Change log for GUARDDUTY
| Date | Changes |
|---|---|
| 2024-03-11 | Enhancement:
- Mapped "service.action.awsApiCallAction.domainDetails.domain" to "network.dns.questions.name". |
| 2024-03-05 | Enhancement:
- Mapped "service.additionalInfo.value" to "security_result.about.labels". - Mapped "service.additionalInfo.value" to "security_result.about.resource.attribute.labels". - Mapped "service.action.awsApiCallAction.affectedResources.AWS_CloudTrail_Trail" to "principal.resource.attribute.labels". |
| 2024-02-26 | Bug Fix:
- Mapped "resource.eksClusterDetails.createdAt" to "target.resource.attribute.labels". - Mapped "resource.s3BucketDetails.createdAt" to "principal.resource.attribute.labels". - Mapped "resource.eksClusterDetails.tags" to "target.resource.attribute.labels". - Mapped "resource.s3BucketDetails.tags" to "principal.resource.attribute.labels". - If "type" is similar to ":Kubernetes" or ":S3", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id". - If "service.action.actionType" is similar to "AWS_API_CALL" or "KUBERNETES_API_CALL", then mapped "resource.accessKeyDetails.accessKeyId" to "target.resource.product_object_id". - If "service.action.actionType" is similar to "DNS_REQUEST", then mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id". |
| 2023-08-18 | - Mapped fields "security_result.attack_details.tactics", "security_result.attack_details.techniques" based on field "type".
- Mapped 'metadata.event_type' to more specific event_types wherever possible instead of GENERIC_EVENT. - Mapped fields 'target.resource.resource_subtype', 'target.resource.resource_type' based on field "type". - For all logs having the 'type' value ':EC2' - Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'. Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'. Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'. - For all logs having the 'type' value ':RDSV' - Mapped 'resource.rdsDbInstanceDetails.dbInstanceIdentifier' to 'target.resource.product_object_id'. Mapped 'resource.rdsDbInstanceDetails.dbInstanceArn' to 'target.resource.name'. Mapped 'resource.rdsDbInstanceDetails.dbClusterIdentifier' to 'target.resource_ancestors.product_object_id'. Mapped 'resource.rdsDbUserDetails.user' to 'principal.user.userid'. - For all logs having the 'type' value ':Kubernetes' - Mapped ' resource.eksClusterDetails.arn' to 'target.resource.name'. - For all logs having the 'type' value ':Runtime' - Mapped 'resource.eksClusterDetails.arn' to 'target.resource_ancestors.name'. Mapped 'resource.instanceDetails.instanceId' to 'target.resource.product_object_id'. Mapped 'resource.instanceDetails.instanceType' to 'target.resource.attribute.labels'. Mapped 'resource.instanceDetails.launchTime' to 'target.resource.attribute.creation_time'. - For all logs having the 'type' value ':IAMUser' - Mapped 'resource.accessKeyDetails.accessKeyId' to 'target.resource.product_object_id'. Mapped 'resource.instanceDetails.instanceId' to 'target.resource_ancestors.product_object_id'. - For all logs having the 'type' value ':S3' - Mapped 'resource.s3BucketDetails.arn' or 'resource.s3BucketDetails.name' to 'target.resource.name'. |
| 2023-08-02 | - If 'resource.instanceDetails.networkInterfaces' is empty, then mapped 'metadata.event_type' to 'GENERIC_EVENT'.
- If 'detail.resource.accessKeyDetails.principalId' or 'resource.accessKeyDetails.principalId' are empty, then mapped 'metadata.event_type' to 'USER_RESOURCE_ACCESS'. |
| 2023-06-19 | - Added "security_result.attack_details" based on "type".
|
| 2023-02-07 | Enhancement -
- Mapped "threatdetails.threatListName" to "security_result.threat_feed_name". - Mapped "service.additionalInfo.threatName" to "security_result.threat_name". - If "product_event_type" in ["Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/BlackholeTraffic!DNS"] then mapped "T1071" to "technique_label.value". - If "product_event_type" in ["PenTest:IAMUser/KaliLinux", "PenTest:IAMUser/ParrotLinux", "PenTest:IAMUser/PentooLinux", "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux", "Policy:IAMUser/RootCredentialUsage", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "UnauthorizedAccess:EC2/TorClient"] then mapped "T1078" to "technique_label.value". - If "product_event_type" is "Discovery:IAMUser/AnomalousBehavior" then mapped "T1087" to "technique_label.value". - If "product_event_type" is "Persistence:IAMUser/AnomalousBehavior" then mapped "T1098" to "technique_label.value". - If "product_event_type" in ["UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce"] then mapped "T1110" to "technique_label.value". - If "product_event_type" in ["InitialAccess:IAMUser/AnomalousBehavior", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller"] then mapped "T1133" to "technique_label.value". - If "product_event_type" is "Trojan:EC2/DriveBySourceTraffic!DNS" then mapped "T1189" to "technique_label.value". - If "product_event_type" is "PrivilegeEscalation:IAMUser/AnomalousBehavior" then mapped "T1484" to "technique_label.value". - If "product_event_type" in ["Backdoor:EC2/Spambot", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Impact:EC2/AbusedDomainRequest.Reputation", "Impact:EC2/BitcoinDomainRequest.Reputation", "Impact:EC2/MaliciousDomainRequest.Reputation", "Impact:EC2/PortSweep", "Impact:EC2/SuspiciousDomainRequest.Reputation", "Impact:EC2/WinRMBruteForce", "UnauthorizedAccess:EC2/TorRelay"] then mapped "T1496" to "technique_label.value". - If "product_event_type" in ["Backdoor:EC2/DenialOfService.Dns", "Backdoor:EC2/DenialOfService.Tcp", "Backdoor:EC2/DenialOfService.Udp", "Backdoor:EC2/DenialOfService.UdpOnTcpPorts", "Backdoor:EC2/DenialOfService.UnusualProtocol"] then mapped "T1498" to "technique_label.value". - If "product_event_type" in ["Discovery:S3/MaliciousIPCaller", "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller"] then mapped "T1526" to "technique_label.value". - If "product_event_type" is "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B" then mapped "T1538" to "technique_label.value". - If "product_event_type" is "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" then mapped "T1552" to "technique_label.value". - If "product_event_type" is "CredentialAccess:IAMUser/AnomalousBehavior" then mapped "T1555" to "technique_label.value". - If "product_event_type" in ["DefenseEvasion:IAMUser/AnomalousBehavior", "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted", "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted", "Stealth:IAMUser/CloudTrailLoggingDisabled", "Stealth:IAMUser/PasswordPolicyChange", "Stealth:S3/ServerAccessLoggingDisabled"] then mapped "T1562" to "technique_label.value". - If "product_event_type" in ["Impact:IAMUser/AnomalousBehavior", "Impact:S3/MaliciousIPCaller"] then mapped "T1565" to "technique_label.value". - If "product_event_type" is "Trojan:EC2/PhishingDomainRequest!DNS" then mapped "T1566" to "technique_label.value". - If "product_event_type" in ["Exfiltration:IAMUser/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller", "Exfiltration:S3/ObjectRead.Unusual", "Trojan:EC2/DNSDataExfiltration", "Trojan:EC2/DropPoint", "Trojan:EC2/DropPoint!DNS"] then mapped "T1567" to "technique_label.value". - If "product_event_type" in ["Trojan:EC2/DGADomainRequest.C!DNS", "Trojan:EC2/DGADomainRequest.B"] then mapped "T1568" to "technique_label.value". - If "product_event_type" == "UnauthorizedAccess:EC2/MetadataDNSRebind" then mapped "T1580" to "technique_label. - If "product_event_type" in ["Recon:IAMUser/MaliciousIPCaller", "Recon:IAMUser/MaliciousIPCaller.Custom", "Recon:IAMUser/TorIPCaller"] then mapped "T1589" to "technique_label.value". - If "product_event_type" in ["Recon:EC2/PortProbeEMRUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"] then mapped "T1595" to "technique_label.value". - If [technique_label][value] in ["T1595", "T1592", "T1589", "T1590", "T1591", "T1598", "T1597", "T1596", "T1593", "T1594"] then mapped "Reconnaissance" to "tatic_label.value". - If [technique_label][value] in ["T1583", "T1586", "T1584", "T1587", "T1585", "T1588"] then mapped "ResourceDevelopment" to "tatic_label.value". - If [technique_label][value] in ["T1189", "T1190", "T1133", "T1200", "T1566", "T1091", "T1195", "T1199", "T1078"] then mapped "InitialAccess" to "tatic_label.value". - If [technique_label][value] in ["T1059", "T1203", "T1559", "T1106", "T1053", "T1129", "T1072", "T1569", "T1204", "T1047"] then mapped "Execution" to "tatic_label.value". - If [technique_label][value] in ["T1098", "T1197", "T1547", "T1037", "T1176", "T1554", "T1136", "T1543", "T1546", "T1133", "T1574", "T1525", "T1137", "T1542", "T1053", "T1505", "T1205", "T1078"] then mapped "Persistence" to "tatic_label.value". - If [technique_label][value] in ["T1548", "T1134", "T1547", "T1037", "T1543", "T1484", "T1546", "T1068", "T1574", "T1055", "T1053", "T1078"] then mapped "PrivilegeEscalation" to "tatic_label.value". - If [technique_label][value] in ["T1548", "T1134", "T1197", "T1140", "T1006", "T1484", "T1480", "T1211", "T1222", "T1564", "T1574", "T1562", "T1070", "T1202", "T1036", "T1556", "T1578", "T1112", "T1601", "T1599", "T1027", "T1542", "T1055", "T1207", "T1014", "T1218", "T1216", "T1553", "T1221", "T1205", "T1127", "T1535", "T1550", "T1078", "T1497", "T1600", "T1220"] then mapped "DefenseEvasion" to "tatic_label.value". - If [technique_label][value] in ["T1110", "T1555", "T1212", "T1187", "T1606", "T1056", "T1557", "T1556", "T1040", "T1003", "T1528", "T1558", "T1539", "T1111", "T1552"] then mapped "CredentialAccess" to "tatic_label.value". - If [technique_label][value] in ["T1087", "T1010", "T1217", "T1580", "T1538", "T1526", "T1482", "T1083", "T1046", "T1135", "T1040", "T1201", "T1120", "T1069", "T1057", "T1012", "T1018", "T1518", "T1082", "T1016", "T1049", "T1033", "T1007", "T1124", "T1497"] then mapped "Discovery" to "tatic_label.value". - If [technique_label][value] in ["T1210", "T1534", "T1570", "T1563", "T1021", "T1091", "T1072", "T1080", "T1550"] then mapped "LateralMovement" to "tatic_label.value". - If [technique_label][value] in ["T1560", "T1123", "T1119", "T1115", "T1530", "T1602", "T1213", "T1005", "T1039", "T1025", "T1074", "T1114", "T1056", "T1185", "T1557", "T1113", "T1125"] then mapped "Collection" to "tatic_label.value". - If [technique_label][value] in ["T1071", "T1092", "T1132", "T1001", "T1568", "T1573", "T1008", "T1105", "T1104", "T1095", "T1571", "T1572", "T1090", "T1219", "T1205", "T1102"] then mapped "CommandAndControl" to "tatic_label.value". - If [technique_label][value] in ["T1020", "T1030", "T1048", "T1041", "T1011", "T1052", "T1567", "T1029", "T1537"] then mapped "Exfiltration" to "tatic_label.value". - If [technique_label][value] in ["T1531", "T1485", "T1486", "T1565", "T1491", "T1561", "T1499", "T1495", "T1490", "T1498", "T1496", "T1489", "T1529"] then mapped "Impact" to "tatic_label.value". |
| 2022-11-10 | Enhancement
- Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash" to "principal.file.sha256". - Mapped "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath" to "principal.file.full_path". - Mapped "service.action.dnsRequestAction.domain" to "network.dns.questions.name". - Mapped "resource.kubernetesDetails.kubernetesUserDetails.username" to "principal.user.userid". |
| 2022-09-12 | Feature Request:
- Mapped 'security_result.category', 'metadata.event_type', 'resource_type', 'resource_subtype' appropriately for logs types - 'IAM', 'S3', 'KUBERNETES', 'MALWARE', 'EC2'. |
| 2022-08-11 | Feature Request:
- Replaced 'GENERIC_EVENT' type to 'STATUS_UPDATE' or 'USER_RESOURCE_ACCESS' event_type. |
| 2022-07-20 | Enhancement:
- Changed mapping for "service.resourceRole" from "additional.resource_role" to "principal.resource.attribute.roles.name". - Changed mapping for "service.count" from "additional.fields" to "principal.resource.attribute.label" - Changed mapping for "resource.instanceDetails.imageDescription" from "additional.fields" to "principal.resource.attribute.label" - if "type" value in "Discovery:S3/MaliciousIPCaller", "Policy:S3/BucketPublicAccessGranted", "UnauthorizedAccess:S3/TorIPCaller", "Policy:S3/BucketAnonymousAccessGranted", "UnauthorizedAccess:EC2/TorRelay": - mapped "resource.instanceDetails.instanceId" to "target.resource.product_object_id" - mapped "resource.instanceDetails.instanceType" to "target.resource.name" |
| 2022-07-08 | Enhancement:
- Modified mapping for "network_interface.securityGroups.0.groupId" from "target.user.groupid" to "target.user.group_identifiers". |
| 2022-05-27 | Enhancement - Modified the value stored in metadata.product_name to 'AWS GuardDuty' and metadata.vendor_name to 'AMAZON'.
|
| 2022-05-26 | Enhancement - Modified mappings for following fields
- Changed mapping for field "region" from "target.location.country_or_region" to "target.location.name" - Changed mapping for field "resource.instanceDetails.tags[n]" from "additional.fields[n]" to "target.asset.attribute.labels[n]" - "service.action.networkConnectionAction.remoteIpDetails.country.countryName" mapped to "target.location.country_or_region" |
| 2022-03-31 | Enhancement
If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown" value mapped to principal.application. Entire list within "tags" field mapped to key-value fields. "service.action.networkConnectionAction.protocol" mapped to network.ip_protocol "service.action.networkConnectionAction.blocked" mapped to security_result.action "severity" mapped to security_result.severity_details If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id. In s3BucketDetails: - "arn" mapped to target.asset.attribute.cloud.project.product_object_id. - "name" mapped to target.resource.name. - "encryptionType" mapped to network.tls.supported_ciphers. - "owner.id mapped to target.resource.attribute.labels. Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList: - mapped "allowsPublicReadAccess" to additional.fields attribute. - mapped "allowsPublicWriteAccess" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy: - mapped "allowsPublicReadAccess" to additional.fields attribute. - mapped "allowsPublicWriteAccess" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess: - mapped "ignorePublicAcls" to additional.fields attribute. - mapped "restrictPublicBuckets" to additional.fields attribute. - mapped "blockPublicAcls" to additional.fields attribute. - mapped "blockPublicPolicy" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess mapped ignorePublicAcls to additional.fields attribute. "restrictPublicBuckets" to additional.fields attribute. "blockPublicAcls" to additional.fields attribute. "blockPublicPolicy" to additional.fields attribute. Under service.action.awsApiCallAction.remoteIpDetails.organization: - "asn" mapped to additional.fields attribute. - "asnOrg" mapped to additional.fields attribute. - "isp" mapped to additional.fields attribute. - "org" mapped to additional.fields attribute. Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" additional.fields attribute. If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id. - resource.instanceDetails.instanceId mapped to target.resource.id - resource.instanceDetails.instanceType mapped to target.resource.name - resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id Values under resource.instanceDetails.tags mapped the following fields: - target.user.userid if the key is "ApplicationOwner". - target.application if the key is "Application". - user.email_addresses if the key is "Contact". - additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule". service.action.dnsRequestAction.protocol mapped network.ip_protocol if value is not 0. service.action.networkConnectionAction.blocked mapped to security_result.action. "severity" mapped to security_result.severity_details. |
| 2022-03-25 | Enhancement - Port udm is not a repeated field. This makes it unsuitable to capture a lot of ports from a log. This change uses about.port instead.
|