fn_aws_guardduty

AWS GuardDuty

Release Notes

| Version | Date    | Notes           |
|---------|---------|-----------------|
| 1.0.0   | 03/2021 | Initial Release |
| 1.1.0   | 04/2024 | Add Playbooks   |

AWS GuardDuty App 1.1.0 Changes

In v1.1.0, the existing rules and workflows have been replaced with playbooks. This change is made to support the ongoing, newer capabilities of playbooks. Each playbook has the same functionality as the previous, corresponding rule/workflow.

If upgrading from a previous release, you'll notice that the previous release's rules/workflows remain in place. Both sets of rules and playbooks are active. For manual actions, each playbook has the same name as its corresponding rule, but with "(PB)" added at the end. For automatic actions, the playbooks are disabled by default.

You can continue to use the rules/workflows, but migrating to playbooks provides greater functionality along with future app enhancements and bug fixes.

Overview

Amazon AWS GuardDuty Integration for Resilient.

screenshot: main

Amazon AWS GuardDuty is a continuous security monitoring service that identifies unexpected and potentially unauthorized and malicious activity within an AWS environment. GuardDuty informs the user of the status of their AWS environment by producing security findings that can be viewed in the GuardDuty console. A finding is a potential security issue discovered by GuardDuty.

The Amazon AWS GuardDuty Integration for Resilient allows you to process and respond to GuardDuty findings within the IBM Resilient Platform.

Key Features

The GuardDuty Integration provides the following functionality:

  • A poller which gathers current findings from GuardDuty and escalates to the Resilient platform as incidents.
  • A function to archive a GuardDuty finding when the corresponding Resilient incident is closed.
  • A function to refresh a Resilient incident with the latest information from the corresponding GuardDuty finding.
  • Close Resilient incidents if the corresponding GuardDuty findings are archived.
  • Archive GuardDuty findings if the corresponding Resilient incidents are closed.
  • Trigger a refresh for a Resilient incident if the corresponding GuardDuty finding gets updated.
  • A refresh of Resilient incidents can be executed manually.

Requirements

This app supports the IBM Security QRadar SOAR Platform and the IBM Security QRadar SOAR for IBM Cloud Pak for Security.

SOAR platform

The SOAR platform supports two app deployment mechanisms, Edge Gateway (also known as App Host) and integration server.

If deploying to a SOAR platform with an App Host, the requirements are:

  • SOAR platform >= 51.0.0.0.9339.
  • The app is in a container-based format (available from the AppExchange as a zip file).

If deploying to a SOAR platform with an integration server, the requirements are:

  • SOAR platform >= 51.0.0.0.9339.
  • The app is in the older integration format (available from the AppExchange as a zip file which contains a tar.gz file).
  • Integration server is running resilient_circuits>=51.0.1.1.824.
  • If using an API key account, make sure the account provides the following minimum permissions:

    | Name          | Permissions |
    |---------------|-------------|
    | Org Data      | Read        |
    | Function      | Read        |
    | incident      | create      |
    | all_incidents | Read        |

The following SOAR platform guides provide additional information:

  • Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
  • Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
  • System Administrator Guide: provides the procedure to install, configure and deploy apps.

The above guides are available on the IBM Documentation website at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the Edge Gateway Deployment Guide, App Host Deployment Guide, or Integration Server Guide by expanding Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.

Cloud Pak for Security

If you are deploying to IBM Cloud Pak for Security, the requirements are:

  • IBM Cloud Pak for Security >= 1.10.15.
  • Cloud Pak is configured with an Edge Gateway.
  • The app is in a container-based format (available from the AppExchange as a zip file).

The following Cloud Pak guides provide additional information:

  • Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.
  • System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security IBM Documentation table of contents, select Case Management and Orchestration & Automation > System administrator.

These guides are available on the IBM Documentation website at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific IBM Documentation page, select Case Management and Orchestration & Automation.

Proxy Server

The app does support a proxy server.

Python Environment

Python 3.6 and Python 3.9 are supported. Additional package dependencies may exist for each of these packages:

  • boto3>=1.16.19
  • resilient_circuits>=45.0.0

Installation

Install

  • To install or uninstall an App or Integration on the SOAR platform, see the documentation at ibm.biz/soar-docs.
  • To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.

App Configuration

The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.

| Config | Required | Example | Description |
|--------|----------|---------|-------------|
| aws_gd_access_key_id | Yes | ABCD1EFGHI2JK3L4MNOP | AWS access key ID of a user with programmatic (API) access to AWS GuardDuty services for an AWS account. Note: the user must have sufficient permissions to manage GuardDuty resources for the AWS account. |
| aws_gd_secret_access_key | Yes | aBcdeFGH/iJkl1MNo2P3Q4rs5tuV6wXYZAbc+Def | AWS secret access key used for programmatic (API) access to AWS services. |
| aws_gd_master_region | Yes | us-west-1 | Default or master region for the integration. |
| aws_gd_regions | Yes | "^us.*" | Filter by GuardDuty region names. Can be a string or a regular expression. |
| aws_gd_regions_interval | Yes | 60 | Interval (in minutes) at which region information is refreshed. |
| aws_gd_polling_interval | Yes | 15 | Interval (in minutes) at which GuardDuty is polled for findings. |
| aws_gd_severity_threshold | No | 7 | Severity threshold (int) used in the finding criterion to filter findings. |
| aws_gd_lookback_interval | No | 60 | How far back (in minutes) to look for previous findings at startup; only findings more recent than this are processed. |
| aws_gd_close_incident_template | No | `` | User-defined JSON template file used when closing Resilient incidents. |
| http_proxy | No | http://proxy:80 | Optional setting for an HTTP proxy, if required. |
| https_proxy | No | https://proxy:443 | Optional setting for an HTTPS proxy, if required. |
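The following added example (written for this README, not the app's own code) shows how the region filter, severity threshold and lookback settings above translate into a GuardDuty ListFindings query. The function names are assumptions, and the criterion keys are the ones documented for the GuardDuty FindingCriteria parameter; this page does not show which criteria the app itself sends.

```python
import re
import time


def select_regions(available_regions, region_filter):
    """Apply the aws_gd_regions setting to a list of GuardDuty region names.

    The setting may be a plain string or a regular expression (the README's
    example is "^us.*").  Surrounding quotes, as in that example value, are
    stripped (assumption: the value is read verbatim from app.config), and the
    pattern is applied with re.search so that a plain string matches as a
    substring while a regular expression keeps its anchors.
    """
    pattern = region_filter.strip().strip('"').strip("'")
    regex = re.compile(pattern)
    return sorted(region for region in available_regions if regex.search(region))


def build_finding_criteria(severity_threshold=None, lookback_minutes=None, now_epoch=None):
    """Build the FindingCriteria argument for GuardDuty's ListFindings API.

    - aws_gd_severity_threshold becomes a "severity" >= filter.
    - aws_gd_lookback_interval becomes an "updatedAt" >= filter in epoch
      milliseconds, so only findings updated inside the window are fetched.
    - Archived findings are excluded, since the poller escalates active ones.
    The criterion keys are the documented GuardDuty ones; which criteria the
    app itself sends is not shown on this page (assumption).
    """
    now_epoch = time.time() if now_epoch is None else now_epoch
    criterion = {"service.archived": {"Eq": ["false"]}}
    if severity_threshold is not None:
        criterion["severity"] = {"Gte": int(severity_threshold)}
    if lookback_minutes is not None:
        since = now_epoch - int(lookback_minutes) * 60
        criterion["updatedAt"] = {"Gte": int(since * 1000)}
    return {"Criterion": criterion}


def plan_queries(settings, available_regions, now_epoch=None):
    """Return {region: FindingCriteria} for every region the settings select."""
    regions = select_regions(available_regions, settings["aws_gd_regions"])
    criteria = build_finding_criteria(
        settings.get("aws_gd_severity_threshold"),
        settings.get("aws_gd_lookback_interval"),
        now_epoch,
    )
    return {region: criteria for region in regions}


if __name__ == "__main__":
    # Constructed settings that mirror the example values in the table above.
    settings = {
        "aws_gd_regions": '"^us.*"',
        "aws_gd_severity_threshold": "7",
        "aws_gd_lookback_interval": "60",
    }
    regions = ["us-east-1", "us-west-1", "eu-west-1", "ap-southeast-1"]
    for region, criteria in plan_queries(settings, regions).items():
        print(region, criteria)
```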

Poller - AWS GuardDuty: Escalate Findings

The GuardDuty integration poller starts querying GuardDuty for findings as soon as the app begins running.

The poller provides the following functionality:

  • For any new findings discovered, creates a matching incident in the Resilient platform.
  • Enhances the incidents by adding artifacts, data tables and a note with data from the findings. The note includes the JSON content of the finding.
  • Can be configured to filter which findings are escalated as Resilient incidents.
  • Closes Resilient incidents if the corresponding GuardDuty findings are archived.
  • Archives GuardDuty findings if the corresponding Resilient incidents are closed.
  • Triggers a refresh of GuardDuty information for a Resilient incident if the corresponding GuardDuty finding is updated.
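As an added illustration of the close/archive/refresh rules in this list (example code written for this README, not the app's implementation), the function below decides the poller's action for one incident/finding pair using the aws_guardduty_* custom incident properties shown later on this page. The plan_status field name, the action labels and the severity bands are assumptions.

```python
from datetime import datetime, timezone

# Property values as they appear on this page: the archived flag is stored as
# the string "True"/"False", and the last-seen finding update time as an
# ISO-8601 string.  plan_status is the SOAR incident status field ("A" active,
# "C" closed); that field name is an assumption, the page only shows the
# aws_guardduty_* custom properties.


def make_incident(plan_status, archived, finding_updated_at):
    """Constructed incident record with the custom properties shown on this page."""
    return {
        "id": 2114,
        "plan_status": plan_status,
        "properties": {
            "aws_guardduty_finding_id": "xxxxyyyyzzzz",
            "aws_guardduty_archived": archived,
            "aws_guardduty_finding_updated_at": finding_updated_at,
        },
    }


def make_finding(archived, updated_at):
    """Constructed GuardDuty finding with only the fields the reconciliation reads."""
    return {"Id": "xxxxyyyyzzzz", "UpdatedAt": updated_at, "Service": {"Archived": archived}}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def reconcile(incident, finding):
    """Decide the poller's action for one incident/finding pair.

    Order mirrors the list above: archived findings close their incident,
    closed incidents archive their finding, and an open incident is refreshed
    only when GuardDuty's UpdatedAt is newer than the value the incident last
    stored.  A final case keeps the archived property in step with GuardDuty.
    """
    props = incident["properties"]
    incident_open = incident["plan_status"] == "A"
    finding_archived = bool(finding["Service"].get("Archived", False))
    incident_marked_archived = props.get("aws_guardduty_archived") == "True"

    if finding_archived and incident_open:
        return "close_incident"
    if not finding_archived and not incident_open:
        return "archive_finding"
    if incident_open and _parse_ts(finding["UpdatedAt"]) > _parse_ts(props["aws_guardduty_finding_updated_at"]):
        return "refresh_incident"
    if finding_archived and not incident_marked_archived:
        return "mark_archived"
    return "none"


def severity_code(severity):
    """Map GuardDuty's numeric severity to the label shown in the page's payload
    (severity 2 -> "Low").  Bands follow the documented GuardDuty ranges:
    below 4 is low, below 7 medium, otherwise high (assumption: the app uses
    the same bands; the page only shows the 2 -> Low case)."""
    value = float(severity)
    if value < 4:
        return "Low"
    if value < 7:
        return "Medium"
    return "High"


if __name__ == "__main__":
    incident = make_incident("A", "False", "2024-04-11T05:47:16.625Z")
    newer = make_finding(False, "2024-04-11T06:00:00.000Z")
    print(reconcile(incident, newer))  # refresh_incident
    print(severity_code("2"))          # Low
```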

The following screenshot shows examples of Resilient incidents created by the poller from GuardDuty findings:

screenshot: fn-aws-guardduty-incidents

The following screenshot shows an example of a Resilient incident Details tab created by the poller:

screenshot: fn-aws-guardduty-incident-details

The following screenshot shows an example of GuardDuty finding custom properties in the Details tab of a Resilient incident created by the poller:

screenshot: fn-aws-guardduty-incident-properties

The following screenshot shows examples of artifacts added to a Resilient incident created by the poller:

screenshot: fn-aws-guardduty-incident-artifacts

The following screenshot shows an example of a note added to a Resilient incident created by the poller:

screenshot: fn-aws-guardduty-incident-note

Note: See the data tables section for examples of data tables added by the poller.


Function - AWS GuardDuty: Archive finding

Resilient Function to archive an AWS GuardDuty finding when the corresponding incident is closed.

screenshot: fn-aws-guardduty-archive-finding

Inputs:

| Name | Type | Required | Example | Tooltip |
|------|------|----------|---------|---------|
| aws_gd_detector_id | text | No | - | AWS GuardDuty detector ID. |
| aws_gd_finding_id | text | No | - | AWS GuardDuty finding ID. |
| aws_gd_region | text | No | - | AWS GuardDuty region. |

Outputs:

NOTE: This example is shown in JSON format, but results is a Python dictionary on the SOAR platform.

results = {
  "content": {
    "status": "ok"
  },
  "inputs": {
    "aws_gd_detector_id": "48bbf98612290af2215c7a02b7ccbc82",
    "aws_gd_finding_id": "xxxxyyyyzzzz",
    "aws_gd_region": "us-east-1"
  },
  "metrics": {
    "execution_time_ms": 2058,
    "host": "IBM-dummy-MacBookPro.local",
    "package": "fn-aws-guardduty",
    "package_version": "1.1.0",
    "timestamp": "2024-04-11 14:09:19",
    "version": "1.0"
  },
  "raw": "{\"status\": \"ok\"}",
  "reason": null,
  "success": true,
  "version": "1.0"
}

Example Function Input Script:

inputs.aws_gd_region = incident.properties.aws_guardduty_region
inputs.aws_gd_detector_id = incident.properties.aws_guardduty_detector_id
inputs.aws_gd_finding_id = incident.properties.aws_guardduty_finding_id

Example Function Post Process Script:

##  wf_aws_guardduty_archive_finding ##
# Example result:
"""
Good
====
Result: {'version': '1.0', 'success': True, 'reason': None,
         'content': {'status': 'ok'},
         'raw': '{"status": "ok"}',
         'inputs': {'aws_gd_finding_id': 'c2bb95a17b879bffc96c58f8a1689785', 'aws_gd_region': 'us-east-2',
                    'aws_gd_detector_id': '32b7017d2019dfe922abc4e07c3fdded'
                    },
         'metrics': {'version': '1.0', 'package': 'fn-aws-guardduty', 'package_version': '1.0.0',
         'host': 'myhost.ibm.com', 'execution_time_ms': 1310, 'timestamp': '2021-01-28 11:31:30'
        }
}
Error:
Result: {'version': '1.0', 'success': True, 'reason': None,
         'content': {'status': 'error',
                     'msg': 'An error occurred (BadRequestException) when calling the ArchiveFindings operation:
                     The request is rejected because the input detectorId is not owned by the current account.'},
                     'raw': '<content_as_string>',
         'inputs': {'aws_gd_finding_id': 'c2bb95a17b879bffc96c58f8a1689784', 'aws_gd_region': 'us-east-2',
                    'aws_gd_detector_id': '32b7017d2019dfe922abc4e07c3fdfff'
                    },
         'metrics': {'version': '1.0', 'package': 'fn-aws-guardduty', 'package_version': '1.0.0',
         'host': 'myhost.ibm.com', 'execution_time_ms': 1446, 'timestamp': '2021-01-28 11:34:53'
         }
}
"""
#  Globals
FN_NAME = "func_aws_guardduty_archive_finding"
WF_NAME = "Example: AWS GuardDuty: Archive Finding"

# The function result is the full dict shown in the example above; its
# "content" carries the status and its "inputs" the values passed in.
RESULTS = playbook.functions.results.output
CONTENT = RESULTS["content"]
INPUTS = RESULTS["inputs"]
QUERY_EXECUTION_DATE = RESULTS["metrics"]["timestamp"]


# Processing

def main():
    note_text = ''
    if CONTENT:
        if CONTENT["status"] == "ok":
            note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: The finding with id <b>{1}</b> and detector id " \
                        "<b>{2}</b> in region <b>{3}</b> was successfully archived for Resilient function <b>{4}</b>"\
                .format(WF_NAME, INPUTS["aws_gd_finding_id"], INPUTS["aws_gd_detector_id"], INPUTS["aws_gd_region"], FN_NAME)
            # Record the archival on the incident so the poller does not try to archive the finding again.
            incident.properties.aws_guardduty_archived = "True"

        elif CONTENT["status"] == "error":
            note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: The finding with id <b>{1}</b> and detector id " \
                        "<b>{2}</b> in region <b>{3}</b> failed archive with error <b>{4}</b> for Resilient function <b>{5}</b>"\
                .format(WF_NAME, INPUTS["aws_gd_finding_id"], INPUTS["aws_gd_detector_id"], INPUTS["aws_gd_region"],
                        CONTENT["msg"], FN_NAME)

        else:
            # Unexpected status value: region fills {3} and the status fills {4}.
            note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: The finding with id <b>{1}</b> and detector id " \
                        "<b>{2}</b> in region <b>{3}</b> got unexpected status <b>{4}</b> for Resilient function <b>{5}</b>" \
                .format(WF_NAME, INPUTS["aws_gd_finding_id"], INPUTS["aws_gd_detector_id"], INPUTS["aws_gd_region"],
                        CONTENT["status"], FN_NAME)

    else:
        note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: There was no result returned for Resilient function <b>{1}</b>"\
            .format(WF_NAME, FN_NAME)

    incident.addNote(helper.createRichText(note_text))

if __name__ == "__main__":
    main()


Function - AWS GuardDuty: Refresh Finding

Resilient Function to refresh AWS GuardDuty finding details in an incident.

screenshot: fn-aws-guardduty-refresh-finding

Inputs:

| Name | Type | Required | Example | Tooltip |
|------|------|----------|---------|---------|
| aws_gd_detector_id | text | No | - | AWS GuardDuty detector ID. |
| aws_gd_finding_id | text | No | - | AWS GuardDuty finding ID. |
| aws_gd_region | text | No | - | AWS GuardDuty region. |
| incident_id | number | No | - | Resilient incident ID. |

Outputs:

NOTE: This example is shown in JSON format, but results is a Python dictionary on the SOAR platform.

results = {
  "content": {
    "data_tables": {
      "gd_access_key_details": [
        {
          "cells": {
            "access_key_id": {
              "value": "xxxxyyyy"
            },
            "principal_id": {
              "value": "xxxxyyyy"
            },
            "query_execution_date": {
              "value": "2024-04-11 14:08:54"
            },
            "user_name": {
              "value": "dummy"
            },
            "user_type": {
              "value": "IAMUser"
            }
          }
        }
      ],
      "gd_action_details": [
        {
          "cells": {
            "action_api": {
              "value": "ListFindings"
            },
            "action_type": {
              "value": "AWS_API_CALL"
            },
            "actor_caller_type": {
              "value": "Remote IP"
            },
            "asn": {
              "value": "17390"
            },
            "asn_org": {
              "value": "CIO-ORGANIZATION"
            },
            "city_name": {
              "value": "Singapore"
            },
            "country_name": {
              "value": "Singapore"
            },
            "event_first_seen": {
              "value": "2024-04-11T05:26:01.000Z"
            },
            "event_last_seen": {
              "value": "2024-04-11T05:32:48.000Z"
            },
            "isp": {
              "value": "IBM Corporation"
            },
            "org": {
              "value": "IBM Corporation"
            },
            "query_execution_date": {
              "value": "2024-04-11 14:08:54"
            },
            "remote_ip": {
              "value": "129.41.56.2"
            },
            "service_name": {
              "value": "guardduty.amazonaws.com"
            }
          }
        }
      ],
      "gd_finding_overview": [
        {
          "cells": {
            "account_id": {
              "value": "xxxxyyyyzzzz"
            },
            "count": {
              "value": "1"
            },
            "created_at": {
              "value": "2024-04-11T05:47:16.625Z"
            },
            "query_execution_date": {
              "value": "2024-04-11 14:08:54"
            },
            "region": {
              "value": "us-east-1"
            },
            "severity": {
              "value": "2"
            },
            "updated_at": {
              "value": "2024-04-11T05:47:16.625Z"
            }
          }
        }
      ],
      "gd_instance_details": [],
      "gd_resource_affected": [
        {
          "cells": {
            "query_execution_date": {
              "value": "2024-04-11 14:08:54"
            },
            "resource_role": {
              "value": "TARGET"
            },
            "resource_type": {
              "value": "AccessKey"
            }
          }
        }
      ],
      "gd_s3_bucket_details": []
    },
    "finding": {
      "AccountId": "xxxxyyyyzzzz",
      "Arn": "arn:aws:guardduty:us-east-1:xxxxyyyyzzzz:detector/48bbf98612290af2215c7a02b7ccbc82/finding/xxxxyyyyzzzz",
      "CreatedAt": "2024-04-11T05:47:16.625Z",
      "Description": "APIs commonly used in Discovery tactics were invoked by user IAMUser : dummy under unusual circumstances. Such activity is not typically seen from this user.",
      "Id": "xxxxyyyyzzzz",
      "Partition": "aws",
      "Region": "us-east-1",
      "Resource": {
        "AccessKeyDetails": {
          "AccessKeyId": "xxxxyyyy",
          "PrincipalId": "xxxxyyyy",
          "UserName": "dummy",
          "UserType": "IAMUser"
        },
        "ResourceType": "AccessKey"
      },
      "SchemaVersion": "2.0",
      "Service": {
        "Action": {
          "ActionType": "AWS_API_CALL",
          "AwsApiCallAction": {
            "AffectedResources": {},
            "Api": "ListFindings",
            "CallerType": "Remote IP",
            "RemoteIpDetails": {
              "City": {
                "CityName": "Singapore"
              },
              "Country": {
                "CountryName": "Singapore"
              },
              "GeoLocation": {
                "Lat": 1.2868,
                "Lon": 103.8503
              },
              "IpAddressV4": "129.41.56.2",
              "Organization": {
                "Asn": "17390",
                "AsnOrg": "CIO-ORGANIZATION",
                "Isp": "IBM Corporation",
                "Org": "IBM Corporation"
              }
            },
            "ServiceName": "guardduty.amazonaws.com"
          }
        },
        "AdditionalInfo": {
          "Type": "default",
          "Value": "{\"userAgent\":{\"fullUserAgent\":\"Boto3/1.34.82 md/Botocore#1.34.82 ua/2.0 os/macos#23.4.0 md/arch#x86_64 lang/python#3.9.16 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.82\",\"userAgentCategory\":\"Botocore\"},\"anomalies\":{\"anomalousAPIs\":\"guardduty.amazonaws.com:[ListFindings:success , ListDetectors:success , GetFindings:success , ArchiveFindings:success] , ec2.amazonaws.com:[DescribeRegions:success]\"},\"profiledBehavior\":{\"rareProfiledAPIsAccountProfiling\":\"\",\"infrequentProfiledAPIsAccountProfiling\":\"\",\"frequentProfiledAPIsAccountProfiling\":\"ListFindings , DescribeVolumes , GetResources , BatchGetResourceConfig , ListHostedZones , SelectResourceConfig , DescribeConfigurationRecorderStatus , ListResourceRecordSets , DescribeTrails , DescribeRegions , GetBucketLocation , DescribeDBInstances , GetAccountPublicAccessBlock , GetBucketLifecycle , GenerateCredentialReport , DescribeMetricFilters , DescribeInstances , DescribeDBClusters , GetTrailStatus , ListBuckets\",\"rareProfiledAPIsUserIdentityProfiling\":\"ListFindings , TerminateInstances , EnableAlarmActions , CreateImage , ListMembers , GetBucketPolicy , DeleteAlarms , ModifyVolume , DescribeRegions , StartInstances , CreateSnapshot , GetFindings\",\"infrequentProfiledAPIsUserIdentityProfiling\":\"DescribeInstances , AllocateAddress , ListDetectors , PutBucketPolicy , RebootInstances , CreateTags\",\"frequentProfiledAPIsUserIdentityProfiling\":\"CreateBucket , ListBuckets\",\"rareProfiledUserTypesAccountProfiling\":\"\",\"infrequentProfiledUserTypesAccountProfiling\":\"\",\"frequentProfiledUserTypesAccountProfiling\":\"IAM_USER , ASSUMED_ROLE , ROOT\",\"rareProfiledUserNamesAccountProfiling\":\"aws:ec2-instance\",\"infrequentProfiledUserNamesAccountProfiling\":\"\",\"frequentProfiledUserNamesAccountProfiling\":\"dummy , AWSServiceRoleForSecurityHub , AWSServiceRoleForTrustedAdvisor , CloudabilityRole , AWSServiceRoleForAccessAnalyzer , AWSServiceRoleForConfig , 
gtrotman , mscherfling , Root , aws-controltower-ForwardSnsNotificationRole , AWSServiceRoleForAmazonGuardDuty\",\"rareProfiledASNsAccountProfiling\":\"asnNumber: 12271 asnOrg: TWC-12271-NYC asnNumber: 23908 asnOrg: IIAC asnNumber: 6167 asnOrg: CELLCO-PART asnNumber: 701 asnOrg: UUNET asnNumber: 209 asnOrg: CENTURYLINK-US-LEGACY-QWEST\",\"infrequentProfiledASNsAccountProfiling\":\"asnNumber: 4766 asnOrg: Korea Telecom\",\"frequentProfiledASNsAccountProfiling\":\"asnNumber: 17390 asnOrg: CIO-ORGANIZATION asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 36351 asnOrg: SOFTLAYER asnNumber: 2386 asnOrg: INS-AS asnNumber: 3462 asnOrg: Data Communication Business Group asnNumber: 15502 asnOrg: Vodafone Ireland Limited asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 7018 asnOrg: ATT-INTERNET4\",\"rareProfiledASNsUserIdentityProfiling\":\"\",\"infrequentProfiledASNsUserIdentityProfiling\":\"\",\"frequentProfiledASNsUserIdentityProfiling\":\"asnNumber: 2386 asnOrg: INS-AS\",\"rareProfiledUserAgentsAccountProfiling\":\"aws-sdk-go\",\"infrequentProfiledUserAgentsAccountProfiling\":\"aws-internal/account-settings\",\"frequentProfiledUserAgentsAccountProfiling\":\"AWS Service , aws-sdk-java , Botocore , AWS Internal , browser , aws-internal/3 , OTHER\",\"rareProfiledUserAgentsUserIdentityProfiling\":\"\",\"infrequentProfiledUserAgentsUserIdentityProfiling\":\"\",\"frequentProfiledUserAgentsUserIdentityProfiling\":\"Botocore\"},\"unusualBehavior\":{\"unusualAPIsAccountProfiling\":\"ArchiveFindings\",\"unusualUserTypesAccountProfiling\":\"\",\"unusualUserNamesAccountProfiling\":\"\",\"unusualASNsAccountProfiling\":\"\",\"unusualUserAgentsAccountProfiling\":\"\",\"unusualAPIsUserIdentityProfiling\":\"ArchiveFindings\",\"unusualASNsUserIdentityProfiling\":\"asnNumber: 17390 asnOrg: CIO-ORGANIZATION\",\"unusualUserAgentsUserIdentityProfiling\":\"\",\"isUnusualUserIdentity\":\"false\"}}"
        },
        "Archived": false,
        "Count": 1,
        "DetectorId": "48bbf98612290af2215c7a02b7ccbc82",
        "EventFirstSeen": "2024-04-11T05:26:01.000Z",
        "EventLastSeen": "2024-04-11T05:32:48.000Z",
        "ResourceRole": "TARGET",
        "ServiceName": "guardduty"
      },
      "Severity": 2,
      "Title": "The user IAMUser : dummy is anomalously invoking APIs commonly used in Discovery tactics.",
      "Type": "Discovery:IAMUser/AnomalousBehavior",
      "UpdatedAt": "2024-04-11T05:47:16.625Z"
    },
    "payload": {
      "artifacts": [],
      "comments": [],
      "description": {
        "content": "APIs commonly used in Discovery tactics were invoked by user IAMUser : dummy under unusual circumstances. Such activity is not typically seen from this user.",
        "format": "text"
      },
      "discovered_date": "2024-04-11T05:47:16.625Z",
      "name": "AWS GuardDuty: The user IAMUser : dummy is anomalously invoking APIs commonly used in Discovery tactics.",
      "properties": {
        "aws_guardduty_archived": "False",
        "aws_guardduty_count": "1",
        "aws_guardduty_detector_id": "48bbf98612290af2215c7a02b7ccbc82",
        "aws_guardduty_finding_arn": "arn:aws:guardduty:us-east-1:xxxxyyyyzzzz:detector/48bbf98612290af2215c7a02b7ccbc82/finding/xxxxyyyyzzzz",
        "aws_guardduty_finding_id": "xxxxyyyyzzzz",
        "aws_guardduty_finding_type": "Discovery:IAMUser/AnomalousBehavior",
        "aws_guardduty_finding_updated_at": "2024-04-11T05:47:16.625Z",
        "aws_guardduty_region": "us-east-1",
        "aws_guardduty_resource_type": "AccessKey",
        "aws_guardduty_severity": "2"
      },
      "severity_code": "Low"
    },
    "region": "us-east-1",
    "timestamp": "2024-04-11 14:08:54"
  },
  "inputs": {
    "aws_gd_detector_id": "48bbf98612290af2215c7a02b7ccbc82",
    "aws_gd_finding_id": "xxxxyyyyzzzz",
    "aws_gd_region": "us-east-1",
    "incident_id": 2114
  },
  "metrics": {
    "execution_time_ms": 1530,
    "host": "IBM-dummy-MacBookPro.local",
    "package": "fn-aws-guardduty",
    "package_version": "1.1.0",
    "timestamp": "2024-04-11 14:08:54",
    "version": "1.0"
  },
  "raw": "{\"timestamp\": \"2024-04-11 14:08:54\", \"finding\": {\"AccountId\": \"xxxxyyyyzzzz\", \"Arn\": \"arn:aws:guardduty:us-east-1:xxxxyyyyzzzz:detector/48bbf98612290af2215c7a02b7ccbc82/finding/xxxxyyyyzzzz\", \"CreatedAt\": \"2024-04-11T05:47:16.625Z\", \"Description\": \"APIs commonly used in Discovery tactics were invoked by user IAMUser : dummy under unusual circumstances. Such activity is not typically seen from this user.\", \"Id\": \"xxxxyyyyzzzz\", \"Partition\": \"aws\", \"Region\": \"us-east-1\", \"Resource\": {\"AccessKeyDetails\": {\"AccessKeyId\": \"xxxxyyyy\", \"PrincipalId\": \"xxxxyyyy\", \"UserName\": \"dummy\", \"UserType\": \"IAMUser\"}, \"ResourceType\": \"AccessKey\"}, \"SchemaVersion\": \"2.0\", \"Service\": {\"Action\": {\"ActionType\": \"AWS_API_CALL\", \"AwsApiCallAction\": {\"Api\": \"ListFindings\", \"CallerType\": \"Remote IP\", \"RemoteIpDetails\": {\"City\": {\"CityName\": \"Singapore\"}, \"Country\": {\"CountryName\": \"Singapore\"}, \"GeoLocation\": {\"Lat\": 1.2868, \"Lon\": 103.8503}, \"IpAddressV4\": \"129.41.56.2\", \"Organization\": {\"Asn\": \"17390\", \"AsnOrg\": \"CIO-ORGANIZATION\", \"Isp\": \"IBM Corporation\", \"Org\": \"IBM Corporation\"}}, \"ServiceName\": \"guardduty.amazonaws.com\", \"AffectedResources\": {}}}, \"Archived\": false, \"Count\": 1, \"DetectorId\": \"48bbf98612290af2215c7a02b7ccbc82\", \"EventFirstSeen\": \"2024-04-11T05:26:01.000Z\", \"EventLastSeen\": \"2024-04-11T05:32:48.000Z\", \"ResourceRole\": \"TARGET\", \"ServiceName\": \"guardduty\", \"AdditionalInfo\": {\"Value\": \"{\\\"userAgent\\\":{\\\"fullUserAgent\\\":\\\"Boto3/1.34.82 md/Botocore#1.34.82 ua/2.0 os/macos#23.4.0 md/arch#x86_64 lang/python#3.9.16 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.82\\\",\\\"userAgentCategory\\\":\\\"Botocore\\\"},\\\"anomalies\\\":{\\\"anomalousAPIs\\\":\\\"guardduty.amazonaws.com:[ListFindings:success , ListDetectors:success , GetFindings:success , ArchiveFindings:success] , 
ec2.amazonaws.com:[DescribeRegions:success]\\\"},\\\"profiledBehavior\\\":{\\\"rareProfiledAPIsAccountProfiling\\\":\\\"\\\",\\\"infrequentProfiledAPIsAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledAPIsAccountProfiling\\\":\\\"ListFindings , DescribeVolumes , GetResources , BatchGetResourceConfig , ListHostedZones , SelectResourceConfig , DescribeConfigurationRecorderStatus , ListResourceRecordSets , DescribeTrails , DescribeRegions , GetBucketLocation , DescribeDBInstances , GetAccountPublicAccessBlock , GetBucketLifecycle , GenerateCredentialReport , DescribeMetricFilters , DescribeInstances , DescribeDBClusters , GetTrailStatus , ListBuckets\\\",\\\"rareProfiledAPIsUserIdentityProfiling\\\":\\\"ListFindings , TerminateInstances , EnableAlarmActions , CreateImage , ListMembers , GetBucketPolicy , DeleteAlarms , ModifyVolume , DescribeRegions , StartInstances , CreateSnapshot , GetFindings\\\",\\\"infrequentProfiledAPIsUserIdentityProfiling\\\":\\\"DescribeInstances , AllocateAddress , ListDetectors , PutBucketPolicy , RebootInstances , CreateTags\\\",\\\"frequentProfiledAPIsUserIdentityProfiling\\\":\\\"CreateBucket , ListBuckets\\\",\\\"rareProfiledUserTypesAccountProfiling\\\":\\\"\\\",\\\"infrequentProfiledUserTypesAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledUserTypesAccountProfiling\\\":\\\"IAM_USER , ASSUMED_ROLE , ROOT\\\",\\\"rareProfiledUserNamesAccountProfiling\\\":\\\"aws:ec2-instance\\\",\\\"infrequentProfiledUserNamesAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledUserNamesAccountProfiling\\\":\\\"dummy , AWSServiceRoleForSecurityHub , AWSServiceRoleForTrustedAdvisor , CloudabilityRole , AWSServiceRoleForAccessAnalyzer , AWSServiceRoleForConfig , gtrotman , mscherfling , Root , aws-controltower-ForwardSnsNotificationRole , AWSServiceRoleForAmazonGuardDuty\\\",\\\"rareProfiledASNsAccountProfiling\\\":\\\"asnNumber: 12271 asnOrg: TWC-12271-NYC asnNumber: 23908 asnOrg: IIAC asnNumber: 6167 asnOrg: CELLCO-PART asnNumber: 701 asnOrg: UUNET 
asnNumber: 209 asnOrg: CENTURYLINK-US-LEGACY-QWEST\\\",\\\"infrequentProfiledASNsAccountProfiling\\\":\\\"asnNumber: 4766 asnOrg: Korea Telecom\\\",\\\"frequentProfiledASNsAccountProfiling\\\":\\\"asnNumber: 17390 asnOrg: CIO-ORGANIZATION asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 36351 asnOrg: SOFTLAYER asnNumber: 2386 asnOrg: INS-AS asnNumber: 3462 asnOrg: Data Communication Business Group asnNumber: 15502 asnOrg: Vodafone Ireland Limited asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 7018 asnOrg: ATT-INTERNET4\\\",\\\"rareProfiledASNsUserIdentityProfiling\\\":\\\"\\\",\\\"infrequentProfiledASNsUserIdentityProfiling\\\":\\\"\\\",\\\"frequentProfiledASNsUserIdentityProfiling\\\":\\\"asnNumber: 2386 asnOrg: INS-AS\\\",\\\"rareProfiledUserAgentsAccountProfiling\\\":\\\"aws-sdk-go\\\",\\\"infrequentProfiledUserAgentsAccountProfiling\\\":\\\"aws-internal/account-settings\\\",\\\"frequentProfiledUserAgentsAccountProfiling\\\":\\\"AWS Service , aws-sdk-java , Botocore , AWS Internal , browser , aws-internal/3 , OTHER\\\",\\\"rareProfiledUserAgentsUserIdentityProfiling\\\":\\\"\\\",\\\"infrequentProfiledUserAgentsUserIdentityProfiling\\\":\\\"\\\",\\\"frequentProfiledUserAgentsUserIdentityProfiling\\\":\\\"Botocore\\\"},\\\"unusualBehavior\\\":{\\\"unusualAPIsAccountProfiling\\\":\\\"ArchiveFindings\\\",\\\"unusualUserTypesAccountProfiling\\\":\\\"\\\",\\\"unusualUserNamesAccountProfiling\\\":\\\"\\\",\\\"unusualASNsAccountProfiling\\\":\\\"\\\",\\\"unusualUserAgentsAccountProfiling\\\":\\\"\\\",\\\"unusualAPIsUserIdentityProfiling\\\":\\\"ArchiveFindings\\\",\\\"unusualASNsUserIdentityProfiling\\\":\\\"asnNumber: 17390 asnOrg: CIO-ORGANIZATION\\\",\\\"unusualUserAgentsUserIdentityProfiling\\\":\\\"\\\",\\\"isUnusualUserIdentity\\\":\\\"false\\\"}}\", \"Type\": \"default\"}}, \"Severity\": 2, \"Title\": \"The user IAMUser : dummy is anomalously invoking APIs commonly used in Discovery tactics.\", \"Type\": \"Discovery:IAMUser/AnomalousBehavior\", \"UpdatedAt\": 
\"2024-04-11T05:47:16.625Z\"}, \"region\": \"us-east-1\", \"payload\": {\"name\": \"AWS GuardDuty: The user IAMUser : dummy is anomalously invoking APIs commonly used in Discovery tactics.\", \"description\": {\"format\": \"text\", \"content\": \"APIs commonly used in Discovery tactics were invoked by user IAMUser : dummy under unusual circumstances. Such activity is not typically seen from this user.\"}, \"discovered_date\": \"2024-04-11T05:47:16.625Z\", \"severity_code\": \"Low\", \"properties\": {\"aws_guardduty_finding_id\": \"xxxxyyyyzzzz\", \"aws_guardduty_finding_arn\": \"arn:aws:guardduty:us-east-1:xxxxyyyyzzzz:detector/48bbf98612290af2215c7a02b7ccbc82/finding/xxxxyyyyzzzz\", \"aws_guardduty_finding_type\": \"Discovery:IAMUser/AnomalousBehavior\", \"aws_guardduty_finding_updated_at\": \"2024-04-11T05:47:16.625Z\", \"aws_guardduty_region\": \"us-east-1\", \"aws_guardduty_severity\": \"2\", \"aws_guardduty_resource_type\": \"AccessKey\", \"aws_guardduty_detector_id\": \"48bbf98612290af2215c7a02b7ccbc82\", \"aws_guardduty_count\": \"1\", \"aws_guardduty_archived\": \"False\"}, \"artifacts\": [], \"comments\": []}, \"data_tables\": {\"gd_finding_overview\": [{\"cells\": {\"severity\": {\"value\": \"2\"}, \"query_execution_date\": {\"value\": \"2024-04-11 14:08:54\"}, \"region\": {\"value\": \"us-east-1\"}, \"count\": {\"value\": \"1\"}, \"account_id\": {\"value\": \"xxxxyyyyzzzz\"}, \"created_at\": {\"value\": \"2024-04-11T05:47:16.625Z\"}, \"updated_at\": {\"value\": \"2024-04-11T05:47:16.625Z\"}}}], \"gd_action_details\": [{\"cells\": {\"action_type\": {\"value\": \"AWS_API_CALL\"}, \"query_execution_date\": {\"value\": \"2024-04-11 14:08:54\"}, \"action_api\": {\"value\": \"ListFindings\"}, \"event_first_seen\": {\"value\": \"2024-04-11T05:26:01.000Z\"}, \"event_last_seen\": {\"value\": \"2024-04-11T05:32:48.000Z\"}, \"actor_caller_type\": {\"value\": \"Remote IP\"}, \"city_name\": {\"value\": \"Singapore\"}, \"country_name\": {\"value\": \"Singapore\"}, 
\"asn\": {\"value\": \"17390\"}, \"asn_org\": {\"value\": \"CIO-ORGANIZATION\"}, \"isp\": {\"value\": \"IBM Corporation\"}, \"org\": {\"value\": \"IBM Corporation\"}, \"service_name\": {\"value\": \"guardduty.amazonaws.com\"}, \"remote_ip\": {\"value\": \"129.41.56.2\"}}}], \"gd_resource_affected\": [{\"cells\": {\"resource_type\": {\"value\": \"AccessKey\"}, \"query_execution_date\": {\"value\": \"2024-04-11 14:08:54\"}, \"resource_role\": {\"value\": \"TARGET\"}}}], \"gd_s3_bucket_details\": [], \"gd_instance_details\": [], \"gd_access_key_details\": [{\"cells\": {\"access_key_id\": {\"value\": \"xxxxyyyy\"}, \"query_execution_date\": {\"value\": \"2024-04-11 14:08:54\"}, \"principal_id\": {\"value\": \"xxxxyyyy\"}, \"user_type\": {\"value\": \"IAMUser\"}, \"user_name\": {\"value\": \"dummy\"}}}]}}",
  "reason": null,
  "success": true,
  "version": "1.0"
}

Example Function Input Script:

inputs.aws_gd_region = incident.properties.aws_guardduty_region
inputs.aws_gd_detector_id = incident.properties.aws_guardduty_detector_id
inputs.aws_gd_finding_id = incident.properties.aws_guardduty_finding_id
inputs.incident_id = incident.id

Example Function Post Process Script:

##  wf_aws_guardduty_refresh_finding ##
# Example result (the function returns the whole result object; the finding
# data the script uses is under 'content', the run timestamp under 'metrics'):
"""
Result: { 'version': '1.0',
          'success': True,
          'reason': None,
          'content': {'payload': {'name': 'AWS GuardDuty: API GeneratedFindingAPIName was invoked from an IP address on a custom threat list.',
                                  'description': {'format': 'text', 'content': 'An API was used to access a bucket from an IP address on a custom threat list.'},
                                  'discovered_date': '2020-11-25T13:46:37.960Z',
                                  'severity_code': 'Low',
                                  'properties': {'aws_guardduty_finding_id': '60baffd3f9042e38640f2300d5c5a631',
                                                 'aws_guardduty_finding_arn': 'arn:aws:guardduty:us-west-2:xxxxyyyyzzzz:detector/f2baedb0ac74f8f42fc929e15f56da6a/finding/60baffd3f9042e38640f2300d5c5a631',
                                                 'aws_guardduty_finding_type': 'UnauthorizedAccess:S3/MaliciousIPCaller.Custom',
                                                 'aws_guardduty_finding_updated_at': '2020-11-26T15:18:12.620Z', 'aws_guardduty_region': 'us-west-2',
                                                 'aws_guardduty_resource_type': 'S3Bucket', 'aws_guardduty_count': 4,
                                                 'aws_guardduty_detector_id': 'f2baedb0ac74f8f42fc929e15f56da6a'},
                                  'artifacts': [],
                                  'comments': [{'text': {'format': 'text', 'content': "AWS GuardDuty finding Payload:\n<FINDING_PAYLOAD_AS_STRING>"}}]
                                 },
                      'data_tables': {'gd_action_details': [{'cells': {'action_type': {'value': 'AWS_API_CALL'},
                                                                       'action_api': {'value': 'GeneratedFindingAPIName'},
                                                                       'event_first_seen': {'value': '2020-11-25T13:46:37.960Z'},
                                                                       'event_last_seen': {'value': '2020-11-26T15:18:12.620Z'},
                                                                       'actor_caller_type': {'value': 'Remote IP'}, 'city_name': {'value': 'GeneratedFindingCityName'}, 'country_name': {'value': 'GeneratedFindingCountryName'}, 'asn': {'value': '-1'}, 'asn_org': {'value': 'GeneratedFindingASNOrg'}, 'isp': {'value': 'GeneratedFindingISP'}, 'org': {'value': 'GeneratedFindingORG'}, 'action_service_name': {'value': 'GeneratedFindingAPIServiceName'}, 'remote_ip': {'value': '198.51.100.0'}}}],
                                      'gd_resource_affected': [{'cells': {'resource_type': {'value': 'S3Bucket'}, 'instance_id': {'value': 'i-99999999'}, 'instance_type': {'value': 'm3.xlarge'}, 'instance_state': {'value': 'running'}, 'resource_role': {'value': 'TARGET'}, 'instance_private_ip': {'value': '10.0.0.1'}, 'instance_private_dns': {'value': 'GeneratedFindingPrivateName'}, 'instance_public_ip': {'value': '198.51.100.0'}, 'instance_public_dns': {'value': 'GeneratedFindingPublicDNSName'}, 's3bucket_name': {'value': 'bucketName'}, 's3bucket_owner': {'value': 'CanonicalId of Owner'}}}]
                                     }
                     },
          'inputs': {'incident_id': 2168, 'aws_gd_finding_id': '60baffd3f9042e38640f2300d5c5a631',
                     'aws_gd_region': 'us-west-2', 'aws_gd_detector_id': 'f2baedb0ac74f8f42fc929e15f56da6a'},
          'metrics': {'version': '1.0', 'package': 'fn-aws-guardduty', 'package_version': '1.0.0',
                      'host': 'Johnp-MacBook-Pro-2.galway.ie.ibm.com', 'execution_time_ms': 10739,
                      'timestamp': '2021-01-18 16:51:10'}
}
"""
#  Globals
FN_NAME = "func_aws_guardduty_refresh_finding"
WF_NAME = "Example: AWS GuardDuty: Refresh Finding"
# Map the artifact type API names returned by the function to the artifact
# type display names expected by incident.addArtifact().
ARTIFACT_API_TO_TYPE = {
    "aws_iam_access_key_id": "AWS IAM Access Key ID",
    "aws_iam_user_name": "AWS IAM User Name",
    "aws_s3_bucket_name": "AWS S3 Bucket Name",
    "IP Address": "IP Address",
    "DNS Name": "DNS Name",
    "Port": "Port"
}

# The function result carries 'content' (finding, payload, data_tables) and
# 'metrics' side by side, so read both from the same result object.
RESULTS = playbook.functions.results.output
CONTENT = RESULTS.content if RESULTS else None
QUERY_EXECUTION_DATE = RESULTS.metrics.timestamp if RESULTS else None
if CONTENT:
    PAYLOAD = CONTENT.payload
    # Artifacts are part of the payload (see the example result above).
    ARTIFACTS = PAYLOAD["artifacts"]
    # Dict keyed by data table API name (gd_action_details, gd_resource_affected, ...),
    # each value a list of rows of the form {"cells": {<column>: {"value": ...}}}.
    DATA_TABLES = CONTENT.data_tables

# Processing

def main():
    if CONTENT:
        note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: Finding data returned for Resilient function " \
                    "<b>{1}</b>".format(WF_NAME, FN_NAME)

        update_fields()
        update_datatables()
        if ARTIFACTS:
            add_artifacts()
    else:
        # Do not touch CONTENT here: it is None when the function returned nothing.
        note_text = "AWS GuardDuty Integration: Workflow <b>{0}</b>: No finding data returned for Resilient function " \
                    "<b>{1}</b>".format(WF_NAME, FN_NAME)

    incident.addNote(helper.createRichText(note_text))

def update_fields():
    # All aws_guardduty_* custom fields are text fields, so numeric and boolean
    # values are stored as strings.
    incident.severity_code = PAYLOAD["severity_code"]
    incident.properties.aws_guardduty_finding_updated_at = PAYLOAD["properties"]["aws_guardduty_finding_updated_at"]
    incident.properties.aws_guardduty_count = str(PAYLOAD["properties"]["aws_guardduty_count"])
    incident.properties.aws_guardduty_archived = str(PAYLOAD["properties"]["aws_guardduty_archived"])
    incident.properties.aws_guardduty_severity = str(PAYLOAD["properties"]["aws_guardduty_severity"])

def update_datatables():
    # Append one row per returned row; every row is stamped with the query time
    # so successive refreshes can be told apart.
    for data_table in DATA_TABLES:
        for row in DATA_TABLES[data_table]:
            newrow = incident.addRow(data_table)
            newrow.query_execution_date = QUERY_EXECUTION_DATE
            data_table_fields = row["cells"]
            for f, v_info in data_table_fields.items():
                newrow[f] = v_info.value


def add_artifacts():
    for artifact in ARTIFACTS:
        artifact_type = ARTIFACT_API_TO_TYPE[artifact["type"]["name"]]
        artifact_value = artifact["value"]
        description = artifact["description"]["content"]
        incident.addArtifact(artifact_type, artifact_value, description)


if __name__ == "__main__":
    main()


Playbooks

| Playbook Name | Description | Activation Type | Object | Status | Condition |
|---|---|---|---|---|---|
| Example: AWS GuardDuty: Archive Finding (PB) | A SOAR playbook to archive an AWS GuardDuty finding when the corresponding incident is closed. | Automatic | incident | enabled | incident.plan_status changed_to Closed AND incident.properties.aws_guardduty_archived not_equals True AND incident.properties.aws_guardduty_detector_id has_a_value AND incident.properties.aws_guardduty_finding_id has_a_value AND incident.properties.aws_guardduty_region has_a_value |
| Example: AWS GuardDuty: Refresh Finding Details (PB) | A SOAR playbook to refresh or update AWS GuardDuty finding details in an incident. | Manual | incident | enabled | incident.properties.aws_guardduty_detector_id has_a_value AND incident.properties.aws_guardduty_finding_id has_a_value AND incident.properties.aws_guardduty_region has_a_value |
| Example: AWS GuardDuty: Update Finding Details (PB) | None | Automatic | incident | enabled | incident.properties.aws_guardduty_detector_id has_a_value AND incident.properties.aws_guardduty_finding_id has_a_value AND incident.properties.aws_guardduty_finding_updated_at has_a_value AND incident.properties.aws_guardduty_region has_a_value AND incident.properties.aws_guardduty_trigger_refresh changed AND incident.properties.aws_guardduty_trigger_refresh equals True |

Custom Layouts

  • Import the Data Tables and Custom Fields like the screenshot below:

    screenshot: custom_layouts

Data Table - GuardDuty Action/Actor Details

screenshot: dt-guardduty-actionactor-details

API Name:

gd_action_details

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| Action api | action_api | text | - |
| Action type | action_type | text | - |
| Actor caller type | actor_caller_type | text | - |
| Asn | asn | text | - |
| City name | city_name | text | - |
| Connection direction | connection_direction | text | - |
| Country | country_name | text | - |
| DNS domain name | dns_domain_name | text | - |
| DNS request blocked | dns_blocked | text | - |
| Event first Seen | event_first_seen | text | - |
| Event Last Seen | event_last_seen | text | - |
| Finding asn org | asn_org | text | - |
| Finding isp | isp | text | - |
| Finding org | org | text | - |
| Local IP address | local_ip | text | - |
| Local port | local_port | text | - |
| Protocol | protocol | text | - |
| Query Execution date | query_execution_date | text | - |
| Remote IP address | remote_ip | text | - |
| Remote port | remote_port | text | - |
| Service name | service_name | text | - |

Data Table - GuardDuty Finding Overview

screenshot: dt-guardduty-finding-overview

API Name:

gd_finding_overview

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| Account ID | account_id | text | - |
| Count | count | text | - |
| Created at | created_at | text | - |
| Query Execution date | query_execution_date | text | - |
| Region | region | text | - |
| Resource ID | resource_id | text | - |
| Severity | severity | text | - |
| Updated at | updated_at | text | - |

Data Table - GuardDuty Resource - Access Key Details

screenshot: dt-guardduty-resource---access-key-details

API Name:

gd_access_key_details

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| Access key ID | access_key_id | text | - |
| Principal ID | principal_id | text | - |
| Query Execution date | query_execution_date | text | - |
| User name | user_name | text | - |
| User type | user_type | text | - |

Data Table - GuardDuty Resource - Instance Details

screenshot: dt-guardduty-instance-details

API Name:

gd_instance_details

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| ID | instance_id | text | - |
| Private dns name | private_dns_name | text | - |
| Private ip address | private_ip | text | - |
| Public dns name | public_dns_name | text | - |
| Public ip address | public_ip | text | - |
| Query execution date | query_execution_date | text | - |
| State | instance_state | text | - |
| Type | type | text | - |

Data Table - GuardDuty Resource - S3 Bucket Details

screenshot: dt-guardduty-s3-bucket-details

API Name:

gd_s3_bucket_details

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| Bucket Arn | bucket_arn | text | - |
| Bucket name | bucket_name | text | - |
| Bucket owner | bucket_owner | text | - |
| Bucket Type | bucket_type | text | - |
| Effective Permission | effective_permissions | text | - |
| Encryption type | encryption_type | text | - |
| Kms master key ARN | kms_master_key_arn | text | - |
| Query execution date | query_execution_date | text | - |

Data Table - GuardDuty Resource Affected

screenshot: dt-guardduty-resource-affected

API Name:

gd_resource_affected

Columns:

| Column Name | API Access Name | Type | Tooltip |
|---|---|---|---|
| Instance ID | instance_id | text | - |
| Instance type | instance_type | text | - |
| Query execution date | query_execution_date | text | - |
| Resource role | resource_role | text | - |
| Resource type | resource_type | text | - |

Custom Fields

| Label | API Access Name | Type | Prefix | Placeholder | Tooltip |
|---|---|---|---|---|---|
| AWS GuardDuty Archived | aws_guardduty_archived | text | properties | - | A true or false value that indicates whether this GuardDuty finding has been archived. |
| AWS GuardDuty Count | aws_guardduty_count | text | properties | - | The number of times GuardDuty has aggregated an activity matching this pattern to this finding ID. |
| AWS GuardDuty Detector Id | aws_guardduty_detector_id | text | properties | - | The detector ID where the GuardDuty finding was detected. |
| AWS GuardDuty Finding Arn | aws_guardduty_finding_arn | text | properties | - | Arn of the GuardDuty finding. |
| AWS GuardDuty Finding Id | aws_guardduty_finding_id | text | properties | - | A unique Finding ID for this GuardDuty finding type and set of parameters. New occurrences of activity matching this pattern will be aggregated to the same ID. |
| AWS GuardDuty Finding Type | aws_guardduty_finding_type | text | properties | - | The type of activity that triggered the GuardDuty finding. |
| AWS GuardDuty Resource Updated At | aws_guardduty_finding_updated_at | text | properties | - | The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding. |
| AWS GuardDuty Region | aws_guardduty_region | text | properties | - | The AWS Region in which the GuardDuty finding was generated. |
| AWS GuardDuty Resource Type | aws_guardduty_resource_type | text | properties | - | The type of the affected resource of the GuardDuty finding. This value is either AccessKey, S3 bucket or Instance. |
| AWS GuardDuty Severity | aws_guardduty_severity | text | properties | - | The numeric severity GuardDuty assigned to the finding. |
| AWS GuardDuty Trigger Refresh | aws_guardduty_trigger_refresh | boolean | properties | False | Used by the integration to trigger a refresh of GuardDuty incidents. |

Custom Artifact Types

| Display Name | API Access Name | Description |
|---|---|---|
| AWS IAM Access Key ID | aws_iam_access_key_id | Amazon Web Services (AWS) IAM access key id. |
| AWS IAM User Name | aws_iam_user_name | Amazon Web Services (AWS) IAM user name. |
| AWS S3 Bucket Name | aws_s3_bucket_name | Amazon Web Services (AWS) S3 bucket name. |
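The custom fields, data tables and artifact types above are the target schema into which the app flattens a GuardDuty finding. As an added, stand-alone illustration (not the app's own code), the Python below performs that flattening for a constructed finding shaped like one element of the GuardDuty GetFindings response: the account, detector, finding and key IDs and the remote IP in SAMPLE_FINDING are placeholders, and the Low/Medium/High split in severity_code uses the bands AWS documents for the numeric severity.

```python
"""Flatten a GuardDuty finding into the custom fields, data-table rows and
artifacts defined in the Custom Layouts section.  Added illustration, not the
app's own code.  SAMPLE_FINDING is constructed (placeholder IDs, RFC 5737 test
IP) and shaped like one element of the GuardDuty GetFindings response."""
from typing import Any, Dict, List, Tuple

SAMPLE_FINDING: Dict[str, Any] = {
    "AccountId": "111122223333", "Id": "f0example", "Region": "us-east-1", "Severity": 2,
    "Arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d0example/finding/f0example",
    "Type": "Discovery:IAMUser/AnomalousBehavior",
    "CreatedAt": "2024-04-11T05:47:16.625Z", "UpdatedAt": "2024-04-11T05:47:16.625Z",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "PrincipalId": "AIDAEXAMPLEPRINCIPAL",
                             "UserName": "dummy", "UserType": "IAMUser"},
    },
    "Service": {
        "DetectorId": "d0example", "Count": 1, "Archived": False, "ResourceRole": "TARGET",
        "EventFirstSeen": "2024-04-11T05:26:01.000Z", "EventLastSeen": "2024-04-11T05:32:48.000Z",
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "ListFindings", "CallerType": "Remote IP", "ServiceName": "guardduty.amazonaws.com",
                "RemoteIpDetails": {
                    "IpAddressV4": "198.51.100.7",
                    "City": {"CityName": "Singapore"}, "Country": {"CountryName": "Singapore"},
                    "Organization": {"Asn": "17390", "AsnOrg": "EXAMPLE-ASN", "Isp": "Example ISP", "Org": "Example Org"},
                },
            },
        },
    },
}


def severity_code(severity: float) -> str:
    """GuardDuty numeric severity -> SOAR severity_code, using the bands AWS
    documents: below 4 Low, 4 to 6.9 Medium, 7 and above High."""
    if severity < 4:
        return "Low"
    return "Medium" if severity < 7 else "High"


def incident_properties(f: Dict[str, Any]) -> Dict[str, str]:
    """Values for the aws_guardduty_* custom fields.  They are all text fields,
    so count, archived and severity are stringified, as the script above does."""
    svc = f["Service"]
    return {
        "aws_guardduty_finding_id": f["Id"], "aws_guardduty_finding_arn": f["Arn"],
        "aws_guardduty_finding_type": f["Type"], "aws_guardduty_finding_updated_at": f["UpdatedAt"],
        "aws_guardduty_region": f["Region"], "aws_guardduty_severity": str(f["Severity"]),
        "aws_guardduty_resource_type": f["Resource"]["ResourceType"],
        "aws_guardduty_detector_id": svc["DetectorId"],
        "aws_guardduty_count": str(svc.get("Count", 1)),
        "aws_guardduty_archived": str(svc.get("Archived", False)),
    }


def _cells(values: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap column values in the {"cells": {col: {"value": v}}} row shape; drop absent columns."""
    return {"cells": {k: {"value": str(v)} for k, v in values.items() if v is not None}}


def data_table_rows(f: Dict[str, Any], query_execution_date: str) -> Dict[str, List[Dict[str, Any]]]:
    """Rows keyed by data-table API name; tables with nothing to show stay empty."""
    svc, res = f["Service"], f["Resource"]
    rows: Dict[str, List[Dict[str, Any]]] = {
        "gd_finding_overview": [_cells({
            "query_execution_date": query_execution_date, "account_id": f["AccountId"], "region": f["Region"],
            "severity": f["Severity"], "count": svc.get("Count"), "created_at": f["CreatedAt"], "updated_at": f["UpdatedAt"]})],
        "gd_resource_affected": [_cells({
            "query_execution_date": query_execution_date, "resource_type": res["ResourceType"],
            "resource_role": svc.get("ResourceRole")})],
        "gd_action_details": [], "gd_access_key_details": [],
    }
    action = svc.get("Action") or {}
    if action.get("ActionType") == "AWS_API_CALL":  # other action types carry different sub-objects
        api = action["AwsApiCallAction"]
        rip = api.get("RemoteIpDetails") or {}
        org = rip.get("Organization") or {}
        rows["gd_action_details"].append(_cells({
            "query_execution_date": query_execution_date, "action_type": "AWS_API_CALL",
            "action_api": api.get("Api"), "actor_caller_type": api.get("CallerType"), "service_name": api.get("ServiceName"),
            "event_first_seen": svc.get("EventFirstSeen"), "event_last_seen": svc.get("EventLastSeen"),
            "remote_ip": rip.get("IpAddressV4"), "city_name": (rip.get("City") or {}).get("CityName"),
            "country_name": (rip.get("Country") or {}).get("CountryName"),
            "asn": org.get("Asn"), "asn_org": org.get("AsnOrg"), "isp": org.get("Isp"), "org": org.get("Org")}))
    ak = res.get("AccessKeyDetails")
    if ak:
        rows["gd_access_key_details"].append(_cells({
            "query_execution_date": query_execution_date, "access_key_id": ak.get("AccessKeyId"),
            "principal_id": ak.get("PrincipalId"), "user_name": ak.get("UserName"), "user_type": ak.get("UserType")}))
    return rows


def artifacts(f: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(artifact type API name, value) pairs for the custom artifact types above,
    plus the built-in IP Address type for the remote caller."""
    out: List[Tuple[str, str]] = []
    ak = f["Resource"].get("AccessKeyDetails") or {}
    if ak.get("AccessKeyId"):
        out.append(("aws_iam_access_key_id", ak["AccessKeyId"]))
    if ak.get("UserName"):
        out.append(("aws_iam_user_name", ak["UserName"]))
    for bucket in f["Resource"].get("S3BucketDetails") or []:  # S3BucketDetails is a list in GetFindings
        if bucket.get("Name"):
            out.append(("aws_s3_bucket_name", bucket["Name"]))
    rip = ((f["Service"].get("Action") or {}).get("AwsApiCallAction") or {}).get("RemoteIpDetails") or {}
    if rip.get("IpAddressV4"):
        out.append(("IP Address", rip["IpAddressV4"]))
    return out
```

Running data_table_rows(SAMPLE_FINDING, "2024-04-11 14:08:54") yields one gd_action_details row whose action_api is ListFindings and one gd_access_key_details row for user dummy, matching the shape of the refresh-finding result earlier on this page; a finding with no AWS_API_CALL action or no access key leaves those tables empty rather than emitting rows of blanks.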

Troubleshooting & Support

Refer to the documentation listed in the Requirements section for troubleshooting information.

For Support

This is an IBM supported app. Please search ibm.com/mysupport for assistance.