assertible / lambda-cloudwatch-slack

Send AWS CloudWatch notifications to a Slack channel using Lambda
https://assertible.com/blog/npm-package-lambda-cloudwatch-slack
MIT License

GuardDuty format #36

Open jerasioren opened 5 years ago

jerasioren commented 5 years ago

Hi,

Do you think it would be possible to add support for the GuardDuty message format? Used as is, the sample output from GuardDuty looks like this:

Message Description version: 0 id: 94fc31e1-8e7f-0234-12d6-4baa425fe901 detail-type: GuardDuty Finding source: aws.guardduty account: *** time: 2019-03-02T21:25:06Z region: eu-west-1 resources: [] detail: {"schemaVersion":"2.0","accountId":"***","region":"eu-west-1","partition":"aws","id":"00b4a024780657c85f1befc2286e957f","arn":"arn:aws:guardduty:eu-west-1:***:detector/1cb46e3bff812aa163e14334dd9751b4/finding/00b4a024780657c85f1befc2286e957f","type":"Persistence:IAMUser/NetworkPermissions","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"IAMUser","userName":"GeneratedFindingUserName"}},"service":{"serviceName":"guardduty","detectorId":"1cb46e3bff812aa163e14334dd9751b4","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"recentApiCalls":[{"api":"GeneratedFindingAPIName1","count":2},{"api":"GeneratedFindingAPIName2","count":2}],"sample":true},"eventFirstSeen":"2019-03-02T21:21:55.724Z","eventLastSeen":"2019-03-02T21:21:55.724Z","archived":false,"count":1},"severity":5,"createdAt":"2019-03-02T21:21:55.724Z","updatedAt":"2019-03-02T21:21:55.724Z","title":"Unusual changes to network permissions by GeneratedFindingUserName.","description":"APIs commonly used to change the network access permissions for security groups, routes and ACLs, was invoked by IAM principal GeneratedFindingUserName. Such activity is not typically seen from this principal."}