Change log for GUARDDUTY

Date	Changes
2022-03-31	Enhancement If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown" value mapped to principal.application. Entire list within "tags" field mapped to key-value fields. "service.action.networkConnectionAction.protocol" mapped to network.ip_protocol "service.action.networkConnectionAction.blocked" mapped to security_result.action "severity" mapped to security_result.severity_details If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id. In s3BucketDetails: - "arn" mapped to target.asset.attribute.cloud.project.product_object_id. - "name" mapped to target.resource.name. - "encryptionType" mapped to network.tls.supported_ciphers. - "owner.id mapped to target.resource.attribute.labels. Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList: - mapped "allowsPublicReadAccess" to additional.fields attribute. - mapped "allowsPublicWriteAccess" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy: - mapped "allowsPublicReadAccess" to additional.fields attribute. - mapped "allowsPublicWriteAccess" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess: - mapped "ignorePublicAcls" to additional.fields attribute. - mapped "restrictPublicBuckets" to additional.fields attribute. - mapped "blockPublicAcls" to additional.fields attribute. - mapped "blockPublicPolicy" to additional.fields attribute. --- Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess mapped ignorePublicAcls to additional.fields attribute. "restrictPublicBuckets" to additional.fields attribute. "blockPublicAcls" to additional.fields attribute. "blockPublicPolicy" to additional.fields attribute. Under service.action.awsApiCallAction.remoteIpDetails.organization: - "asn" mapped to additional.fields attribute. - "asnOrg" mapped to additional.fields attribute. - "isp" mapped to additional.fields attribute. - "org" mapped to additional.fields attribute. Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" additional.fields attribute. If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id. - resource.instanceDetails.instanceId mapped to target.resource.id - resource.instanceDetails.instanceType mapped to target.resource.name - resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id Values under resource.instanceDetails.tags mapped the following fields: - target.user.userid if the key is "ApplicationOwner". - target.application if the key is "Application". - user.email_addresses if the key is "Contact". - additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule". service.action.dnsRequestAction.protocol mapped network.ip_protocol if value is not 0. service.action.networkConnectionAction.blocked mapped to security_result.action. "severity" mapped to security_result.severity_details.
2022-03-25	Enhancement - Port udm is not a repeated field. This makes it unsuitable to capture a lot of ports from a log. This change uses about.port instead.

Date

Changes

2022-03-31

Enhancement
If service.action.networkConnectionAction.localPortDetails.portName is not "Unknown" value mapped to principal.application.
Entire list within "tags" field mapped to key-value fields.
"service.action.networkConnectionAction.protocol" mapped to network.ip_protocol
"service.action.networkConnectionAction.blocked" mapped to security_result.action
"severity" mapped to security_result.severity_details
If service.action.actionType is AWS_API_CALL, "accessKeyId" mapped to target.resource.id.
In s3BucketDetails:
- "arn" mapped to target.asset.attribute.cloud.project.product_object_id.
- "name" mapped to target.resource.name.
- "encryptionType" mapped to network.tls.supported_ciphers.
- "owner.id mapped to target.resource.attribute.labels.
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy:
- mapped "allowsPublicReadAccess" to additional.fields attribute.
- mapped "allowsPublicWriteAccess" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess:
- mapped "ignorePublicAcls" to additional.fields attribute.
- mapped "restrictPublicBuckets" to additional.fields attribute.
- mapped "blockPublicAcls" to additional.fields attribute.
- mapped "blockPublicPolicy" to additional.fields attribute.
---
Under resource.s3BucketDetails.0.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess
mapped ignorePublicAcls to additional.fields attribute.
"restrictPublicBuckets" to additional.fields attribute.
"blockPublicAcls" to additional.fields attribute.
"blockPublicPolicy" to additional.fields attribute.
Under service.action.awsApiCallAction.remoteIpDetails.organization:
- "asn" mapped to additional.fields attribute.
- "asnOrg" mapped to additional.fields attribute.
- "isp" mapped to additional.fields attribute.
- "org" mapped to additional.fields attribute.
Under service.action.awsApiCallAction.affectedResources, mapped "AWS::S3::Bucket" additional.fields attribute.
If service.action.actionType is DNS_REQUEST, "accessKeyId" mapped to target.resource.id.
- resource.instanceDetails.instanceId mapped to target.resource.id
- resource.instanceDetails.instanceType mapped to target.resource.name
- resource.instanceDetails.networkInterfaces.0.vpcId mapped to target.asset.attribute.cloud.vpc.id
Values under resource.instanceDetails.tags mapped the following fields:
- target.user.userid if the key is "ApplicationOwner".
- target.application if the key is "Application".
- user.email_addresses if the key is "Contact".
- additional.fields if the key is "Name", "DAM_Project", "Project", or "ehc:C3Schedule".
service.action.dnsRequestAction.protocol mapped network.ip_protocol if value is not 0.
service.action.networkConnectionAction.blocked mapped to security_result.action.
"severity" mapped to security_result.severity_details.

2022-03-25

Enhancement - Port udm is not a repeated field. This makes it unsuitable to capture a lot of ports from a log. This change uses about.port instead.