awsdocs / amazon-guardduty-user-guide

The open source version of the Amazon GuardDuty documentation. You can provide feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

Fix finding name for ObjectDestruction.Unusual #14

Status: Closed (dawhalen closed this 4 years ago)

dawhalen commented 4 years ago

Issue #, if available: N/A

Description of changes: Correct the finding name from Impact:S3/ObjectDelete.Unusual to Impact:S3/ObjectDestruction.Unusual

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

davlaur commented 4 years ago

Thank you for reaching out. Can you please provide more info on the rationale for this change (i.e., are you seeing this finding listed as Impact:S3/ObjectDestruction.Unusual somewhere)?

dawhalen commented 4 years ago

Hi @davlaur, yes, we are seeing this finding listed as Impact:S3/ObjectDestruction.Unusual when GuardDuty generates the alert (we have seen this across multiple AWS environments).

davlaur commented 4 years ago

Thank you for your follow-up. I may need to bring this to our engineering team and I'd like to get as much info as possible. Can you please provide an example or any other potentially relevant details, such as: what format are you seeing this in? (console, findings JSON, CloudWatch Event etc) and what regions have you noticed this in?

dawhalen commented 4 years ago

Hi @davlaur, we are seeing this in the findings JSON from the GuardDuty API. We've seen two of these alerts recently in the ap-southeast-2 region.

Here is an example:

```json
{
  "CreatedAt": "2020-08-06T07:01:41.194Z",
  "Resource": {
    "ResourceType": "AccessKey",
    "AccessKeyDetails": {
      "AccessKeyId": "ASDF123",
      "UserName": "USERNAME",
      "UserType": "AssumedRole",
      "PrincipalId": "PRINCIPAL"
    }
  },
  "Description": "Impact:S3/ObjectDestruction.Unusual",
  "Severity": 5,
  "Id": "FINDINGID",
  "Arn": "arn:aws:guardduty:ap-southeast-2:ACCOUNTID:detector/DETECTORID/finding/FINDINGID",
  "SchemaVersion": "2.0",
  "Type": "Impact:S3/ObjectDestruction.Unusual",
  "UpdatedAt": "2020-08-06T07:01:41.194Z",
  "AccountId": "ACCOUNTID",
  "Title": "Impact:S3/ObjectDestruction.Unusual",
  "Partition": "aws",
  "Region": "ap-southeast-2",
  "Service": {
    "Archived": false,
    "ResourceRole": "TARGET",
    "DetectorId": "DETECTORID",
    "Count": 1,
    "ServiceName": "guardduty",
    "EventLastSeen": "2020-08-06T06:47:08Z",
    "Action": {
      "AwsApiCallAction": {
        "Api": "DeleteBucket",
        <.....>
        "CallerType": "Remote IP",
        "ServiceName": "s3.amazonaws.com"
      },
      "ActionType": "AWS_API_CALL"
    },
    "EventFirstSeen": "2020-08-06T06:46:46Z"
  }
}
```

davlaur commented 4 years ago

Hi @dawhalen, this finding underwent a name change shortly after release from Impact:S3/ObjectDestruction.Unusual to Impact:S3/ObjectDelete.Unusual.

Going forward, this finding should appear as Impact:S3/ObjectDelete.Unusual. However, if you continue to see the old name, we encourage you to report this through the feedback button in the GuardDuty console.

I hope this helps, thank you for your request!
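The practical lesson of this thread is that a finding type can be renamed after release, so a consumer that matches on the exact string Impact:S3/ObjectDelete.Unusual silently drops findings still emitted under the old name (and one that matches on Title or Description is relying on free text). The following is an added example, not code from the GuardDuty documentation or from this repository: it normalizes legacy type names through an alias table before routing, reads the same finding whether it arrives in the PascalCase shape returned by the GetFindings API (as posted above) or in the camelCase `detail` shape that EventBridge delivers, and only pages when the finding is not archived. The alias table, the paging policy, the function names and both sample findings are constructed for this illustration; the one rename it lists is the one confirmed in this thread.

```python
"""Normalize GuardDuty finding types across a rename before routing them.

Added example, not part of the GuardDuty docs. FINDING_TYPE_ALIASES,
PAGE_ON_TYPES, triage() and the sample findings below are assumptions made
for illustration; the rename itself is the one discussed in this thread.
"""
from __future__ import annotations

import json
from typing import Any

# Legacy finding type name -> current name. Extend as further renames appear.
FINDING_TYPE_ALIASES = {
    "Impact:S3/ObjectDestruction.Unusual": "Impact:S3/ObjectDelete.Unusual",
}

# Assumed on-call policy: which (current) finding types page a responder.
PAGE_ON_TYPES = {"Impact:S3/ObjectDelete.Unusual"}


def normalize_finding_type(finding_type: str) -> str:
    """Return the current name for a finding type, mapping legacy aliases."""
    return FINDING_TYPE_ALIASES.get(finding_type, finding_type)


def _field(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk a nested finding by PascalCase path, also accepting camelCase keys.
    GetFindings returns PascalCase ("Type"); the same finding delivered via
    EventBridge carries camelCase keys under "detail" ("type")."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict):
            return default
        camel = key[0].lower() + key[1:]
        if key in cur:
            cur = cur[key]
        elif camel in cur:
            cur = cur[camel]
        else:
            return default
    return cur


def triage(finding: dict[str, Any]) -> dict[str, Any]:
    """Reduce one finding to a routing decision. Matches on the normalized
    Type field only, never on Title/Description (free text)."""
    raw_type = _field(finding, "Type")
    if raw_type is None:
        raise ValueError("not a GuardDuty finding: no Type field")
    ftype = normalize_finding_type(raw_type)
    archived = bool(_field(finding, "Service", "Archived", default=False))
    return {
        "id": _field(finding, "Id"),
        "region": _field(finding, "Region"),
        "severity": _field(finding, "Severity"),
        "type": ftype,
        "renamed": ftype != raw_type,  # flag so the old name can be reported
        "api": _field(finding, "Service", "Action", "AwsApiCallAction", "Api"),
        "principal": _field(finding, "Resource", "AccessKeyDetails", "PrincipalId"),
        "user_type": _field(finding, "Resource", "AccessKeyDetails", "UserType"),
        "page": ftype in PAGE_ON_TYPES and not archived,
    }


def triage_event(event: dict[str, Any]) -> dict[str, Any]:
    """EventBridge wraps the finding in event["detail"] with camelCase keys."""
    return triage(event["detail"])


# Constructed sample mirroring the redacted API finding posted in this thread.
SAMPLE_API_FINDING = {
    "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {
        "AccessKeyId": "ASDF123", "UserName": "USERNAME",
        "UserType": "AssumedRole", "PrincipalId": "PRINCIPAL"}},
    "Description": "Impact:S3/ObjectDestruction.Unusual",
    "Severity": 5, "Id": "FINDINGID", "SchemaVersion": "2.0",
    "Type": "Impact:S3/ObjectDestruction.Unusual",
    "Title": "Impact:S3/ObjectDestruction.Unusual",
    "Region": "ap-southeast-2",
    "Service": {"Archived": False, "Count": 1, "Action": {
        "AwsApiCallAction": {"Api": "DeleteBucket", "CallerType": "Remote IP",
                             "ServiceName": "s3.amazonaws.com"},
        "ActionType": "AWS_API_CALL"}},
}

# Constructed EventBridge delivery of an archived finding under the new name.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "FINDINGID2", "region": "ap-southeast-2", "severity": 5,
        "type": "Impact:S3/ObjectDelete.Unusual",
        "resource": {"accessKeyDetails": {"principalId": "PRINCIPAL",
                                          "userType": "IAMUser"}},
        "service": {"archived": True,
                    "action": {"awsApiCallAction": {"api": "DeleteObject"}}},
    },
}

if __name__ == "__main__":
    for decision in (triage(SAMPLE_API_FINDING), triage_event(SAMPLE_EVENT)):
        print(json.dumps(decision))
```

With the alias table in place, the finding posted in this thread routes as Impact:S3/ObjectDelete.Unusual with `renamed` set, which is the signal to report the stale name through the console feedback button as suggested above; the second sample shows that an archived finding under the current name is read correctly from the EventBridge shape but does not page.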