Change log for GUARDDUTY

Date Changes
2022-03-31 Enhancement
If "service.action.networkConnectionAction.localPortDetails.portName" is not "Unknown", its value is mapped to principal.application.
Entire list within "tags" field mapped to key-value fields.
"service.action.networkConnectionAction.protocol" mapped to network.ip_protocol.
"service.action.networkConnectionAction.blocked" mapped to security_result.action.
"severity" mapped to security_result.severity_details.
If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
In s3BucketDetails:
- "arn" mapped to target.asset.attribute.cloud.project.product_object_id.
- "name" mapped to target.resource.name.
- "encryptionType" mapped to network.tls.supported_ciphers.
- "owner.id" mapped to target.resource.attribute.labels.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
- mapped "ignorePublicAcls" to additional.fields attribute.
- mapped "restrictPublicBuckets" to additional.fields attribute.
- mapped "blockPublicAcls" to additional.fields attribute.
- mapped "blockPublicPolicy" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess:
- mapped "ignorePublicAcls" to additional.fields attribute.
- mapped "restrictPublicBuckets" to additional.fields attribute.
- mapped "blockPublicAcls" to additional.fields attribute.
- mapped "blockPublicPolicy" to additional.fields attribute.
Under service.action.awsApiCallAction.remoteIpDetails.organization:
- "asn" mapped to additional.fields attribute.
- "asnOrg" mapped to additional.fields attribute.
- "isp" mapped to additional.fields attribute.
- "org" mapped to additional.fields attribute.
Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" to additional.fields attribute.
If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
- resource.instanceDetails.instanceId mapped to target.resource.id.
- resource.instanceDetails.instanceType mapped to target.resource.name.
- resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id.
Values under resource.instanceDetails.tags mapped to the following fields:
- target.user.userid if the key is "ApplicationOwner".
- target.application if the key is "Application".
- user.email_addresses if the key is "Contact".
- additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
service.action.dnsRequestAction.protocol mapped to network.ip_protocol if the value is not 0.
service.action.networkConnectionAction.blocked mapped to security_result.action.
"severity" mapped to security_result.severity_details.
2022-03-25 Enhancement - The UDM port field is not a repeated field, which makes it unsuitable for capturing many ports from a log. This change uses about.port instead.