AWS Guard Duty

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Table name: aws_guard_duty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Send data to Hunters

To connect AWS Guard Duty logs:

  1. Follow this guide (the section Exporting findings to a bucket with the Console) and ship the logs to a destination S3 bucket.

  2. Once the export is complete and the logs have been collected in S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
  "schemaVersion": "2.0",
  "accountId": "111122223333",
  "region": "us-west-2",
  "partition": "aws",
  "id": "FINDING_ID_000001",
  "arn": "arn:aws:guardduty:us-west-2:111122223333:detector/DETECTOR_ID_ABC123/finding/FINDING_UUID_00000000000000000000000000000000",
  "type": "Discovery:IAMUser/AnomalousBehavior",
  "resource": {
    "resourceType": "AccessKey",
    "accessKeyDetails": {
      "accessKeyId": "AKIAEXAMPLE00000001",
      "principalId": "AIDAEXAMPLEPRINCIPAL1",
      "userType": "IAMUser",
      "userName": "iam_user_01"
    }
  },
  "service": {
    "serviceName": "guardduty",
    "detectorId": "DETECTOR_ID_ABC123",
    "action": {
      "actionType": "AWS_API_CALL",
      "awsApiCallAction": {
        "api": "ListBuckets",
        "serviceName": "s3.amazonaws.com",
        "callerType": "Remote IP",
        "remoteIpDetails": {
          "ipAddressV4": "203.0.113.10",
          "organization": {
            "asn": "65000",
            "asnOrg": "Example ASN Org",
            "isp": "Example ISP",
            "org": "Example Org"
          },
          "country": {
            "countryName": "Exampleland"
          },
          "city": {
            "cityName": "Example City"
          },
          "geoLocation": {
            "lat": 0.0,
            "lon": 0.0
          }
        },
        "affectedResources": {}
      }
    },
    "resourceRole": "TARGET",
    "additionalInfo": {
      "userAgent": {
        "fullUserAgent": "[Boto3/X.Y.Z Python/3.X.X OS/X.X.X Botocore/X.Y.Z Resource]",
        "userAgentCategory": "Botocore"
      },
      "anomalies": {
        "anomalousAPIs": "s3.amazonaws.com:[ListBuckets:success , GetBucketLifecycle:success]"
      },
      "profiledBehavior": {
        "rareProfiledAPIsAccountProfiling": "ListBuckets",
        "infrequentProfiledAPIsAccountProfiling": "",
        "frequentProfiledAPIsAccountProfiling": "GetIPSet , DescribeImages , ListTopics , ListRoles , GetBucketWebsite , DescribeReservedInstances , GetLifecyclePolicy , GetAccountSummary , DescribeScalingPolicies , DescribeAccountAttributes , DescribeSubnets , DescribeVolumes , DescribeAddresses , DescribeFileSystemPolicy , DescribeCustomerGateways , GetTopicAttributes , ListGroups , GetBucketTagging , DescribeLaunchConfigurations",
        "rareProfiledAPIsUserIdentityProfiling": "DescribeNatGateways , DescribeRouteTables , ListWebACLs",
        "infrequentProfiledAPIsUserIdentityProfiling": "",
        "frequentProfiledAPIsUserIdentityProfiling": "",
        "rareProfiledUserTypesAccountProfiling": "",
        "infrequentProfiledUserTypesAccountProfiling": "",
        "frequentProfiledUserTypesAccountProfiling": "IAM_USER , ASSUMED_ROLE , AWS_SERVICE , ROLE",
        "rareProfiledUserNamesAccountProfiling": "",
        "infrequentProfiledUserNamesAccountProfiling": "iam_user_01",
        "frequentProfiledUserNamesAccountProfiling": "iam_role_01 , iam_role_02 , iam_role_03 , iam_role_04 , iam_role_05 , iam_role_06 , iam_role_07 , iam_role_08 , iam_role_09 , iam_role_10 , iam_role_11 , iam_role_12 , iam_role_13 , iam_role_14 , iam_role_15 , iam_role_16 , iam_role_17 , iam_role_18 , iam_role_19 , iam_role_20 , iam_role_21",
        "rareProfiledASNsAccountProfiling": "asnNumber: 65101 asnOrg: Example ASN Org A asnNumber: 65102 asnOrg: Example ASN Org B asnNumber: 65103 asnOrg: Example ASN Org C asnNumber: 65104 asnOrg: Example ASN Org D",
        "infrequentProfiledASNsAccountProfiling": "asnNumber: 65201 asnOrg: Example ASN Org E asnNumber: 65202 asnOrg: Example ASN Org F",
        "frequentProfiledASNsAccountProfiling": "asnNumber: 65301 asnOrg: Example ASN Org G asnNumber: 65302 asnOrg: Example ASN Org H asnNumber: 65303 asnOrg: Example ASN Org I asnNumber: 65304 asnOrg: Example ASN Org J asnNumber: 65305 asnOrg: Example ASN Org K asnNumber: 65306 asnOrg: Example ASN Org L asnNumber: 65307 asnOrg: Example ASN Org M asnNumber: 65308 asnOrg: Example ASN Org N asnNumber: 65309 asnOrg: Example ASN Org O asnNumber: 65310 asnOrg: Example ASN Org P",
        "rareProfiledASNsUserIdentityProfiling": "asnNumber: 65401 asnOrg: Example ASN Org Q",
        "infrequentProfiledASNsUserIdentityProfiling": "asnNumber: 65402 asnOrg: Example ASN Org R",
        "frequentProfiledASNsUserIdentityProfiling": "",
        "rareProfiledUserAgentsAccountProfiling": "",
        "infrequentProfiledUserAgentsAccountProfiling": "",
        "frequentProfiledUserAgentsAccountProfiling": "aws-sdk-cloudformation , aws-sdk-cloudtrail , AWS Service , OTHER , aws-sdk-lambda , aws-sdk-emr , aws-sdk-configservice , aws-sdk-ec2 , Botocore , aws-sdk-efs , aws-internal/3 , aws-sdk-go , aws-sdk-elasticloadbalancingv2 , aws-sdk-elasticache , aws-sdk-kinesis , aws-sdk-java , aws-sdk-autoscaling , aws-sdk-dynamodb , aws-sdk-ruby2 , aws-sdk-nodejs",
        "rareProfiledUserAgentsUserIdentityProfiling": "",
        "infrequentProfiledUserAgentsUserIdentityProfiling": "Botocore",
        "frequentProfiledUserAgentsUserIdentityProfiling": ""
      },
      "unusualBehavior": {
        "unusualAPIsAccountProfiling": "",
        "unusualAPIsUserIdentityProfiling": "ListBuckets , GetBucketLifecycle",
        "unusualUserTypesAccountProfiling": "",
        "unusualUserNamesAccountProfiling": "",
        "unusualASNsAccountProfiling": "asnNumber: 65000 asnOrg: Example ASN Org",
        "unusualASNsUserIdentityProfiling": "asnNumber: 65000 asnOrg: Example ASN Org",
        "unusualUserAgentsAccountProfiling": "",
        "unusualUserAgentsUserIdentityProfiling": "",
        "isUnusualUserIdentity": "false"
      }
    },
    "eventFirstSeen": "2022-02-09T17:41:36.000Z",
    "eventLastSeen": "2022-02-09T17:45:31.000Z",
    "archived": false,
    "count": 1
  },
  "severity": 2,
  "createdAt": "2022-02-09T17:57:25.628Z",
  "updatedAt": "2022-02-09T17:57:25.628Z",
  "title": "User IAMUser : iam_user_01 is anomalously invoking APIs commonly used in Discovery tactics.",
  "description": "APIs commonly used in Discovery tactics were invoked by user IAMUser : iam_user_01, under anomalous circumstances. Such activity is not typically seen from this user."
}