Change log for GUARDDUTY

Date Changes
2024-11-28 Enhancement:
- Mapped "service.additionalInfo.unusualBehavior" and "service.additionalInfo.profiledBehavior" to "security_result.about.resource.attribute.labels".
2024-10-23 Enhancement:
- Added support to parse unparsed logs.
2024-10-17 Enhancement:
- Mapped "resource.eksClusterDetails.status", "resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser", "resource.kubernetesDetails.kubernetesUserDetails.groups", "resource.kubernetesDetails.kubernetesUserDetails.sessionName", "service.action.kubernetesApiCallAction.verb", "service.detection.anomaly.profiles.namespace.asnInfo", "service.detection.anomaly.profiles.namespace.userAgent", "service.detection.anomaly.profiles.namespace.dayOfWeek", "service.detection.anomaly.profiles.namespace.impersonatedUsername", "service.detection.anomaly.profiles.namespace.api", "service.detection.anomaly.profiles.namespace.username", "service.detection.anomaly.profiles.cluster.asnInfo", "service.detection.anomaly.profiles.cluster.userAgent", "service.detection.anomaly.profiles.cluster.dayOfWeek", "service.detection.anomaly.profiles.cluster.impersonatedUsername", "service.detection.anomaly.profiles.cluster.api", "service.detection.anomaly.profiles.cluster.username", "service.detection.anomaly.profiles.account.asnInfo", "service.detection.anomaly.profiles.account.userAgent", "service.detection.anomaly.profiles.account.dayOfWeek", "service.detection.anomaly.profiles.account.impersonatedUsername", "service.detection.anomaly.profiles.account.api", "service.detection.anomaly.profiles.account.username", "service.detection.anomaly.profiles.username.asnInfo", "service.detection.anomaly.profiles.username.userAgent", "service.detection.anomaly.profiles.username.dayOfWeek", "service.detection.anomaly.profiles.username.impersonatedUsername", "service.detection.anomaly.profiles.username.api", "service.detection.anomaly.profiles.username.username", "service.detection.anomaly.unusual.behavior.namespace.asnInfo", "service.detection.anomaly.unusual.behavior.namespace.userAgent", "service.detection.anomaly.unusual.behavior.namespace.dayOfWeek", "service.detection.anomaly.unusual.behavior.namespace.impersonatedUsername", "service.detection.anomaly.unusual.behavior.namespace.api", 
"service.detection.anomaly.unusual.behavior.namespace.username", "service.detection.anomaly.unusual.behavior.cluster.asnInfo", "service.detection.anomaly.unusual.behavior.cluster.userAgent", "service.detection.anomaly.unusual.behavior.cluster.dayOfWeek", "service.detection.anomaly.unusual.behavior.cluster.impersonatedUsername", "service.detection.anomaly.unusual.behavior.cluster.api", "service.detection.anomaly.unusual.behavior.cluster.username", "service.detection.anomaly.unusual.behavior.account.asnInfo", "service.detection.anomaly.unusual.behavior.account.userAgent", "service.detection.anomaly.unusual.behavior.account.dayOfWeek", "service.detection.anomaly.unusual.behavior.account.impersonatedUsername", "service.detection.anomaly.unusual.behavior.account.api", "service.detection.anomaly.unusual.behavior.account.username", "service.detection.anomaly.unusual.behavior.username.asnInfo", "service.detection.anomaly.unusual.behavior.username.userAgent", "service.detection.anomaly.unusual.behavior.username.dayOfWeek", "service.detection.anomaly.unusual.behavior.username.impersonatedUsername", "service.detection.anomaly.unusual.behavior.username.api", and "service.detection.anomaly.unusual.behavior.username.username" to "additional.fields".
- Mapped "service.action.kubernetesApiCallAction.statusCode" to "network.http.response_code".
- Mapped "resource.eksClusterDetails.vpcId" to "principal.cloud.vpc.id".
- Mapped "service.action.kubernetesApiCallAction.namespace" to "principal.namespace".
- Mapped "service.action.kubernetesApiCallAction.requestUri" to "target.url".
2024-03-11 Enhancement:
- Mapped "service.action.awsApiCallAction.domainDetails.domain" to "network.dns.questions.name".
2024-03-05 Enhancement:
- Mapped "service.additionalInfo.value" to "security_result.about.labels".
- Mapped "service.additionalInfo.value" to "security_result.about.resource.attribute.labels".
- Mapped "service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail" to "principal.resource.attribute.labels".
2024-02-26 Bug Fix:
- Mapped "resource.eksClusterDetails.createdAt" to "target.resource.attribute.labels".
- Mapped "resource.s3BucketDetails.createdAt" to "principal.resource.attribute.labels".
- Mapped "resource.eksClusterDetails.tags" to "target.resource.attribute.labels".
- Mapped "resource.s3BucketDetails.tags" to "principal.resource.attribute.labels".
- If "type" is similar to ":Kubernetes" or ":S3", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
- If "service.action.actionType" is similar to "AWS_API_CALL" or "KUBERNETES_API_CALL", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id".
- If "service.action.actionType" is similar to "DNS_REQUEST", then mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".
2023-08-18 - Mapped fields "security_result.attack_details.tactics" and "security_result.attack_details.techniques" based on field "type".
- Mapped 'metadata.event_type' to more specific event_types wherever possible instead of GENERIC_EVENT.
- Mapped fields 'target.resource.resource_subtype', 'target.resource.resource_type' based on field "type".
- For all logs having the 'type' value ':EC2' -
Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
- For all logs having the 'type' value ':RDSV' -
Mapped 'resource.rdsDbInstanceDetails.dbInstanceIdentifier' to 'target.resource.product_object_id'.
Mapped 'resource.rdsDbInstanceDetails.dbInstanceArn' to 'target.resource.name'.
Mapped 'resource.rdsDbInstanceDetails.dbClusterIdentifier' to 'target.resource_ancestors.product_object_id'.
Mapped 'resource.rdsDbUserDetails.user' to 'principal.user.userid'.
- For all logs having the 'type' value ':Kubernetes' -
Mapped 'resource.eksClusterDetails.arn' to 'target.resource.name'.
- For all logs having the 'type' value ':Runtime' -
Mapped 'resource.eksClusterDetails.arn' to 'target.resource_ancestors.name'.
Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'.
Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'.
- For all logs having the 'type' value ':IAMUser' -
Mapped 'resource.accessKeyDetails.accessKeyId' to 'target.resource.product_object_id'.
Mapped 'resource.instanceDetails.instanceId' to 'target.resource_ancestors.product_object_id'.
- For all logs having the 'type' value ':S3' -
Mapped 'resource.s3BucketDetails.arn' or 'resource.s3BucketDetails.name' to 'target.resource.name'.
2023-08-02 - If 'resource.instanceDetails.networkInterfaces' is empty, then mapped 'metadata.event_type' to 'GENERIC_EVENT'.
- If 'detail.resource.accessKeyDetails.principalId' or 'resource.accessKeyDetails.principalId' is empty, then mapped 'metadata.event_type' to 'USER_RESOURCE_ACCESS'.
2023-06-19 - Added "security_result.attack_details" based on "type".
2023-02-07 Enhancement -
- Mapped "threatdetails.threatListName" to "security_result.threat_feed_name".
- Mapped "service.additionalInfo.threatName" to "security_result.threat_name".
- If "product_event_type" in ["Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/BlackholeTraffic!DNS"] then mapped "T1071" to "technique_label.value".
- If "product_event_type" in ["PenTest:IAMUser/KaliLinux", "PenTest:IAMUser/ParrotLinux", "PenTest:IAMUser/PentooLinux", "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux", "Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "UnauthorizedAccess:EC2/TorClient"] then mapped "T1078" to "technique_label.value".
- If "product_event_type" is "Discovery:IAMUser/AnomalousBehavior" then mapped "T1087" to "technique_label.value".
- If "product_event_type" is "Persistence:IAMUser/AnomalousBehavior" then mapped "T1098" to "technique_label.value".
- If "product_event_type" in ["UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"] then mapped "T1110" to "technique_label.value".
- If "product_event_type" in ["InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller"] then mapped "T1133" to "technique_label.value".
- If "product_event_type" is "Trojan:EC2/DriveBySourceTraffic!DNS" then mapped "T1189" to "technique_label.value".
- If "product_event_type" is "PrivilegeEscalation:IAMUser/AnomalousBehavior" then mapped "T1484" to "technique_label.value".
- If "product_event_type" in ["Backdoor:EC2/Spambot", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Impact:EC2/AbusedDomainRequest.Reputation", "Impact:EC2/BitcoinDomainRequest.Reputation", "Impact:EC2/MaliciousDomainRequest.Reputation", "Impact:EC2/PortSweep", "Impact:EC2/SuspiciousDomainRequest.Reputation", "Impact:EC2/WinRMBruteForce", "UnauthorizedAccess:EC2/TorRelay"] then mapped "T1496" to "technique_label.value".
- If "product_event_type" in ["Backdoor:EC2/DenialOfService.Dns", "Backdoor:EC2/DenialOfService.Tcp", "Backdoor:EC2/DenialOfService.Udp", "Backdoor:EC2/DenialOfService.UdpOnTcpPorts", "Backdoor:EC2/DenialOfService.UnusualProtocol"] then mapped "T1498" to "technique_label.value".
- If "product_event_type" in ["Discovery:S3/MaliciousIPCaller", "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller"] then mapped "T1526" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B" then mapped "T1538" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" then mapped "T1552" to "technique_label.value".
- If "product_event_type" is "CredentialAccess:IAMUser/AnomalousBehavior" then mapped "T1555" to "technique_label.value".
- If "product_event_type" in ["DefenseEvasion:IAMUser/AnomalousBehavior", "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted", "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted", "Stealth:IAMUser/CloudTrailLoggingDisabled", "Stealth:IAMUser/PasswordPolicyChange", "Stealth:S3/ServerAccessLoggingDisabled"] then mapped "T1562" to "technique_label.value".
- If "product_event_type" in ["Impact:IAMUser/AnomalousBehavior", "Impact:S3/MaliciousIPCaller"] then mapped "T1565" to "technique_label.value".
- If "product_event_type" is "Trojan:EC2/PhishingDomainRequest!DNS" then mapped "T1566" to "technique_label.value".
- If "product_event_type" in ["Exfiltration:IAMUser/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller", "Exfiltration:S3/ObjectRead.Unusual", "Trojan:EC2/DNSDataExfiltration", "Trojan:EC2/DropPoint", "Trojan:EC2/DropPoint!DNS"] then mapped "T1567" to "technique_label.value".
- If "product_event_type" in ["Trojan:EC2/DGADomainRequest.C!DNS", "Trojan:EC2/DGADomainRequest.B"] then mapped "T1568" to "technique_label.value".
- If "product_event_type" is "UnauthorizedAccess:EC2/MetadataDNSRebind" then mapped "T1580" to "technique_label.value".
- If "product_event_type" in ["Recon:IAMUser/MaliciousIPCaller", "Recon:IAMUser/MaliciousIPCaller.Custom", "Recon:IAMUser/TorIPCaller"] then mapped "T1589" to "technique_label.value".
- If "product_event_type" in ["Recon:EC2/PortProbeEMRUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"] then mapped "T1595" to "technique_label.value".
- If [technique_label][value] in ["T1595", "T1592", "T1589", "T1590", "T1591", "T1598", "T1597", "T1596", "T1593", "T1594"] then mapped "Reconnaissance" to "tatic_label.value".
- If [technique_label][value] in ["T1583", "T1586", "T1584", "T1587", "T1585", "T1588"] then mapped "ResourceDevelopment" to "tatic_label.value".
- If [technique_label][value] in ["T1189", "T1190", "T1133", "T1200", "T1566", "T1091", "T1195", "T1199", "T1078"] then mapped "InitialAccess" to "tatic_label.value".
- If [technique_label][value] in ["T1059", "T1203", "T1559", "T1106", "T1053", "T1129", "T1072", "T1569", "T1204", "T1047"] then mapped "Execution" to "tatic_label.value".
- If [technique_label][value] in ["T1098", "T1197", "T1547", "T1037", "T1176", "T1554", "T1136", "T1543", "T1546", "T1133", "T1574", "T1525", "T1137", "T1542", "T1053", "T1505", "T1205", "T1078"] then mapped "Persistence" to "tatic_label.value".
- If [technique_label][value] in ["T1548", "T1134", "T1547", "T1037", "T1543", "T1484", "T1546", "T1068", "T1574", "T1055", "T1053", "T1078"] then mapped "PrivilegeEscalation" to "tatic_label.value".
- If [technique_label][value] in ["T1548", "T1134", "T1197", "T1140", "T1006", "T1484", "T1480", "T1211", "T1222", "T1564", "T1574", "T1562", "T1070", "T1202", "T1036", "T1556", "T1578", "T1112", "T1601", "T1599", "T1027", "T1542", "T1055", "T1207", "T1014", "T1218", "T1216", "T1553", "T1221", "T1205", "T1127", "T1535", "T1550", "T1078", "T1497", "T1600", "T1220"] then mapped "DefenseEvasion" to "tatic_label.value".
- If [technique_label][value] in ["T1110", "T1555", "T1212", "T1187", "T1606", "T1056", "T1557", "T1556", "T1040", "T1003", "T1528", "T1558", "T1539", "T1111", "T1552"] then mapped "CredentialAccess" to "tatic_label.value".
- If [technique_label][value] in ["T1087", "T1010", "T1217", "T1580", "T1538", "T1526", "T1482", "T1083", "T1046", "T1135", "T1040", "T1201", "T1120", "T1069", "T1057", "T1012", "T1018", "T1518", "T1082", "T1016", "T1049", "T1033", "T1007", "T1124", "T1497"] then mapped "Discovery" to "tatic_label.value".
- If [technique_label][value] in ["T1210", "T1534", "T1570", "T1563", "T1021", "T1091", "T1072", "T1080", "T1550"] then mapped "LateralMovement" to "tatic_label.value".
- If [technique_label][value] in ["T1560", "T1123", "T1119", "T1115", "T1530", "T1602", "T1213", "T1005", "T1039", "T1025", "T1074", "T1114", "T1056", "T1185", "T1557", "T1113", "T1125"] then mapped "Collection" to "tatic_label.value".
- If [technique_label][value] in ["T1071", "T1092", "T1132", "T1001", "T1568", "T1573", "T1008", "T1105", "T1104", "T1095", "T1571", "T1572", "T1090", "T1219", "T1205", "T1102"] then mapped "CommandAndControl" to "tatic_label.value".
- If [technique_label][value] in ["T1020", "T1030", "T1048", "T1041", "T1011", "T1052", "T1567", "T1029", "T1537"] then mapped "Exfiltration" to "tatic_label.value".
- If [technique_label][value] in ["T1531", "T1485", "T1486", "T1565", "T1491", "T1561", "T1499", "T1495", "T1490", "T1498", "T1496", "T1489", "T1529"] then mapped "Impact" to "tatic_label.value".
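The technique and tactic rules above, together with the product_object_id conditions in the 2024-02-26 and 2023-08-18 entries, compose into a small amount of logic; the Python below is an added illustration, not the parser's own code. It carries a subset of the tables listed on this page (the full tables have the same shape), assumes a precedence among the product_object_id conditions that the entries do not state (DNS_REQUEST first, then the API-call action types, then the finding-type prefix), and keeps every tactic whose list names the technique, since T1078, T1133 and T1484 each appear under several tactics and the entries do not say whether the parser keeps all of them or only the last.

```python
# Subset of the 2023-02-07 finding-type -> technique rules listed in the changelog above.
TECHNIQUE_BY_TYPE = {
    "T1071": {"Backdoor:EC2/C&CActivity.B", "Trojan:EC2/BlackholeTraffic"},
    "T1078": {"Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/TorClient"},
    "T1110": {"UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"},
    "T1133": {"InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/TorIPCaller"},
    "T1562": {"Stealth:IAMUser/CloudTrailLoggingDisabled", "Policy:S3/BucketPublicAccessGranted"},
}

# Subset of the technique -> tactic lists, in changelog order; T1078 sits under four tactics.
TACTIC_TECHNIQUES = {
    "InitialAccess": {"T1189", "T1133", "T1566", "T1078"},
    "Persistence": {"T1098", "T1133", "T1078"},
    "PrivilegeEscalation": {"T1484", "T1078"},
    "DefenseEvasion": {"T1562", "T1484", "T1078"},
    "CredentialAccess": {"T1110", "T1555", "T1552"},
    "CommandAndControl": {"T1071", "T1568"},
}

def technique_for(finding_type):
    """Return the technique_label value for a GuardDuty finding type, or None if unlisted."""
    for technique, types in TECHNIQUE_BY_TYPE.items():
        if finding_type in types:
            return technique
    return None

def tactics_for(technique):
    """Return every tactic whose list names the technique (keeping all matches is an assumption)."""
    return [tactic for tactic, techs in TACTIC_TECHNIQUES.items() if technique in techs]

def product_object_id(finding):
    """Pick the id for target.resource.product_object_id; the precedence below is an assumption."""
    ftype = finding.get("type", "")
    action = finding.get("service", {}).get("action", {}).get("actionType", "")
    resource = finding.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    access_key_id = resource.get("accessKeyDetails", {}).get("accessKeyId")
    if action == "DNS_REQUEST":  # 2024-02-26: DNS_REQUEST -> instanceId
        return instance_id
    if action in ("AWS_API_CALL", "KUBERNETES_API_CALL"):  # 2024-02-26: API calls -> accessKeyId
        return access_key_id
    if any(tag in ftype for tag in (":Kubernetes/", ":S3/", ":IAMUser/")):  # type-prefix rules
        return access_key_id
    if any(tag in ftype for tag in (":EC2/", ":Runtime/")):  # 2023-08-18: EC2/Runtime -> instanceId
        return instance_id
    return None

def enrich(finding):
    technique = technique_for(finding.get("type", ""))
    return {
        "technique_label": technique,
        "tactic_labels": tactics_for(technique) if technique else [],
        "product_object_id": product_object_id(finding),
    }

# Constructed sample finding (not real data): SSH brute force against an EC2 instance.
SAMPLE_FINDING = {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"actionType": "NETWORK_CONNECTION"}},
}

if __name__ == "__main__":
    print(enrich(SAMPLE_FINDING))
```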
2022-11-10 Enhancement
- Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash" to "principal.file.sha256".
- Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath" to "principal.file.full_path".
- Mapped "service.action.dnsRequestAction.domain" to "network.dns.questions.name".
- Mapped "resource.kubernetesDetails.kubernetesUserDetails.username" to "principal.user.userid".
2022-09-12 Feature Request:
- Mapped 'security_result.category', 'metadata.event_type', 'resource_type', and 'resource_subtype' appropriately for the log types 'IAM', 'S3', 'KUBERNETES', 'MALWARE', and 'EC2'.
2022-08-11 Feature Request:
- Replaced the 'GENERIC_EVENT' event_type with 'STATUS_UPDATE' or 'USER_RESOURCE_ACCESS'.
2022-07-20 Enhancement:
- Changed mapping for "service.resourceRole" from "additional.resource_role" to "principal.resource.attribute.roles.name".
- Changed mapping for "service.count" from "additional.fields" to "principal.resource.attribute.label".
- Changed mapping for "resource.instanceDetails.imageDescription" from "additional.fields" to "principal.resource.attribute.label".
- If the "type" value is one of "Discovery:S3/MaliciousIPCaller", "Policy:S3/BucketPublicAccessGranted", "UnauthorizedAccess:S3/TorIPCaller", "Policy:S3/BucketAnonymousAccessGranted", or "UnauthorizedAccess:EC2/TorRelay":
- mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id".
- mapped "resource.instanceDetails.instanceType" to "target.resource.name".
2022-07-08 Enhancement:
- Modified mapping for "network_interface.securityGroups.0.groupId" from "target.user.groupid" to "target.user.group_identifiers".
2022-05-27 Enhancement - Modified the value stored in metadata.product_name to 'AWS GuardDuty' and metadata.vendor_name to 'AMAZON'.
2022-05-26 Enhancement - Modified mappings for the following fields:
- Changed mapping for field "region" from "target.location.country_or_region" to "target.location.name".
- Changed mapping for field "resource.instanceDetails.tags[n]" from "additional.fields[n]" to "target.asset.attribute.labels[n]".
- Mapped "service.action.networkConnectionAction.remoteIpDetails.country.countryName" to "target.location.country_or_region".
2022-03-31 Enhancement
If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown", its value is mapped to principal.application.
The entire list under the "tags" field is mapped to key-value fields.
"service.action.networkConnectionAction.protocol" mapped to network.ip_protocol.
"service.action.networkConnectionAction.blocked" mapped to security_result.action.
"severity" mapped to security_result.severity_details.
If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
In s3BucketDetails:
- "arn" mapped to target.asset.attribute.cloud.project.product_object_id.
- "name" mapped to target.resource.name.
- "encryptionType" mapped to network.tls.supported_ciphers.
- "owner.id" mapped to target.resource.attribute.labels.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
- mapped "ignorePublicAcls" to additional.fields attribute.
- mapped "restrictPublicBuckets" to additional.fields attribute.
- mapped "blockPublicAcls" to additional.fields attribute.
- mapped "blockPublicPolicy" to additional.fields attribute.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess:
- mapped "ignorePublicAcls" to additional.fields attribute.
- mapped "restrictPublicBuckets" to additional.fields attribute.
- mapped "blockPublicAcls" to additional.fields attribute.
- mapped "blockPublicPolicy" to additional.fields attribute.
Under service.action.awsApiCallAction.remoteIpDetails.organization:
- "asn" mapped to additional.fields attribute.
- "asnOrg" mapped to additional.fields attribute.
- "isp" mapped to additional.fields attribute.
- "org" mapped to additional.fields attribute.
Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" to additional.fields attribute.
If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
- resource.instanceDetails.instanceId mapped to target.resource.id
- resource.instanceDetails.instanceType mapped to target.resource.name
- resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id
Values under resource.instanceDetails.tags are mapped to the following fields:
- target.user.userid if the key is "ApplicationOwner".
- target.application if the key is "Application".
- user.email_addresses if the key is "Contact".
- additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
service.action.dnsRequestAction.protocol mapped to network.ip_protocol if the value is not 0.
service.action.networkConnectionAction.blocked mapped to security_result.action.
"severity" mapped to security_result.severity_details.
2022-03-25 Enhancement - The UDM port field is not a repeated field, so it cannot capture multiple ports from a single log. This change uses about.port instead.