From bfb9609a25c5abe8652efbfceb8e761c822d6bdb Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Thu, 24 Oct 2024 15:25:54 -0500
Subject: [PATCH] Mapped security groups for AWS Guarduty

---
 .../api_security_aws.guardduty.conf | 130 ++++++++++++++----
 1 file changed, 100 insertions(+), 30 deletions(-)

diff --git a/config/processors/api_security_aws.guardduty.conf b/config/processors/api_security_aws.guardduty.conf
index c09ceb6e..67b838c0 100644
--- a/config/processors/api_security_aws.guardduty.conf
+++ b/config/processors/api_security_aws.guardduty.conf
@@ -12,56 +12,123 @@ filter { } mutate { add_field => { "[cloud][provider]" => "aws" } - add_field => { "[log][source][hostname]" => "%{[guard][accountId]}" } add_field => { "[event][module]" => "aws" } - add_field => { "[event][dataset]" => "aws.guardduty" } - } + add_field => { "[event][dataset]" => "aws.guardduty" } + remove_field => [ "host", "event" ] + } + ruby { + init => '@ignore = [ "path", "@timestamp", "@metadata", "host", "@version" ]' + code => ' + def processArray(a) + newArray = [] + a.each { |x| + newArray << processObject(x) + } + newArray + end + def processHash(h) + newHash = {} + h.each { |k, v| + newHash[k.downcase] = processObject(v) + } + newHash + end + def processObject(v) + if v.kind_of?(Array) + processArray(v) + elsif v.kind_of?(Hash) + processHash(v) + else + v + end + end + def filter(i_event) + i_event.to_hash.each { |k, v| + unless @ignore.include?(k) + i_event.remove(k) + i_event.set(k.downcase, processObject(v)) + end + } + [i_event] + end + filter(event) + ' + } mutate { tag_on_failure => "mutate 1 failure" rename => { "[guard][severity]" => "[event][severity]" } - rename => { "[guard][createdAt]" => "[event][created]" } - rename => { "[guard][updatedAt]" => "[event][modified]" } + rename => { "[guard][createdat]" => "[event][created]" } + rename => { "[guard][updatedat]" => "[event][modified]" } rename => { "[guard][title]" => "[event][reason]" } rename => { "[guard][description]" => "[rule][description]" } - rename => { "[guard][schemaVersion]" => "[service][version]" } - rename => { "[guard][accountId]" => "[cloud][account][id]" } + rename => { "[guard][schemaversion]" => "[service][version]" } + rename => { "[guard][accountid]" => "[cloud][account][id]" } rename => { "[guard][region]" => "[cloud][region]" } rename => { "[guard][partition]" => "[cloud][provider]" } rename => { "[guard][id]" => "[event][id]" } rename => { "[guard][type]" => "[rule][name]" } - rename => { "[guard][resource][instanceDetails][availabilityZone]" => 
"[cloud][availability_zone]" } - rename => { "[guard][resource][instanceDetails][imageDescription]" => "[container][image][name]" } - rename => { "[guard][resource][instanceDetails][instanceId]" => "[cloud][instance][id]" } - rename => { "[guard][resource][instanceDetails][instanceState]" => "[service][state]" } - rename => { "[guard][resource][instanceDetails][instanceType]" => "[cloud][machine][type]" } - rename => { "[guard][resource][instanceDetails][networkInterfaces][subnetId]" => "[network][name]" } - rename => { "[guard][resource][instanceDetails][networkInterfaces][securityGroups][groupName]" => "[user][group][name]" } - rename => { "[guard][resource][instanceDetails][networkInterfaces][securityGroups][groupId]" => "[user][group][id]" } - rename => { "[guard][resource][accessKeyDetails][userName]" => "[user][name]" } - rename => { "[guard][service][action][awsApiCallAction][remoteIpDetails][organization][asn]" => "[source][as][number]" } - rename => { "[guard][service][action][awsApiCallAction][remoteIpDetails][organization][asnOrg]" => "[source][as][organization][name]" } - rename => { "[guard][service][action][awsApiCallAction][serviceName]" => "[service][name]" } - rename => { "[guard][service][action][networkConnectionAction][remoteIpDetails][ipAddressV4]" => "[source][ip]" } - rename => { "[guard][service][action][networkConnectionAction][localIpDetails][ipAddressV4]" => "[destination][ip]" } - rename => { "[guard][service][action][actionType]" => "[rule][category]" } - rename => { "[guard][service][action][portProbeAction][portProbeDetails][localPortDetails][port]" => "[destination][port]" } - rename => { "[guard][service][detectorId]" => "[rule][id]" } - rename => { "[guard][service][eventFirstSeen]" => "[event][start]" } - rename => { "[guard][service][eventLastSeen]" => "[event][end]" } + rename => { "[guard][resource][instancedetails][availabilityzone]" => "[cloud][availability_zone]" } + rename => { 
"[guard][resource][instancedetails][imagedescription]" => "[container][image][name]" } + rename => { "[guard][resource][instancedetails][instanceid]" => "[cloud][instance][id]" } + rename => { "[guard][resource][instancedetails][instancestate]" => "[service][state]" } + rename => { "[guard][resource][instancedetails][instancetype]" => "[cloud][machine][type]" } + rename => { "[guard][resource][instancedetails][networkinterfaces][subnetid]" => "[network][name]" } + rename => { "[guard][resource][instancedetails][networkinterfaces][securitygroups][groupname]" => "[user][group][name]" } + rename => { "[guard][resource][instancedetails][networkinterfaces][securitygroups][groupid]" => "[user][group][id]" } + rename => { "[guard][resource][accesskeydetails][username]" => "[user][name]" } + rename => { "[guard][service][action][awsapicallaction][remoteipdetails][organization][asn]" => "[source][as][number]" } + rename => { "[guard][service][action][awsapicallaction][remoteipdetails][organization][asnorg]" => "[source][as][organization][name]" } + rename => { "[guard][service][action][awsapicallaction][servicename]" => "[service][name]" } + rename => { "[guard][service][action][networkconnectionaction][remoteipdetails][ipaddressv4]" => "[source][ip]" } + rename => { "[guard][service][action][networkconnectionaction][localipdetails][ipaddressv4]" => "[destination][ip]" } + rename => { "[guard][service][action][actiontype]" => "[rule][category]" } + rename => { "[guard][service][action][portprobeaction][portprobedetails][localportdetails][port]" => "[destination][port]" } + rename => { "[guard][service][detectorid]" => "[rule][id]" } + rename => { "[guard][service][eventfirstseen]" => "[event][start]" } + rename => { "[guard][service][eventlastseen]" => "[event][end]" } + rename => { "[guard][resource][instancedetails][networkinterfaces][privateipaddresses][privateipaddress]" => "[source][ip]" } + rename => { "[guard][resource][instancedetails][tags][value]" => 
"[source][tmp]" } + } + mutate { + add_field => { "[log][source][hostname]" => "%{[cloud][account][id]}" } } if [guard][service][additionalinfo][sample] { mutate { add_field => { "[log][syslog][priority]" => "0" } } } + + + if "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" { + mutate { + rename => { "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" => "[cloud][project][name]" } + } + } + if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][1][groupname] { + mutate { + merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][1][groupname]" } + } + } + if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][2][groupname] { + mutate { + merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][2][groupname]" } + } + } + if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][3][groupname] { + mutate { + merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][3][groupname]" } + } + } + if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][4][groupname] { + mutate { + merge => { "[cloud][project][name]" => "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][4][groupname]" } + } + } if ![source][ip] and [source][ip] == "" { mutate { - update => { "[source][ip]" => "%{[tmp][resource][instanceDetails][networkInterfaces][0][ipv6Addresses]}" } + update => { "[source][ip]" => "%{[tmp][resource][instanceDetails][networkInterfaces][0][ipv6addresses]}" } } } - mutate { - remove_field => [ "[guard]" ] - } date { match => ["[event][created]","yyyy-MM-dd HH:mm:ss.SSS", "ISO8601"] timezone => "GMT" 
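Review bot: The first security-group conditional tests a quoted string literal rather than a field reference, so `if "[guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname]" {` is always true and only works by accident because renaming a missing field is a no-op; make it match the `[1]`..`[4]` checks below it: `if [guard][resource][instancedetails][networkinterfaces][0][securitygroups][0][groupname] {`. The new rename of `[...][networkinterfaces][privateipaddresses][privateipaddress]` to `[source][ip]` collides with the earlier rename of `networkconnectionaction.remoteipdetails.ipaddressv4` to the same field — mutate renames run in order, so the instance's own private address would overwrite the remote peer's address when both exist, which mislabels the side of the connection an analyst pivots on; it also lacks the `[0]` indices the securitygroups references use, so it likely never matches at all, and the local address belongs with `localipdetails` under `[destination][ip]` or a dedicated field. The ipv6 fallback was only partly lowercased: `%{[tmp][resource][instanceDetails][networkInterfaces][0][ipv6addresses]}` keeps `instanceDetails`/`networkInterfaces` in camelCase, while the new ruby filter lowercases every nested key outside `@ignore`, so if `[tmp]` is populated before this point that reference will not resolve. Defining `def filter(i_event)` and the helpers inside `code =>` re-executes the `def`s on every event and, as far as I can tell, defines them on the ruby filter plugin object itself, where `filter` is the plugin's own entry point — moving the helpers into `init =>` under a non-colliding name such as `lowercase_keys` avoids both issues; note also that `k.downcase` silently merges keys that differ only by case, with the last one winning.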
@@ -110,6 +177,9 @@ filter { remove_field => ["[event][end]"] } } + mutate { + remove_field => [ "guard" ] + } } output { pipeline { send_to => [enrichments] }