Gem Security

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name             | Log format | Collection method
Gem Inventory Logs   |                     |                   |            | ✅     | gem_security_inventory | NDJSON     | API
Gem Threats (Alerts) |                     |                   |            | ✅     | gem_security_threats   | NDJSON     | API


Overview

Gem Security is a cybersecurity company that provides threat detection and response for cloud environments and APIs. The platform uses AI-driven analytics to identify vulnerabilities, misconfigurations, and malicious activity in real time, and monitors cloud-based applications and services continuously. It gives security teams detailed context on each finding and automated remediation options, shortening incident response and reducing the risk of data breaches.

Supported data types

Gem Inventory Logs

Table name: gem_security_inventory

Gem Inventory Logs describe the cloud assets Gem discovers in the environments connected to it. Gem collects this inventory automatically from multiple cloud and identity providers (the sample below is an Okta group; AWS, GCP, and Azure assets are collected the same way) and uses it to identify gaps in visibility and rank them by severity. Each record carries the asset's provider-specific resource_id and resource_type, its identifiers and tags, a deleted flag, and a triage_entity with the same shape as the entities referenced by threat records, which is what lets an alert be tied back to the asset it concerns.

Gem Threats (Alerts)

Table name: gem_security_threats

Gem Threats are the alerts Gem raises on the monitored environments. Gem flags malicious activity with pre-configured detection rules and with findings ingested from third-party sources (the sample below wraps an AWS GuardDuty finding), and groups related alerts into a single threat whose alerts array forms a timeline of the attack. Each record carries the entities involved (is_main_entity marks the acting principal), the account_details of the affected cloud account, a severity and status, a ttp_id naming the detected technique, and the alert_source with a link back to the original finding.

Send data to Hunters

Hunters supports the ingestion of Gem Security logs via API.

To connect Gem Security logs:

  1. Retrieve the following from Gem Security:

    • Client ID

    • Client Secret

    • URL

  2. Complete the process on the Hunters platform, following this guide.

Treat the Client Secret as a credential: enter it only in the Hunters connector configuration and do not store or share it elsewhere.

Expected format

Logs are expected as newline-delimited JSON (NDJSON): one complete record per line. The samples below are single records, pretty-printed for readability.

Gem Inventory Logs

{
    "id": 444679251,
    "account_id": 3645,
    "region": "okta/global",
    "resource_id": "0asdg89we7sg",
    "resource_type": "okta/Okta Group",
    "created_at": "2019-10-31T14:50:13Z",
    "identifiers": [
        {
            "name": "name",
            "value": "GROUP-TEST"
        },
        {
            "name": "id",
            "value": "0asdg89we7sg"
        }
    ],
    "external_url": "https://booking.okta.com/api/v1/apps/fas0f978a0se9f",
    "tags": {},
    "triage_entity": {
        "id": "0asdg89we7sg",
        "type": "okta_group",
        "metadata": {
            "name": "GROUP-TEST"
        },
        "resource_id": "0asdg89we7sg",
        "name": null,
        "is_main_entity": false,
        "is_secondary_entity": false,
        "activity_by_provider": null,
        "cloud_provider": "okta"
    },
    "deleted": false
}

Gem Threats (Alerts)

{
    "id": "f1ef4b2a-2ad8-4ebc-b642-d9e77b61021a",
    "alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
    "main_alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
    "organization_id": "org_asdasdasdasd",
    "datetime": "2024-08-01T16:08:14.333000Z",
    "title": "GuardDuty | Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed",
    "text": "The user system:serviceaccount:test-user:b-test-user-test-user has launched a Workload (Container Name: pod, Workload Name: pod-6d9cc4f588-22nqd, Workload ID: 3008cba0-cc97-4e35-a758-fb758ad81af8) in an unusual way in namespace knative-serving and cluster cluster-cluster-cluster.",
    "entities": [
        {
            "id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
            "type": "eks_cluster",
            "metadata": {
                "name": "asd-asd-asd-central2-ASD",
                "region": "eu-central-1",
                "account_id": "123123123123",
                "context_from_event": null,
                "arn": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                "arn_id": "asd-asd-asd-central2-ASD"
            },
            "resource_id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
            "name": null,
            "is_main_entity": false,
            "is_secondary_entity": true,
            "activity_by_provider": null,
            "cloud_provider": "aws"
        },
        {
            "id": "pod-6d9cc4f588-22nqd",
            "type": "eks_pod",
            "metadata": {
                "name": "pod-6d9cc4f588-22nqd",
                "cluster_name": "asd-asd-asd-central2-ASD",
                "workload_type": "pods",
                "workload_namespace": "knative-serving"
            },
            "resource_id": null,
            "name": null,
            "is_main_entity": false,
            "is_secondary_entity": true,
            "activity_by_provider": null,
            "cloud_provider": "aws"
        },
        {
            "id": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
            "type": "eks_service_account",
            "metadata": {
                "name": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
                "cluster_name": "asd-asd-asd-central2-ASD",
                "user_name": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
                "groups": [
                    "system:serviceaccounts",
                    "system:serviceaccounts:kubefed",
                    "system:authenticated"
                ]
            },
            "resource_id": null,
            "name": null,
            "is_main_entity": true,
            "is_secondary_entity": false,
            "activity_by_provider": null,
            "cloud_provider": "aws"
        },
        {
            "id": "system:serviceaccount:test-user:b-test-user-test-user",
            "type": "eks_service_account",
            "metadata": {
                "name": "system:serviceaccount:test-user:b-test-user-test-user",
                "cluster_name": "asd-asd-asd-central2-ASD",
                "user_name": "system:serviceaccount:test-user:b-test-user-test-user",
                "groups": [
                    "system:serviceaccounts",
                    "system:serviceaccounts:test-user",
                    "system:authenticated"
                ]
            },
            "resource_id": null,
            "name": null,
            "is_main_entity": true,
            "is_secondary_entity": false,
            "activity_by_provider": null,
            "cloud_provider": "aws"
        }
    ],
    "account_details": [
        {
            "id": 2071,
            "display_name": "AWS-test-ASD",
            "organization_name": "hunters",
            "identifier": "123123123123",
            "hierarchy_path": [
                {
                    "id": "r-test",
                    "name": "Root"
                },
                {
                    "id": "ou-test-6tuxvsq6",
                    "name": "legacy"
                }
            ],
            "account_status": "accessible",
            "account_id": "123123123123",
            "cloudtrails": [],
            "aws_organization_id": "o-123123123",
            "ou_path_list": [
                {
                    "id": "r-test",
                    "name": "Root"
                },
                {
                    "id": "ou-test-6tuxvsq6",
                    "name": "legacy"
                }
            ],
            "supports_forensics_acquisition": false,
            "cloud_provider": "aws"
        }
    ],
    "severity": 2,
    "alert_severity": 2,
    "status": "open",
    "mitre_techniques": [],
    "ttp_id": "Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed",
    "type": "threat",
    "alert_source": "GuardDuty",
    "alert_source_id": "asdadq2erq23rgag",
    "alert_source_url": "https://console.aws.amazon.com/guardduty/home?region=eu-central-1#/findings?macros=current&fId=asdadq2erq23rgag",
    "category": null,
    "is_visible": true,
    "alerts": [
        {
            "id": "f1ef4b2a-2ad8-4ebc-b642-d9e77b61021a",
            "alert_id": "6a49f68d-80c6-4871-ad66-945c5a4d2477",
            "main_alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
            "organization_id": "org_asdasdasdasd",
            "datetime": "2024-08-02T07:29:30.633000Z",
            "title": "GuardDuty | PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated",
            "text": "The user system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD has created or modified a RoleBinding or ClusterRoleBinding to role podsecuritypolicy-privileged-clusterrole in an unusual way in cluster asd-asd-asd-central2-ASD.",
            "entities": [
                {
                    "id": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
                    "type": "eks_service_account",
                    "metadata": {
                        "name": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
                        "cluster_name": "asd-asd-asd-central2-ASD",
                        "user_name": "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD",
                        "groups": [
                            "system:serviceaccounts",
                            "system:serviceaccounts:kubefed",
                            "system:authenticated"
                        ]
                    },
                    "resource_id": null,
                    "name": null,
                    "is_main_entity": true,
                    "is_secondary_entity": false,
                    "activity_by_provider": null,
                    "cloud_provider": "aws"
                },
                {
                    "id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                    "type": "eks_cluster",
                    "metadata": {
                        "name": "asd-asd-asd-central2-ASD",
                        "region": "eu-central-1",
                        "account_id": "123123123123",
                        "context_from_event": null,
                        "arn": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                        "arn_id": "asd-asd-asd-central2-ASD"
                    },
                    "resource_id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                    "name": null,
                    "is_main_entity": false,
                    "is_secondary_entity": true,
                    "activity_by_provider": null,
                    "cloud_provider": "aws"
                }
            ],
            "account_details": [
                {
                    "id": 2071,
                    "display_name": "AWS-test-ASD",
                    "organization_name": "hunters",
                    "identifier": "123123123123",
                    "hierarchy_path": [
                        {
                            "id": "r-test",
                            "name": "Root"
                        },
                        {
                            "id": "ou-test-6tuxvsq6",
                            "name": "legacy"
                        }
                    ],
                    "account_status": "accessible",
                    "account_id": "123123123123",
                    "cloudtrails": [],
                    "aws_organization_id": "o-123123123",
                    "ou_path_list": [
                        {
                            "id": "r-test",
                            "name": "Root"
                        },
                        {
                            "id": "ou-test-6tuxvsq6",
                            "name": "legacy"
                        }
                    ],
                    "supports_forensics_acquisition": false,
                    "cloud_provider": "aws"
                }
            ],
            "severity": 2,
            "alert_severity": 2,
            "status": "open",
            "mitre_techniques": [],
            "ttp_id": "PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated",
            "type": "alert",
            "alert_source": "GuardDuty",
            "alert_source_id": "48c8890365cab74f9481919f73db4f4f",
            "alert_source_url": "https://console.aws.amazon.com/guardduty/home?region=eu-central-1#/findings?macros=current&fId=48c8890365cab74f9481919f73db4f4f",
            "category": null,
            "plain_text_description": "The user system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD has created or modified a RoleBinding or ClusterRoleBinding to role podsecuritypolicy-privileged-clusterrole in an unusual way in cluster asd-asd-asd-central2-ASD."
        },
        {
            "id": "f1ef4b2a-2ad8-4ebc-b642-d9e77b61021a",
            "alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
            "main_alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
            "organization_id": "org_asdasdasdasd",
            "datetime": "2024-08-01T16:08:14.333000Z",
            "title": "GuardDuty | Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed",
            "text": "The user system:serviceaccount:test-user:b-test-user-test-user has launched a Workload (Container Name: pod, Workload Name: pod-6d9cc4f588-22nqd, Workload ID: 3008cba0-cc97-4e35-a758-fb758ad81af8) in an unusual way in namespace knative-serving and cluster asd-asd-asd-central2-ASD.",
            "entities": [
                {
                    "id": "system:serviceaccount:test-user:b-test-user-test-user",
                    "type": "eks_service_account",
                    "metadata": {
                        "name": "system:serviceaccount:test-user:b-test-user-test-user",
                        "cluster_name": "asd-asd-asd-central2-ASD",
                        "user_name": "system:serviceaccount:test-user:b-test-user-test-user",
                        "groups": [
                            "system:serviceaccounts",
                            "system:serviceaccounts:test-user",
                            "system:authenticated"
                        ]
                    },
                    "resource_id": null,
                    "name": null,
                    "is_main_entity": true,
                    "is_secondary_entity": false,
                    "activity_by_provider": null,
                    "cloud_provider": "aws"
                },
                {
                    "id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                    "type": "eks_cluster",
                    "metadata": {
                        "name": "asd-asd-asd-central2-ASD",
                        "region": "eu-central-1",
                        "account_id": "123123123123",
                        "context_from_event": null,
                        "arn": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                        "arn_id": "asd-asd-asd-central2-ASD"
                    },
                    "resource_id": "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD",
                    "name": null,
                    "is_main_entity": false,
                    "is_secondary_entity": true,
                    "activity_by_provider": null,
                    "cloud_provider": "aws"
                },
                {
                    "id": "pod-6d9cc4f588-22nqd",
                    "type": "eks_pod",
                    "metadata": {
                        "name": "pod-6d9cc4f588-22nqd",
                        "cluster_name": "asd-asd-asd-central2-ASD",
                        "workload_type": "pods",
                        "workload_namespace": "knative-serving"
                    },
                    "resource_id": null,
                    "name": null,
                    "is_main_entity": false,
                    "is_secondary_entity": true,
                    "activity_by_provider": null,
                    "cloud_provider": "aws"
                }
            ],
            "account_details": [
                {
                    "id": 2071,
                    "display_name": "AWS-test-ASD",
                    "organization_name": "hunters",
                    "identifier": "123123123123",
                    "hierarchy_path": [
                        {
                            "id": "r-test",
                            "name": "Root"
                        },
                        {
                            "id": "ou-test-6tuxvsq6",
                            "name": "legacy"
                        }
                    ],
                    "account_status": "accessible",
                    "account_id": "123123123123",
                    "cloudtrails": [],
                    "aws_organization_id": "o-123123123",
                    "ou_path_list": [
                        {
                            "id": "r-test",
                            "name": "Root"
                        },
                        {
                            "id": "ou-test-6tuxvsq6",
                            "name": "legacy"
                        }
                    ],
                    "supports_forensics_acquisition": false,
                    "cloud_provider": "aws"
                }
            ],
            "severity": 2,
            "alert_severity": 2,
            "status": "open",
            "mitre_techniques": [],
            "ttp_id": "Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed",
            "type": "alert",
            "alert_source": "GuardDuty",
            "alert_source_id": "asdadq2erq23rgag",
            "alert_source_url": "https://console.aws.amazon.com/guardduty/home?region=eu-central-1#/findings?macros=current&fId=asdadq2erq23rgag",
            "category": null,
            "plain_text_description": "The user system:serviceaccount:test-user:b-test-user-test-user has launched a Workload (Container Name: pod, Workload Name: pod-6d9cc4f588-22nqd, Workload ID: 3008cba0-cc97-4e35-a758-fb758ad81af8) in an unusual way in namespace knative-serving and cluster asd-asd-asd-central2-ASD."
        }
    ],
    "assignees": [],
    "status_change_time": null,
    "plain_text_description": "The user system:serviceaccount:test-user:b-test-user-test-user has launched a Workload (Container Name: pod, Workload Name: pod-6d9cc4f588-22nqd, Workload ID: 3008cba0-cc97-4e35-a758-fb758ad81af8) in an unusual way in namespace knative-serving and cluster asd-asd-asd-central2-ASD."
}
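The following Python is added here as an editorial example and is not code from Hunters or Gem Security. It reads records in the NDJSON shape described above, flattens a threat into one row per nested alert (oldest first, with the is_main_entity actors and the account IDs pulled out), flags threats whose grouped alerts span more than one tactic, and indexes inventory records by resource_id while dropping deleted assets. The field names are the ones in the samples on this page; the embedded input is constructed and abbreviated from those samples (the second, deleted inventory record is invented to exercise the filter), and the helper names and the multi-tactic heuristic are this example's own.

```python
"""Parse Gem Security NDJSON exports and flatten threats into per-alert rows.

Editorial example: field names follow the samples on this page; the embedded
input is constructed and abbreviated, and the helper names are ours.
"""
from __future__ import annotations

import json
from typing import Iterable, Iterator, Optional


def iter_ndjson(text: str) -> Iterator[dict]:
    """Yield one parsed object per non-empty line; name the line on bad input."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from None
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        yield obj


def main_entities(record: dict) -> list[str]:
    """IDs of the entities Gem flags as the acting principal (is_main_entity)."""
    return [e["id"] for e in record.get("entities", []) if e.get("is_main_entity")]


def tactic(ttp_id: Optional[str]) -> Optional[str]:
    """GuardDuty-style ttp_id reads '<Tactic>:<Resource>/<Finding>'; return the tactic."""
    if not ttp_id or ":" not in ttp_id:
        return None
    return ttp_id.split(":", 1)[0]


def flatten_threat(threat: dict) -> list[dict]:
    """One row per nested alert (oldest first), each carrying the parent threat id.
    A threat whose `alerts` array is empty is emitted as a single row of its own."""
    accounts = sorted({a["account_id"] for a in threat.get("account_details", [])
                       if a.get("account_id")})
    rows = []
    for alert in threat.get("alerts") or [threat]:
        rows.append({
            "threat_id": threat["id"],
            "alert_id": alert.get("alert_id"),
            "datetime": alert.get("datetime"),
            "alert_source": alert.get("alert_source"),
            "ttp_id": alert.get("ttp_id"),
            "tactic": tactic(alert.get("ttp_id")),
            "severity": alert.get("severity"),
            "status": alert.get("status"),
            "main_entities": main_entities(alert),
            "accounts": accounts,
        })
    rows.sort(key=lambda r: r["datetime"] or "")  # ISO-8601 UTC strings sort chronologically
    return rows


def is_multi_tactic(threat: dict) -> bool:
    """Triage heuristic (ours): the grouped alerts span more than one tactic."""
    return len({r["tactic"] for r in flatten_threat(threat) if r["tactic"]}) > 1


def index_inventory(records: Iterable[dict]) -> dict[str, dict]:
    """Map resource_id -> inventory record, skipping assets Gem marks deleted."""
    return {r["resource_id"]: r for r in records if not r.get("deleted")}


# --- constructed sample input, abbreviated from the records shown on this page ---
SA_KUBEFED = "system:serviceaccount:kubefed:asd-asd-asd-asd-asd-asd-fed-bk-eu-west6-ASD"
SA_TEST = "system:serviceaccount:test-user:b-test-user-test-user"
CLUSTER = "arn:aws:eks:eu-central-1:123123123123:cluster/asd-asd-asd-central2-ASD"


def sample_alert(alert_id: str, when: str, ttp_id: str, actor: str) -> dict:
    return {"alert_id": alert_id, "datetime": when, "ttp_id": ttp_id, "type": "alert",
            "alert_source": "GuardDuty", "severity": 2, "status": "open",
            "entities": [{"id": actor, "type": "eks_service_account", "is_main_entity": True},
                         {"id": CLUSTER, "type": "eks_cluster", "is_main_entity": False}]}


SAMPLE_THREATS_NDJSON = json.dumps({
    "id": "f1ef4b2a-2ad8-4ebc-b642-d9e77b61021a", "type": "threat",
    "alert_id": "acb38776-9949-4839-9e3b-38914e011e91",
    "datetime": "2024-08-01T16:08:14.333000Z", "severity": 2, "status": "open",
    "ttp_id": "Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed",
    "account_details": [{"account_id": "123123123123", "cloud_provider": "aws"}],
    "alerts": [
        sample_alert("6a49f68d-80c6-4871-ad66-945c5a4d2477", "2024-08-02T07:29:30.633000Z",
                     "PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated", SA_KUBEFED),
        sample_alert("acb38776-9949-4839-9e3b-38914e011e91", "2024-08-01T16:08:14.333000Z",
                     "Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed", SA_TEST),
    ],
}) + "\n"

# The second record is invented to exercise the `deleted` filter.
SAMPLE_INVENTORY_NDJSON = "".join(json.dumps(r) + "\n" for r in [
    {"id": 444679251, "account_id": 3645, "region": "okta/global",
     "resource_id": "0asdg89we7sg", "resource_type": "okta/Okta Group", "deleted": False},
    {"id": 444679252, "account_id": 3645, "region": "okta/global",
     "resource_id": "0deletedgrp", "resource_type": "okta/Okta Group", "deleted": True},
])

if __name__ == "__main__":
    for threat in iter_ndjson(SAMPLE_THREATS_NDJSON):
        for row in flatten_threat(threat):
            print(row["datetime"], row["tactic"], row["main_entities"])
        print("multi-tactic:", is_multi_tactic(threat))
    print("live assets:", list(index_inventory(iter_ndjson(SAMPLE_INVENTORY_NDJSON))))
```

Two points worth noting from the sample data: the nested alerts are not in chronological order in the record (the PrivilegeEscalation alert is dated after the Execution alert that heads the threat), so sort on datetime before reading the sequence as a timeline; and tactic() relies on the GuardDuty-style `Tactic:Resource/Finding` layout of ttp_id seen here, returning None for an alert_source whose identifiers use a different scheme, so the multi-tactic check only ever counts ids it can actually parse.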