
Handle the case when a single API call name is sent as a json dict instead of a single-element list
mpurzynski committed Dec 12, 2019
1 parent ef636a1 commit ef3944fdbb70140c5abc72150396f58c09d5b890
Showing with 34 additions and 43 deletions.
  1. +9 −2 mq/esworker_guardduty.py
  2. +25 −41 mq/plugins/guardduty_mapping.yml
@@ -87,9 +87,16 @@ def on_message(self, message_raw):
message["details"]["finding"]["additionalInfo"]["apiCalls"] = message["details"]["finding"][
"action"
]["awsApiCallAction"]
for call in message["details"]["finding"]["additionalInfo"]["apiCalls"]:
if type(message["details"]["finding"]["additionalInfo"]["apiCalls"]) == list:
for call in message["details"]["finding"]["additionalInfo"]["apiCalls"]:
isolatedmessage = message
isolatedmessage["details"]["finding"]["apicalls"] = call
self.build_submit_message(isolatedmessage)
else:
isolatedmessage = message
isolatedmessage["details"]["finding"]["apicalls"] = call
isolatedmessage["details"]["finding"]["apicalls"] = message["details"]["finding"][
"additionalInfo"
]["apiCalls"]
self.build_submit_message(isolatedmessage)
else:
self.build_submit_message(message)
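Review bot: `isolatedmessage = message` in both new branches binds the same dict rather than isolating anything, so each loop iteration overwrites `["apicalls"]` on the one object that was already handed to build_submit_message; the aliasing predates this commit, but if build_submit_message retains the message instead of serialising it immediately, every submitted record ends up carrying the last call, and a per-iteration `copy.deepcopy(message)` would make the name true. On the new `if` line, `type(...) == list` should be `isinstance(...)`, and the four-level lookup is repeated four times: `api_calls = message["details"]["finding"]["additionalInfo"]["apiCalls"]`, `if isinstance(api_calls, list):`, `for call in api_calls:`. Anything that is neither a list nor the dict the title describes silently takes the else branch, so a comment such as `# apiCalls is either a list of {name,...} entries or a single awsApiCallAction dict` on the `if` would tell the next reader which two shapes are expected, and a log line for any other shape would make a silently unmapped finding visible. on_message begins before this hunk, and the three-line assignment at the top is context, not part of this change.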
@@ -1048,111 +1048,95 @@
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Recon:IAMUser/MaliciousIPCaller.Custom:
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Recon:IAMUser/MaliciousIPCaller:
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Recon:IAMUser/NetworkPermissions:
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Recon:IAMUser/ResourcePermissions:
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Recon:IAMUser/UserPermissions:
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
direction: details.finding.action.networkConnectionAction.connectionDirection
apiname: details.finding.apicalls.name
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId

Persistence:IAMUser/ResourcePermissions:
findingid: details.id
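Review bot: Each finding block in this hunk carries repeated keys — `apiname` once as `details.finding.apicalls.api` and again as `details.finding.apicalls.name`, and `accesskeyid`/`principalid` twice — and without the old/new markers it is not clear which member of each pair is on the new side. If both survive, a YAML loader keeps only the last value for a duplicate key, so the `.api` path (the single-call dict form the companion Python change introduces) would never be mapped and only `.name` would be honoured. If the intent is to cover both the list-element shape and the single-call shape, that needs two distinct destination keys or a fallback in the worker, not two `apiname` lines in one mapping. The hunk starts mid-document at line 1048 and the `Persistence:IAMUser/ResourcePermissions` block at the end continues past it.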
