

Merge pull request #554 from Cargill/guardduty_mapped_security_group
Mapped security groups for AWS GuardDuty
MehaSal authored Oct 24, 2024
2 parents 4ed0915 + bfb9609 commit d5e8e39
Showing 1 changed file with 100 additions and 30 deletions.
130 changes: 100 additions & 30 deletions config/processors/api_security_aws.guardduty.conf
Expand Up @@ -12,56 +12,123 @@ filter {
}
mutate {
add_field => { "[cloud][provider]" => "aws" }
add_field => { "[log][source][hostname]" => "%{[guard][accountId]}" }
add_field => { "[event][module]" => "aws" }
add_field => { "[event][dataset]" => "aws.guardduty" }
}
add_field => { "[event][dataset]" => "aws.guardduty" }
remove_field => [ "host", "event" ]
}
ruby {
init => '@ignore = [ "path", "@timestamp", "@metadata", "host", "@version" ]'
code => '
def processArray(a)
newArray = []
a.each { |x|
newArray << processObject(x)
}
newArray
end
def processHash(h)
newHash = {}
h.each { |k, v|
newHash[k.downcase] = processObject(v)
}
newHash
end
def processObject(v)
if v.kind_of?(Array)
processArray(v)
elsif v.kind_of?(Hash)
processHash(v)
else
v
end
end
def filter(i_event)
i_event.to_hash.each { |k, v|
unless @ignore.include?(k)
i_event.remove(k)
i_event.set(k.downcase, processObject(v))
end
}
[i_event]
end
filter(event)
'
}
mutate {
tag_on_failure => "mutate 1 failure"
rename => { "[guard][severity]" => "[event][severity]" }
rename => { "[guard][createdAt]" => "[event][created]" }
rename => { "[guard][updatedAt]" => "[event][modified]" }
rename => { "[guard][createdat]" => "[event][created]" }
rename => { "[guard][updatedat]" => "[event][modified]" }
rename => { "[guard][title]" => "[event][reason]" }
rename => { "[guard][description]" => "[rule][description]" }
rename => { "[guard][schemaVersion]" => "[service][version]" }
rename => { "[guard][accountId]" => "[cloud][account][id]" }
rename => { "[guard][schemaversion]" => "[service][version]" }
rename => { "[guard][accountid]" => "[cloud][account][id]" }
rename => { "[guard][region]" => "[cloud][region]" }
rename => { "[guard][partition]" => "[cloud][provider]" }
rename => { "[guard][id]" => "[event][id]" }
rename => { "[guard][type]" => "[rule][name]" }
rename => { "[guard][resource][instanceDetails][availabilityZone]" => "[cloud][availability_zone]" }
rename => { "[guard][resource][instanceDetails][imageDescription]" => "[container][image][name]" }
rename => { "[guard][resource][instanceDetails][instanceId]" => "[cloud][instance][id]" }
rename => { "[guard][resource][instanceDetails][instanceState]" => "[service][state]" }
rename => { "[guard][resource][instanceDetails][instanceType]" => "[cloud][machine][type]" }
rename => { "[guard][resource][instanceDetails][networkInterfaces][subnetId]" => "[network][name]" }
rename => { "[guard][resource][instanceDetails][networkInterfaces][securityGroups][groupName]" => "[user][group][name]" }
rename => { "[guard][resource][instanceDetails][networkInterfaces][securityGroups][groupId]" => "[user][group][id]" }
rename => { "[guard][resource][accessKeyDetails][userName]" => "[user][name]" }
rename => { "[guard][service][action][awsApiCallAction][remoteIpDetails][organization][asn]" => "[source][as][number]" }
rename => { "[guard][service][action][awsApiCallAction][remoteIpDetails][organization][asnOrg]" => "[source][as][organization][name]" }
rename => { "[guard][service][action][awsApiCallAction][serviceName]" => "[service][name]" }
rename => { "[guard][service][action][networkConnectionAction][remoteIpDetails][ipAddressV4]" => "[source][ip]" }
rename => { "[guard][service][action][networkConnectionAction][localIpDetails][ipAddressV4]" => "[destination][ip]" }
rename => { "[guard][service][action][actionType]" => "[rule][category]" }
rename => { "[guard][service][action][portProbeAction][portProbeDetails][localPortDetails][port]" => "[destination][port]" }
rename => { "[guard][service][detectorId]" => "[rule][id]" }
rename => { "[guard][service][eventFirstSeen]" => "[event][start]" }
rename => { "[guard][service][eventLastSeen]" => "[event][end]" }
rename => { "[guard][resource][instancedetails][availabilityzone]" => "[cloud][availability_zone]" }
rename => { "[guard][resource][instancedetails][imagedescription]" => "[container][image][name]" }
rename => { "[guard][resource][instancedetails][instanceid]" => "[cloud][instance][id]" }
rename => { "[guard][resource][instancedetails][instancestate]" => "[service][state]" }
rename => { "[guard][resource][instancedetails][instancetype]" => "[cloud][machine][type]" }
rename => { "[guard][resource][instancedetails][networkinterfaces][subnetid]" => "[network][name]" }
rename => { "[guard][resource][instancedetails][networkinterfaces][securitygroups][groupname]" => "[user][group][name]" }
rename => { "[guard][resource][instancedetails][networkinterfaces][securitygroups][groupid]" => "[user][group][id]" }
rename => { "[guard][resource][accesskeydetails][username]" => "[user][name]" }
rename => { "[guard][service][action][awsapicallaction][remoteipdetails][organization][asn]" => "[source][as][number]" }
rename => { "[guard][service][action][awsapicallaction][remoteipdetails][organization][asnorg]" => "[source][as][organization][name]" }
rename => { "[guard][service][action][awsapicallaction][servicename]" => "[service][name]" }
rename => { "[guard][service][action][networkconnectionaction][remoteipdetails][ipaddressv4]" => "[source][ip]" }
rename => { "[guard][service][action][networkconnectionaction][localipdetails][ipaddressv4]" => "[destination][ip]" }
rename => { "[guard][service][action][actiontype]" => "[rule][category]" }
rename => { "[guard][service][action][portprobeaction][portprobedetails][localportdetails][port]" => "[destination][port]" }
rename => { "[guard][service][detectorid]" => "[rule][id]" }
rename => { "[guard][service][eventfirstseen]" => "[event][start]" }
rename => { "[guard][service][eventlastseen]" => "[event][end]" }
rename => { "[guard][resource][instancedetails][networkinterfaces][privateipaddresses][privateipaddress]" => "[source][ip]" }
rename => { "[guard][resource][instancedetails][tags][value]" => "[source][tmp]" }
}
mutate {
add_field => { "[log][source][hostname]" => "%{[cloud][account][id]}" }
}
if [guard][service][additionalinfo][sample] {
mutate {
add_field => { "[log][syslog][priority]" => "0" }
}
}


if "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" {
mutate {
rename => { "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" => "[cloud][project][name]" }
}
}
if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][1][groupname] {
mutate {
merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][1][groupname]" }
}
}
if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][2][groupname] {
mutate {
merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][2][groupname]" }
}
}
if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][3][groupname] {
mutate {
merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][3][groupname]" }
}
}
if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][4][groupname] {
mutate {
merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][4][groupname]" }
}
}
if ![source][ip] and [source][ip] == "" {
mutate {
update => { "[source][ip]" => "%{[tmp][resource][instanceDetails][networkInterfaces][0][ipv6Addresses]}" }
update => { "[source][ip]" => "%{[tmp][resource][instanceDetails][networkInterfaces][0][ipv6addresses]}" }
}
}
mutate {
remove_field => [ "[guard]" ]
}
date {
match => ["[event][created]","yyyy-MM-dd HH:mm:ss.SSS", "ISO8601"]
timezone => "GMT"
Expand Down Expand Up @@ -110,6 +177,9 @@ filter {
remove_field => ["[event][end]"]
}
}
mutate {
remove_field => [ "guard" ]
}
}
output {
pipeline { send_to => [enrichments] }
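Review bot: The condition on the new line `if "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" {` tests a quoted string literal rather than a field reference, so it is always true and the rename inside it runs unconditionally; the four sibling blocks for indexes 1–4 use the unquoted form, so this one should read `if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname] {`. Because rename is a no-op when the field is absent the practical effect today is only inconsistency, but the same pattern copied onto a `merge` or `add_field` would silently stop guarding. Two nearby points the commit leaves as they were: `if ![source][ip] and [source][ip] == ""` can never be true (a missing field cannot also equal the empty string), so the ipv6 fallback `update` below it never runs, and that fallback still mixes camelCase segments (`instanceDetails`, `networkInterfaces`) with the lowercased `ipv6addresses` even though the ruby filter lowercases every key it touches — presumably `[tmp]` is populated elsewhere, so the correct casing should be confirmed against that source. The `[guard]` tree is also removed twice, once by `remove_field => [ "[guard]" ]` in the first hunk and again by the new mutate in the second hunk, so one of the two is redundant. The enclosing `filter { }` block starts outside the hunk.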
