
AWS GuardDuty

AWS GuardDuty

About

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Product Details

Vendor URL: https://aws.amazon.com/guardduty/

Product Type: EDR

Product Tier: Tier I

Integration Method: AWS S3 Bucket

Integration URL: AWS S3 Bucket

Parser Details

Fill in the following fields for parser details

Log Format: JSON

Expected Normalization Rate: 95-100%

Data Label: GUARDDUTY

UDM Fields (all UDM fields populated by the parser):

Log File Field UDM Field
id metadata.product_log_id
detail-type metadata.product_event_type
service.serviceName metadata.description
resource.instanceDetails.networkInterfaces.publicIp principal.ip
accountId principal.group.product_object_id
region principal.location.country_or_region
tag.value target.user.userid
network_interface.securityGroups.groupId target.user.groupid
securityGroup.groupName target.user.group_identifiers
resource.instanceDetails.platform target.asset.platform_software.platform_version
resource.instanceDetails.networkInterfaces.vpcId target.asset.attribute.cloud.vpc.id
partition target.asset.attribute.cloud.project.type
id target.asset.attribute.cloud.project.id
arn target.asset.attribute.cloud.project.product_object_id
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4 target.ip
service.action.portProbeAction.portProbeDetails.localPortDetails.port target.port
tag.value target.application
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName target.location.country_or_region
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat target.location.region_latitude
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon target.location.region_longitude
resource.instanceDetails.networkInterfaces.privateIpAddress intermediary.ip
service.additionalInfo.threatName security_result.threat_name
title security_result.summary
description security_result.description

Product Event Types

Event UDM Event Classification
Policy:S3/BucketBlockPublicAccessDisabled RESOURCE_READ
UnauthorizedAccess:EC2/RDPBruteForce, Impact:EC2/PortSweep, UnauthorizedAccess:EC2/TorClient, UnauthorizedAccess:EC2/SSHBruteForce, Backdoor:EC2/Spambot, Behavior:EC2/TrafficVolumeUnusual, Recon:EC2/Portscan, Behavior:EC2/NetworkPortUnusual NETWORK_CONNECTION
Recon:EC2/PortProbeUnprotectedPort SCAN_HOST
Stealth:IAMUser/CloudTrailLoggingDisabled, UnauthorizedAccess:IAMUser, Discovery:IAMUser/AnomalousBehavior, Policy:IAMUser/RootCredentialUsage USER_RESOURCE_ACCESS
all others GENERIC_EVENT

Log Sample

{"schemaVersion":"2.0","accountId":"012345678901","region":"eu-central-1","partition":"aws","id":"0123456789abcdef0123456789abcdef","arn":"arn:aws:guardduty:eu-central-1:012345678901:detector/0123456789abcdef0123456789abcdef01/finding/0123456789abcdef0123456789abcdef02","type":"Recon:EC2/PortProbeUnprotectedPort","resource":{"resourceType":"Instance","instanceDetails":{"imageId":"ami-9876543210abcdef5","instanceId":"i-9876543210abcdef5","instanceType":"t2.xlarge","launchTime":"2021-08-11T09:38:17.000Z","platform":"windows","productCodes":[{"productCodeId":"dftg365wfgt145decsa2369fg","productCodeType":"marketplace"}],"iamInstanceProfile":{"arn":"arn:aws:iam::012345678901:instance-profile/SSMCloudWatchInstanceRole","id":"AIPASZSJUWL6VM3UMKZ5K"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-05d738c2a2978bf93","privateDnsName":"ip-172-16-217-212.eu-central-1.compute.internal","privateIpAddress":"172.16.217.212","privateIpAddresses":[{"privateDnsName":"ip-172-16-217-212.eu-central-1.compute.internal","privateIpAddress":"172.16.217.212"}],"subnetId":"subnet-01234567896543abc","vpcId":"vpc-01234567896543abc","securityGroups":[{"groupName":"SC-012345678901-pp-0123dfjenchtl-InstanceSG-1SH4ISOMF8BK","groupId":"sg-01234567896543abc"}],"publicDnsName":"ec1-2-34-567-890.eu-central-1.compute.amazonaws.com","publicIp":"192.168.8.10"}],"outpostArn":null,"tags":[{"key":"aws:cloudformation:logical-id","value":"EC2Instance"},{"key":"aws:servicecatalog:portfolioArn","value":"arn:aws:catalog:eu-central-1:654321987321:portfolio/port-abrncfgd12345"},{"key":"aws:cloudformation:stack-name","value":"SC-012345678901-pp-abdhrcjk12345"},{"key":"AppCat","value":"bronze"},{"key":"Environment","value":"dev"},{"key":"flagged","value":"y"},{"key":"aws:cloudformation:stack-id","value":"arn:aws:cloudformation:eu-central-1:012345678901:stack/SC-012345678901-pp-abdhrcjk12345/1a61df80-f48d-11eb-a6bf-0a87f8db6abe"},{"key":"backup","value":"n"},{"key":"aws:servicecatalog:provisionedProductArn","value":"arn:aws:servicecatalog:eu-central-1:012345678901:stack/Windows_EC2_Instance__IOT_-_Model_5_-08031832/pp-abdhrcjk12345"},{"key":"BusinessUnit","value":"HVAC"},{"key":"Application","value":"jon.doe@gmail.com,jane.doe@gmail.com"},{"key":"lxAppId","value":"APP-01664"},{"key":"Version","value":""},{"key":"MaxLifeTime","value":"1y"},{"key":"Stopped","value":"True"},{"key":"FQDN","value":""},{"key":"aws:servicecatalog:provisioningPrincipalArn","value":"arn:aws:sts::012345678901:assumed-role/AWSReservedSSO_SupportG-AWS-GCSOps_605778c0e395721b/jane.doe@gmail.com"},{"key":"ServerRole","value":"Database Server"},{"key":"CostCenter","value":"IC990272"},{"key":"ApplicationOwner","value":"jon.doe@gmail.com"},{"key":"ComplianceRequirement","value":""},{"key":"timestamp","value":"1629887588.0"},{"key":"Name","value":"VMC12345SA678"},{"key":"Patching","value":"Excluded from patching - LTI"},{"key":"Patching_Tag","value":"Excluded from patching - LTI"},{"key":"aws:servicecatalog:provisioningArtifactIdentifier","value":"pa-0123456789012"},{"key":"aws:servicecatalog:productArn","value":"arn:aws:catalog:eu-central-1:012345678901:product/prod-9876543210987"}],"instanceState":"running","availabilityZone":"eu-central-1a"}},"service":{"serviceName":"guardduty","detectorId":"9876543210dfg0123456789d","action":{"actionType":"PORT_PROBE","portProbeAction":{"portProbeDetails":[{"localPortDetails":{"port":443,"portName":"Unknown"},"remoteIpDetails":{"ipAddressV4":"192.168.3.5","organization":{"asn":"555555","asnOrg":"My Org","isp":"My ISP","org":"My ISPs Org"},"country":{"countryName":"United States"},"city":{"cityName":""},"geoLocation":{"lat":38.123,"lon":-94.321}}},{"localPortDetails":{"port":445,"portName":"SMB"},"remoteIpDetails":{"ipAddressV4":"192.168.3.2","organization":{"asn":"555555","asnOrg":"My Org","isp":"My ISP","org":"My ISPs Org"},"country":{"countryName":"United States"},"city":{"cityName":""},"geoLocation":{"lat":12.345,"lon":-54.321}}},{"localPortDetails":{"port":135,"portName":"Unknown"},"remoteIpDetails":{"ipAddressV4":"192.168.5.1","organization":{"asn":"555555","asnOrg":"My Org","isp":"My ISP","org":"My ISPs Org"},"country":{"countryName":"United States"},"city":{"cityName":""},"geoLocation":{"lat":98.765,"lon":-56.789}}},{"localPortDetails":{"port":139,"portName":"NetBIOS"},"remoteIpDetails":{"ipAddressV4":"192.168.5.4","organization":{"asn":"55555","asnOrg":"Your Org.","isp":"Your ISP","org":"Your ISPs Org"},"country":{"countryName":"Monaco"},"city":{"cityName":"Monaco"},"geoLocation":{"lat":98.876,"lon":56.789}}},{"localPortDetails":{"port":5986,"portName":"Unknown"},"remoteIpDetails":{"ipAddressV4":"192.168.1.1","organization":{"asn":"444444","asnOrg":"Their Org","isp":"Their ISP","org":"Their ISPs Org"},"country":{"countryName":"United States"},"city":{"cityName":""},"geoLocation":{"lat":12.345,"lon":-54.321}}}],"blocked":false}},"resourceRole":"TARGET","additionalInfo":{"threatListName":"ProofPoint","value":"{\"threatListName\":\"ProofPoint\"}","type":"default"},"evidence":{"threatIntelligenceDetails":[{"threatNames":[],"threatListName":"ProofPoint"}]},"eventFirstSeen":"2023-05-23T18:46:03.000Z","eventLastSeen":"2023-05-31T20:43:04.000Z","archived":false,"count":205},"severity":2,"createdAt":"2023-05-23T19:04:41.461Z","updatedAt":"2023-05-31T20:57:49.939Z","title":"Unprotected port on EC2 instance i-1234567890abcdef5 is being probed.","description":"EC2 instance has an unprotected port which is being probed by a known malicious host."}

Sample Parsing

metadata.product_log_id = "0123456789abcdef0123456789abcdef"
metadata.product_event_type = "Recon:EC2/PortProbeUnprotectedPort"
metadata.event_type = "SCAN_HOST"
metadata.description = "guardduty"
principal.ip = "192.168.8.10"
principal.group.product_object_id = "012345678901"
principal.location.country_or_region = "eu-central-1"
target.user.userid = "jon.doe@gmail.com"
target.user.groupid = "sg-01234567896543abc"
target.user.group_identifiers = "SC-012345678901-pp-0123dfjenchtl-InstanceSG-1SH4ISOMF8BK"
target.asset.platform_software.platform_version = "windows"
target.asset.attribute.cloud.vpc.id = "vpc-01234567896543abc"
target.asset.attribute.cloud.project.type = "aws"
target.asset.attribute.cloud.project.id = "0123456789abcdef0123456789abcdef"
target.asset.attribute.cloud.project.product_object_id = "arn:aws:guardduty:eu-central-1:012345678901:detector/0123456789abcdef0123456789abcdef01/finding/0123456789abcdef0123456789abcdef02"
target.ip = "192.168.3.5"
target.ip = "192.168.3.2"
target.ip = "192.168.5.1"
target.ip = "192.168.5.4"
target.ip = "192.168.1.1"
target.port = "5986"
target.application = "jon.doe@gmail.com,jane.doe@gmail.com"
target.location.country_or_region = "United States"
target.location.region_latitude = "38.123"
target.location.region_longitude = "-94.321"
intermediary.ip = "172.16.217.212"
security_result.threat_name = "ProofPoint"
security_result.summary = "Unprotected port on EC2 instance i-1234567890abcdef5 is being probed."
security_result.description = "EC2 instance has an unprotected port which is being probed by a known malicious host."