From 5b44ba09470da75a2150fa9fdaf03f8c74f6e239 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 09:21:38 +0100
Subject: [PATCH 01/13] :sparkles: fix guardduty, issue #7813
---
 unittests/scans/awssecurityhub/guardduty.json | 429 ++++++++++++++++++
 1 file changed, 429 insertions(+)
 create mode 100644 unittests/scans/awssecurityhub/guardduty.json
diff --git a/unittests/scans/awssecurityhub/guardduty.json b/unittests/scans/awssecurityhub/guardduty.json
new file mode 100644
index 00000000000..df7bbb4f9d1
--- /dev/null
+++ b/unittests/scans/awssecurityhub/guardduty.json
@@ -0,0 +1,429 @@
+{
+ "Findings": [
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/123456789789",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
+ "ProductName": "GuardDuty",
+ "CompanyName": "Amazon",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789",
+ "AwsAccountId": "123456789012",
+ "Types": [
+ "TTPs/Defense Evasion/DefenseEvasion:EC2-UnusualDNSResolver"
+ ],
+ "FirstObservedAt": "2024-01-17T11:19:23.000Z",
+ "LastObservedAt": "2200-01-17T11:21:23.000Z",
+ "CreatedAt": "2024-01-17T11:33:20.845Z",
+ "UpdatedAt": "2024-01-17T11:33:21.196Z",
+ "Severity": {
+ "Product": 5,
+ "Label": "MEDIUM",
+ "Normalized": 50
+ },
+ "Title": "EC2 instance i-1234567890 is communicating with an Unusual DNS Resolver 1.1.1.1.",
+ "Description": "EC2 instance i-1234567890 is communicating with an Unusual DNS Resolver 1.1.1.1.",
+ "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=123456789789",
+ "ProductFields": {
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "DNS",
+ "aws/guardduty/service/archived": "false",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "Rostelecom",
+ "aws/guardduty/service/additionalInfo/value": "{\"inBytes\":\"318\",\"outBytes\":\"88\",\"unusual\":\"Rostelecom\"}",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.1123123",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "1.1.1.1",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "3458.123",
+ "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "53",
+ "aws/guardduty/service/additionalInfo/inBytes": "318",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "Russia",
+ "aws/guardduty/service/serviceName": "guardduty",
+ "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "127.0.0.1",
+ "aws/guardduty/service/detectorId": "123456789",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "Rostelecom",
+ "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "OUTBOUND",
+ "aws/guardduty/service/eventFirstSeen": "2024-01-17T11:19:23.000Z",
+ "aws/guardduty/service/eventLastSeen": "2024-01-17T11:21:23.000Z",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "Unknown",
+ "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
+ "aws/guardduty/service/additionalInfo/unusual": "Rostelecom",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Yeysk",
+ "aws/guardduty/service/resourceRole": "ACTOR",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "53814",
+ "aws/guardduty/service/action/networkConnectionAction/protocol": "UDP",
+ "aws/guardduty/service/additionalInfo/outBytes": "88",
+ "aws/guardduty/service/count": "108",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "25490",
+ "aws/guardduty/service/additionalInfo/type": "default",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "Rostelecom",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/123456789789",
+ "aws/securityhub/ProductName": "GuardDuty",
+ "aws/securityhub/CompanyName": "Amazon"
+ },
+ "Resources": [
+ {
+ "Type": "AwsEc2Instance",
+ "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Tags": {
+ "ManagedBy": "Terraform",
+ "map-migrated": "d-server-asdfasdf",
+ "Name": "asdf-namenamename",
+ "domain": "asdf"
+ },
+ "Details": {
+ "AwsEc2Instance": {
+ "Type": "t2.small",
+ "ImageId": "ami-asdfasdf",
+ "IpV4Addresses": [
+ "1.2.2.2",
+ "127.0.0.1"
+ ],
+ "IamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/asdf-iamrole-asdf-new",
+ "VpcId": "vpc-12354467879",
+ "SubnetId": "subnet-123123123",
+ "LaunchedAt": "2023-10-23T09:09:47.000Z"
+ }
+ }
+ }
+ ],
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "MEDIUM"
+ },
+ "Types": [
+ "TTPs/Defense Evasion/DefenseEvasion:EC2-UnusualDNSResolver"
+ ]
+ },
+ "Sample": false
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/12312312312312312",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
+ "ProductName": "GuardDuty",
+ "CompanyName": "Amazon",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789",
+ "AwsAccountId": "123456789012",
+ "Types": [
+ "TTPs/Discovery/Recon:EC2-Portscan"
+ ],
+ "FirstObservedAt": "2024-01-17T11:22:23.000Z",
+ "LastObservedAt": "2200-01-17T11:25:23.000Z",
+ "CreatedAt": "2024-01-17T11:33:20.699Z",
+ "UpdatedAt": "2024-01-17T11:33:20.699Z",
+ "Severity": {
+ "Product": 5,
+ "Label": "MEDIUM",
+ "Normalized": 50
+ },
+ "Title": "Outbound portscan from EC2 instance i-1234567890.",
+ "Description": "EC2 instance i-1234567890 is performing outbound port scans against remote host 1.2.3.4.",
+ "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=12312312312312312",
+ "ProductFields": {
+ "aws/guardduty/service/additionalInfo/portsScannedSample.18_": "8443",
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
+ "aws/guardduty/service/archived": "false",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.16_": "3389",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "AMAZON-02",
+ "aws/guardduty/service/additionalInfo/value": "{\"portsScannedSample\":[88,25,646,106,8888,993,995,5060,5000,873,37,389,110,587,179,514,3389,1433,8443,1900]}",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "10.188",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "1.2.3.4",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.2_": "646",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "123.43",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.0_": "88",
+ "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "995",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "USA",
+ "aws/guardduty/service/serviceName": "guardduty",
+ "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "127.0.0.1",
+ "aws/guardduty/service/detectorId": "123456789",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.10_": "37",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.8_": "5000",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "Amazon.com",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.6_": "995",
+ "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "OUTBOUND",
+ "aws/guardduty/service/eventFirstSeen": "2024-01-17T11:22:23.000Z",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.14_": "179",
+ "aws/guardduty/service/eventLastSeen": "2024-01-17T11:25:23.000Z",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.4_": "8888",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "Unknown",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.12_": "110",
+ "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.17_": "1433",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.15_": "514",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.19_": "1900",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "America",
+ "aws/guardduty/service/resourceRole": "ACTOR",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "38090",
+ "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
+ "aws/guardduty/service/count": "4",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.3_": "106",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "16509",
+ "aws/guardduty/service/additionalInfo/type": "default",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.1_": "25",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "Amazon.com",
+ "aws/guardduty/service/additionalInfo/portsScannedSample.9_": "873",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/12312312312312312",
+ "aws/securityhub/ProductName": "GuardDuty",
+ "aws/securityhub/CompanyName": "Amazon"
+ },
+ "Resources": [
+ {
+ "Type": "AwsEc2Instance",
+ "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Tags": {
+ "ManagedBy": "Terraform",
+ "map-migrated": "d-server-asdfasdf",
+ "Name": "asdf-namenamename",
+ "domain": "asdf"
+ },
+ "Details": {
+ "AwsEc2Instance": {
+ "Type": "t2.small",
+ "ImageId": "ami-asdfasdf",
+ "IpV4Addresses": [
+ "1.2.2.2",
+ "127.0.0.1"
+ ],
+ "IamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/asdf-iamrole-asdf-new",
+ "VpcId": "vpc-12354467879",
+ "SubnetId": "subnet-123123123",
+ "LaunchedAt": "2023-10-23T09:09:47.000Z"
+ }
+ }
+ }
+ ],
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "MEDIUM"
+ },
+ "Types": [
+ "TTPs/Discovery/Recon:EC2-Portscan"
+ ]
+ },
+ "Sample": false
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/4897489798789",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
+ "ProductName": "GuardDuty",
+ "CompanyName": "Amazon",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789",
+ "AwsAccountId": "123456789012",
+ "Types": [
+ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
+ ],
+ "FirstObservedAt": "2023-11-06T15:28:58.000Z",
+ "LastObservedAt": "2200-01-12T07:30:38.000Z",
+ "CreatedAt": "2023-11-06T15:42:44.710Z",
+ "UpdatedAt": "2024-01-12T07:45:57.163Z",
+ "Severity": {
+ "Product": 2,
+ "Label": "LOW",
+ "Normalized": 40
+ },
+ "Title": "1.2.9.9 is performing SSH brute force attacks against i-1234567890.",
+ "Description": "1.2.9.9 is performing SSH brute force attacks against i-1234567890. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
+ "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=4897489798789",
+ "ProductFields": {
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
+ "aws/guardduty/service/archived": "false",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "C1V",
+ "aws/guardduty/service/additionalInfo/value": "",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "11231.61269",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "1.22.9.9",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "11232.22",
+ "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
+ "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "37726",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "Italy",
+ "aws/guardduty/service/serviceName": "guardduty",
+ "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "127.0.0.1",
+ "aws/guardduty/service/detectorId": "123456789",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "C1V",
+ "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND",
+ "aws/guardduty/service/eventFirstSeen": "2023-11-06T15:28:58.000Z",
+ "aws/guardduty/service/eventLastSeen": "2099-01-12T07:30:38.000Z",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH",
+ "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Pomezia",
+ "aws/guardduty/service/resourceRole": "TARGET",
+ "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
+ "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
+ "aws/guardduty/service/count": "7",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "212271",
+ "aws/guardduty/service/additionalInfo/type": "default",
+ "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "C1V",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/4897489798789",
+ "aws/securityhub/ProductName": "GuardDuty",
+ "aws/securityhub/CompanyName": "Amazon"
+ },
+ "Resources": [
+ {
+ "Type": "AwsEc2Instance",
+ "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Tags": {
+ "ManagedBy": "Terraform",
+ "map-migrated": "d-server-asdfasdf",
+ "Name": "asdf-namenamename",
+ "domain": "asdf"
+ },
+ "Details": {
+ "AwsEc2Instance": {
+ "Type": "t2.small",
+ "ImageId": "ami-asdfasdf",
+ "IpV4Addresses": [
+ "1.2.2.2",
+ "127.0.0.1"
+ ],
+ "IamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/asdf-iamrole-asdf-new",
+ "VpcId": "vpc-12354467879",
+ "SubnetId": "subnet-123123123",
+ "LaunchedAt": "2023-10-23T09:09:47.000Z"
+ }
+ }
+ }
+ ],
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW"
+ },
+ "Types": [
+ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
+ ]
+ },
+ "Sample": false
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/2123123123123",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
+ "ProductName": "GuardDuty",
+ "CompanyName": "Amazon",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789",
+ "AwsAccountId": "123456789012",
+ "Types": [
+ "TTPs/Discovery/IAMUser-AnomalousBehavior"
+ ],
+ "FirstObservedAt": "2023-12-12T12:51:24.000Z",
+ "LastObservedAt": "2200-12-12T12:56:22.000Z",
+ "CreatedAt": "2023-12-12T13:17:27.087Z",
+ "UpdatedAt": "2023-12-12T13:17:27.087Z",
+ "Severity": {
+ "Product": 2,
+ "Label": "LOW",
+ "Normalized": 40
+ },
+ "Title": "User AssumedRole : 123123123 is anomalously invoking APIs commonly used in Discovery tactics.",
+ "Description": "APIs commonly used in Discovery tactics were invoked by user AssumedRole : 123123123, under anomalous circumstances. Such activity is not typically seen from this user.",
+ "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123",
+ "ProductFields": {
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledAPIsUserIdentityProfiling": "",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg": "Russia.o.",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org": "SBB",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledUserTypesAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserAgentsUserIdentityProfiling": "OTHER , browser , AWS Internal",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledUserNamesAccountProfiling": "AWSServiceRoleForRDS , AWSServiceRoleForAmazonGuardDuty , asdf-sec_audit_role_assumed_by_sectools",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName": "Russia",
+ "aws/guardduty/service/serviceName": "guardduty",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserNamesAccountProfiling": "123123123 , AWSServiceRoleForSecurityHub , AWSServiceRoleForAccessAnalyzer , nv-rl-awsconfig-all-tflz , OrganizationAccountAccessRole , asdf-iamrole-asdf-new",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledASNsUserIdentityProfiling": "asnNumber: 6805 asn",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon": "20.4637",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserAgentsAccountProfiling": "AWS Service , aws-sdk-go , aws-sdk-go-v2 , AWS Internal , aws-cli , Botocore , OTHER , browser",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledASNsAccountProfiling": "asnNumber: 31042 asnOrg: Russia ",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn": "31042",
+ "aws/guardduty/service/action/actionType": "AWS_API_CALL",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledAPIsAccountProfiling": "ListTopics , ListRoles , DescribeAddresses , BatchGetResourceConfig , ListGrants , SelectResourceConfig , DescribeConfigurationRecorderStatus , DescribeByoipCidrs , DescribeVpcs , GetKeyPolicy , DescribeTrails , GetBucketLocation , ListSecrets , GetAccountPublicAccessBlock , ListKeys , GetRepositoryPolicy , GenerateCredentialReport , GetResourcePolicy , GetSecretValue",
+ "aws/guardduty/service/additionalInfo/userAgent/fullUserAgent": "AWS Internal",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualAPIsUserIdentityProfiling": "DescribeInstanceConnectEndpoints , ListAnomalies , ListLogAnomalyDetectors , GetConnectionStatus",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserTypesAccountProfiling": "ASSUMED_ROLE",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledAPIsAccountProfiling": "DescribeInstanceInformation",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledUserAgentsUserIdentityProfiling": "aws-internal/3",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4": "1.2.3.5",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledASNsAccountProfiling": "ade",
+ "aws/guardduty/service/action/awsApiCallAction/affectedResources": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledAPIsUserIdentityProfiling": "DescribeInstanceInformation , DescribeAccountAttributes , DescribeSubnets , GetResourcePolicy , DescribeAlarms , DescribeSecret , DescribeSecurityGroups , ListRoles , DescribeKeyPairs , DescribeVolumes , DescribeAddresses , DescribeAvailabilityZones , DescribeVpcs , DescribeLoadBalancers , DescribeAutoScalingGroups",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualAPIsAccountProfiling": "DescribeInstanceConnectEndpoints , ListAnomalies , ListLogAnomalyDetectors , GetConnectionStatus",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledUserTypesAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledUserAgentsAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledUserAgentsUserIdentityProfiling": "",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat": "42123.46",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualASNsAccountProfiling": "",
+ "aws/guardduty/service/action/awsApiCallAction/serviceName": "ssm.amazonaws.com",
+ "aws/guardduty/service/detectorId": "123456789",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledASNsUserIdentityProfiling": "asnNumber: 1G",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledASNsAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/anomalies/anomalousAPIs": "ssm.amazonaws.com:[DescribeInstanceInformation:success , GetConnectionStatus:success] , ec2.amazonaws.com:[DescribeLaunchTemplates:success , DescribeKeyPairs:success , DescribeInstanceConnectEndpoints:success , DescribeAvailabilityZones:success] , logs.amazonaws.com:[ListAnomalies:success , ListLogAnomalyDetectors:success] , autoscaling.amazonaws.com:[DescribeAutoScalingGroups:success]",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledAPIsAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledUserAgentsAccountProfiling": "aws-internal/3",
+ "aws/guardduty/service/resourceRole": "TARGET",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualUserNamesAccountProfiling": "",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp": "SBB",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualUserAgentsAccountProfiling": "",
+ "aws/guardduty/service/action/awsApiCallAction/callerType": "Remote IP",
+ "aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName": "Belgrade",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledUserNamesAccountProfiling": "terraform-12312312312313 , oudWatchLogRole , AWSServiceRoleForElasticLoadBalancing , AWSServiceRoleForSSO",
+ "aws/guardduty/service/action/awsApiCallAction/api": "DescribeInstanceInformation",
+ "aws/guardduty/service/additionalInfo/unusualBehavior/unusualUserTypesAccountProfiling": "",
+ "aws/guardduty/service/additionalInfo/userAgent/userAgentCategory": "AWS Internal",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledASNsUserIdentityProfiling": "",
+ "aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledAPIsUserIdentityProfiling": "DescribeRegions , GetSigninToken , ConsoleLogin , ListSecrets , ListAliases",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/2123123123123",
+ "aws/securityhub/ProductName": "GuardDuty",
+ "aws/securityhub/CompanyName": "Amazon"
+ },
+ "Resources": [
+ {
+ "Type": "AwsIamAccessKey",
+ "Id": "AWS::IAM::AccessKey:123123123",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Details": {
+ "AwsIamAccessKey": {
+ "PrincipalId": "asdfasdfasdfasfd",
+ "PrincipalType": "AssumedRole",
+ "PrincipalName": "asdfasdfasdf"
+ }
+ }
+ }
+ ],
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW"
+ },
+ "Types": [
+ "TTPs/Discovery/IAMUser-AnomalousBehavior"
+ ]
+ },
+ "Sample": false
+ }
+ ]
+}
From bc38bf5be3fc35a28260bd3f234ff974d4a997ff Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 09:32:32 +0100
Subject: [PATCH 02/13] advance unittests
---
 unittests/tools/test_awssecurityhub_parser.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py
index 6dd78605fd5..ff02d1cfbbf 100644
--- a/unittests/tools/test_awssecurityhub_parser.py
+++ b/unittests/tools/test_awssecurityhub_parser.py
@@ -101,3 +101,15 @@ def test_inspector_ecr(self):
 self.assertEqual("CVE-2023-2650 - openssl - Image: repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.title)
 self.assertIn("repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.impact)
 self.assertIn("Repository: repo-os", finding.impact)
+
+ def test_guardduty(self):
+ with open(get_unit_tests_path() + sample_path("guardduty.json")) as test_file:
+ parser = AwsSecurityHubParser()
+ findings = parser.get_findings(test_file, Test())
+ self.assertEqual(4, len(findings))
+ finding = findings[0]
+ self.assertEqual("Medium", finding.severity)
+ self.assertTrue(finding.active)
+ finding = findings[3]
+ self.assertEqual("Low", finding.severity)
+ self.assertTrue(finding.active)
From 5ba0dd4678da229406d30baf6d6f7d5ff0daef7a Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 14:18:23 +0100
Subject: [PATCH 03/13] add mitigation
---
 dojo/tools/awssecurityhub/parser.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
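Review bot: The fixture's `LastObservedAt` values are dated in the year 2200 (e.g. `"LastObservedAt": "2200-01-17T11:21:23.000Z"`) while the matching `aws/guardduty/service/eventLastSeen` product fields carry 2024 dates, and the third finding's `eventLastSeen` is 2099. If the far-future dates are deliberate — presumably so that a parser reading `LastObservedAt` into a mitigation timestamp can never produce a date in the past — that intent should be recorded in the test that loads this file, since JSON cannot carry a comment; otherwise the values should match the product fields. The title of the third finding names `1.2.9.9` while its `remoteIpDetails/ipAddressV4` is `1.22.9.9`, harmless for the parser but worth aligning so the sample reads as one consistent finding.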
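Review bot: `test_guardduty` pins only `severity` and `active`, so the GuardDuty-specific fields this series goes on to populate (mitigation text, description, `is_mitigated`, `mitigated`) are not verified; since every fixture record has `"RecordState": "ACTIVE"`, at least `self.assertFalse(finding.is_mitigated)` and `self.assertIn("TTPs/Discovery/IAMUser-AnomalousBehavior", finding.mitigation)` for `findings[3]` would pin the intended behavior. The fixture's `LastObservedAt` values are in the year 2200, so if `finding.mitigated` is derived from that field the test should assert on it explicitly rather than leave a future-dated timestamp unobserved. The enclosing test class starts outside the hunk.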
diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py
index 252c4c5a237..19a2eacc8d9 100644
--- a/dojo/tools/awssecurityhub/parser.py
+++ b/dojo/tools/awssecurityhub/parser.py
@@ -81,11 +81,18 @@ def get_item(finding: dict, test):
 mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
 else:
 mitigated = datetime.utcnow()
-
+ elif aws_scanner_type == "GuardDuty":
+ mitigations = finding.get("FindingProviderFields", {}).get("Types")
+ for mitigate in mitigations:
+ mitigation += mitigate + "\n"
+ active = True #TODO
+ is_Mitigated = False #TODO
+ mitigated = None #TODO
+ mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+ description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}"
 else:
 mitigation = finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")
 description = "This is a Security Hub Finding \n" + finding.get("Description", "")
-
 if finding.get("Compliance", {}).get("Status", "PASSED") == "PASSED":
 is_Mitigated = True
 active = False
From 82790464f53aa003a394da1b1e3b098b082dbf1b Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 14:41:17 +0100
Subject: [PATCH 04/13] provide more information
---
 dojo/tools/awssecurityhub/parser.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py
index 19a2eacc8d9..d247ed84502 100644
--- a/dojo/tools/awssecurityhub/parser.py
+++ b/dojo/tools/awssecurityhub/parser.py
@@ -85,11 +85,24 @@ def get_item(finding: dict, test):
 mitigations = finding.get("FindingProviderFields", {}).get("Types")
 for mitigate in mitigations:
 mitigation += mitigate + "\n"
- active = True #TODO
- is_Mitigated = False #TODO
- mitigated = None #TODO
 mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+ active = True
+ if finding.get("RecordState") == "ACTIVE":
+ is_Mitigated = False
+ else:
+ is_Mitigated = True
+ if finding.get("LastObservedAt", None):
+ try:
+ mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+ except Exception:
+ mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+ else:
+ mitigated = datetime.utcnow()
 description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}"
+ description += f"SourceURL: {finding.get('SourceUrl', '')}\n"
+ description += f"AwsAccountId: {finding.get('AwsAccountId', '')}\n"
+ description += f"Region: {finding.get('Region', '')}\n"
+ description += f"Id: {finding.get('Id', '')}\n"
 else:
 mitigation = finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")
 description = "This is a Security Hub Finding \n" + finding.get("Description", "")
From d06cdc9a31e476a7c8a822258505b3b3306d864c Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 14:45:01 +0100
Subject: [PATCH 05/13] uniqueidfromtool not in description
---
 dojo/tools/awssecurityhub/parser.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py
index d247ed84502..eeda64bbf35 100644
--- a/dojo/tools/awssecurityhub/parser.py
+++ b/dojo/tools/awssecurityhub/parser.py
@@ -102,7 +102,6 @@ def get_item(finding: dict, test):
 description += f"SourceURL: {finding.get('SourceUrl', '')}\n"
 description += f"AwsAccountId: {finding.get('AwsAccountId', '')}\n"
 description += f"Region: {finding.get('Region', '')}\n"
- description += f"Id: {finding.get('Id', '')}\n"
 else:
 mitigation = finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")
 description = "This is a Security Hub Finding \n" + finding.get("Description", "")
From 8a1665266e7e9d0668257ad2867f3c15b992f661 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 14:46:29 +0100
Subject: [PATCH 06/13] flake8
---
 dojo/tools/awssecurityhub/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py
index eeda64bbf35..9d356859b66 100644
--- a/dojo/tools/awssecurityhub/parser.py
+++ b/dojo/tools/awssecurityhub/parser.py
@@ -85,7 +85,7 @@ def get_item(finding: dict, test):
 mitigations = finding.get("FindingProviderFields", {}).get("Types")
 for mitigate in mitigations:
 mitigation += mitigate + "\n"
- mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+ mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
 active = True
 if finding.get("RecordState") == "ACTIVE":
 is_Mitigated = False
From 3fe22256e985eb66bfd6f6d10ecd25d676fbae48 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 12 Feb 2024 14:53:49 +0100
Subject: [PATCH 07/13] update docs
---
 .../parsers/file/awssecurityhub.md | 81 ++-----------------
 1 file changed, 5 insertions(+), 76 deletions(-)
diff --git a/docs/content/en/integrations/parsers/file/awssecurityhub.md b/docs/content/en/integrations/parsers/file/awssecurityhub.md
index 3e101cdd22b..4c925d36d1c 100644
--- a/docs/content/en/integrations/parsers/file/awssecurityhub.md
+++ b/docs/content/en/integrations/parsers/file/awssecurityhub.md
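Review bot: `mitigations = finding.get("FindingProviderFields", {}).get("Types")` yields `None` for a finding that carries no `Types`, and the `for mitigate in mitigations:` loop on the next line then raises `TypeError` instead of importing the finding without a mitigation; default to an empty list, `mitigations = finding.get("FindingProviderFields", {}).get("Types", [])`. The `mitigation +=` lines also rely on `mitigation` having been initialised to a string before this `elif` branch, which cannot be confirmed from the hunk — `get_item` starts above it, and the sibling Security Hub branch assigns `mitigation =` rather than appending. A one-line comment above the loop, `# GuardDuty has no Remediation block; list the finding types and link the type catalogue instead`, would record why this branch builds the text by hand.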
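Review bot: The GuardDuty `description` is assembled without a separator before the appended metadata: `description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}"` does not end in a newline, so the first `+=` glues `SourceURL: …` onto the last sentence of the finding text; end the base string with `\n` or start the `SourceURL` line with one. `active = True` is set unconditionally while `is_Mitigated` follows `RecordState`, so an archived finding is imported as both mitigated and active; `active = finding.get("RecordState") == "ACTIVE"` keeps the two fields in step. The `except Exception:` around `datetime.strptime` should be `except ValueError:` so that a non-string `LastObservedAt` surfaces as an error rather than being retried with the fallback format, which is copied from the Security Hub branch and has no seconds field (`%H:%M:%fZ`).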
@@ -3,86 +3,15 @@ title: "AWS Security Hub" toc_hide: true --- ### File Types -DefectDojo parser accepts a .json file. +This DefectDojo parser accepts JSON files from AWS Security Hub. The JSON reports can be created from the [AWS Security Hub CLI](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) using the following command: `aws securityhub get-findings`. -JSON reports can be created from the [AWS Security Hub CLI](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) using the following command: `aws securityhub get-findings`. +AWS Security Hub integrates with multiple AWS Tools. Thus, you can retrieve findings from various AWS sources through AWS Security Hub. This parser is able to handle the following findings retrieved over AWS Security Hub: +- AWS Security Hub Compliance Checks +- AWS Inspector +- AWS GuardDuty ### Acceptable JSON Format Parser expects a .json file, with an array of Findings contained within a single JSON object. All properties are strings and are required by the parser. 
-~~~ -{ - "findings": [ - { - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1", - "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", - "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.5", - "AwsAccountId": "012345678912", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" - ], - "FirstObservedAt": "2020-06-08T14:33:07.560Z", - "LastObservedAt": "2020-06-14T21:02:53.940Z", - "CreatedAt": "2020-06-08T14:33:07.560Z", - "UpdatedAt": "2020-06-14T21:02:53.454Z", - "Severity": { - "Product": 0, - "Label": "INFORMATIONAL", - "Normalized": 0, - "Original": "INFORMATIONAL" - }, - "Title": "IAM.5 MFA should be enabled for all IAM users that have console password", - "Description": "This AWS control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.", - "Remediation": { - "Recommendation": { - "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation" - } - }, - "ProductFields": { - "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", - "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0", - "ControlId": "IAM.5", - "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation", - "RelatedAWSResources:0/name": "securityhub-mfa-enabled-for-iam-console-access-9ae73a2f", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "StandardsControlArn": 
"arn:aws:securityhub:us-east-1:012345678912:control/aws-foundational-security-best-practices/v/1.0.0/IAM.5", - "aws/securityhub/SeverityLabel": "INFORMATIONAL", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.", - "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1" - }, - "Resources": [ - { - "Type": "AwsAccount", - "Id": "AWS::::Account:012345678912", - "Partition": "aws", - "Region": "us-east-1" - } - ], - "Compliance": { - "Status": "PASSED", - "StatusReasons": [ - { - "ReasonCode": "CONFIG_EVALUATIONS_EMPTY", - "Description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted." - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE" - }, - ... - ] -} - - -~~~ - ### Sample Scan Data Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/awssecurityhub). \ No newline at end of file From 0d955d79162b4502b8510c69082838a266c6097d Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Mon, 12 Feb 2024 15:01:43 +0100 Subject: [PATCH 08/13] update docs --- .../en/integrations/parsers/file/awssecurityhub.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/awssecurityhub.md b/docs/content/en/integrations/parsers/file/awssecurityhub.md index 4c925d36d1c..b88222d29fd 100644 
--- a/docs/content/en/integrations/parsers/file/awssecurityhub.md +++ b/docs/content/en/integrations/parsers/file/awssecurityhub.md @@ -7,11 +7,12 @@ This DefectDojo parser accepts JSON files from AWS Security Hub. The JSON report AWS Security Hub integrates with multiple AWS Tools. Thus, you can retrieve findings from various AWS sources through AWS Security Hub. This parser is able to handle the following findings retrieved over AWS Security Hub: - AWS Security Hub Compliance Checks -- AWS Inspector -- AWS GuardDuty +- AWS Security Hub Inspector +- AWS Security Hub GuardDuty -### Acceptable JSON Format -Parser expects a .json file, with an array of Findings contained within a single JSON object. All properties are strings and are required by the parser. +### Example Commands to retrieve JSON output +- AWS Security Hub Compliance Checks: `aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]" | jq "." > output.json` +- AWS Security Hub GuardDuty: `aws securityhub get-findings --filters ProductName="[{Value=GuardDuty,Comparison=EQUALS}]" | jq "." > output.json` ### Sample Scan Data Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/awssecurityhub). \ No newline at end of file From ab0a2c91cbbd12a8916cb763843f3cd6dedb59d0 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Mon, 12 Feb 2024 15:05:14 +0100 Subject: [PATCH 09/13] update docs --- docs/content/en/integrations/parsers/file/awssecurityhub.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/awssecurityhub.md b/docs/content/en/integrations/parsers/file/awssecurityhub.md index b88222d29fd..3cdb4a867a7 100644 --- a/docs/content/en/integrations/parsers/file/awssecurityhub.md +++ b/docs/content/en/integrations/parsers/file/awssecurityhub.md 
@@ -11,8 +11,8 @@ AWS Security Hub integrates with multiple AWS Tools. Thus, you can retrieve find - AWS Security Hub GuardDuty ### Example Commands to retrieve JSON output -- AWS Security Hub Compliance Checks: `aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]" | jq "." > output.json` -- AWS Security Hub GuardDuty: `aws securityhub get-findings --filters ProductName="[{Value=GuardDuty,Comparison=EQUALS}]" | jq "." > output.json` +- AWS Security Hub Compliance Checks:
`aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]" | jq "." > output.json` +- AWS Security Hub GuardDuty:
`aws securityhub get-findings --filters ProductName="[{Value=GuardDuty,Comparison=EQUALS}]" | jq "." > output.json` ### Sample Scan Data Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/awssecurityhub). \ No newline at end of file From 5e69db5766feb597b49cc935e35820d4ea554a8f Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Mon, 12 Feb 2024 17:13:35 +0100 Subject: [PATCH 10/13] update according to review --- unittests/tools/test_awssecurityhub_parser.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py index ff02d1cfbbf..efda9c464ea 100644 --- a/unittests/tools/test_awssecurityhub_parser.py +++ b/unittests/tools/test_awssecurityhub_parser.py @@ -113,3 +113,5 @@ def test_guardduty(self): finding = findings[3] self.assertEqual("Low", finding.severity) self.assertTrue(finding.active) + self.assertEqual("User AssumedRole : 123123123 is anomalously invoking APIs commonly used in Discovery tactics. - Resource: 123123123", finding.title) + self.assertEqual("TTPs/Discovery/IAMUser-AnomalousBehavior\nhttps://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html", finding.mitigation) From 0ee0096bc742314550c2ae1d5c52608630794bb2 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Wed, 14 Feb 2024 13:15:32 +0100 Subject: [PATCH 11/13] adapt docs --- docs/content/en/integrations/parsers/file/awssecurityhub.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/awssecurityhub.md b/docs/content/en/integrations/parsers/file/awssecurityhub.md index 3cdb4a867a7..22cdfc201dc 100644 --- a/docs/content/en/integrations/parsers/file/awssecurityhub.md +++ b/docs/content/en/integrations/parsers/file/awssecurityhub.md 
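Review bot: The two new assertions in test_guardduty cover title and mitigation, but nothing in the test exercises the `is_mitigated`/`mitigated` fields that this series adds to the GuardDuty branch of get_item, so the `RecordState` logic has no coverage at all. For a fixture entry with `RecordState: ACTIVE` a line such as `self.assertFalse(finding.is_mitigated)` and `self.assertIsNone(finding.mitigated)` would pin the intended behaviour, and a second entry with a non-ACTIVE record state would cover the other branch. Which RecordState values the fixture actually contains is not visible here and should be checked before writing the assertions.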
@@ -7,12 +7,13 @@ This DefectDojo parser accepts JSON files from AWS Security Hub. The JSON report AWS Security Hub integrates with multiple AWS Tools. Thus, you can retrieve findings from various AWS sources through AWS Security Hub. This parser is able to handle the following findings retrieved over AWS Security Hub: - AWS Security Hub Compliance Checks -- AWS Security Hub Inspector - AWS Security Hub GuardDuty +- AWS Security Hub Inspector ### Example Commands to retrieve JSON output - AWS Security Hub Compliance Checks:
`aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]" | jq "." > output.json` - AWS Security Hub GuardDuty:
`aws securityhub get-findings --filters ProductName="[{Value=GuardDuty,Comparison=EQUALS}]" | jq "." > output.json` +- AWS Security Hub Inspector:
`aws securityhub get-findings --filters ProductName="[{Value=Inspector,Comparison=EQUALS}]" | jq "." > output.json` ### Sample Scan Data Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/awssecurityhub). \ No newline at end of file From eddf475ed04859f4a2cbc07298d45a734f5f72bb Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Fri, 16 Feb 2024 20:31:56 +0100 Subject: [PATCH 12/13] :bug: fix according to comment --- dojo/tools/awssecurityhub/parser.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py index 9d356859b66..fc0b988058c 100644 --- a/dojo/tools/awssecurityhub/parser.py +++ b/dojo/tools/awssecurityhub/parser.py @@ -89,15 +89,16 @@ def get_item(finding: dict, test): active = True if finding.get("RecordState") == "ACTIVE": is_Mitigated = False + mitigated = None else: is_Mitigated = True - if finding.get("LastObservedAt", None): - try: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") - except Exception: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") - else: - mitigated = datetime.utcnow() + if finding.get("LastObservedAt", None): + try: + mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") + except Exception: + mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") + else: + mitigated = datetime.utcnow() description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" description += f"SourceURL: {finding.get('SourceUrl', '')}\n" description += f"AwsAccountId: {finding.get('AwsAccountId', '')}\n" From 0bef2200facfa1cd4de9b4929aaedbb25d888a9f Mon Sep 17 00:00:00 2001 
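Review bot: The fallback format in the new `except Exception` branch, `"%Y-%m-%dT%H:%M:%fZ"`, has `%f` where the seconds field belongs, so a timestamp without fractional seconds such as `2024-01-17T11:21:23Z` parses without error but yields 11:21:00.230000 — the seconds are silently read as microseconds and the recorded mitigation time is wrong. It should read `"%Y-%m-%dT%H:%M:%SZ"`, and the handler should catch `ValueError` rather than `Exception` so a genuinely malformed value surfaces instead of being retried with another pattern. Both `strptime` results and `datetime.utcnow()` produce naive datetimes; if the Finding model stores timezone-aware values (Django USE_TZ), these presumably need `tzinfo=timezone.utc` — confirm against the model. Stamping `utcnow()` as the mitigation time when `LastObservedAt` is absent fabricates a date; leaving `mitigated = None` would be more honest. get_item continues outside the hunk.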
From: Manuel Sommer Date: Wed, 21 Feb 2024 09:38:37 +0100 Subject: [PATCH 13/13] :bug: fix wrong merge conflict resolal --- unittests/tools/test_awssecurityhub_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py index b6f03ab81f5..93c0ab8a46b 100644 --- a/unittests/tools/test_awssecurityhub_parser.py +++ b/unittests/tools/test_awssecurityhub_parser.py @@ -101,6 +101,7 @@ def test_inspector_ecr(self): self.assertEqual("CVE-2023-2650 - openssl - Image: repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.title) self.assertIn("repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.impact) self.assertIn("Repository: repo-os", finding.impact) + self.assertEqual(0.0014, finding.epss_score) def test_guardduty(self): with open(get_unit_tests_path() + sample_path("guardduty.json")) as test_file: @@ -115,4 +116,3 @@ def test_guardduty(self): self.assertTrue(finding.active) self.assertEqual("User AssumedRole : 123123123 is anomalously invoking APIs commonly used in Discovery tactics. - Resource: 123123123", finding.title) self.assertEqual("TTPs/Discovery/IAMUser-AnomalousBehavior\nhttps://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html", finding.mitigation) - self.assertEqual(0.0014, finding.epss_score)