panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0
339 stars 173 forks

`aws_guardduty_context` helper function does not include `accountId` in the alert context #1403

Closed pbnj-dragon closed 2 weeks ago

pbnj-dragon commented 3 weeks ago

Problem

aws_guardduty_context helper function does not include accountId in the alert context

Proposed Solution

Improve the built-in aws_guardduty_context helper function to include the accountId

Workaround

Clone the managed detection to extend the aws_guardduty_context in the alert_context() function, like:

from panther_aws_helpers import aws_guardduty_context  # assumed module path for the managed helper

def alert_context(event):
    # dict union needs Python 3.9+; the right-hand side wins on duplicate keys
    return aws_guardduty_context(event) | {"accountId": event.get("accountId", "<MISSING ACCOUNT ID>")}

Downsides:

  1. This workaround does not scale well (panther users have to clone many panther-managed detections)
  2. Lose out on future updates to panther-managed detections
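The workaround above, as an added example that is not part of the issue or of the panther-analysis code: `aws_guardduty_context_stub` is a hypothetical stand-in for the managed helper (its real field set is not shown on this page), and the finding below is a constructed sample.

```python
from typing import Any


def aws_guardduty_context_stub(event: dict[str, Any]) -> dict[str, Any]:
    # Hypothetical stand-in for Panther's aws_guardduty_context; it only
    # pulls a few top-level GuardDuty finding fields and, like the managed
    # helper described in the issue, leaves accountId out.
    return {
        "id": event.get("id"),
        "severity": event.get("severity"),
        "type": event.get("type"),
        "region": event.get("region"),
    }


def alert_context(event: dict[str, Any]) -> dict[str, Any]:
    # The issue's workaround: merge accountId into the base context.
    # The dict union operator (Python 3.9+) lets the right-hand side win,
    # and the marker string makes a missing accountId visible in the alert
    # instead of silently producing a context without it.
    return aws_guardduty_context_stub(event) | {
        "accountId": event.get("accountId", "<MISSING ACCOUNT ID>")
    }


# Constructed minimal GuardDuty-style finding (not a real log line).
SAMPLE_FINDING = {
    "id": "finding-0001",
    "accountId": "111122223333",
    "region": "us-east-1",
    "severity": 8,
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
}


def sample_without_account() -> dict[str, Any]:
    # Same finding with accountId dropped, to exercise the fallback marker.
    return {k: v for k, v in SAMPLE_FINDING.items() if k != "accountId"}


if __name__ == "__main__":
    print(alert_context(SAMPLE_FINDING))
    print(alert_context(sample_without_account()))
```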