Collect AWS GuardDuty logs

Supported in:

Google SecOps SIEM

This document describes how you can collect AWS GuardDuty logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GUARDDUTY ingestion label.

Before you begin

Ensure that an AWS S3 bucket is created. To create the AWS S3 bucket, see Create your first S3 bucket.
Ensure that a KMS key is created. To create the KMS key, see Creating asymmetric KMS keys.
Ensure that AWS GuardDuty has permission to access the KMS key. To grant access to the KMS key, see Exporting findings. GuardDuty encrypts the findings data in your bucket by using an AWS KMS key.

Configure AWS GuardDuty

To configure AWS GuardDuty, do the following:

Sign in to the AWS console.
Search for GuardDuty.
Select Settings.
In the Finding export option section, do the following:
1. From the Frequency for updated findings list, select Update CWE and S3 every 15 minutes. The frequency selection is for the updated findings. The new findings are exported after 5 minutes from the time of creation.
2. In the S3 bucket section, select the S3 bucket in which you want to export the GuardDuty findings.
3. In the Log file prefix section, provide the log file prefix.
4. In the KMS encryption section, select the KMS encryption.
5. From the Key alias list, select the key.
6. Click Save.
After the log files are stored in the S3 bucket, create an SQS queue and attach it with the S3 bucket.

Sample KMS policy

The following is a sample KMS policy:

{
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.AWS_REGION.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "KEY_ARN"
        }

Replace the following:

AWS_REGION: the chosen region.
KEY_ARN: Amazon Resource Name (ARN) of the KMS key.

Check the required IAM user and KMS key policies for S3, SQS, and KMS.

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

For information about any logging sources, see AWS Identity and Access Management endpoints and quotas.
For information about S3 logging sources, see Amazon Simple Storage Service endpoints and quotas.
For information about SQS logging sources, see Amazon Simple Queue Service endpoints and quotas.

Configure a feed in Google Security Operations to ingest AWS GuardDuty logs

From the Google Security Operations menu, select Settings.
Click Feeds.
Click Add new.
Select Amazon S3 or Amazon SQS as the Source type.
Select GuardDuty as the Log type.
Click Next.
Google Security Operations supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
Based on the AWS GuardDuty configuration that you created, specify values for the following fields.
1. If using Amazon S3
2. If using Amazon SQS
Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support

What's next

Data ingestion to Google Security Operations

UDM mapping

This parser code processes AWS GuardDuty findings in JSON format, extracting relevant fields and mapping them to a unified data model (UDM). It performs data transformations, including string replacements, merging arrays, and converting data types, to create a structured representation of the security event for analysis and correlation.

UDM mapping table

Log Field	UDM Mapping	Logic
accountId	principal.group.product_object_id	The AWS account ID associated with the finding.
additionalInfo.portsScannedSample	event.idm.read_only_udm.about.port	List of ports scanned during a port sweep.
additionalInfo.sample	security_result.about.labels.value	Indicates whether the finding is a sample finding.
additionalInfo.threatListName	security_result.threat_feed_name	The name of the threat list that triggered the finding.
additionalInfo.threatName	security_result.threat_name	The name of the threat that triggered the finding.
additionalInfo.userAgent .fullUserAgent	network.http.user_agent	The full user agent string associated with the finding.
additionalInfo.userAgent .userAgentCategory	security_result.detection_fields.value	The category of the user agent associated with the finding.
arn	target.asset.attribute .cloud.project.product_object_id	The Amazon Resource Name (ARN) of the finding.
detail.accountId	principal.group.product_object_id	The AWS account ID associated with the finding.
detail.description	security_result.description	A detailed description of the finding.
detail.id	target.asset.attribute.cloud.project.id	A unique ID for the finding.
detail.resource.accessKeyDetails	principal.user	Details about the AWS access key involved in the finding.
detail.resource.accessKeyDetails .accessKeyId	principal.user.userid	The ID of the AWS access key involved in the finding.
detail.resource.accessKeyDetails .principalId	principal.user.userid	The principal ID of the AWS access key involved in the finding.
detail.resource.accessKeyDetails .userType	principal.user.attribute.roles.name	The type of user associated with the AWS access key involved in the finding.
detail.resource.accessKeyDetails .userName	principal.user.user_display_name	The name of the user associated with the AWS access key involved in the finding.
detail.resource.s3BucketDetails .0.arn	target.resource.name	The ARN of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails .0.defaultServerSideEncryption.encryptionType	network.tls.client.supported_ciphers	The type of server-side encryption used for the S3 bucket involved in the finding.
detail.resource.s3BucketDetails .0.name	target.resource.name	The name of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails .0.owner.id	target.resource.attribute.labels.value	The ID of the owner of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails .0.publicAccess.effectivePermission	target.resource.attribute.labels.value	The effective permission of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .blockPublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .blockPublicPolicy	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .ignorePublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .restrictPublicBuckets	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.accessControlList .allowsPublicReadAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the access control list (ACL) allows public read access.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.accessControlList .allowsPublicWriteAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the access control list (ACL) allows public write access.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .blockPublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .blockPublicPolicy	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .ignorePublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .restrictPublicBuckets	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.bucketPolicy .allowsPublicReadAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the bucket policy allows public read access.
detail.resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.bucketPolicy .allowsPublicWriteAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the bucket policy allows public write access.
detail.resource.s3BucketDetails .0.type	target.resource.attribute.labels.value	The type of S3 bucket involved in the finding.
detail.service.action .actionType	principal.group.attribute.labels.value	The type of action associated with the finding.
detail.service.action .awsApiCallAction.api	principal.application	The name of the AWS API call involved in the finding.
detail.service.action .awsApiCallAction.callerType	principal.group.attribute.labels.value	The type of caller that made the AWS API call involved in the finding.
detail.service.action .awsApiCallAction.domainDetails.domain	network.dns.questions.name	The domain name associated with the AWS API call involved in the finding.
detail.service.action.awsApiCallAction .remoteIpDetails.country.countryName	target.location.country_or_region	The country name associated with the remote IP address that made the AWS API call involved in the finding.
detail.service.action.awsApiCallAction .remoteIpDetails.geoLocation.lat	target.location.region_latitude	The latitude of the remote IP address that made the AWS API call involved in the finding.
detail.service.action.awsApiCallAction .remoteIpDetails.geoLocation.lon	target.location.region_longitude	The longitude of the remote IP address that made the AWS API call involved in the finding.
detail.service.action .awsApiCallAction.remoteIpDetails.ipAddressV4	target.ip	The IP address that made the AWS API call involved in the finding.
detail.service.action .awsApiCallAction.serviceName	metadata.description	The name of the AWS service involved in the finding.
detail.service.action .dnsRequestAction.blocked	security_result.action	Whether the DNS request was blocked.
detail.service.action .dnsRequestAction.domain	principal.administrative_domain	The domain name associated with the DNS request involved in the finding.
detail.service.action .dnsRequestAction.protocol	network.ip_protocol	The protocol used for the DNS request involved in the finding.
detail.service.action .networkConnectionAction.blocked	security_result.action	Whether the network connection was blocked.
detail.service.action .networkConnectionAction.connectionDirection	network.direction	The direction of the network connection involved in the finding.
detail.service.action .networkConnectionAction.localIpDetails .ipAddressV4	principal.ip	The local IP address involved in the network connection.
detail.service.action .networkConnectionAction.localPortDetails .port	principal.port	The local port involved in the network connection.
detail.service.action .networkConnectionAction.localPortDetails .portName	principal.application	The name of the local port involved in the network connection.
detail.service.action .networkConnectionAction.protocol	network.ip_protocol	The protocol used for the network connection involved in the finding.
detail.service.action .networkConnectionAction.remoteIpDetails .city.cityName	target.location.city	The city name associated with the remote IP address involved in the network connection.
detail.service.action .networkConnectionAction.remoteIpDetails .country.countryName	target.location.country_or_region	The country name associated with the remote IP address involved in the network connection.
detail.service.action .networkConnectionAction.remoteIpDetails .ipAddressV4	target.ip	The remote IP address involved in the network connection.
detail.service.action .networkConnectionAction.remotePortDetails .port	target.port	The remote port involved in the network connection.
detail.service.action .networkConnectionAction.remotePortDetails .portName	target.application	The name of the remote port involved in the network connection.
detail.service.action .portProbeAction.blocked	security_result.action	Whether the port probe was blocked.
detail.service.action .portProbeAction.portProbeDetails .0.localPortDetails.port	target.port	The local port that was probed.
detail.service.action .portProbeAction.portProbeDetails .0.localPortDetails.portName	principal.application	The name of the local port that was probed.
detail.service.action .portProbeAction.portProbeDetails .0.remoteIpDetails.city.cityName	target.location.city	The city name associated with the remote IP address that performed the port probe.
detail.service.action .portProbeAction.portProbeDetails .0.remoteIpDetails.country.countryName	target.location.country_or_region	The country name associated with the remote IP address that performed the port probe.
detail.service.action .portProbeAction.portProbeDetails .0.remoteIpDetails.geoLocation.lat	target.location.region_latitude	The latitude of the remote IP address that performed the port probe.
detail.service.action .portProbeAction.portProbeDetails .0.remoteIpDetails.geoLocation.lon	target.location.region_longitude	The longitude of the remote IP address that performed the port probe.
detail.service.action .portProbeAction.portProbeDetails .0.remoteIpDetails.ipAddressV4	target.ip	The remote IP address that performed the port probe.
detail.service.additionalInfo .threatListName	security_result.threat_feed_name	The name of the threat list that triggered the finding.
detail.service.additionalInfo .threatName	security_result.threat_name	The name of the threat that triggered the finding.
detail.service.additionalInfo .userAgent.fullUserAgent	network.http.user_agent	The full user agent string associated with the finding.
detail.service.additionalInfo .userAgent.userAgentCategory	security_result.detection_fields.value	The category of the user agent associated with the finding.
detail.service.additionalInfo .value	security_result.about .resource.attribute.labels.value	Additional information about the finding.
detail.title	security_result.summary	A short title for the finding.
detail.type	metadata.product_event_type	The type of finding.
detail.updatedAt	metadata.event_timestamp	The time the finding was last updated.
detail-type	event.idm.read_only_udm .additional.fields.value.string_value	The type of event that triggered the finding.
partition	target.asset.attribute .cloud.project.type	The AWS partition that the finding occurred in.
resource.accessKeyDetails	principal.user	Details about the AWS access key involved in the finding.
resource.accessKeyDetails.accessKeyId	principal.user.userid	The ID of the AWS access key involved in the finding.
resource.accessKeyDetails.principalId	principal.user.userid	The principal ID of the AWS access key involved in the finding.
resource.accessKeyDetails.userType	principal.user.attribute.roles.name	The type of user associated with the AWS access key involved in the finding.
resource.accessKeyDetails.userName	principal.user.user_display_name	The name of the user associated with the AWS access key involved in the finding.
resource.instanceDetails.availabilityZone	target.asset.attribute.cloud.availability_zone	The availability zone of the EC2 instance involved in the finding.
resource.instanceDetails.imageDescription	event.idm.read_only_udm .principal.resource.attribute.labels.value	The description of the AMI used to launch the EC2 instance involved in the finding.
resource.instanceDetails.imageId	event.idm.read_only_udm .additional.fields.value.string_value	The ID of the AMI used to launch the EC2 instance involved in the finding.
resource.instanceDetails .iamInstanceProfile.arn	target.resource.attribute.labels.value	The ARN of the IAM instance profile associated with the EC2 instance involved in the finding.
resource.instanceDetails .iamInstanceProfile.id	target.resource.attribute.labels.value	The ID of the IAM instance profile associated with the EC2 instance involved in the finding.
resource.instanceDetails.instanceId	target.resource.product_object_id	The ID of the EC2 instance involved in the finding.
resource.instanceDetails.instanceState	target.resource.attribute.labels.value	The state of the EC2 instance involved in the finding.
resource.instanceDetails.instanceType	target.resource.attribute.labels.value	The type of the EC2 instance involved in the finding.
resource.instanceDetails .launchTime	target.resource.attribute.creation_time	The time the EC2 instance involved in the finding was launched.
resource.instanceDetails .networkInterfaces.0.networkInterfaceId	target.resource.attribute.labels.value	The ID of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.privateDnsName	target.resource.attribute.labels.value	The private DNS name of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.publicDnsName	target.resource.attribute.labels.value	The public DNS name of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.publicIp	principal.ip	The public IP address of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.privateIpAddress	principal.ip	The private IP address of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.securityGroups .0.groupId	target.user.group_identifiers	The ID of the security group associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.securityGroups .0.groupName	target.user.group_identifiers	The name of the security group associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.subnetId	target.resource.attribute.labels.value	The ID of the subnet associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails .networkInterfaces.0.vpcId	target.asset.attribute.cloud.vpc.id	The ID of the VPC associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails.outpostArn	target.resource.attribute.labels.value	The ARN of the outpost associated with the EC2 instance involved in the finding.
resource.instanceDetails.platform	target.asset.platform_software.platform_version	The platform of the EC2 instance involved in the finding.
resource.instanceDetails .productCodes.0.productCodeType	target.resource.type	The type of product code associated with the EC2 instance involved in the finding.
resource.instanceDetails.tags	target.asset.attribute.labels	The tags associated with the EC2 instance involved in the finding.
resource.kubernetesDetails .kubernetesUserDetails.username	principal.user.userid	The username of the Kubernetes user involved in the finding.
resource.rdsDbInstanceDetails .dbClusterIdentifier	event.idm.read_only_udm .target.resource_ancestors.product_object_id	The identifier of the RDS DB cluster involved in the finding.
resource.rdsDbInstanceDetails .dbInstanceArn	target.resource.name	The ARN of the RDS DB instance involved in the finding.
resource.rdsDbInstanceDetails .dbInstanceIdentifier	target.resource.product_object_id	The identifier of the RDS DB instance involved in the finding.
resource.rdsDbUserDetails.user	principal.user.userid	The username of the RDS DB user involved in the finding.
resource.resourceType	target.resource.resource_subtype	The type of resource involved in the finding.
resource.s3BucketDetails	principal.resource.attribute.labels	Details about the S3 bucket involved in the finding.
resource.s3BucketDetails.0.arn	target.resource.name	The ARN of the S3 bucket involved in the finding.
resource.s3BucketDetails.0.createdAt	event.idm.read_only_udm .principal.resource.attribute.labels.value	The time the S3 bucket involved in the finding was created.
resource.s3BucketDetails.0 .defaultServerSideEncryption.encryptionType	network.tls.client.supported_ciphers	The type of server-side encryption used for the S3 bucket involved in the finding.
resource.s3BucketDetails.0.name	target.resource.name	The name of the S3 bucket involved in the finding.
resource.s3BucketDetails.0.owner.id	target.resource.attribute.labels.value	The ID of the owner of the S3 bucket involved in the finding.
resource.s3BucketDetails .0.publicAccess.effectivePermission	target.resource.attribute.labels.value	The effective permission of the S3 bucket involved in the finding.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .blockPublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .blockPublicPolicy	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .ignorePublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .accountLevelPermissions.blockPublicAccess .restrictPublicBuckets	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the account.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.accessControlList .allowsPublicReadAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the access control list (ACL) allows public read access.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.accessControlList .allowsPublicWriteAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the access control list (ACL) allows public write access.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .blockPublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .blockPublicPolicy	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .ignorePublicAcls	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.blockPublicAccess .restrictPublicBuckets	event.idm.read_only_udm .additional.fields.value.bool_value	Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.bucketPolicy .allowsPublicReadAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the bucket policy allows public read access.
resource.s3BucketDetails .0.publicAccess.permissionConfiguration .bucketLevelPermissions.bucketPolicy .allowsPublicWriteAccess	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the bucket policy allows public write access.
resource.s3BucketDetails.0.tags	event.idm.read_only_udm .principal.resource.attribute.labels	The tags associated with the S3 bucket involved in the finding.
resource.s3BucketDetails.0.type	target.resource.attribute.labels.value	The type of S3 bucket involved in the finding.
service.action .actionType	principal.group.attribute.labels.value	The type of action associated with the finding.
service.action .awsApiCallAction.affectedResources .AWS_CloudTrail_Trail	event.idm.read_only_udm .principal.resource.attribute.labels.value	The name of the AWS CloudTrail trail involved in the finding.
service.action .awsApiCallAction.affectedResources .AWS_S3_Bucket	event.idm.read_only_udm .principal.resource.attribute.labels.value	The name of the S3 bucket involved in the finding.
service.action .awsApiCallAction.api	principal.application	The name of the AWS API call involved in the finding.
service.action .awsApiCallAction.callerType	principal.group.attribute.labels.value	The type of caller that made the AWS API call involved in the finding.
service.action .awsApiCallAction.domainDetails.domain	network.dns.questions.name	The domain name associated with the AWS API call involved in the finding.
service.action .awsApiCallAction.errorCode	security_result.rule_type	The error code associated with the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .country.countryName	target.location.country_or_region	The country name associated with the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .geoLocation.lat	target.location.region_latitude	The latitude of the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .geoLocation.lon	target.location.region_longitude	The longitude of the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .ipAddressV4	target.ip	The IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .organization.asn	event.idm.read_only_udm .additional.fields.value.string_value	The Autonomous System Number (ASN) of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .organization.asnOrg	event.idm.read_only_udm .additional.fields.value.string_value	The name of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .organization.isp	event.idm.read_only_udm .additional.fields.value.string_value	The name of the internet service provider (ISP) associated with the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.remoteIpDetails .organization.org	event.idm.read_only_udm .additional.fields.value.string_value	The name of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action .awsApiCallAction.serviceName	metadata.description	The name of the AWS service involved in the finding.
service.action .dnsRequestAction.blocked	security_result.action	Whether the DNS request was blocked.
service.action .dnsRequestAction.domain	principal.administrative_domain	The domain name associated with the DNS request involved in the finding.
service.action .dnsRequestAction.protocol	network.ip_protocol	The protocol used for the DNS request involved in the finding.
service.action .kubernetesApiCallAction.remoteIpDetails .country.countryName	target.location.country_or_region	The country name associated with the remote IP address that made the Kubernetes API call involved in the finding.
service.action .kubernetesApiCallAction.remoteIpDetails .geoLocation.lat	target.location.region_latitude	The latitude of the remote IP address that made the Kubernetes API call involved in the finding.
service.action .kubernetesApiCallAction.remoteIpDetails .geoLocation.lon	target.location.region_longitude	The longitude of the remote IP address that made the Kubernetes API call involved in the finding.
service.action .kubernetesApiCallAction.remoteIpDetails .ipAddressV4	target.ip	The IP address that made the Kubernetes API call involved in the finding.
service.action .networkConnectionAction.blocked	security_result.action	Whether the network connection was blocked.
service.action .networkConnectionAction.connectionDirection	network.direction	The direction of the network connection involved in the finding.
service.action .networkConnectionAction.localIpDetails .ipAddressV4	principal.ip	The local IP address involved in the network connection.
service.action .networkConnectionAction.localPortDetails .port	principal.port	The local port involved in the network connection.
service.action .networkConnectionAction.localPortDetails .portName	principal.application	The name of the local port involved in the network connection.
service.action .networkConnectionAction.protocol	network.ip_protocol	The protocol used for the network connection involved in the finding.
service.action .networkConnectionAction.remoteIpDetails .city.cityName	target.location.city	The city name associated with the remote IP address involved in the network connection.
service.action .networkConnectionAction.remoteIpDetails .country.countryName	target.location.country_or_region	The country name associated with the remote IP address involved in the network connection.
service.action .networkConnectionAction.remoteIpDetails .ipAddressV4	target.ip	The remote IP address involved in the network connection.
service.action .networkConnectionAction.remotePortDetails .port	target.port	The remote port involved in the network connection.
service.action .networkConnectionAction.remotePortDetails .portName	target.application	The name of the remote port involved in the network connection.
service.action .portProbeAction.blocked	security_result.action	Whether the port probe was blocked.
service.action.portProbeAction .portProbeDetails .0.localPortDetails.port	target.port	The local port that was probed.
service.action.portProbeAction .portProbeDetails .0.localPortDetails.portName	principal.application	The name of the local port that was probed.
service.action.portProbeAction .portProbeDetails .0.remoteIpDetails.city .cityName	target.location.city	The city name associated with the remote IP address that performed the port probe.
service.action.portProbeAction .portProbeDetails .0.remoteIpDetails.country .countryName	target.location.country_or_region	The country name associated with the remote IP address that performed the port probe.
service.action.portProbeAction .portProbeDetails .0.remoteIpDetails.geoLocation .lat	target.location.region_latitude	The latitude of the remote IP address that performed the port probe.
service.action.portProbeAction .portProbeDetails .0.remoteIpDetails.geoLocation .lon	target.location.region_longitude	The longitude of the remote IP address that performed the port probe.
service.action.portProbeAction .portProbeDetails .0.remoteIpDetails.ipAddressV4	target.ip	The remote IP address that performed the port probe.
service.additionalInfo .portsScannedSample	event.idm.read_only_udm.about.port	A sample of the ports that were scanned.
service.additionalInfo .recentCredentials	event.idm.read_only_udm.intermediary	A list of recent credentials that were used.
service.additionalInfo.sample	security_result.about .labels.value	Indicates whether the finding is a sample finding.
service.additionalInfo.threatListName	security_result.threat_feed_name	The name of the threat list that triggered the finding.
service.additionalInfo.threatName	security_result.threat_name	The name of the threat that triggered the finding.
service.additionalInfo .userAgent.fullUserAgent	network.http.user_agent	The full user agent string associated with the finding.
service.additionalInfo .userAgent.userAgentCategory	security_result.detection_fields .value	The category of the user agent associated with the finding.
service.additionalInfo.value	security_result.about .resource.attribute.labels.value	Additional information about the finding.
service.archived	event.idm.read_only_udm .additional.fields.value.bool_value	Whether the finding is archived.
service.count	event.idm.read_only_udm .principal.resource.attribute.labels.value	The number of times the event occurred.
service.detectorId	event.idm.read_only_udm .additional.fields.value.string_value	The ID of the GuardDuty detector that generated the finding.
service.ebsVolumeScanDetails .scanDetections .threatDetectedByName.itemCount		The total number of threats detected during the EBS volume scan.

Changes

2024-03-11

Mapped "service.action.awsApiCallAction.domainDetails.domain" to "network.dns.questions.name".

2024-03-05

Mapped "service.additionalInfo.value" to "security_result.about.labels".
Mapped "service.additionalInfo.value" to "security_result.about.resource.attribute.labels".
Mapped "service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail" to "principal.resource.attribute.labels".

2024-02-26

Bug Fix:
Mapped "resource.eksClusterDetails.createdAt" to "target.resource.attribute.labels".
Mapped "resource.s3BucketDetails.createdAt" to "principal.resource.attribute.labels".
Mapped "resource.eksClusterDetails.tags" to "target.resource.attribute.labels".
Mapped "resource.s3BucketDetails.tags" to "principal.resource.attribute.labels".
If "type" is similar to ":Kubernetes" or ":S3", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
If "service.action.actionType" is similar to "AWS_API_CALL" or "KUBERNETES_API_CALL", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
If "service.action.actionType" is similar to "DNS_REQUEST", then mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".

2023-08-18

Mapped fields "security_result.attack_details.tactics", "security_result.attack_details.techniques" based on field "type".
Mapped 'metadata.event_type' to more specific event_types wherever possible instead of GENERIC_EVENT.
Mapped fields 'target.resource.resource_subtype', 'target.resource.resource_type' based on field "type".
For all logs having the 'type' value ':EC2' -
Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
For all logs having the 'type' value ':RDSV' -
Mapped 'resource.rdsDbInstanceDetails.dbInstanceIdentifier' to 'target.resource.product_object_id'.
Mapped 'resource.rdsDbInstanceDetails.dbInstanceArn' to 'target.resource.name'.
Mapped 'resource.rdsDbInstanceDetails.dbClusterIdentifier' to 'target.resource_ancestors.product_object_id'.
Mapped 'resource.rdsDbUserDetails.user' to 'principal.user.userid'.
For all logs having the 'type' value ':Kubernetes' -
Mapped ' resource.eksClusterDetails.arn' to 'target.resource.name'.
For all logs having the 'type' value ':Runtime' -
Mapped 'resource.eksClusterDetails.arn' to 'target.resource_ancestors.name'.
Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
For all logs having the 'type' value ':IAMUser' -
Mapped 'resource.accessKeyDetails.accessKeyId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceId' to 'target.resource_ancestors.product_object_id'.
For all logs having the 'type' value ':S3' -
Mapped 'resource.s3BucketDetails.arn' or 'resource.s3BucketDetails.name' to 'target.resource.name'.

2023-08-02

If 'resource.instanceDetails.networkInterfaces' is empty, then mapped 'metadata.event_type' to 'GENERIC_EVENT'.
If 'detail.resource.accessKeyDetails.principalId' or 'resource.accessKeyDetails.principalId' are empty, then mapped 'metadata.event_type' to 'USER_RESOURCE_ACCESS'.

2023-06-19

Added "security_result.attack_details" based on "type".

2023-02-07

Enhancement -
Mapped "threatdetails.threatListName" to "security_result.threat_feed_name".
Mapped "service.additionalInfo.threatName" to "security_result.threat_name".
If "product_event_type" in ["Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/BlackholeTraffic!DNS"] then mapped "T1071" to "technique_label.value".
If "product_event_type" in ["PenTest:IAMUser/KaliLinux", "PenTest:IAMUser/ParrotLinux", "PenTest:IAMUser/PentooLinux", "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux", "Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "UnauthorizedAccess:EC2/TorClient"] then mapped "T1078" to "technique_label.value".
If "product_event_type" is "Discovery:IAMUser/AnomalousBehavior" then mapped "T1087" to "technique_label.value".
If "product_event_type" is "Persistence:IAMUser/AnomalousBehavior" then mapped "T1098" to "technique_label.value".
If "product_event_type" in ["UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"] then mapped "T1110" to "technique_label.value".
If "product_event_type" in ["InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller"] then mapped "T1133" to "technique_label.value".
If "product_event_type" is "Trojan:EC2/DriveBySourceTraffic!DNS" then mapped "T1189" to "technique_label.value".
If "product_event_type" is "PrivilegeEscalation:IAMUser/AnomalousBehavior" then mapped "T1484" to "technique_label.value".
If "product_event_type" in ["Backdoor:EC2/Spambot", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Impact:EC2/AbusedDomainRequest.Reputation", "Impact:EC2/BitcoinDomainRequest.Reputation", "Impact:EC2/MaliciousDomainRequest.Reputation", "Impact:EC2/PortSweep", "Impact:EC2/SuspiciousDomainRequest.Reputation", "Impact:EC2/WinRMBruteForce", "UnauthorizedAccess:EC2/TorRelay"] then mapped "T1496" to "technique_label.value".
If "product_event_type" in ["Backdoor:EC2/DenialOfService.Dns", "Backdoor:EC2/DenialOfService.Tcp", "Backdoor:EC2/DenialOfService.Udp", "Backdoor:EC2/DenialOfService.UdpOnTcpPorts", "Backdoor:EC2/DenialOfService.UnusualProtocol"] then mapped "T1498" to "technique_label.value".
If "product_event_type" in ["Discovery:S3/MaliciousIPCaller", "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller"] then mapped "T1526" to "technique_label.value".
If "product_event_type" is "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B" then mapped "T1538" to "technique_label.value".
If "product_event_type" is "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" then mapped "T1552" to "technique_label.value".
If "product_event_type" is "CredentialAccess:IAMUser/AnomalousBehavior" then mapped "T1555" to "technique_label.value".
If "product_event_type" in ["DefenseEvasion:IAMUser/AnomalousBehavior", "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted", "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted", "Stealth:IAMUser/CloudTrailLoggingDisabled", "Stealth:IAMUser/PasswordPolicyChange", "Stealth:S3/ServerAccessLoggingDisabled"] then mapped "T1562" to "technique_label.value".
If "product_event_type" in ["Impact:IAMUser/AnomalousBehavior", "Impact:S3/MaliciousIPCaller"] then mapped "T1565" to "technique_label.value".
If "product_event_type" is "Trojan:EC2/PhishingDomainRequest!DNS" then mapped "T1566" to "technique_label.value".
If "product_event_type" in ["Exfiltration:IAMUser/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller", "Exfiltration:S3/ObjectRead.Unusual", "Trojan:EC2/DNSDataExfiltration", "Trojan:EC2/DropPoint", "Trojan:EC2/DropPoint!DNS"] then mapped "T1567" to "technique_label.value".
If "product_event_type" in ["Trojan:EC2/DGADomainRequest.C!DNS", "Trojan:EC2/DGADomainRequest.B"] then mapped "T1568" to "technique_label.value".
If "product_event_type" == "UnauthorizedAccess:EC2/MetadataDNSRebind" then mapped "T1580" to "technique_label.
If "product_event_type" in ["Recon:IAMUser/MaliciousIPCaller", "Recon:IAMUser/MaliciousIPCaller.Custom", "Recon:IAMUser/TorIPCaller"] then mapped "T1589" to "technique_label.value".
If "product_event_type" in ["Recon:EC2/PortProbeEMRUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"] then mapped "T1595" to "technique_label.value".
If [technique_label][value] in ["T1595", "T1592", "T1589", "T1590", "T1591", "T1598", "T1597", "T1596", "T1593", "T1594"] then mapped "Reconnaissance" to "tatic_label.value".
If [technique_label][value] in ["T1583", "T1586", "T1584", "T1587", "T1585", "T1588"] then mapped "ResourceDevelopment" to "tatic_label.value".
If [technique_label][value] in ["T1189", "T1190", "T1133", "T1200", "T1566", "T1091", "T1195", "T1199", "T1078"] then mapped "InitialAccess" to "tatic_label.value".
If [technique_label][value] in ["T1059", "T1203", "T1559", "T1106", "T1053", "T1129", "T1072", "T1569", "T1204", "T1047"] then mapped "Execution" to "tatic_label.value".
If [technique_label][value] in ["T1098", "T1197", "T1547", "T1037", "T1176", "T1554", "T1136", "T1543", "T1546", "T1133", "T1574", "T1525", "T1137", "T1542", "T1053", "T1505", "T1205", "T1078"] then mapped "Persistence" to "tatic_label.value".
If [technique_label][value] in ["T1548", "T1134", "T1547", "T1037", "T1543", "T1484", "T1546", "T1068", "T1574", "T1055", "T1053", "T1078"] then mapped "PrivilegeEscalation" to "tatic_label.value".
If [technique_label][value] in ["T1548", "T1134", "T1197", "T1140", "T1006", "T1484", "T1480", "T1211", "T1222", "T1564", "T1574", "T1562", "T1070", "T1202", "T1036", "T1556", "T1578", "T1112", "T1601", "T1599", "T1027", "T1542", "T1055", "T1207", "T1014", "T1218", "T1216", "T1553", "T1221", "T1205", "T1127", "T1535", "T1550", "T1078", "T1497", "T1600", "T1220"] then mapped "DefenseEvasion" to "tatic_label.value".
If [technique_label][value] in ["T1110", "T1555", "T1212", "T1187", "T1606", "T1056", "T1557", "T1556", "T1040", "T1003", "T1528", "T1558", "T1539", "T1111", "T1552"] then mapped "CredentialAccess" to "tatic_label.value".
If [technique_label][value] in ["T1087", "T1010", "T1217", "T1580", "T1538", "T1526", "T1482", "T1083", "T1046", "T1135", "T1040", "T1201", "T1120", "T1069", "T1057", "T1012", "T1018", "T1518", "T1082", "T1016", "T1049", "T1033", "T1007", "T1124", "T1497"] then mapped "Discovery" to "tatic_label.value".
If [technique_label][value] in ["T1210", "T1534", "T1570", "T1563", "T1021", "T1091", "T1072", "T1080", "T1550"] then mapped "LateralMovement" to "tatic_label.value".
If [technique_label][value] in ["T1560", "T1123", "T1119", "T1115", "T1530", "T1602", "T1213", "T1005", "T1039", "T1025", "T1074", "T1114", "T1056", "T1185", "T1557", "T1113", "T1125"] then mapped "Collection" to "tatic_label.value".
If [technique_label][value] in ["T1071", "T1092", "T1132", "T1001", "T1568", "T1573", "T1008", "T1105", "T1104", "T1095", "T1571", "T1572", "T1090", "T1219", "T1205", "T1102"] then mapped "CommandAndControl" to "tatic_label.value".
If [technique_label][value] in ["T1020", "T1030", "T1048", "T1041", "T1011", "T1052", "T1567", "T1029", "T1537"] then mapped "Exfiltration" to "tatic_label.value".
If [technique_label][value] in ["T1531", "T1485", "T1486", "T1565", "T1491", "T1561", "T1499", "T1495", "T1490", "T1498", "T1496", "T1489", "T1529"] then mapped "Impact" to "tatic_label.value".

2022-11-10

Enhancement
Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash" to "principal.file.sha256".
Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath" to "principal.file.full_path".
Mapped "service.action.dnsRequestAction.domain" to "network.dns.questions.name".
Mapped "resource.kubernetesDetails.kubernetesUserDetails.username" to "principal.user.userid".

2022-09-12

Feature Request:
Mapped 'security_result.category', 'metadata.event_type', 'resource_type', 'resource_subtype' appropriately for logs types - 'IAM', 'S3', 'KUBERNETES', 'MALWARE', 'EC2'.

2022-08-11

Feature Request:
Replaced 'GENERIC_EVENT' type to 'STATUS_UPDATE' or 'USER_RESOURCE_ACCESS' event_type.

2022-07-20

Changed mapping for "service.resourceRole" from "additional.resource_role" to "principal.resource.attribute.roles.name".
Changed mapping for "service.count" from "additional.fields" to "principal.resource.attribute.label"
Changed mapping for "resource.instanceDetails.imageDescription" from "additional.fields" to "principal.resource.attribute.label"
if "type" value in "Discovery:S3/MaliciousIPCaller", "Policy:S3/BucketPublicAccessGranted", "UnauthorizedAccess:S3/TorIPCaller", "Policy:S3/BucketAnonymousAccessGranted", "UnauthorizedAccess:EC2/TorRelay":
mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id"
mapped "resource.instanceDetails.instanceType" to "target.resource.name"

2022-07-08

Modified mapping for "network_interface.securityGroups.0.groupId" from "target.user.groupid" to "target.user.group_identifiers".

2022-05-26

Enhancement - Modified mappings for following fields
Changed mapping for field "region" from "target.location.country_or_region" to "target.location.name"
Changed mapping for field "resource.instanceDetails.tags[n]" from "additional.fields[n]" to "target.asset.attribute.labels[n]"
"service.action.networkConnectionAction.remoteIpDetails.country.countryName" mapped to "target.location.country_or_region"

2022-05-27

Enhancement - Modified the value stored in metadata.product_name to 'AWS GuardDuty' and metadata.vendor_name to 'AMAZON'.

2022-03-25

Enhancement - Port udm is not a repeated field. This makes it unsuitable to capture a lot of ports from a log. This change uses about.port instead.

2022-03-31

Enhancement
If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown" value mapped to principal.application.
Entire list within "tags" field mapped to key-value fields.
"service.action.networkConnectionAction.protocol" mapped to network.ip_protocol
"service.action.networkConnectionAction.blocked" mapped to security_result.action
"severity" mapped to security_result.severity_details
If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
In s3BucketDetails:
"arn" mapped to target.asset.attribute.cloud.project.product_object_id.
"name" mapped to target.resource.name.
"encryptionType" mapped to network.tls.supported_ciphers.
"owner.id mapped to target.resource.attribute.labels.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
mapped "allowsPublicReadAccess" to additional.fields attribute.
mapped "allowsPublicWriteAccess" to additional.fields attribute. - --
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
mapped "allowsPublicReadAccess" to additional.fields attribute.
mapped "allowsPublicWriteAccess" to additional.fields attribute. - --
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
mapped "ignorePublicAcls" to additional.fields attribute.
mapped "restrictPublicBuckets" to additional.fields attribute.
mapped "blockPublicAcls" to additional.fields attribute.
mapped "blockPublicPolicy" to additional.fields attribute. - --
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess
mapped ignorePublicAcls to additional.fields attribute.
"restrictPublicBuckets" to additional.fields attribute.
"blockPublicAcls" to additional.fields attribute.
"blockPublicPolicy" to additional.fields attribute.
Under service.action.awsApiCallAction.remoteIpDetails.organization:
"asn" mapped to additional.fields attribute.
"asnOrg" mapped to additional.fields attribute.
"isp" mapped to additional.fields attribute.
"org" mapped to additional.fields attribute.
Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" additional.fields attribute.
If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
resource.instanceDetails.instanceId mapped to target.resource.id
resource.instanceDetails.instanceType mapped to target.resource.name
resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id
Values under resource.instanceDetails.tags mapped the following fields:
target.user.userid if the key is "ApplicationOwner".
target.application if the key is "Application".
user.email_addresses if the key is "Contact".
additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
service.action.dnsRequestAction.protocol mapped network.ip_protocol if value is not 0.
service.action.networkConnectionAction.blocked mapped to security_result.action.
"severity" mapped to security_result.severity_details.