elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

aws: guardduty datastream request intervals appear to be incorrectly calculated #8602

Open efd6 opened 10 months ago

efd6 commented 10 months ago

In the AWS GuardDuty data stream, the request time interval appears to be incorrectly calculated. It looks like the httpjson configuration is not correctly handling the updatedAt time interval; during the initial spin-up it repeatedly asks for intervals that are zero length when ISTM they should span from the look-back interval to now. For example ({"updatedAt":{"greaterThan":"1701140400000","lessThan":"1701140400000"}}, both at 2023-11-28T03:00:00Z):

{
  "log.level": "debug",
  "@timestamp": "2023-11-28T03:27:21.233Z",
  "message": "HTTP request",
  "transaction.id": "... -388",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701140400000\"}}},\"maxResults\":50,\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 183,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}

This appears to be due to differential time calculations in the templates and occasionally we end up with non-zero intervals.
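The following Go program is an added illustration of the window problem described in the issue; it is not the integration's httpjson template nor code from the reporter. It reconstructs, as a hypothesis, how two bounds that are each derived from the current time and truncated to the hour collapse to a single instant (both 1701140400000 for the 03:27:21Z request above), and contrasts that with computing both bounds from one snapshot of now: the lower bound from a cursor or the look-back interval, the upper bound from now itself. The function names, the 24h look-back and the cursor handling are assumptions made for the example; the request body shape is the one visible in the debug log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// Window is the updatedAt criterion of a GuardDuty ListFindings request,
// in Unix epoch milliseconds. GuardDuty treats greaterThan/lessThan as the
// inclusive/exclusive bounds of the findings' updatedAt.
type Window struct {
	GreaterThan int64
	LessThan    int64
}

// Empty reports whether the window can never match a finding.
func (w Window) Empty() bool { return w.LessThan <= w.GreaterThan }

// zeroLengthWindow is a hypothetical reconstruction of the failure mode in
// the issue (not the integration's real template): each bound is computed
// independently from the current time and truncated to the hour, so for the
// whole hour the two bounds are identical and the interval is zero length.
func zeroLengthWindow(now time.Time) Window {
	greaterThan := now.Truncate(time.Hour) // evaluated in one template
	lessThan := now.Truncate(time.Hour)    // evaluated in another template
	return Window{GreaterThan: greaterThan.UnixMilli(), LessThan: lessThan.UnixMilli()}
}

// lookbackWindow computes the interval the issue says should be requested:
// from the cursor (last updatedAt seen) when one exists and is newer than
// now-lookback, otherwise from now-lookback, up to now. Both bounds come
// from a single snapshot of now, so they cannot drift apart or collapse.
func lookbackWindow(now time.Time, cursor *time.Time, lookback time.Duration) Window {
	start := now.Add(-lookback)
	if cursor != nil && cursor.After(start) {
		start = *cursor
	}
	return Window{GreaterThan: start.UnixMilli(), LessThan: now.UnixMilli()}
}

// requestBody renders a window into the ListFindings body seen in the debug
// log. GuardDuty expects the millisecond timestamps as JSON strings;
// encoding/json sorts map keys, which reproduces the logged key order.
func requestBody(w Window, maxResults int) (string, error) {
	body := map[string]any{
		"findingCriteria": map[string]any{
			"criterion": map[string]any{
				"updatedAt": map[string]string{
					"greaterThan": strconv.FormatInt(w.GreaterThan, 10),
					"lessThan":    strconv.FormatInt(w.LessThan, 10),
				},
			},
		},
		"maxResults":   maxResults,
		"sortCriteria": map[string]string{"attributeName": "updatedAt", "orderBy": "ASC"},
	}
	b, err := json.Marshal(body)
	return string(b), err
}

func main() {
	// Constructed input: the timestamp of the request in the issue's log.
	now := time.Date(2023, time.November, 28, 3, 27, 21, 233000000, time.UTC)

	for _, w := range []Window{zeroLengthWindow(now), lookbackWindow(now, nil, 24*time.Hour)} {
		body, err := requestBody(w, 50)
		if err != nil {
			panic(err)
		}
		fmt.Printf("empty=%v bytes=%d body=%s\n", w.Empty(), len(body), body)
	}
}
```

Run against the log's timestamp, the first body is byte-for-byte the 183-byte request in the issue (both bounds 1701140400000), while the look-back variant spans the preceding 24 hours up to 03:27:21.233Z. A check worth adding to any such template is the Empty() condition: a request whose lower bound is not strictly below its upper bound should never be sent.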

elasticmachine commented 10 months ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)