Collect AWS GuardDuty logs

Supported in:

This document describes how you can collect AWS GuardDuty logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GUARDDUTY ingestion label.

Before you begin

  • Ensure that an AWS S3 bucket is created. To create the AWS S3 bucket, see Create your first S3 bucket.
  • Ensure that a KMS key is created. To create the KMS key, see Creating asymmetric KMS keys.
  • Ensure that AWS GuardDuty has permission to access the KMS key. To grant access to the KMS key, see Exporting findings. GuardDuty encrypts the findings data in your bucket by using an AWS KMS key.

Configure AWS GuardDuty

To configure AWS GuardDuty, do the following:

  1. Sign in to the AWS console.
  2. Search for GuardDuty.
  3. Select Settings.
  4. In the Finding export option section, do the following:

    1. From the Frequency for updated findings list, select Update CWE and S3 every 15 minutes. The frequency selection is for the updated findings. The new findings are exported after 5 minutes from the time of creation.
    2. In the S3 bucket section, select the S3 bucket in which you want to export the GuardDuty findings.
    3. In the Log file prefix section, provide the log file prefix.
    4. In the KMS encryption section, select the KMS encryption.
    5. From the Key alias list, select the key.
    6. Click Save.

  5. After the log files are stored in the S3 bucket, create an SQS queue and attach it to the S3 bucket.

Sample KMS policy

The following is a sample KMS key policy. The statement with the Sid "Allow GuardDuty to encrypt findings" is the one GuardDuty needs; keep your existing key administrator statements alongside it in the Statement array:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.AWS_REGION.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "KEY_ARN"
        }
    ]
}

Replace the following:

  • AWS_REGION: the chosen region.
  • KEY_ARN: Amazon Resource Name (ARN) of the KMS key.

Check the required IAM user and KMS key policies for S3, SQS, and KMS.
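The following script is an added example, not part of the Google Security Operations documentation or the GuardDuty service. It checks, offline, whether a KMS key policy document contains an Allow statement granting the regional GuardDuty service principal the two actions listed in the sample policy above (kms:Encrypt and kms:GenerateDataKey) on the key. The helper build_key_policy, the account ID 111122223333 and the key ARN are constructed placeholders; an explicit Deny statement and wildcard "*" principals are deliberately not counted as grants.

```python
"""Verify that a KMS key policy lets the regional GuardDuty service principal
encrypt exported findings.  Added example (not the documentation's code); the
policies built below are constructed and the account ID / key ARN are
placeholders."""
import json

REQUIRED_ACTIONS = {"kms:Encrypt", "kms:GenerateDataKey"}
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def build_key_policy(region, key_arn, guardduty_actions):
    """Constructed key policy: the usual root/administrator statement plus the
    GuardDuty statement from the page with its placeholders filled in."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM policies",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow GuardDuty to encrypt findings",
                "Effect": "Allow",
                "Principal": {"Service": f"guardduty.{region}.amazonaws.com"},
                "Action": list(guardduty_actions),
                "Resource": key_arn,
            },
        ],
    })


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_kms_actions(policy_json, region, key_arn):
    """Return the subset of REQUIRED_ACTIONS that no Allow statement grants to
    guardduty.<region>.amazonaws.com on key_arn.  An empty set means the key
    policy is sufficient for findings export.  Deny statements are not modelled."""
    policy = json.loads(policy_json)
    service_principal = f"guardduty.{region}.amazonaws.com"
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is not treated as a valid grant
        if service_principal not in _as_list(principal.get("Service")):
            continue
        resources = _as_list(stmt.get("Resource"))
        # In a key policy, "Resource": "*" means the key the policy is attached to.
        if key_arn not in resources and "*" not in resources:
            continue
        granted.update(_as_list(stmt.get("Action")))
    if "kms:*" in granted:
        return set()
    return REQUIRED_ACTIONS - granted


if __name__ == "__main__":
    policy = build_key_policy("us-east-1", SAMPLE_KEY_ARN, REQUIRED_ACTIONS)
    missing = missing_kms_actions(policy, "us-east-1", SAMPLE_KEY_ARN)
    print("key policy OK" if not missing else f"missing actions: {sorted(missing)}")
```

Run it against the output of `aws kms get-key-policy` for your key and the region you selected in GuardDuty; a region mismatch in the service principal shows up as both actions missing, which is the most common reason the export silently fails.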

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

Configure a feed in Google Security Operations to ingest AWS GuardDuty logs

  1. From the Google Security Operations menu, select Settings.
  2. Click Feeds.
  3. Click Add new.
  4. Select Amazon S3 or Amazon SQS as the Source type.
  5. Select GuardDuty as the Log type.
  6. Click Next.
  7. Google Security Operations supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
  8. Based on the AWS GuardDuty configuration that you created, specify values for the following fields.

    1. If using Amazon S3
      • Region
      • S3 URI
      • URI is a
      • Source deletion option

    2. If using Amazon SQS
      • Region
      • Queue name
      • Account number
      • Queue access key ID
      • Queue secret access key
      • Source deletion option

  9. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

What's next

UDM mapping

This parser code processes AWS GuardDuty findings in JSON format, extracting relevant fields and mapping them to a unified data model (UDM). It performs data transformations, including string replacements, merging arrays, and converting data types, to create a structured representation of the security event for analysis and correlation.

UDM mapping table

Log Field UDM Mapping Logic
accountId principal.group.product_object_id The AWS account ID associated with the finding.
additionalInfo.portsScannedSample event.idm.read_only_udm.about.port List of ports scanned during a port sweep.
additionalInfo.sample security_result.about.labels.value Indicates whether the finding is a sample finding.
additionalInfo.threatListName security_result.threat_feed_name The name of the threat list that triggered the finding.
additionalInfo.threatName security_result.threat_name The name of the threat that triggered the finding.
additionalInfo.userAgent
.fullUserAgent
network.http.user_agent The full user agent string associated with the finding.
additionalInfo.userAgent
.userAgentCategory
security_result.detection_fields.value The category of the user agent associated with the finding.
arn target.asset.attribute
.cloud.project.product_object_id
The Amazon Resource Name (ARN) of the finding.
detail.accountId principal.group.product_object_id The AWS account ID associated with the finding.
detail.description security_result.description A detailed description of the finding.
detail.id target.asset.attribute.cloud.project.id A unique ID for the finding.
detail.resource.accessKeyDetails principal.user Details about the AWS access key involved in the finding.
detail.resource.accessKeyDetails
.accessKeyId
principal.user.userid The ID of the AWS access key involved in the finding.
detail.resource.accessKeyDetails
.principalId
principal.user.userid The principal ID of the AWS access key involved in the finding.
detail.resource.accessKeyDetails
.userType
principal.user.attribute.roles.name The type of user associated with the AWS access key involved in the finding.
detail.resource.accessKeyDetails
.userName
principal.user.user_display_name The name of the user associated with the AWS access key involved in the finding.
detail.resource.s3BucketDetails
.0.arn
target.resource.name The ARN of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails
.0.defaultServerSideEncryption.encryptionType
network.tls.client.supported_ciphers The type of server-side encryption used for the S3 bucket involved in the finding.
detail.resource.s3BucketDetails
.0.name
target.resource.name The name of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails
.0.owner.id
target.resource.attribute.labels.value The ID of the owner of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails
.0.publicAccess.effectivePermission
target.resource.attribute.labels.value The effective permission of the S3 bucket involved in the finding.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.blockPublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.blockPublicPolicy
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.ignorePublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.restrictPublicBuckets
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.accessControlList
.allowsPublicReadAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the access control list (ACL) allows public read access.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.accessControlList
.allowsPublicWriteAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the access control list (ACL) allows public write access.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.blockPublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.blockPublicPolicy
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.ignorePublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.restrictPublicBuckets
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.bucketPolicy
.allowsPublicReadAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the bucket policy allows public read access.
detail.resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.bucketPolicy
.allowsPublicWriteAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the bucket policy allows public write access.
detail.resource.s3BucketDetails
.0.type
target.resource.attribute.labels.value The type of S3 bucket involved in the finding.
detail.service.action
.actionType
principal.group.attribute.labels.value The type of action associated with the finding.
detail.service.action
.awsApiCallAction.api
principal.application The name of the AWS API call involved in the finding.
detail.service.action
.awsApiCallAction.callerType
principal.group.attribute.labels.value The type of caller that made the AWS API call involved in the finding.
detail.service.action
.awsApiCallAction.domainDetails.domain
network.dns.questions.name The domain name associated with the AWS API call involved in the finding.
detail.service.action.awsApiCallAction
.remoteIpDetails.country.countryName
target.location.country_or_region The country name associated with the remote IP address that made the AWS API call involved in the finding.
detail.service.action.awsApiCallAction
.remoteIpDetails.geoLocation.lat
target.location.region_latitude The latitude of the remote IP address that made the AWS API call involved in the finding.
detail.service.action.awsApiCallAction
.remoteIpDetails.geoLocation.lon
target.location.region_longitude The longitude of the remote IP address that made the AWS API call involved in the finding.
detail.service.action
.awsApiCallAction.remoteIpDetails.ipAddressV4
target.ip The IP address that made the AWS API call involved in the finding.
detail.service.action
.awsApiCallAction.serviceName
metadata.description The name of the AWS service involved in the finding.
detail.service.action
.dnsRequestAction.blocked
security_result.action Whether the DNS request was blocked.
detail.service.action
.dnsRequestAction.domain
principal.administrative_domain The domain name associated with the DNS request involved in the finding.
detail.service.action
.dnsRequestAction.protocol
network.ip_protocol The protocol used for the DNS request involved in the finding.
detail.service.action
.networkConnectionAction.blocked
security_result.action Whether the network connection was blocked.
detail.service.action
.networkConnectionAction.connectionDirection
network.direction The direction of the network connection involved in the finding.
detail.service.action
.networkConnectionAction.localIpDetails
.ipAddressV4
principal.ip The local IP address involved in the network connection.
detail.service.action
.networkConnectionAction.localPortDetails
.port
principal.port The local port involved in the network connection.
detail.service.action
.networkConnectionAction.localPortDetails
.portName
principal.application The name of the local port involved in the network connection.
detail.service.action
.networkConnectionAction.protocol
network.ip_protocol The protocol used for the network connection involved in the finding.
detail.service.action
.networkConnectionAction.remoteIpDetails
.city.cityName
target.location.city The city name associated with the remote IP address involved in the network connection.
detail.service.action
.networkConnectionAction.remoteIpDetails
.country.countryName
target.location.country_or_region The country name associated with the remote IP address involved in the network connection.
detail.service.action
.networkConnectionAction.remoteIpDetails
.ipAddressV4
target.ip The remote IP address involved in the network connection.
detail.service.action
.networkConnectionAction.remotePortDetails
.port
target.port The remote port involved in the network connection.
detail.service.action
.networkConnectionAction.remotePortDetails
.portName
target.application The name of the remote port involved in the network connection.
detail.service.action
.portProbeAction.blocked
security_result.action Whether the port probe was blocked.
detail.service.action
.portProbeAction.portProbeDetails
.0.localPortDetails.port
target.port The local port that was probed.
detail.service.action
.portProbeAction.portProbeDetails
.0.localPortDetails.portName
principal.application The name of the local port that was probed.
detail.service.action
.portProbeAction.portProbeDetails
.0.remoteIpDetails.city.cityName
target.location.city The city name associated with the remote IP address that performed the port probe.
detail.service.action
.portProbeAction.portProbeDetails
.0.remoteIpDetails.country.countryName
target.location.country_or_region The country name associated with the remote IP address that performed the port probe.
detail.service.action
.portProbeAction.portProbeDetails
.0.remoteIpDetails.geoLocation.lat
target.location.region_latitude The latitude of the remote IP address that performed the port probe.
detail.service.action
.portProbeAction.portProbeDetails
.0.remoteIpDetails.geoLocation.lon
target.location.region_longitude The longitude of the remote IP address that performed the port probe.
detail.service.action
.portProbeAction.portProbeDetails
.0.remoteIpDetails.ipAddressV4
target.ip The remote IP address that performed the port probe.
detail.service.additionalInfo
.threatListName
security_result.threat_feed_name The name of the threat list that triggered the finding.
detail.service.additionalInfo
.threatName
security_result.threat_name The name of the threat that triggered the finding.
detail.service.additionalInfo
.userAgent.fullUserAgent
network.http.user_agent The full user agent string associated with the finding.
detail.service.additionalInfo
.userAgent.userAgentCategory
security_result.detection_fields.value The category of the user agent associated with the finding.
detail.service.additionalInfo
.value
security_result.about
.resource.attribute.labels.value
Additional information about the finding.
detail.title security_result.summary A short title for the finding.
detail.type metadata.product_event_type The type of finding.
detail.updatedAt metadata.event_timestamp The time the finding was last updated.
detail-type event.idm.read_only_udm
.additional.fields.value.string_value
The type of event that triggered the finding.
partition target.asset.attribute
.cloud.project.type
The AWS partition that the finding occurred in.
resource.accessKeyDetails principal.user Details about the AWS access key involved in the finding.
resource.accessKeyDetails.accessKeyId principal.user.userid The ID of the AWS access key involved in the finding.
resource.accessKeyDetails.principalId principal.user.userid The principal ID of the AWS access key involved in the finding.
resource.accessKeyDetails.userType principal.user.attribute.roles.name The type of user associated with the AWS access key involved in the finding.
resource.accessKeyDetails.userName principal.user.user_display_name The name of the user associated with the AWS access key involved in the finding.
resource.instanceDetails.availabilityZone target.asset.attribute.cloud.availability_zone The availability zone of the EC2 instance involved in the finding.
resource.instanceDetails.imageDescription event.idm.read_only_udm
.principal.resource.attribute.labels.value
The description of the AMI used to launch the EC2 instance involved in the finding.
resource.instanceDetails.imageId event.idm.read_only_udm
.additional.fields.value.string_value
The ID of the AMI used to launch the EC2 instance involved in the finding.
resource.instanceDetails
.iamInstanceProfile.arn
target.resource.attribute.labels.value The ARN of the IAM instance profile associated with the EC2 instance involved in the finding.
resource.instanceDetails
.iamInstanceProfile.id
target.resource.attribute.labels.value The ID of the IAM instance profile associated with the EC2 instance involved in the finding.
resource.instanceDetails.instanceId target.resource.product_object_id The ID of the EC2 instance involved in the finding.
resource.instanceDetails.instanceState target.resource.attribute.labels.value The state of the EC2 instance involved in the finding.
resource.instanceDetails.instanceType target.resource.attribute.labels.value The type of the EC2 instance involved in the finding.
resource.instanceDetails
.launchTime
target.resource.attribute.creation_time The time the EC2 instance involved in the finding was launched.
resource.instanceDetails
.networkInterfaces.0.networkInterfaceId
target.resource.attribute.labels.value The ID of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.privateDnsName
target.resource.attribute.labels.value The private DNS name of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.publicDnsName
target.resource.attribute.labels.value The public DNS name of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.publicIp
principal.ip The public IP address of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.privateIpAddress
principal.ip The private IP address of the network interface associated with the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.securityGroups
.0.groupId
target.user.group_identifiers The ID of the security group associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.securityGroups
.0.groupName
target.user.group_identifiers The name of the security group associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.subnetId
target.resource.attribute.labels.value The ID of the subnet associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails
.networkInterfaces.0.vpcId
target.asset.attribute.cloud.vpc.id The ID of the VPC associated with the network interface of the EC2 instance involved in the finding.
resource.instanceDetails.outpostArn target.resource.attribute.labels.value The ARN of the outpost associated with the EC2 instance involved in the finding.
resource.instanceDetails.platform target.asset.platform_software.platform_version The platform of the EC2 instance involved in the finding.
resource.instanceDetails
.productCodes.0.productCodeType
target.resource.type The type of product code associated with the EC2 instance involved in the finding.
resource.instanceDetails.tags target.asset.attribute.labels The tags associated with the EC2 instance involved in the finding.
resource.kubernetesDetails
.kubernetesUserDetails.username
principal.user.userid The username of the Kubernetes user involved in the finding.
resource.rdsDbInstanceDetails
.dbClusterIdentifier
event.idm.read_only_udm
.target.resource_ancestors.product_object_id
The identifier of the RDS DB cluster involved in the finding.
resource.rdsDbInstanceDetails
.dbInstanceArn
target.resource.name The ARN of the RDS DB instance involved in the finding.
resource.rdsDbInstanceDetails
.dbInstanceIdentifier
target.resource.product_object_id The identifier of the RDS DB instance involved in the finding.
resource.rdsDbUserDetails.user principal.user.userid The username of the RDS DB user involved in the finding.
resource.resourceType target.resource.resource_subtype The type of resource involved in the finding.
resource.s3BucketDetails principal.resource.attribute.labels Details about the S3 bucket involved in the finding.
resource.s3BucketDetails.0.arn target.resource.name The ARN of the S3 bucket involved in the finding.
resource.s3BucketDetails.0.createdAt event.idm.read_only_udm
.principal.resource.attribute.labels.value
The time the S3 bucket involved in the finding was created.
resource.s3BucketDetails.0
.defaultServerSideEncryption.encryptionType
network.tls.client.supported_ciphers The type of server-side encryption used for the S3 bucket involved in the finding.
resource.s3BucketDetails.0.name target.resource.name The name of the S3 bucket involved in the finding.
resource.s3BucketDetails.0.owner.id target.resource.attribute.labels.value The ID of the owner of the S3 bucket involved in the finding.
resource.s3BucketDetails
.0.publicAccess.effectivePermission
target.resource.attribute.labels.value The effective permission of the S3 bucket involved in the finding.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.blockPublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.blockPublicPolicy
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.ignorePublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.accountLevelPermissions.blockPublicAccess
.restrictPublicBuckets
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the account.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.accessControlList
.allowsPublicReadAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the access control list (ACL) allows public read access.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.accessControlList
.allowsPublicWriteAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the access control list (ACL) allows public write access.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.blockPublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.blockPublicPolicy
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.ignorePublicAcls
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.blockPublicAccess
.restrictPublicBuckets
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether public access blocks are enabled for the bucket.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.bucketPolicy
.allowsPublicReadAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the bucket policy allows public read access.
resource.s3BucketDetails
.0.publicAccess.permissionConfiguration
.bucketLevelPermissions.bucketPolicy
.allowsPublicWriteAccess
event.idm.read_only_udm
.additional.fields.value.bool_value
Whether the bucket policy allows public write access.
resource.s3BucketDetails.0.tags event.idm.read_only_udm
.principal.resource.attribute.labels
The tags associated with the S3 bucket involved in the finding.
resource.s3BucketDetails.0.type target.resource.attribute.labels.value The type of S3 bucket involved in the finding.
service.action
.actionType
principal.group.attribute.labels.value The type of action associated with the finding.
service.action
.awsApiCallAction.affectedResources
.AWS_CloudTrail_Trail
event.idm.read_only_udm
.principal.resource.attribute.labels.value
The name of the AWS CloudTrail trail involved in the finding.
service.action
.awsApiCallAction.affectedResources
.AWS_S3_Bucket
event.idm.read_only_udm
.principal.resource.attribute.labels.value
The name of the S3 bucket involved in the finding.
service.action
.awsApiCallAction.api
principal.application The name of the AWS API call involved in the finding.
service.action
.awsApiCallAction.callerType
principal.group.attribute.labels.value The type of caller that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.domainDetails.domain
network.dns.questions.name The domain name associated with the AWS API call involved in the finding.
service.action
.awsApiCallAction.errorCode
security_result.rule_type The error code associated with the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.country.countryName
target.location.country_or_region The country name associated with the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.geoLocation.lat
target.location.region_latitude The latitude of the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.geoLocation.lon
target.location.region_longitude The longitude of the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.ipAddressV4
target.ip The IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.organization.asn
event.idm.read_only_udm
.additional.fields.value.string_value
The Autonomous System Number (ASN) of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.organization.asnOrg
event.idm.read_only_udm
.additional.fields.value.string_value
The name of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.organization.isp
event.idm.read_only_udm
.additional.fields.value.string_value
The name of the internet service provider (ISP) associated with the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.remoteIpDetails
.organization.org
event.idm.read_only_udm
.additional.fields.value.string_value
The name of the organization associated with the remote IP address that made the AWS API call involved in the finding.
service.action
.awsApiCallAction.serviceName
metadata.description The name of the AWS service involved in the finding.
service.action
.dnsRequestAction.blocked
security_result.action Whether the DNS request was blocked.
service.action
.dnsRequestAction.domain
principal.administrative_domain The domain name associated with the DNS request involved in the finding.
service.action
.dnsRequestAction.protocol
network.ip_protocol The protocol used for the DNS request involved in the finding.
service.action
.kubernetesApiCallAction.remoteIpDetails
.country.countryName
target.location.country_or_region The country name associated with the remote IP address that made the Kubernetes API call involved in the finding.
service.action
.kubernetesApiCallAction.remoteIpDetails
.geoLocation.lat
target.location.region_latitude The latitude of the remote IP address that made the Kubernetes API call involved in the finding.
service.action
.kubernetesApiCallAction.remoteIpDetails
.geoLocation.lon
target.location.region_longitude The longitude of the remote IP address that made the Kubernetes API call involved in the finding.
service.action
.kubernetesApiCallAction.remoteIpDetails
.ipAddressV4
target.ip The IP address that made the Kubernetes API call involved in the finding.
service.action
.networkConnectionAction.blocked
security_result.action Whether the network connection was blocked.
service.action
.networkConnectionAction.connectionDirection
network.direction The direction of the network connection involved in the finding.
service.action
.networkConnectionAction.localIpDetails
.ipAddressV4
principal.ip The local IP address involved in the network connection.
service.action
.networkConnectionAction.localPortDetails
.port
principal.port The local port involved in the network connection.
service.action
.networkConnectionAction.localPortDetails
.portName
principal.application The name of the local port involved in the network connection.
service.action
.networkConnectionAction.protocol
network.ip_protocol The protocol used for the network connection involved in the finding.
service.action.networkConnectionAction.remoteIpDetails.city.cityName target.location.city The city name associated with the remote IP address involved in the network connection.
service.action.networkConnectionAction.remoteIpDetails.country.countryName target.location.country_or_region The country name associated with the remote IP address involved in the network connection.
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 target.ip The remote IP address involved in the network connection.
service.action.networkConnectionAction.remotePortDetails.port target.port The remote port involved in the network connection.
service.action.networkConnectionAction.remotePortDetails.portName target.application The name of the remote port involved in the network connection.
service.action.portProbeAction.blocked security_result.action Whether the port probe was blocked.
service.action.portProbeAction.portProbeDetails.0.localPortDetails.port target.port The local port that was probed.
service.action.portProbeAction.portProbeDetails.0.localPortDetails.portName principal.application The name of the local port that was probed.
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.city.cityName target.location.city The city name associated with the remote IP address that performed the port probe.
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.country.countryName target.location.country_or_region The country name associated with the remote IP address that performed the port probe.
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lat target.location.region_latitude The latitude of the remote IP address that performed the port probe.
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.geoLocation.lon target.location.region_longitude The longitude of the remote IP address that performed the port probe.
service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4 target.ip The remote IP address that performed the port probe.
service.additionalInfo.portsScannedSample event.idm.read_only_udm.about.port A sample of the ports that were scanned.
service.additionalInfo.recentCredentials event.idm.read_only_udm.intermediary A list of recent credentials that were used.
service.additionalInfo.sample security_result.about.labels.value Indicates whether the finding is a sample finding.
service.additionalInfo.threatListName security_result.threat_feed_name The name of the threat list that triggered the finding.
service.additionalInfo.threatName security_result.threat_name The name of the threat that triggered the finding.
service.additionalInfo.userAgent.fullUserAgent network.http.user_agent The full user agent string associated with the finding.
service.additionalInfo.userAgent.userAgentCategory security_result.detection_fields.value The category of the user agent associated with the finding.
service.additionalInfo.value security_result.about.resource.attribute.labels.value Additional information about the finding.
service.archived event.idm.read_only_udm.additional.fields.value.bool_value Whether the finding is archived.
service.count event.idm.read_only_udm.principal.resource.attribute.labels.value The number of times the event occurred.
service.detectorId event.idm.read_only_udm.additional.fields.value.string_value The ID of the GuardDuty detector that generated the finding.
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount The total number of threats detected during the EBS volume scan.
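As an added example (not the Google SecOps parser's own code), the following Python applies a subset of the mappings above and of the rules in the Changes list below to a constructed finding: the portProbeAction fields, the DNS_REQUEST protocol rule, the ':EC2' resource rules, the threat fields, and the technique and tactic labels. The names map_finding and SAMPLE_FINDING, the sample data, and the BLOCK/ALLOW values written to security_result.action are assumptions, not taken from the page.

```python
# Added example, not the Google SecOps parser: applies a subset of the GuardDuty -> UDM rules on this
# page (port probe fields, DNS request fields, ":EC2" resource rules, technique/tactic labels) to a finding.
TECHNIQUE_BY_TYPE = {  # excerpt of the 2023-02-07 technique rules
    "Recon:EC2/PortProbeUnprotectedPort": "T1595",
    "UnauthorizedAccess:EC2/SSHBruteForce": "T1110",
    "Backdoor:EC2/C&CActivity.B!DNS": "T1071",
}
TACTICS = {  # excerpt of the tactic lists on this page
    "Reconnaissance": {"T1595", "T1592", "T1589"},
    "CredentialAccess": {"T1110", "T1555", "T1552"},
    "CommandAndControl": {"T1071", "T1568", "T1105"},
}

def _get(obj, path):  # walk a dotted path such as "portProbeDetails.0.remoteIpDetails.city.cityName"
    for part in path.split("."):
        if isinstance(obj, list) and part.isdigit() and int(part) < len(obj):
            obj = obj[int(part)]
        elif isinstance(obj, dict):
            obj = obj.get(part)
        else:
            return None
    return obj

def map_finding(finding):  # returns a flat dict of UDM paths -> values for one GuardDuty finding
    udm = {"metadata.product_event_type": finding["type"]}
    action = _get(finding, "service.action") or {}
    if action.get("actionType") == "PORT_PROBE":
        ppa = action["portProbeAction"]
        # The page maps "blocked" to security_result.action; the BLOCK/ALLOW values are assumed.
        udm["security_result.action"] = "BLOCK" if ppa.get("blocked") else "ALLOW"
        first = _get(ppa, "portProbeDetails.0") or {}  # the mapping table reads index 0
        udm["target.port"] = _get(first, "localPortDetails.port")
        udm["principal.application"] = _get(first, "localPortDetails.portName")
        udm["target.ip"] = _get(first, "remoteIpDetails.ipAddressV4")
        udm["target.location.city"] = _get(first, "remoteIpDetails.city.cityName")
        udm["target.location.country_or_region"] = _get(first, "remoteIpDetails.country.countryName")
        udm["target.location.region_latitude"] = _get(first, "remoteIpDetails.geoLocation.lat")
        udm["target.location.region_longitude"] = _get(first, "remoteIpDetails.geoLocation.lon")
    elif action.get("actionType") == "DNS_REQUEST":
        dra = action["dnsRequestAction"]
        udm["network.dns.questions.name"] = dra.get("domain")
        if dra.get("protocol") not in (None, 0):  # 2022-03-31 rule: mapped only when not 0
            udm["network.ip_protocol"] = dra["protocol"]
    if ":EC2" in finding["type"]:  # 2023-08-18 rules for EC2 findings (also cover the DNS_REQUEST instanceId rule)
        udm["target.resource.product_object_id"] = _get(finding, "resource.instanceDetails.instanceId")
        udm["target.resource.attribute.creation_time"] = _get(finding, "resource.instanceDetails.launchTime")
    udm["security_result.threat_feed_name"] = _get(finding, "service.additionalInfo.threatListName")
    udm["security_result.threat_name"] = _get(finding, "service.additionalInfo.threatName")
    technique = TECHNIQUE_BY_TYPE.get(finding["type"])
    if technique:
        udm["security_result.attack_details.techniques"] = technique
        # The tactic rules on the page are independent, so every list holding the technique applies.
        udm["security_result.attack_details.tactics"] = sorted(t for t, s in TACTICS.items() if technique in s)
    return {k: v for k, v in udm.items() if v is not None}

# Constructed sample finding (not real data; the IP is from a documentation range).
SAMPLE_FINDING = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "resource": {"instanceDetails": {"instanceId": "i-0example", "launchTime": "2024-01-02T03:04:05Z"}},
    "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": False,
        "portProbeDetails": [{"localPortDetails": {"port": 22, "portName": "SSH"},
            "remoteIpDetails": {"ipAddressV4": "203.0.113.7", "city": {"cityName": "ExampleCity"},
                "country": {"countryName": "ExampleLand"}, "geoLocation": {"lat": 1.5, "lon": 2.5}}}]}},
        "additionalInfo": {"threatListName": "ExampleList", "threatName": "ExampleThreat"}},
}
```

Calling map_finding(SAMPLE_FINDING) yields the target.ip, target.port, principal.application and location fields from the port probe rows above, plus the T1595 technique with its Reconnaissance tactic.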

Changes

2024-03-11

  • Mapped "service.action.awsApiCallAction.domainDetails.domain" to "network.dns.questions.name".

2024-03-05

  • Mapped "service.additionalInfo.value" to "security_result.about.labels".
  • Mapped "service.additionalInfo.value" to "security_result.about.resource.attribute.labels".
  • Mapped "service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail" to "principal.resource.attribute.labels".

2024-02-26

  • Bug Fix:
    • Mapped "resource.eksClusterDetails.createdAt" to "target.resource.attribute.labels".
    • Mapped "resource.s3BucketDetails.createdAt" to "principal.resource.attribute.labels".
    • Mapped "resource.eksClusterDetails.tags" to "target.resource.attribute.labels".
    • Mapped "resource.s3BucketDetails.tags" to "principal.resource.attribute.labels".
    • If "type" is similar to ":Kubernetes" or ":S3", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
    • If "service.action.actionType" is similar to "AWS_API_CALL" or "KUBERNETES_API_CALL", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
    • If "service.action.actionType" is similar to "DNS_REQUEST", then mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".

2023-08-18

  • Mapped fields "security_result.attack_details.tactics", "security_result.attack_details.techniques" based on field "type".
  • Mapped 'metadata.event_type' to more specific event_types wherever possible instead of GENERIC_EVENT.
  • Mapped fields 'target.resource.resource_subtype', 'target.resource.resource_type' based on field "type".
  • For all logs having the 'type' value ':EC2' -
    • Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
    • Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
    • Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
  • For all logs having the 'type' value ':RDSV' -
    • Mapped 'resource.rdsDbInstanceDetails.dbInstanceIdentifier' to 'target.resource.product_object_id'.
    • Mapped 'resource.rdsDbInstanceDetails.dbInstanceArn' to 'target.resource.name'.
    • Mapped 'resource.rdsDbInstanceDetails.dbClusterIdentifier' to 'target.resource_ancestors.product_object_id'.
    • Mapped 'resource.rdsDbUserDetails.user' to 'principal.user.userid'.
  • For all logs having the 'type' value ':Kubernetes' -
    • Mapped 'resource.eksClusterDetails.arn' to 'target.resource.name'.
  • For all logs having the 'type' value ':Runtime' -
    • Mapped 'resource.eksClusterDetails.arn' to 'target.resource_ancestors.name'.
    • Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
    • Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
    • Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
  • For all logs having the 'type' value ':IAMUser' -
    • Mapped 'resource.accessKeyDetails.accessKeyId' to 'target.resource.product_object_id'.
    • Mapped 'resource.instanceDetails.instanceId' to 'target.resource_ancestors.product_object_id'.
  • For all logs having the 'type' value ':S3' -
    • Mapped 'resource.s3BucketDetails.arn' or 'resource.s3BucketDetails.name' to 'target.resource.name'.

2023-08-02

  • If 'resource.instanceDetails.networkInterfaces' is empty, then mapped 'metadata.event_type' to 'GENERIC_EVENT'.
  • If 'detail.resource.accessKeyDetails.principalId' or 'resource.accessKeyDetails.principalId' are empty, then mapped 'metadata.event_type' to 'USER_RESOURCE_ACCESS'.

2023-06-19

  • Added "security_result.attack_details" based on "type".

2023-02-07

  • Enhancement -
    • Mapped "threatdetails.threatListName" to "security_result.threat_feed_name".
    • Mapped "service.additionalInfo.threatName" to "security_result.threat_name".
    • If "product_event_type" in ["Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/BlackholeTraffic!DNS"] then mapped "T1071" to "technique_label.value".
    • If "product_event_type" in ["PenTest:IAMUser/KaliLinux", "PenTest:IAMUser/ParrotLinux", "PenTest:IAMUser/PentooLinux", "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux", "Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "UnauthorizedAccess:EC2/TorClient"] then mapped "T1078" to "technique_label.value".
    • If "product_event_type" is "Discovery:IAMUser/AnomalousBehavior" then mapped "T1087" to "technique_label.value".
    • If "product_event_type" is "Persistence:IAMUser/AnomalousBehavior" then mapped "T1098" to "technique_label.value".
    • If "product_event_type" in ["UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"] then mapped "T1110" to "technique_label.value".
    • If "product_event_type" in ["InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller"] then mapped "T1133" to "technique_label.value".
    • If "product_event_type" is "Trojan:EC2/DriveBySourceTraffic!DNS" then mapped "T1189" to "technique_label.value".
    • If "product_event_type" is "PrivilegeEscalation:IAMUser/AnomalousBehavior" then mapped "T1484" to "technique_label.value".
    • If "product_event_type" in ["Backdoor:EC2/Spambot", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Impact:EC2/AbusedDomainRequest.Reputation", "Impact:EC2/BitcoinDomainRequest.Reputation", "Impact:EC2/MaliciousDomainRequest.Reputation", "Impact:EC2/PortSweep", "Impact:EC2/SuspiciousDomainRequest.Reputation", "Impact:EC2/WinRMBruteForce", "UnauthorizedAccess:EC2/TorRelay"] then mapped "T1496" to "technique_label.value".
    • If "product_event_type" in ["Backdoor:EC2/DenialOfService.Dns", "Backdoor:EC2/DenialOfService.Tcp", "Backdoor:EC2/DenialOfService.Udp", "Backdoor:EC2/DenialOfService.UdpOnTcpPorts", "Backdoor:EC2/DenialOfService.UnusualProtocol"] then mapped "T1498" to "technique_label.value".
    • If "product_event_type" in ["Discovery:S3/MaliciousIPCaller", "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller"] then mapped "T1526" to "technique_label.value".
    • If "product_event_type" is "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B" then mapped "T1538" to "technique_label.value".
    • If "product_event_type" is "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" then mapped "T1552" to "technique_label.value".
    • If "product_event_type" is "CredentialAccess:IAMUser/AnomalousBehavior" then mapped "T1555" to "technique_label.value".
    • If "product_event_type" in ["DefenseEvasion:IAMUser/AnomalousBehavior", "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted", "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted", "Stealth:IAMUser/CloudTrailLoggingDisabled", "Stealth:IAMUser/PasswordPolicyChange", "Stealth:S3/ServerAccessLoggingDisabled"] then mapped "T1562" to "technique_label.value".
    • If "product_event_type" in ["Impact:IAMUser/AnomalousBehavior", "Impact:S3/MaliciousIPCaller"] then mapped "T1565" to "technique_label.value".
    • If "product_event_type" is "Trojan:EC2/PhishingDomainRequest!DNS" then mapped "T1566" to "technique_label.value".
    • If "product_event_type" in ["Exfiltration:IAMUser/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller", "Exfiltration:S3/ObjectRead.Unusual", "Trojan:EC2/DNSDataExfiltration", "Trojan:EC2/DropPoint", "Trojan:EC2/DropPoint!DNS"] then mapped "T1567" to "technique_label.value".
    • If "product_event_type" in ["Trojan:EC2/DGADomainRequest.C!DNS", "Trojan:EC2/DGADomainRequest.B"] then mapped "T1568" to "technique_label.value".
    • If "product_event_type" is "UnauthorizedAccess:EC2/MetadataDNSRebind" then mapped "T1580" to "technique_label.value".
    • If "product_event_type" in ["Recon:IAMUser/MaliciousIPCaller", "Recon:IAMUser/MaliciousIPCaller.Custom", "Recon:IAMUser/TorIPCaller"] then mapped "T1589" to "technique_label.value".
    • If "product_event_type" in ["Recon:EC2/PortProbeEMRUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"] then mapped "T1595" to "technique_label.value".
    • If "technique_label.value" in ["T1595", "T1592", "T1589", "T1590", "T1591", "T1598", "T1597", "T1596", "T1593", "T1594"] then mapped "Reconnaissance" to "tactic_label.value".
    • If "technique_label.value" in ["T1583", "T1586", "T1584", "T1587", "T1585", "T1588"] then mapped "ResourceDevelopment" to "tactic_label.value".
    • If "technique_label.value" in ["T1189", "T1190", "T1133", "T1200", "T1566", "T1091", "T1195", "T1199", "T1078"] then mapped "InitialAccess" to "tactic_label.value".
    • If "technique_label.value" in ["T1059", "T1203", "T1559", "T1106", "T1053", "T1129", "T1072", "T1569", "T1204", "T1047"] then mapped "Execution" to "tactic_label.value".
    • If "technique_label.value" in ["T1098", "T1197", "T1547", "T1037", "T1176", "T1554", "T1136", "T1543", "T1546", "T1133", "T1574", "T1525", "T1137", "T1542", "T1053", "T1505", "T1205", "T1078"] then mapped "Persistence" to "tactic_label.value".
    • If "technique_label.value" in ["T1548", "T1134", "T1547", "T1037", "T1543", "T1484", "T1546", "T1068", "T1574", "T1055", "T1053", "T1078"] then mapped "PrivilegeEscalation" to "tactic_label.value".
    • If "technique_label.value" in ["T1548", "T1134", "T1197", "T1140", "T1006", "T1484", "T1480", "T1211", "T1222", "T1564", "T1574", "T1562", "T1070", "T1202", "T1036", "T1556", "T1578", "T1112", "T1601", "T1599", "T1027", "T1542", "T1055", "T1207", "T1014", "T1218", "T1216", "T1553", "T1221", "T1205", "T1127", "T1535", "T1550", "T1078", "T1497", "T1600", "T1220"] then mapped "DefenseEvasion" to "tactic_label.value".
    • If "technique_label.value" in ["T1110", "T1555", "T1212", "T1187", "T1606", "T1056", "T1557", "T1556", "T1040", "T1003", "T1528", "T1558", "T1539", "T1111", "T1552"] then mapped "CredentialAccess" to "tactic_label.value".
    • If "technique_label.value" in ["T1087", "T1010", "T1217", "T1580", "T1538", "T1526", "T1482", "T1083", "T1046", "T1135", "T1040", "T1201", "T1120", "T1069", "T1057", "T1012", "T1018", "T1518", "T1082", "T1016", "T1049", "T1033", "T1007", "T1124", "T1497"] then mapped "Discovery" to "tactic_label.value".
    • If "technique_label.value" in ["T1210", "T1534", "T1570", "T1563", "T1021", "T1091", "T1072", "T1080", "T1550"] then mapped "LateralMovement" to "tactic_label.value".
    • If "technique_label.value" in ["T1560", "T1123", "T1119", "T1115", "T1530", "T1602", "T1213", "T1005", "T1039", "T1025", "T1074", "T1114", "T1056", "T1185", "T1557", "T1113", "T1125"] then mapped "Collection" to "tactic_label.value".
    • If "technique_label.value" in ["T1071", "T1092", "T1132", "T1001", "T1568", "T1573", "T1008", "T1105", "T1104", "T1095", "T1571", "T1572", "T1090", "T1219", "T1205", "T1102"] then mapped "CommandAndControl" to "tactic_label.value".
    • If "technique_label.value" in ["T1020", "T1030", "T1048", "T1041", "T1011", "T1052", "T1567", "T1029", "T1537"] then mapped "Exfiltration" to "tactic_label.value".
    • If "technique_label.value" in ["T1531", "T1485", "T1486", "T1565", "T1491", "T1561", "T1499", "T1495", "T1490", "T1498", "T1496", "T1489", "T1529"] then mapped "Impact" to "tactic_label.value".

2022-11-10

  • Enhancement
    • Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash" to "principal.file.sha256".
    • Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath" to "principal.file.full_path".
    • Mapped "service.action.dnsRequestAction.domain" to "network.dns.questions.name".
    • Mapped "resource.kubernetesDetails.kubernetesUserDetails.username" to "principal.user.userid".

2022-09-12

  • Feature Request:
    • Mapped 'security_result.category', 'metadata.event_type', 'resource_type' and 'resource_subtype' appropriately for the log types 'IAM', 'S3', 'KUBERNETES', 'MALWARE' and 'EC2'.

2022-08-11

  • Feature Request:
    • Replaced the 'GENERIC_EVENT' event_type with 'STATUS_UPDATE' or 'USER_RESOURCE_ACCESS'.

2022-07-20

  • Changed mapping for "service.resourceRole" from "additional.resource_role" to "principal.resource.attribute.roles.name".
  • Changed mapping for "service.count" from "additional.fields" to "principal.resource.attribute.label".
  • Changed mapping for "resource.instanceDetails.imageDescription" from "additional.fields" to "principal.resource.attribute.label".
  • If the "type" value is in "Discovery:S3/MaliciousIPCaller", "Policy:S3/BucketPublicAccessGranted", "UnauthorizedAccess:S3/TorIPCaller", "Policy:S3/BucketAnonymousAccessGranted", "UnauthorizedAccess:EC2/TorRelay":
    • mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".
    • mapped "resource.instanceDetails.instanceType" to "target.resource.name".

2022-07-08

  • Modified mapping for "network_interface.securityGroups.0.groupId" from "target.user.groupid" to "target.user.group_identifiers".

2022-05-26

  • Enhancement - Modified mappings for the following fields:
    • Changed mapping for field "region" from "target.location.country_or_region" to "target.location.name".
    • Changed mapping for field "resource.instanceDetails.tags[n]" from "additional.fields[n]" to "target.asset.attribute.labels[n]".
    • Mapped "service.action.networkConnectionAction.remoteIpDetails.country.countryName" to "target.location.country_or_region".

2022-05-27

  • Enhancement - Modified the value stored in metadata.product_name to 'AWS GuardDuty' and metadata.vendor_name to 'AMAZON'.

2022-03-25

  • Enhancement - The UDM port field is not a repeated field, so it cannot hold the many ports a single log can report. This change uses about.port instead.

2022-03-31

  • Enhancement
    • If "service.action.networkConnectionAction.localPortDetails.portName" is not "Unknown", its value is mapped to principal.application.
    • The entire list within the "tags" field is mapped to key-value fields.
    • "service.action.networkConnectionAction.protocol" mapped to network.ip_protocol.
    • "service.action.networkConnectionAction.blocked" mapped to security_result.action.
    • "severity" mapped to security_result.severity_details.
    • If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
    • In s3BucketDetails:
      • "arn" mapped to target.asset.attribute.cloud.project.product_object_id.
      • "name" mapped to target.resource.name.
      • "encryptionType" mapped to network.tls.supported_ciphers.
      • "owner.id" mapped to target.resource.attribute.labels.
    • Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
      • mapped "allowsPublicReadAccess" to additional.fields attribute.
      • mapped "allowsPublicWriteAccess" to additional.fields attribute.
    • Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
      • mapped "allowsPublicReadAccess" to additional.fields attribute.
      • mapped "allowsPublicWriteAccess" to additional.fields attribute.
    • Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
      • mapped "ignorePublicAcls" to additional.fields attribute.
      • mapped "restrictPublicBuckets" to additional.fields attribute.
      • mapped "blockPublicAcls" to additional.fields attribute.
      • mapped "blockPublicPolicy" to additional.fields attribute.
    • Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess:
      • mapped "ignorePublicAcls" to additional.fields attribute.
      • mapped "restrictPublicBuckets" to additional.fields attribute.
      • mapped "blockPublicAcls" to additional.fields attribute.
      • mapped "blockPublicPolicy" to additional.fields attribute.
    • Under service.action.awsApiCallAction.remoteIpDetails.organization:
      • "asn" mapped to additional.fields attribute.
      • "asnOrg" mapped to additional.fields attribute.
      • "isp" mapped to additional.fields attribute.
      • "org" mapped to additional.fields attribute.
    • Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" to additional.fields attribute.
    • If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
    • resource.instanceDetails.instanceId mapped to target.resource.id.
    • resource.instanceDetails.instanceType mapped to target.resource.name.
    • resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id.
    • Values under resource.instanceDetails.tags mapped to the following fields:
      • target.user.userid if the key is "ApplicationOwner".
      • target.application if the key is "Application".
      • user.email_addresses if the key is "Contact".
      • additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
    • service.action.dnsRequestAction.protocol mapped to network.ip_protocol if the value is not 0.