_type" in ["Backdoor:EC2/Spambot", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Impact:EC2/AbusedDomainRequest.Reputation", "Impact:EC2/BitcoinDomainRequest.Reputation", "Impact:EC2/MaliciousDomainRequest.Reputation", "Impact:EC2/PortSweep", "Impact:EC2/SuspiciousDomainRequest.Reputation", "Impact:EC2/WinRMBruteForce", "UnauthorizedAccess:EC2/TorRelay"] then mapped "T1496" to "technique_label.value".
- If "product_event_type" in ["Backdoor:EC2/DenialOfService.Dns", "Backdoor:EC2/DenialOfService.Tcp", "Backdoor:EC2/DenialOfService.Udp", "Backdoor:EC2/DenialOfService.UdpOnTcpPorts", "Backdoor:EC2/DenialOfService.UnusualProtocol"] then mapped "T1498" to "technique_label.value".
- If "product_event_type" in ["Discovery:S3/MaliciousIPCaller", "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller"] then mapped "T1526" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B" then mapped "T1538" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" then mapped "T1552" to "technique_label.value".
- If "product_event_type" is "CredentialAccess:IAMUser/AnomalousBehavior" then mapped "T1555" to "technique_label.value".
- If "product_event_type" in ["DefenseEvasion:IAMUser/AnomalousBehavior", "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted", "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted", "Stealth:IAMUser/CloudTrailLoggingDisabled", "Stealth:IAMUser/PasswordPolicyChange", "Stealth:S3/ServerAccessLoggingDisabled"] then mapped "T1562" to "technique_label.value".
- If "product_event_type" in ["Impact:IAMUser/AnomalousBehavior", "Impact:S3/MaliciousIPCaller"] then mapped "T1565" to "technique_label.value".
- If "product_event_type" is "Trojan:EC2/PhishingDomainRequest!DNS" then mapped "T1566" to "technique_label.value".
- If "product_event_type" in ["Exfiltration:IAMUser/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller", "Exfiltration:S3/ObjectRead.Unusual", "Trojan:EC2/DNSDataExfiltration", "Trojan:EC2/DropPoint", "Trojan:EC2/DropPoint!DNS"] then mapped "T1567" to "technique_label.value".
- If "product_event_type" in ["Trojan:EC2/DGADomainRequest.C!DNS", "Trojan:EC2/DGADomainRequest.B"] then mapped "T1568" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:EC2/MetadataDNSRebind" then mapped "T1580" to "technique_label.
- If "product_event_type" in ["Recon:IAMUser/MaliciousIPCaller", "Recon:IAMUser/MaliciousIPCaller.Custom", "Recon:IAMUser/TorIPCaller"] then mapped "T1589" to "technique_label.value".
- If "product_event_type" in ["Recon:EC2/PortProbeEMRUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"] then mapped "T1595" to "technique_label.value".
- If [technique_label][value] in ["T1595", "T1592", "T1589", "T1590", "T1591", "T1598", "T1597", "T1596", "T1593", "T1594"] then mapped "Reconnaissance" to "tatic_label.value".
- If [technique_label][value] in ["T1583", "T1586", "T1584", "T1587", "T1585", "T1588"] then mapped "ResourceDevelopment" to "tatic_label.value".
- If [technique_label][value] in ["T1189", "T1190", "T1133", "T1200", "T1566", "T1091", "T1195", "T1199", "T1078"] then mapped "InitialAccess" to "tatic_label.value".
- If [technique_label][value] in ["T1059", "T1203", "T1559", "T1106", "T1053", "T1129", "T1072", "T1569", "T1204", "T1047"] then mapped "Execution" to "tatic_label.value".
- If [technique_label][value] in ["T1098", "T1197", "T1547", "T1037", "T1176", "T1554", "T1136", "T1543", "T1546", "T1133", "T1574", "T1525", "T1137", "T1542", "T1053", "T1505", "T1205", "T1078"] then mapped "Persistence" to "tatic_label.value".
- If [technique_label][value] in ["T1548", "T1134", "T1547", "T1037", "T1543", "T1484", "T1546", "T1068", "T1574", "T1055", "T1053", "T1078"] then mapped "PrivilegeEscalation" to "tatic_label.value".
- If [technique_label][value] in ["T1548", "T1134", "T1197", "T1140", "T1006", "T1484", "T1480", "T1211", "T1222", "T1564", "T1574", "T1562", "T1070", "T1202", "T1036", "T1556", "T1578", "T1112", "T1601", "T1599", "T1027", "T1542", "T1055", "T1207", "T1014", "T1218", "T1216", "T1553", "T1221", "T1205", "T1127", "T1535", "T1550", "T1078", "T1497", "T1600", "T1220"] then mapped "DefenseEvasion" to "tatic_label.value".
- If [technique_label][value] in ["T1110", "T1555", "T1212", "T1187", "T1606", "T1056", "T1557", "T1556", "T1040", "T1003", "T1528", "T1558", "T1539", "T1111", "T1552"] then mapped "CredentialAccess" to "tatic_label.value".
- If [technique_label][value] in ["T1087", "T1010", "T1217", "T1580", "T1538", "T1526", "T1482", "T1083", "T1046", "T1135", "T1040", "T1201", "T1120", "T1069", "T1057", "T1012", "T1018", "T1518", "T1082", "T1016", "T1049", "T1033", "T1007", "T1124", "T1497"] then mapped "Discovery" to "tatic_label.value".
- If [technique_label][value] in ["T1210", "T1534", "T1570", "T1563", "T1021", "T1091", "T1072", "T1080", "T1550"] then mapped "LateralMovement" to "tatic_label.value".
- If [technique_label][value] in ["T1560", "T1123", "T1119", "T1115", "T1530", "T1602", "T1213", "T1005", "T1039", "T1025", "T1074", "T1114", "T1056", "T1185", "T1557", "T1113", "T1125"] then mapped "Collection" to "tatic_label.value".
- If [technique_label][value] in ["T1071", "T1092", "T1132", "T1001", "T1568", "T1573", "T1008", "T1105", "T1104", "T1095", "T1571", "T1572", "T1090", "T1219", "T1205", "T1102"] then mapped "CommandAndControl" to "tatic_label.value".
- If [technique_label][value] in ["T1020", "T1030", "T1048", "T1041", "T1011", "T1052", "T1567", "T1029", "T1537"] then mapped "Exfiltration" to "tatic_label.value".
- If [technique_label][value] in ["T1531", "T1485", "T1486", "T1565", "T1491", "T1561", "T1499", "T1495", "T1490", "T1498", "T1496", "T1489", "T1529"] then mapped "Impact" to "tatic_label.value".
2022-11-10
- Enhancement
- Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash" to "principal.file.sha256".
- Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath" to "principal.file.full_path".
- Mapped "service.action.dnsRequestAction.domain" to "network.dns.questions.name".
- Mapped "resource.kubernetesDetails.kubernetesUserDetails.username" to "principal.user.userid".
2022-09-12
- Feature Request:
  - Mapped 'security_result.category', 'metadata.event_type', 'resource_type', and 'resource_subtype' appropriately for the log types 'IAM', 'S3', 'KUBERNETES', 'MALWARE', and 'EC2'.
2022-08-11
- Feature Request:
  - Replaced the 'GENERIC_EVENT' event_type with 'STATUS_UPDATE' or 'USER_RESOURCE_ACCESS'.
2022-07-20
- Changed mapping for "service.resourceRole" from "additional.resource_role" to "principal.resource.attribute.roles.name".
- Changed mapping for "service.count" from "additional.fields" to "principal.resource.attribute.label".
- Changed mapping for "resource.instanceDetails.imageDescription" from "additional.fields" to "principal.resource.attribute.label".
- If the "type" value is one of "Discovery:S3/MaliciousIPCaller", "Policy:S3/BucketPublicAccessGranted", "UnauthorizedAccess:S3/TorIPCaller", "Policy:S3/BucketAnonymousAccessGranted", or "UnauthorizedAccess:EC2/TorRelay":
  - Mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".
  - Mapped "resource.instanceDetails.instanceType" to "target.resource.name".
2022-07-08
- Modified mapping for "network_interface.securityGroups.0.groupId" from "target.user.groupid" to "target.user.group_identifiers".
2022-05-26
- Enhancement - Modified mappings for the following fields:
  - Changed mapping for field "region" from "target.location.country_or_region" to "target.location.name".
  - Changed mapping for field "resource.instanceDetails.tags[n]" from "additional.fields[n]" to "target.asset.attribute.labels[n]".
  - Mapped "service.action.networkConnectionAction.remoteIpDetails.country.countryName" to "target.location.country_or_region".
2022-05-27
- Enhancement - Modified the value stored in metadata.product_name to 'AWS GuardDuty' and metadata.vendor_name to 'AMAZON'.
2022-03-25
- Enhancement - The UDM port field is not a repeated field, so it cannot hold the many ports a single log can carry. This change uses about.port instead.
2022-03-31
- Enhancement:
  - If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown", the value is mapped to principal.application.
  - The entire list within the "tags" field is mapped to key-value fields.
  - "service.action.networkConnectionAction.protocol" mapped to network.ip_protocol.
  - "service.action.networkConnectionAction.blocked" mapped to security_result.action.
  - "severity" mapped to security_result.severity_details.
  - If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
  - In s3BucketDetails:
    - "arn" mapped to target.asset.attribute.cloud.project.product_object_id.
    - "name" mapped to target.resource.name.
    - "encryptionType" mapped to network.tls.supported_ciphers.
    - "owner.id" mapped to target.resource.attribute.labels.
  - Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
    - "allowsPublicReadAccess" mapped to additional.fields attribute.
    - "allowsPublicWriteAccess" mapped to additional.fields attribute.
  - Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
    - "allowsPublicReadAccess" mapped to additional.fields attribute.
    - "allowsPublicWriteAccess" mapped to additional.fields attribute.
  - Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
    - "ignorePublicAcls" mapped to additional.fields attribute.
    - "restrictPublicBuckets" mapped to additional.fields attribute.
    - "blockPublicAcls" mapped to additional.fields attribute.
    - "blockPublicPolicy" mapped to additional.fields attribute.
  - Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess:
    - "ignorePublicAcls" mapped to additional.fields attribute.
    - "restrictPublicBuckets" mapped to additional.fields attribute.
    - "blockPublicAcls" mapped to additional.fields attribute.
    - "blockPublicPolicy" mapped to additional.fields attribute.
  - Under service.action.awsApiCallAction.remoteIpDetails.organization:
    - "asn" mapped to additional.fields attribute.
    - "asnOrg" mapped to additional.fields attribute.
    - "isp" mapped to additional.fields attribute.
    - "org" mapped to additional.fields attribute.
  - Under service.action.awsApiCallAction.affectedResources, "AWS::S3::Bucket" mapped to additional.fields attribute.
  - If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
  - resource.instanceDetails.instanceId mapped to target.resource.id.
  - resource.instanceDetails.instanceType mapped to target.resource.name.
  - resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id.
  - Values under resource.instanceDetails.tags mapped to the following fields:
    - target.user.userid if the key is "ApplicationOwner".
    - target.application if the key is "Application".
    - user.email_addresses if the key is "Contact".
    - additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
  - service.action.dnsRequestAction.protocol mapped to network.ip_protocol if the value is not 0.
  - service.action.networkConnectionAction.blocked mapped to security_result.action.
  - "severity" mapped to security_result.severity_details.
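A small mapper that applies a subset of the rules recorded above (resource identity chosen by the ':EC2', ':IAMUser' or ':S3' segment of "type" from the 2023-08-18 entry, the portName "Unknown" and protocol 0 exclusions from the 2022-03-31 entry, and a handful of the 2023-02-07 technique/tactic mappings) to a constructed finding, so parser output can be checked against the documented behaviour. This is an added example, not the Google SecOps GUARDDUTY parser's code; the BLOCK/ALLOW values used for security_result.action are an assumption about how the boolean fills that UDM enum.

```python
# Added example (not the Google SecOps GUARDDUTY parser): applies a subset of the
# documented GuardDuty-to-UDM rules to a finding so that parser output can be
# compared against them. Sample data below is constructed, not real.

# Subset of the 2023-02-07 changelog: finding type -> technique -> tactic.
TECHNIQUE_BY_TYPE = {"UnauthorizedAccess:EC2/SSHBruteForce": "T1110",
                     "UnauthorizedAccess:EC2/RDPBruteForce": "T1110",
                     "Recon:EC2/Portscan": "T1595",
                     "Policy:S3/BucketPublicAccessGranted": "T1562"}
TACTIC_BY_TECHNIQUE = {"T1110": "CredentialAccess", "T1595": "Reconnaissance",
                       "T1562": "DefenseEvasion"}

def dig(obj, path, default=None):
    """Walk a dotted path such as 's3BucketDetails.0.arn' through dicts/lists."""
    for key in path.split("."):
        if isinstance(obj, list) and key.isdigit() and int(key) < len(obj):
            obj = obj[int(key)]
        elif isinstance(obj, dict):
            obj = obj.get(key)
        else:
            return default
        if obj is None:
            return default
    return obj

def normalize(finding):
    """Return {udm_field_path: value} for the documented rules covered here."""
    udm = {}
    ftype, res = finding.get("type", ""), finding.get("resource", {})
    # Which resource identifies the target depends on the ':EC2', ':IAMUser' or
    # ':S3' segment of 'type' (2023-08-18 changelog).
    if ":EC2/" in ftype:
        udm["target.resource.product_object_id"] = dig(res, "instanceDetails.instanceId")
        udm["target.resource.attribute.creation_time"] = dig(res, "instanceDetails.launchTime")
    elif ":IAMUser/" in ftype:
        udm["target.resource.product_object_id"] = dig(res, "accessKeyDetails.accessKeyId")
        udm["target.resource_ancestors.product_object_id"] = dig(res, "instanceDetails.instanceId")
    elif ":S3/" in ftype:  # bucket ARN preferred, bucket name as the fallback
        udm["target.resource.name"] = dig(res, "s3BucketDetails.0.arn") or dig(res, "s3BucketDetails.0.name")
    nca = dig(finding, "service.action.networkConnectionAction", {})
    if nca:
        # Assumption: the 'blocked' boolean fills the UDM action enum as BLOCK/ALLOW.
        udm["security_result.action"] = "BLOCK" if nca.get("blocked") else "ALLOW"
        udm["network.ip_protocol"] = nca.get("protocol")
        udm["target.ip"] = dig(nca, "remoteIpDetails.ipAddressV4")
        udm["target.location.country_or_region"] = dig(nca, "remoteIpDetails.country.countryName")
        port_name = dig(nca, "localPortDetails.portName")
        if port_name and port_name != "Unknown":  # 2022-03-31 rule
            udm["principal.application"] = port_name
    dns_proto = dig(finding, "service.action.dnsRequestAction.protocol")
    if dns_proto not in (None, 0):  # 2022-03-31 rule: a protocol of 0 is not mapped
        udm["network.ip_protocol"] = dns_proto
    technique = TECHNIQUE_BY_TYPE.get(ftype)
    if technique:
        udm["security_result.attack_details.techniques"] = technique
        udm["security_result.attack_details.tactics"] = TACTIC_BY_TECHNIQUE[technique]
    return {k: v for k, v in udm.items() if v is not None}

SAMPLE_FINDING = {  # constructed, not real data; laid out like GuardDuty JSON
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0",
                                     "launchTime": "2024-01-02T03:04:05Z"}},
    "service": {"action": {"networkConnectionAction": {
        "blocked": False, "protocol": "TCP",
        "localPortDetails": {"port": 22, "portName": "SSH"},
        "remoteIpDetails": {"ipAddressV4": "198.51.100.7",
                            "country": {"countryName": "Example"}}}}}}
```

Running `normalize(SAMPLE_FINDING)` yields the EC2 instance ID as product_object_id, "SSH" as principal.application, and T1110/CredentialAccess as the attack details; a finding with portName "Unknown" or a DNS protocol of 0 leaves those fields unset.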