diff --git a/stix_shifter/scripts/stix_shifter.py b/stix_shifter/scripts/stix_shifter.py
index d8b749adb..fa836ac51 100644
--- a/stix_shifter/scripts/stix_shifter.py
+++ b/stix_shifter/scripts/stix_shifter.py
@@ -339,7 +339,8 @@ def is_async():
options['validate_pattern'] = True
result = translation.translate(args.module, 'results', args.data_source, results, translation_options)
log.info('STIX Results (written to stdout):\n')
- print(json.dumps(result, indent=4, sort_keys=False))
+ # added default=str to json.dumps inorder to handle serialization failure of datetime.datetime object
+ print(json.dumps(result, indent=4, sort_keys=False, default=str))
exit(0)
elif args.command == TRANSLATE:
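Review bot: `default=str` on the new `json.dumps` call here (and on the identical change in the hunk at line 375) widens the fix beyond the datetime case the comment names: any non-serializable value in `result` — bytes, sets, arbitrary objects — is now silently printed as its string form instead of raising, so a translation or transmission bug surfaces as odd output rather than an error, and a `datetime` is rendered by `str()` as `2023-06-05 04:48:34.491000` (space separator, no `T`) rather than the ISO 8601 form used throughout the STIX examples. A narrow fallback that serialises only timestamp-like values via `.isoformat()` and raises `TypeError` for anything else keeps the fix and the safety net; the helper below belongs at module level, outside this hunk, and both `print` lines would pass `default=_json_default`. The comment wording `inorder` should be `in order`, and it should say why the fallback is narrow, e.g. `# datetime values in results are not JSON-serializable; _json_default converts them and still rejects anything else`. The enclosing function starts and ends outside this hunk.
```python
def _json_default(obj):
    """Fallback for json.dumps: serialise timestamp-like values, fail on anything else."""
    if hasattr(obj, "isoformat"):
        return obj.isoformat()
    raise TypeError("Object of type {} is not JSON serializable".format(type(obj).__name__))

# … unchanged: argument parsing and the translate/transmit branches …
print(json.dumps(result, indent=4, sort_keys=False, default=_json_default))
```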
@@ -374,8 +375,8 @@ def is_async():
result[m] = translation.translate(m, stix_translation.CONFIGS, None, None)
elif args.command == TRANSMIT:
result = transmit(args) # stix_transmission
-
- print(json.dumps(result, indent=4, sort_keys=False))
+ # added default=str to json.dumps inorder to handle serialization failure of datetime.datetime object
+ print(json.dumps(result, indent=4, sort_keys=False, default=str))
exit(0)
diff --git a/stix_shifter_modules/aws_guardduty/README.md b/stix_shifter_modules/aws_guardduty/README.md
new file mode 100644
index 000000000..be9cd1976
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/README.md
@@ -0,0 +1,671 @@
+# AWS GuardDuty
+
+## Supported STIX Mappings
+
+See the [table of mappings](aws_guardduty_supported_stix.md) for the STIX objects and operators supported by this connector.
+
+**Table of Contents**
+- [AWS GuardDuty API Endpoints](#AWSGuardDuty-api-endpoints)
+- [Format of calling Stix shifter from Command Line](#format-for-calling-stix-shifter-from-the-command-line)
+- [AWS Authentication Types](#aws-authentication-types)
+- [AWS GuardDuty data search methods](#aws-guardduty-data-search-methods)
+- [Pattern expression with STIX attributes - Single Observation](#single-observation)
+- [Pattern expression with STIX and CUSTOM attributes - Multiple Observation](#multiple-observation)
+- [STIX Execute Query](#stix-execute-query)
+- [Observations](#observations)
+- [Limitations](#limitations)
+- [References](#references)
+
+### AWSGuardDuty API Endpoints
+
+ | Connector Method | AWS Guardduty API Endpoint | Method |
+ |-------------------------------------------------------------------------------------------------------------------------------------------|------| ------|
+ | Ping Endpoint | List detector: /detector | GET|
+ | Results Endpoint | 1. List Detector: /detector
2. List Findings: /detector/detectorId/findings
3. Get Findings: /detector/detectorId/findings/get | GET , POST |
+
+### Format for calling stix-shifter from the command line
+```
+python main.py `` `` `` ``
+
+```
+### AWS Authentication Types
+
+##### This connector supports two types of datasource authentication:
+
+ 1. Using user's security credentials (Access and Secret keys)
+ ##### Sample Input:
+ ```
+ transmit
+ "aws_guardduty"
+ "{\"region\": \"\"}"
+ "{\"auth\":{\"aws_access_key_id\": \"xxxx\", \"aws_secret_access_key\": \"yyyy\"}}"
+ results offset length
+ ```
+
+ 2. Using user's security credentials (Access and Secret keys) and IAM role (ARN value of the IAM role)
+ ##### Sample Input:
+ ```
+ transmit
+ "aws_guardduty"
+ "{\"region\": \"\"}"
+ "{\"auth\":{\"aws_access_key_id\": \"xxxx\", \"aws_secret_access_key\":
+ \"yyyy\",\"aws_iam_role\":\"zzzz\"}}"
+ results offset length
+ ```
+### AWS GuardDuty Data search Methods
+ 1. Input without detector id
+ #### Sample Input:
+ ```
+ transmit
+ "aws_guardduty"
+ "{\"region\": \"\"}"
+ "{\"auth\":{\"aws_access_key_id\": \"xxxx\", \"aws_secret_access_key\": \"yyyy\"}}"
+ results offset length
+ ```
+
+ 2. Input with one or more Detector ids separated by comma as delimiter
+ #### Sample Input:
+ ```
+ transmit
+ "aws_guardduty"
+ "{\"region\": \"\",\"detector_ids\":\"123,456\"}"
+ "{\"auth\":{\"aws_access_key_id\": \"xxxx\", \"aws_secret_access_key\": \"yyyy\"}}"
+ results offset length
+
+
+### Pattern expression with STIX and CUSTOM attributes
+
+#### Single Observation
+
+#### STIX Translate query
+```shell
+translate aws_guardduty query "{}" "[network-traffic:src_port != 1234 AND autonomous-system:number < 50] START t'2023-01-15T00:00:00.000Z' STOP t'2023-06-30T00:00:00.000Z'"
+```
+#### STIX Translate query - Output
+```json
+{
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn": {
+ "LessThan": 50
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1673740800000,
+ "LessThanOrEqual": 1688083200000
+ },
+ "service.action.networkConnectionAction.localPortDetails.port": {
+ "NotEquals": [
+ "1234"
+ ]
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {
+ "LessThan": 50
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1673740800000,
+ "LessThanOrEqual": 1688083200000
+ },
+ "service.action.networkConnectionAction.localPortDetails.port": {
+ "NotEquals": [
+ "1234"
+ ]
+ }
+ }
+ }
+ }
+ ]
+}
+```
+#### STIX Transmit results - Query
+```shell
+transmit
+aws_guardduty
+"{\"region\":\"xxxx\"}"
+"{\"auth\":{\"aws_access_key_id\": \"abc\",\"aws_secret_access_key\":\"xyz\",\"aws_iam_role\":\"123zxy\"}}"
+results
+"{ \"queries\": [ { \"FindingCriteria\": { \"Criterion\": { \"service.action.networkConnectionAction.remoteIpDetails.organization.asn\": { \"LessThan\": 50 }, \"updatedAt\": { \"GreaterThanOrEqual\": 1673740800000, \"LessThanOrEqual\": 1688083200000 }, \"service.action.networkConnectionAction.localPortDetails.port\": { \"NotEquals\": [ \"1234\" ] } } } }, { \"FindingCriteria\": { \"Criterion\": { \"service.action.awsApiCallAction.remoteIpDetails.organization.asn\": { \"LessThan\": 50 }, \"updatedAt\": { \"GreaterThanOrEqual\": 1673740800000, \"LessThanOrEqual\": 1688083200000 }, \"service.action.networkConnectionAction.localPortDetails.port\": { \"NotEquals\": [ \"1234\" ] } } } } ] }"
+0
+1
+
+```
+#### STIX Transmit results - Output
+```json
+{
+ "success": true,
+ "data": [{
+ "AccountId": "912345678901",
+ "Arn": "arn:aws:guardduty:us-east-1:912345678901:detector/abcdefghijklmn/finding/12345678910abcdef",
+ "CreatedAt": "2023-06-05T04:48:34.491Z",
+ "Description": "EC2 instance i-0b123456abcdefghi is communicating with an Unusual DNS Resolver 8.8.8.8.",
+ "Id": "12345678910abcdef",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "InstanceDetails": {
+ "AvailabilityZone": "us-east-1c",
+ "ImageId": "ami-0b123456789abcde",
+ "InstanceId": "i-0b123456abcdefghi",
+ "InstanceState": "running",
+ "InstanceType": "t2.medium",
+ "OutpostArn": null,
+ "LaunchTime": "2023-06-05T03:50:36.000Z",
+ "NetworkInterfaces": [{
+ "Ipv6Addresses": [],
+ "NetworkInterfaceId": "eni-055726ef79287c018",
+ "PrivateDnsName": "ip-1-1-1-1.ec2.internal",
+ "PrivateIpAddress": "1.1.1.1",
+ "PrivateIpAddresses": [{
+ "PrivateDnsName": "ip-1-1-1-1.ec2.internal"
+ }],
+ "PublicDnsName": "ec2-2-2-2-2.compute-1.amazonaws.com",
+ "PublicIp": "2.2.2.2",
+ "SecurityGroups": [{
+ "GroupId": "sg-07a9c2h8f2f18e7a6",
+ "GroupName": "launch-wizard-31"
+ }],
+ "SubnetId": "subnet-58ch16f",
+ "VpcId": "vpc-10db926a"
+ }],
+ "Platform": "windows",
+ "ProductCodes": [],
+ "Tags": [{
+ "Key": "Name",
+ "Value": "local-machine"
+ }]
+ },
+ "ResourceType": "Instance"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "NETWORK_CONNECTION",
+ "NetworkConnectionAction": {
+ "Blocked": false,
+ "ConnectionDirection": "OUTBOUND",
+ "LocalPortDetails": {
+ "Port": 51923,
+ "PortName": "Unknown"
+ },
+ "Protocol": "UDP",
+ "LocalIpDetails": {
+ "IpAddressV4": "1.1.1.1"
+ },
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "Los Angeles"
+ },
+ "Country": {
+ "CountryName": "United States"
+ },
+ "GeoLocation": {
+ "Lat": 34.0544,
+ "Lon": -118.2441
+ },
+ "IpAddressV4": "8.8.8.8",
+ "Organization": {
+ "Asn": "15169",
+ "AsnOrg": "GOOGLE",
+ "Isp": "Google",
+ "Org": "Google"
+ }
+ },
+ "RemotePortDetails": {
+ "Port": 53,
+ "PortName": "DNS"
+ }
+ }
+ },
+ "Archived": false,
+ "Count": 1,
+ "DetectorId": "abcdefghijklmn",
+ "EventFirstSeen": "2023-06-05T04:46:40.000Z",
+ "EventLastSeen": "2023-06-05T04:47:36.000Z",
+ "ResourceRole": "ACTOR",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"inBytes\":\"152\",\"outBytes\":\"56\",\"unusual\":\"GOOGLE\"}",
+ "Type": "default"
+ }
+ },
+ "Severity": 5,
+ "Title": "EC2 instance i-0b123456abcdefghi is communicating with an Unusual DNS Resolver 8.8.8.8.",
+ "Type": "DefenseEvasion:EC2/UnusualDNSResolver",
+ "UpdatedAt": "2023-06-05T04:48:34.491Z",
+ "FindingType": "alert"
+ }],
+ "metadata": {
+ "result_count": 1,
+ "next_page_token": "abc",
+ "detector_ids": []
+ }
+}
+```
+#### STIX Translate results
+```json
+{
+ "type": "bundle",
+ "id": "bundle--46aa4c44-9ba5-4977-a00f-725759392a56",
+ "objects": [
+ {
+ "type": "identity",
+ "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "name": "aws_guardduty",
+ "identity_class": "events",
+ "created": "2023-07-05T10:22:50.336Z",
+ "modified": "2023-07-05T10:22:50.336Z"
+ },
+ {
+ "id": "observed-data--a4919982-48c2-4ee9-bcb9-f7376a62930e",
+ "type": "observed-data",
+ "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "created": "2023-06-05T10:26:40.410Z",
+ "modified": "2023-06-05T10:26:40.410Z",
+ "objects": {
+ "0": {
+ "type": "x-aws-resource",
+ "account_id": "912345678901",
+ "partition": "aws",
+ "region": "us-east-1",
+ "instance_ref": "2",
+ "resource_type": "Instance",
+ "resource_role": "ACTOR"
+ },
+ "1": {
+ "type": "x-ibm-finding",
+ "x_resource_ref": "0",
+ "x_arn": "arn:aws:guardduty:us-east-1:912345678901:detector/abcdefghijklmn/finding/12345678910abcdef",
+ "description": "EC2 instance i-0b123456abcdefghi is communicating with an Unusual DNS Resolver 8.8.8.8.",
+ "alert_id": "12345678910abcdef",
+ "x_schema_version": "2.0",
+ "x_service_ref": "8",
+ "x_archived": false,
+ "event_count": 1,
+ "x_detector_id": "abcdefghijklmn",
+ "severity": 5,
+ "x_title": "EC2 instance i-0b123456abcdefghi is communicating with an Unusual DNS Resolver 8.8.8.8.",
+ "name": "DefenseEvasion:EC2/UnusualDNSResolver",
+ "time_observed": "2023-06-05T04:48:34.491Z",
+ "finding_type": "alert"
+ },
+ "2": {
+ "type": "x-aws-instance",
+ "availability_zone": "us-east-1c",
+ "image_id": "ami-0b123456789abcde",
+ "instance_id": "i-0b123456abcdefghi",
+ "state": "running",
+ "instance_type": "t2.medium",
+ "launch_time": "2023-06-05T03:50:36.000Z",
+ "x_network_interface_refs": [
+ "3"
+ ],
+ "os_ref": "7",
+ "tags": [
+ {
+ "Key": "Name",
+ "Value": "local-machine"
+ }
+ ]
+ },
+ "3": {
+ "type": "x-aws-network-interface",
+ "interface_id": "eni-055726ef79287c018",
+ "private_domain_refs": [
+ "4"
+ ],
+ "public_domain_ref": "5",
+ "security_groups": [
+ {
+ "GroupId": "sg-07a9c2h8f2f18e7a6",
+ "GroupName": "launch-wizard-31"
+ }
+ ],
+ "subnet_id": "subnet-58ch16f",
+ "vpc_id": "vpc-10db926a"
+ },
+ "4": {
+ "type": "domain-name",
+ "value": "ip-1-1-1-1.ec2.internal"
+ },
+ "5": {
+ "type": "domain-name",
+ "value": "ec2-2-2-2-2.compute-1.amazonaws.com",
+ "resolves_to_refs": [
+ "6"
+ ]
+ },
+ "6": {
+ "type": "ipv4-addr",
+ "value": "2.2.2.2"
+ },
+ "7": {
+ "type": "software",
+ "name": "windows"
+ },
+ "8": {
+ "type": "x-aws-finding-service",
+ "action": {
+ "action_type": "NETWORK_CONNECTION",
+ "network_ref": "9"
+ },
+ "event_first_seen": "2023-06-05T04:46:40.000Z",
+ "event_last_seen": "2023-06-05T04:47:36.000Z",
+ "additional_info": {
+ "Value": "{\"inBytes\":\"152\",\"outBytes\":\"56\",\"unusual\":\"GOOGLE\"}",
+ "Type": "default"
+ }
+ },
+ "9": {
+ "type": "network-traffic",
+ "x_is_target_port_blocked": false,
+ "x_direction": "OUTBOUND",
+ "src_port": 51923,
+ "x_src_port_name": "Unknown",
+ "protocols": [
+ "udp"
+ ],
+ "src_ref": "10",
+ "dst_ref": "12",
+ "dst_port": 53,
+ "x_dst_port_name": "DNS"
+ },
+ "10": {
+ "type": "ipv4-addr",
+ "value": "1.1.1.1"
+ },
+ "11": {
+ "type": "x-oca-geo",
+ "city_name": "Los Angeles",
+ "country_name": "United States",
+ "location": {
+ "Lat": 34.0544,
+ "Lon": -118.2441
+ }
+ },
+ "12": {
+ "type": "ipv4-addr",
+ "x_geo_ref": "11",
+ "value": "8.8.8.8",
+ "belongs_to_refs": [
+ "13"
+ ]
+ },
+ "13": {
+ "type": "autonomous-system",
+ "number": 15169,
+ "name": "GOOGLE",
+ "x_isp": "Google",
+ "x_organisation": "Google"
+ }
+ },
+ "first_observed": "2023-06-05T04:48:34.491Z",
+ "last_observed": "2023-06-05T04:48:34.491Z",
+ "number_observed": 1
+ }
+ ],
+ "spec_version": "2.0"
+}
+```
+#### Multiple Observation
+```shell
+translate aws_guardduty query {} "([x-aws-finding-service:action.action_type = 'AWS_API_CALL' AND user-account:display_name = 'awsathenauser' OR x-aws-s3-bucket:bucket_type = 'Destination'] AND [network-traffic:protocols[*] = 'UDP']) START t'2022-01-01T16:43:26.000Z' STOP t'2023-06-20T16:43:26.003Z'"
+```
+#### STIX Multiple observation - Output
+```json
+{
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.s3BucketDetails.type": {
+ "Equals": [
+ "Destination"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1641055406000,
+ "LessThanOrEqual": 1687279406003
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.actionType": {
+ "Equals": [
+ "AWS_API_CALL"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1641055406000,
+ "LessThanOrEqual": 1687279406003
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.accessKeyDetails.userName": {
+ "Equals": [
+ "awsathenauser"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1641055406000,
+ "LessThanOrEqual": 1687279406003
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.kubernetesDetails.kubernetesUserDetails.username": {
+ "Equals": [
+ "awsathenauser"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1641055406000,
+ "LessThanOrEqual": 1687279406003
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.protocol": {
+ "Equals": [
+ "UDP"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1641055406000,
+ "LessThanOrEqual": 1687279406003
+ }
+ }
+ }
+ }
+ ]
+}
+```
+### STIX Execute query
+```shell
+execute
+aws_guardduty
+aws_guardduty
+"{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"aws_guardduty\",\"identity_class\":\"system\",\"created\":\"2023-07-05T13:22:50.336Z\",\"modified\":\"2023-07-05T13:22:50.336Z\"}"
+"{\"region\":\"us-east-1\"}"
+"{\"auth\":{\"aws_access_key_id\": \"ABC\",\"aws_secret_access_key\":\"xyz\"}}"
+"[ipv4-addr:value = '4.5.6.7' AND x-aws-s3-bucket:bucket_type = 'Destination'] START t'2022-01-01T16:43:26.000Z' STOP t'2023-06-20T16:43:26.003Z'"
+```
+
+#### STIX Execute query - Output
+```json
+{
+ "id": "observed-data--a618ce27-47e0-48b0-8b7c-b002c9c8bed6",
+ "type": "observed-data",
+ "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "created": "2023-07-17T09:26:05.008Z",
+ "modified": "2023-07-17T09:26:05.008Z",
+ "objects": {
+ "0": {
+ "type": "x-aws-resource",
+ "account_id": "912345678901",
+ "partition": "aws",
+ "region": "us-east-1",
+ "access_key_ref": "2",
+ "s3_bucket_refs": [
+ "3"
+ ],
+ "resource_type": "S3Bucket",
+ "resource_role": "TARGET"
+ },
+ "1": {
+ "type": "x-ibm-finding",
+ "x_resource_ref": "0",
+ "x_arn": "arn:aws:guardduty:us-east-1:912345678901:detector/aabbccdd/finding/xyz",
+ "description": "An API was used to access a bucket from an IP address on a custom threat list.",
+ "alert_id": "xyz",
+ "x_schema_version": "2.0",
+ "x_service_ref": "4",
+ "x_archived": false,
+ "event_count": 2,
+ "x_detector_id": "aabbccdd",
+ "severity": 8,
+ "x_title": "API DeleteObjects was invoked from an IP address on a custom threat list.",
+ "name": "UnauthorizedAccess:S3/MaliciousIPCaller.Custom",
+ "time_observed": "2023-06-08T08:22:11.192Z",
+ "finding_type": "alert"
+ },
+ "2": {
+ "type": "user-account",
+ "x_access_key_id": "AABBZZ",
+ "user_id": "ABCD",
+ "display_name": "user@login.com",
+ "x_user_type": "IAMUser"
+ },
+ "3": {
+ "type": "x-aws-s3-bucket",
+ "arn": "arn:aws:s3:::sampleguardtest",
+ "name": "sampleguardtest",
+ "bucket_type": "Destination",
+ "created_at": "2023-06-08T07:27:58.000Z",
+ "canonical_id_of_bucket_owner": "1234",
+ "server_side_encryption_type": "AES256",
+ "permissions": {
+ "bucket_level": {
+ "access_control_policies": {
+ "allows_public_read_access": false,
+ "allows_public_write_access": false
+ },
+ "bucket_policies": {
+ "allows_public_read_access": false,
+ "allows_public_write_access": false
+ },
+ "block_public_access_settings": {
+ "ignore_public_acls": true,
+ "restrict_public_buckets": true,
+ "block_public_acls": true,
+ "block_public_policy": true
+ }
+ },
+ "account_level": {
+ "ignore_public_acls": false,
+ "restrict_public_buckets": false,
+ "block_public_acls": false,
+ "block_public_policy": false
+ }
+ },
+ "bucket_permission": "NOT_PUBLIC"
+ },
+ "4": {
+ "type": "x-aws-finding-service",
+ "action": {
+ "action_type": "AWS_API_CALL",
+ "api_called": "DeleteObjects",
+ "caller_type": "Remote IP",
+ "remote_ref": "6",
+ "service_name": "s3.amazonaws.com",
+ "affected_resources": {}
+ },
+ "evidence_refs": [
+ "8"
+ ],
+ "event_first_seen": "2023-06-08T08:17:05.000Z",
+ "event_last_seen": "2023-06-08T08:17:05.000Z",
+ "additional_info": {
+ "Value": "{\"threatName\":\"Customer Threat Intel\",\"threatListName\":\"threat-list2\",\"authenticationMethod\":\"AuthHeader\"}",
+ "Type": "default"
+ }
+ },
+ "5": {
+ "type": "x-oca-geo",
+ "city_name": "Ashburn",
+ "country_name": "United States",
+ "location": {
+ "Lat": 39.0469,
+ "Lon": -77.4903
+ }
+ },
+ "6": {
+ "type": "ipv4-addr",
+ "x_geo_ref": "5",
+ "value": "4.5.6.7",
+ "belongs_to_refs": [
+ "7"
+ ]
+ },
+ "7": {
+ "type": "autonomous-system",
+ "number": 14618,
+ "name": "AMAZON-AES",
+ "x_isp": "Amazon.com",
+ "x_organisation": "Amazon.com"
+ },
+ "8": {
+ "type": "x-aws-evidence",
+ "threat_intelligence_list_name": "threat-list2",
+ "threat_names": [
+ "Customer Threat Intel"
+ ]
+ }
+ },
+ "first_observed": "2023-06-08T08:22:10.062Z",
+ "last_observed": "2023-06-08T08:22:11.192Z",
+ "number_observed": 1
+}
+```
+### Observations
+- Since AWS GuardDuty doesn't support OR operator, individual queries will be formed for each stix attribute when the pattern contains either
+ only OR operator or combination of AND, OR operator.
+- If AND operator is used between same stix attribute, exception will be thrown.
+- If AND operator is used between different stix attribute which contains same field mappings(Example: network-traffic:src_ref AND ipv4-addr),
+ exception will be thrown.
+- Exception will be thrown when more than 50 values are provided using IN operator in AWS GuardDuty connector.
+- Exception will be thrown when more than 50 attributes are present in a single stix translate query in AWS GuardDuty connector.
+- As of now, latest version AioBoto3 package is not returning LamdaDetails from AWS GuardDuty.But Boto3 package is returning Lambda details.
+ AioBoto3 may return in updated versions, once it is in compliance with latest Boto3 package.
+
+### Limitations
+- AWS GuardDuty Datasource doesn't support OR operator.
+- AWS GuardDuty Datasource does not support LIKE/MATCHES operators.
+- AWS GuardDuty Datasource can hold a minimum of one attribute and up to a maximum of 50 attributes in a single Finding Criteria.
+- AWS GuardDuty Datasource supports maximum of 50 values while using equals and not equals operator.
+
+### References
+- [Amazon GuardDuty User Guide](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)
+- [Amazon GuardDuty API Reference](https://docs.aws.amazon.com/guardduty/latest/APIReference/Welcome.html)
+- [Amazon GuardDuty List Finding ](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListFindings.html)
+- [Amazon GuardDuty List Detectors ](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html)
+- [Amazon GuardDuty Get Findings](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetFindings.html)
diff --git a/stix_shifter_modules/aws_guardduty/__init__.py b/stix_shifter_modules/aws_guardduty/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/aws_guardduty/aws_guardduty_supported_stix.md b/stix_shifter_modules/aws_guardduty/aws_guardduty_supported_stix.md
new file mode 100644
index 000000000..f61d63a2d
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/aws_guardduty_supported_stix.md
@@ -0,0 +1,592 @@
+##### Updated on 07/11/23
+## AWS GuardDuty
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparison) | and |
+| OR (Comparison) | or |
+| > | GreaterThan |
+| >= | GreaterThanOrEqual |
+| < | LessThan |
+| <= | LessThanOrEqual |
+| = | Equals |
+| != | NotEquals |
+| IN | Equals |
+| OR (Observation) | or |
+| AND (Observation) | or |
+
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **ipv4-addr**:value | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress, resource.instanceDetails.networkInterfaces.publicIp, service.action.networkConnectionAction.remoteIpDetails.ipAddressV4, service.action.awsApiCallAction.remoteIpDetails.ipAddressV4, service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 |
+| **ipv4-addr**:x_geo_ref.country_name | service.action.networkConnectionAction.remoteIpDetails.country.countryName, service.action.awsApiCallAction.remoteIpDetails.country.countryName |
+| **ipv4-addr**:belongs_to_refs[*].number | service.action.networkConnectionAction.remoteIpDetails.organization.asn, service.action.awsApiCallAction.remoteIpDetails.organization.asn |
+| **ipv6-addr**:value| resource.instanceDetails.networkInterfaces.ipv6Addresses |
+| **autonomous-system**:number | service.action.networkConnectionAction.remoteIpDetails.organization.asn,service.action.awsApiCallAction.remoteIpDetails.organization.asn |
+| **autonomous-system**:name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg,service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg |
+| **x-oca-geo**:country_name | service.action.networkConnectionAction.remoteIpDetails.country.countryName, service.action.awsApiCallAction.remoteIpDetails.country.countryName |
+| **x-oca-geo**:city_name | service.action.awsApiCallAction.remoteIpDetails.city.cityName, service.action.networkConnectionAction.remoteIpDetails.city.cityName |
+| **network-traffic**:src_port | service.action.networkConnectionAction.localPortDetails.port |
+| **network-traffic**:dst_port | service.action.networkConnectionAction.remotePortDetails.port |
+| **network-traffic**:protocols[*] | service.action.networkConnectionAction.protocol |
+| **network-traffic**:src_ref.value | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress |
+| **network-traffic**:dst_ref.value | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4, service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 |
+| **network-traffic**:x_is_target_port_blocked | service.action.networkConnectionAction.blocked |
+| **network-traffic**:x_direction | service.action.networkConnectionAction.connectionDirection |
+| **network-traffic**:extensions.'http-request-ext'.request_value | service.action.kubernetesApiCallAction.requestUri |
+| **user-account**:user_id | resource.accessKeyDetails.principalId |
+| **user-account**:x_access_key_id | resource.accessKeyDetails.accessKeyId |
+| **user-account**:display_name | resource.accessKeyDetails.userName, resource.kubernetesDetails.kubernetesUserDetails.username |
+| **user-account**:x_user_type | resource.accessKeyDetails.userType |
+| **domain-name**:value | resource.instanceDetails.networkInterfaces.publicDnsName, service.action.dnsRequestAction.domain |
+| **process**:name | service.runtimeDetails.process.name |
+| **process**:binary_ref.hashes.'SHA-256' | service.runtimeDetails.process.executableSha256 |
+| **file**:hashes.'SHA-256' | service.runtimeDetails.process.executableSha256, service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
+| **file**:x_path | service.runtimeDetails.process.executablePath |
+| **file**:hashes.'SHA-1' | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
+| **file**:hashes.MD5 | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
+| **file**:x_unknown_hash | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
+| **x-aws-resource**:instance_ref.image_id | resource.instanceDetails.imageId |
+| **x-aws-resource**:s3_bucket_refs[*].name | resource.s3BucketDetails.name |
+| **x-aws-resource**:rds_database_ref.instance_id | resource.rdsDbInstanceDetails.dbInstanceIdentifier |
+| **x-aws-resource**:rds_database_ref.cluster_id | resource.rdsDbInstanceDetails.dbClusterIdentifier |
+| **x-aws-resource**:access_key_ref.user_id | resource.accessKeyDetails.principalId |
+| **x-aws-resource**:lambda_details_ref.function_name | resource.lambdaDetails.functionName |
+| **x-aws-resource**:ecs_cluster_ref.name | resource.ecsClusterDetails.name |
+| **x-aws-resource**:eks_cluster_ref.name | resource.eksClusterDetails.name |
+| **x-aws-resource**:resource_type | resource.resourceType |
+| **x-aws-resource**:resource_role | service.resourceRole |
+| **x-aws-instance**:image_id | resource.instanceDetails.imageId |
+| **x-aws-instance**:profile_id | resource.instanceDetails.iamInstanceProfile.id |
+| **x-aws-instance**:instance | resource.instanceDetails.instanceId |
+| **x-aws-instance**:tag_key | resource.instanceDetails.tags.key |
+| **x-aws-instance**:tag_value | resource.instanceDetails.tags.value |
+| **x-aws-instance**:outpost_arn | resource.instanceDetails.outpostArn |
+| **x-aws-network-interface**:security_group_id | resource.instanceDetails.networkInterfaces.securityGroups.groupId |
+| **x-aws-network-interface**:security_group_name | resource.instanceDetails.networkInterfaces.securityGroups.groupName |
+| **x-aws-network-interface**:subnet_id | resource.instanceDetails.networkInterfaces.subnetId |
+| **x-aws-network-interface**:vpc_id | resource.instanceDetails.networkInterfaces.vpcId |
+| **x-aws-s3-bucket**:name | resource.s3BucketDetails.name |
+| **x-aws-s3-bucket**:bucket_permission | resource.s3BucketDetails.publicAccess.effectivePermission |
+| **x-aws-s3-bucket**:tag_key | resource.s3BucketDetails.tags.key |
+| **x-aws-s3-bucket**:tag_value | resource.s3BucketDetails.tags.value |
+| **x-aws-s3-bucket**:bucket_type | resource.s3BucketDetails.type |
+| **x-aws-rds-db-instance**:cluster_id | resource.rdsDbInstanceDetails.dbClusterIdentifier |
+| **x-aws-rds-db-instance**:engine | resource.rdsDbInstanceDetails.engine |
+| **x-aws-rds-db-instance**:instance_id | resource.rdsDbInstanceDetails.dbInstanceIdentifier |
+| **x-aws-rds-db-instance**:tag_key | resource.rdsDbInstanceDetails.tags.key |
+| **x-aws-rds-db-instance**:tag_value| resource.rdsDbInstanceDetails.tags.value |
+| **x-aws-rds-db-instance**:anomalous_login_user_ref.user_name| resource.rdsDbUserDetails.user |
+| **x-aws-rds-db-user**:user_name | resource.rdsDbUserDetails.user |
+| **x-aws-lambda**:function_arn | resource.lambdaDetails.functionArn |
+| **x-aws-lambda**:function_name | resource.lambdaDetails.functionName |
+| **x-aws-lambda**:tag_key | resource.lambdaDetails.tags.key |
+| **x-aws-lambda**:tag_value | resource.lambdaDetails.tags.value |
+| **x-aws-ecs-cluster**:name | resource.ecsClusterDetails.name |
+| **x-aws-ecs-cluster**:task.definition_arn | resource.ecsClusterDetails.taskDetails.definitionArn |
+| **x-aws-container**:image | resource.ecsClusterDetails.taskDetails.containers.image, resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image, resource.containerDetails.image |
+| **x-aws-container**:image_prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix |
+| **x-aws-kubernetes-workload**:workload_name | resource.kubernetesDetails.kubernetesWorkloadDetails.name |
+| **x-aws-kubernetes-workload**:workload_namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace |
+| **x-aws-eks-cluster**:name | resource.eksClusterDetails.name |
+| **x-aws-ebs-volume-malware-scan**:scan_id | service.ebsVolumeScanDetails.scanId |
+| **x-aws**:account_id | accountId |
+| **x-aws**:region | region |
+| **x-ibm-finding**:confidence | confidence |
+| **x-ibm-finding**:alert_id | id |
+| **x-ibm-finding**:x_archived | service.archived |
+| **x-ibm-finding**:severity | severity |
+| **x-ibm-finding**:name | type |
+| **x-ibm-finding**:x_resource_ref.resource_type | resource.resourceType |
+| **x-ibm-finding**:src_application_user_ref.display_name | resource.kubernetesDetails.kubernetesUserDetails.username |
+| **x-aws-finding-service**:action.action_type | service.action.actionType |
+| **x-aws-finding-service**:action.api_called | service.action.awsApiCallAction.api |
+| **x-aws-finding-service**:action.caller_account_id | service.action.awsApiCallAction.remoteAccountDetails.accountId |
+| **x-aws-finding-service**:action.caller_type | service.action.awsApiCallAction.callerType |
+| **x-aws-finding-service**:action.service_name | service.action.awsApiCallAction.serviceName |
+| **x-aws-finding-service**:action.remote_ref.value | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 |
+| **x-aws-finding-service**:action.error_code | service.action.awsApiCallAction.errorCode |
+| **x-aws-finding-service**:action.is_caller_account_affiliated_to_aws | service.action.awsApiCallAction.remoteAccountDetails.affiliated |
+| **x-aws-finding-service**:additional_info | service.additionalInfo.threatListName |
+| **x-aws-threat**:threat_name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name |
+| **x-aws-threat**:severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity |
+| **x-aws-evidence**:threat_intelligence_list_name | service.additionalInfo.threatListName |
+
+### Supported STIX Objects and Properties for Query Results
+| STIX Object | STIX Property | Data Source Field |
+|--|--|--|
+| ipv4-addr | value | Resource.InstanceDetails.NetworkInterfaces.PrivateIpAddresses.PrivateIpAddress |
+| ipv4-addr | value | Resource.InstanceDetails.NetworkInterfaces.PublicIp |
+| ipv4-addr | value | Service.NetworkConnectionAction.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.PortProbeAction.PortProbeDetails.LocalIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.KubernetesApiCallAction.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.KubernetesApiCallAction.SourceIPs |
+| ipv4-addr | value | Service.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | value | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.IpAddressV4 |
+| ipv4-addr | belongs_to_refs | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Organization.Asn |
+| ipv4-addr | belongs_to_refs | Service.Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn|
+| ipv4-addr | belongs_to_refs | Service.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Asn|
+| ipv4-addr | belongs_to_refs | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Organization.Asn |
+| ipv4-addr | belongs_to_refs | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Organization.Asn|
+| ipv4-addr | x_geo_ref | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Country.CountryName |
+| ipv4-addr | x_geo_ref | Service.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName |
+| ipv4-addr | x_geo_ref | Service.Action.NetworkConnectionAction.RemoteIpDetails.Country.CountryName |
+| ipv4-addr | x_geo_ref | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Country.CountryName |
+| ipv4-addr | x_geo_ref | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Country.CountryName |
+| ipv4-addr | x_geo_ref | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.City.CityName |
+| ipv4-addr | x_geo_ref | Service.Action.KubernetesApiCallAction.RemoteIpDetails.City.CityName |
+|
| | |
+| ipv6-addr | value | Resource.InstanceDetails.NetworkInterfaces.Ipv6Addresses |
+|
| | |
+| autonomous-system | number | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Organization.Asn |
+| autonomous-system | number | Service.Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn|
+| autonomous-system | number | Service.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Asn|
+| autonomous-system | number | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Organization.Asn |
+| autonomous-system | number | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Organization.Asn|
+| autonomous-system | name | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Organization.AsnOrg |
+| autonomous-system | name | Service.Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg |
+| autonomous-system | name | Service.Action.NetworkConnectionAction.RemoteIpDetails.Organization.AsnOrg |
+| autonomous-system | name | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Organization.AsnOrg |
+| autonomous-system | name | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Organization.AsnOrg |
+| autonomous-system | x_isp | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Organization.Isp |
+| autonomous-system | x_isp | Service.Action.AwsApiCallAction.RemoteIpDetails.Organization.Isp |
+| autonomous-system | x_isp | Service.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Isp |
+| autonomous-system | x_isp | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Organization.Isp |
+| autonomous-system | x_isp | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Organization.Isp |
+| autonomous-system | x_organisation | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Organization.Org |
+| autonomous-system | x_organisation | Service.Action.AwsApiCallAction.RemoteIpDetails.Organization.Org |
+| autonomous-system | x_organisation | Service.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Org |
+| autonomous-system | x_organisation | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Organization.Org |
+| autonomous-system | x_organisation | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Organization.Org |
+|
| | |
+| x-oca-geo| country_iso_code | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Country.CountryCode |
+| x-oca-geo| country_iso_code | Service.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode |
+| x-oca-geo| country_iso_code | Service.Action.NetworkConnectionAction.RemoteIpDetails.Country.CountryCode |
+| x-oca-geo| country_iso_code | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Country.CountryCode |
+| x-oca-geo| country_iso_code | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Country.CountryCode |
+| x-oca-geo| country_name | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.Country.CountryName |
+| x-oca-geo| country_name | Service.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName |
+| x-oca-geo| country_name | Service.Action.NetworkConnectionAction.RemoteIpDetails.Country.CountryName |
+| x-oca-geo| country_name | Service.Action.KubernetesApiCallAction.RemoteIpDetails.Country.CountryName |
+| x-oca-geo| country_name | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.Country.CountryName |
+| x-oca-geo| city_name | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.City.CityName |
+| x-oca-geo| city_name | Service.Action.AwsApiCallAction.RemoteIpDetails.City.CityName |
+| x-oca-geo| city_name | Service.Action.NetworkConnectionAction.RemoteIpDetails.City.CityName |
+| x-oca-geo| city_name | Service.Action.KubernetesApiCallAction.RemoteIpDetails.City.CityName |
+| x-oca-geo| city_name | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.City.CityName |
+| x-oca-geo| location | Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.GeoLocation |
+| x-oca-geo| location | Service.Action.NetworkConnectionAction.RemoteIpDetails.GeoLocation |
+| x-oca-geo| location | Service.Action.KubernetesApiCallAction.RemoteIpDetails.GeoLocation |
+| x-oca-geo| location | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.GeoLocation |
+| x-oca-geo| location | Service.Action.AwsApiCallAction.RemoteIpDetails.GeoLocation |
+|
| | |
+| network-traffic | x_is_target_port_blocked | Service.Action.DnsRequestAction.Blocked |
+| network-traffic | x_is_target_port_blocked | Service.Action.NetworkConnectionAction.Blocked |
+| network-traffic | src_ref |Service.Action.DnsRequestAction.Domain |
+| network-traffic | src_ref |Service.Action.PortProbeAction.PortProbeDetails.LocalIpDetails.IpAddressV4 |
+| network-traffic | src_ref |Service.Action.NetworkConnectionAction.LocalIpDetails.IpAddressV4 |
+| network-traffic | src_ref |Service.Action.KubernetesApiCallAction.SourceIPs |
+| network-traffic | dst_ref |Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.IpAddressV4 |
+| network-traffic | dst_ref |Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4 |
+| network-traffic | dst_ref |Service.Action.KubernetesApiCallAction.RemoteIpDetails.IpAddressV4 |
+| network-traffic | protocols | Service.Action.DnsRequestAction.Protocol |
+| network-traffic | protocols | Service.Action.PortProbeAction.PortProbeDetails.LocalPortDetails.PortName |
+| network-traffic | protocols | Service.Action.NetworkConnectionAction.Protocol |
+| network-traffic | protocols | Service.Action.KubernetesApiCallAction.Protocol |
+| network-traffic | src_port | Service.Action.PortProbeAction.PortProbeDetails.LocalPortDetails.Port |
+| network-traffic | src_port | Service.Action.NetworkConnectionAction.LocalPortDetails.Port |
+| network-traffic | dst_port | Service.Action.NetworkConnectionAction.RemotePortDetails.Port |
+| network-traffic | x_direction | Service.Action.NetworkConnectionAction.ConnectionDirection |
+| network-traffic | x_dst_port_name | Service.Action.NetworkConnectionAction.RemotePortDetails.PortName |
+| network-traffic | x_src_port_name | Service.Action.NetworkConnectionAction.LocalPortDetails.PortName |
+| network-traffic | extensions.http-request-ext.x_parameters | Service.Action.KubernetesApiCallAction.Parameters |
+| network-traffic | extensions.http-request-ext.request_value | Service.Action.KubernetesApiCallAction.RequestUri |
+| network-traffic | extensions.http-request-ext.x_status_code | Service.Action.KubernetesApiCallAction.StatusCode |
+| network-traffic | extensions.http-request-ext.request_header.User-Agent | Service.Action.KubernetesApiCallAction.UserAgent |
+| network-traffic | extensions.http-request-ext.request_method | Service.Action.KubernetesApiCallAction.Verb |
+|
| | |
+| user-account | user_id | Resource.AccessKeyDetails.PrincipalId |
+| user-account | user_id | Resource.KubernetesDetails.KubernetesUserDetails.Uid |
+| user-account | user_id | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.UserId |
+| user-account | user_id | Service.RuntimeDetails.Context.ModifyingProcess.UserId |
+| user-account | user_id | Service.RuntimeDetails.Context.TargetProcess.Lineage.UserId |
+| user-account | user_id | Service.RuntimeDetails.Context.TargetProcess.UserId |
+| user-account | user_id | Service.RuntimeDetails.Context.Process.Lineage.UserId |
+| user-account | user_id | Service.RuntimeDetails.Context.Process.UserId|
+| user-account | display_name | Resource.AccessKeyDetails.UserName |
+| user-account | display_name | Resource.KubernetesDetails.KubernetesUserDetails.UserName |
+| user-account | display_name | Service.RuntimeDetails.Context.ModifyingProcess.User |
+| user-account | display_name | Service.RuntimeDetails.Context.TargetProcess.User |
+| user-account | display_name | Service.RuntimeDetails.Process.User |
+| user-account | x_user_type | Resource.AccessKeyDetails.UserType |
+| user-account | x_groups | Resource.KubernetesDetails.KubernetesUserDetails.Groups |
+| user-account | x_session_name | Resource.KubernetesDetails.KubernetesUserDetails.SessionName |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Context.ModifyingProcess.Euid |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.Euid |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Context.TargetProcess.Euid |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Context.TargetProcess.Lineage.Euid |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Process.Euid |
+| user-account | x_effective_user_id | Service.RuntimeDetails.Process.Lineage.Euid |
+| user-account | x_access_key_id | Resource.AccessKeyDetails.AccessKeyId |
+|
| | |
+| domain-name | value | Resource.InstanceDetails.NetworkInterfaces.PublicDnsName |
+| domain-name | value | Resource.InstanceDetails.NetworkInterfaces.PrivateIpAddresses.PrivateDnsName |
+| domain-name | value | Service.Action.DnsRequestAction.Domain |
+| domain-name | value |Service.Action.AwsApiCallAction.DomainDetails.Domain |
+| domain-name | resolves_to_refs | Resource.InstanceDetails.NetworkInterfaces.PrivateIpAddresses.PrivateIpAddress |
+| domain-name | resolves_to_refs | Resource.InstanceDetails.NetworkInterfaces.PublicIp |
+|
| | |
+| software | name | Resource.InstanceDetails.Platform |
+| software | name | Service.Action.AwsApiCallAction.UserAgent |
+|
| | |
+| process | name | Service.RuntimeDetails.Context.ModifyingProcess.Name |
+| process | name | Service.RuntimeDetails.Context.TargetProcess.Lineage.Name |
+| process | name | Service.RuntimeDetails.Context.TargetProcess.Name |
+| process | name | Service.RuntimeDetails.Process.Lineage.Name |
+| process | name | Service.RuntimeDetails.Process.Name |
+| process | name | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.Name |
+| process | binary_ref | Service.RuntimeDetails.Context.ModifyingProcess.ExecutableSha256 |
+| process | binary_ref | Service.RuntimeDetails.Context.TargetProcess.ExecutableSha256 |
+| process | binary_ref | Service.RuntimeDetails.Context.Process.ExecutableSha256 |
+| process | pid | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.NamespacePid |
+| process | pid | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.Pid |
+| process | pid | Service.RuntimeDetails.Context.ModifyingProcess.NamespacePid |
+| process | pid | Service.RuntimeDetails.Context.ModifyingProcess.Pid |
+| process | pid | Service.RuntimeDetails.Context.TargetProcess.Lineage.NamespacePid |
+| process | pid | Service.RuntimeDetails.Context.TargetProcess.Lineage.Pid |
+| process | pid | Service.RuntimeDetails.Context.TargetProcess.NamespacePid |
+| process | pid | Service.RuntimeDetails.Context.TargetProcess.Pid |
+| process | pid | Service.RuntimeDetails.Process.Lineage.NamespacePid |
+| process | pid | Service.RuntimeDetails.Process.Lineage.Pid |
+| process | pid | Service.RuntimeDetails.Process.NamespacePid |
+| process | pid | Service.RuntimeDetails.Process.Pid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.ParentUuid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Context.ModifyingProcess.ParentUuid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Context.TargetProcess.Lineage.ParentUuid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Context.TargetProcess.ParentUuid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Process.Lineage.ParentUuid |
+| process | x_parent_unique_id | Service.RuntimeDetails.Process.ParentUuid |
+| process | created | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.StartTime |
+| process | created | Service.RuntimeDetails.Context.ModifyingProcess.StartTime |
+| process | created | Service.RuntimeDetails.Context.TargetProcess.Lineage.StartTime |
+| process | created | Service.RuntimeDetails.Context.TargetProcess.StartTime |
+| process | created | Service.RuntimeDetails.Process.Lineage.StartTime |
+| process | created | Service.RuntimeDetails.Process.StartTime |
+| process | x_unique_id | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.Uuid |
+| process | x_unique_id | Service.RuntimeDetails.Context.ModifyingProcess.Uuid |
+| process | x_unique_id | Service.RuntimeDetails.Context.TargetProcess.Lineage.Uuid |
+| process | x_unique_id | Service.RuntimeDetails.Context.TargetProcess.Uuid |
+| process | x_unique_id | Service.RuntimeDetails.Process.Lineage.Uuid |
+| process | x_unique_id | Service.RuntimeDetails.Process.Uuid |
+| process | cwd | Service.RuntimeDetails.Context.ModifyingProcess.Pwd |
+| process | cwd | Service.RuntimeDetails.Context.TargetProcess.Pwd |
+| process | cwd | Service.RuntimeDetails.Process.Pwd |
+| process | x_absolute_path | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.ExecutablePath |
+| process | x_absolute_path | Service.RuntimeDetails.Context.TargetProcess.Lineage.ExecutablePath |
+| process | x_absolute_path | Service.RuntimeDetails.Process.Lineage.ExecutablePath |
+| process | child_refs | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.NamespacePid |
+| process | child_refs | Service.RuntimeDetails.Context.ModifyingProcess.NamespacePid |
+| process | child_refs | Service.RuntimeDetails.Context.TargetProcess.Lineage.NamespacePid |
+| process | child_refs | Service.RuntimeDetails.Context.TargetProcess.NamespacePid |
+| process | child_refs | Service.RuntimeDetails.Context.Process.Lineage.NamespacePid |
+| process | child_refs | Service.RuntimeDetails.Context.Process.NamespacePid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.ModifyingProcess.Euid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.Euid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.ModifyingProcess.Lineage.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.ModifyingProcess.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.TargetProcess.Euid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.TargetProcess.Lineage.Euid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.TargetProcess.Lineage.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.TargetProcess.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.Process.Lineage.Euid |
+| process | creator_user_ref | Service.RuntimeDetails.Context.Process.Lineage.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.Process.UserId |
+| process | creator_user_ref | Service.RuntimeDetails.Context.Process.Euid |
+|
|
+| file | name | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileName |
+| file | name | Service.RuntimeDetails.Context.ModuleName |
+| file | hashes.SHA-256 | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileSha256 |
+| file | hashes.SHA-256 | Service.RuntimeDetails.Context.ModifyingProcess.ExecutableSha256 |
+| file | hashes.SHA-256 | Service.RuntimeDetails.Context.ModuleSha256 |
+| file | hashes.SHA-256 | Service.RuntimeDetails.Context.TargetProcess.ExecutableSha256 |
+| file | hashes.SHA-256 | Service.RuntimeDetails.Process.ExecutableSha256 |
+| file | x_path |Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FilePath |
+| file | x_path |Service.RuntimeDetails.Context.ModifyingProcess.ExecutablePath |
+| file | x_path |Service.RuntimeDetails.Context.ModuleFilePath |
+| file | x_path | Service.RuntimeDetails.Context.TargetProcess.ExecutablePath|
+| file | x_path | Service.RuntimeDetails.Context.Process.ExecutablePath|
+| file | hashes.SHA-1 | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileSha1 |
+| file | hashes.MD5 | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileMd5 |
+| file | x_unknown_hash | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.UnknownHash |
+| file | x_volume_arn | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.VolumeArn |
+|
| | |
+| x-aws-resource | resource_type | Resource.ResourceType |
+| x-aws-resource | resource_role | Service.ResourceRole |
+| x-aws-resource | access_key_ref | Resource.AccessKeyDetails.PrincipalId |
+| x-aws-resource | standalone_container_ref | Resource.ContainerDetails.Id |
+| x-aws-resource | ecs_cluster_ref | Resource.EcsClusterDetails.Name |
+| x-aws-resource | eks_cluster_ref | Resource.EksClusterDetails.Name |
+| x-aws-resource | instance_ref | Resource.InstanceDetails.ImageId |
+| x-aws-resource | rds_database_ref | Resource.RdsDbInstanceDetails.DbClusterIdentifier |
+| x-aws-resource | rds_database_ref | Resource.RdsDbInstanceDetails.DbInstanceIdentifier |
+| x-aws-resource | lambda_details_ref | Resource.LambdaDetails.FunctionName |
+| x-aws-resource | account_id | AccountId |
+| x-aws-resource | partition | Partition |
+| x-aws-resource | region | Region |
+|
| | |
+| x-aws-instance | availability_zone | Resource.InstanceDetails.AvailabilityZone |
+| x-aws-instance | instance_arn | Resource.InstanceDetails.IamInstanceProfile.Arn |
+| x-aws-instance | profile_id | Resource.InstanceDetails.IamInstanceProfile.Id |
+| x-aws-instance | instance_id | Resource.InstanceDetails.InstanceId |
+| x-aws-instance | state | Resource.InstanceDetails.InstanceState |
+| x-aws-instance | instance_type | Resource.InstanceDetails.InstanceType |
+| x-aws-instance | launch_time | Resource.InstanceDetails.LaunchTime |
+| x-aws-instance | outpost_arn | Resource.InstanceDetails.OutpostArn |
+| x-aws-instance | product_codes | Resource.InstanceDetails.ProductCodes |
+| x-aws-instance | tags | Resource.InstanceDetails.Tags |
+| x-aws-instance | os_ref | Resource.InstanceDetails.Platform |
+| x-aws-instance | image_description | Resource.InstanceDetails.ImageDescription |
+| x-aws-instance | image_id | Resource.InstanceDetails.ImageId |
+|
| | |
+| x-aws-network-interface | interface_id | Resource.InstanceDetails.NetworkInterfaces.NetworkInterfaceId |
+| x-aws-network-interface | security_groups | Resource.InstanceDetails.NetworkInterfaces.SecurityGroups |
+| x-aws-network-interface | subnet_id | Resource.InstanceDetails.NetworkInterfaces.SubnetId |
+| x-aws-network-interface | vpc_id | Resource.InstanceDetails.NetworkInterfaces.VpcId |
+| x-aws-network-interface | ip_refs | Resource.InstanceDetails.NetworkInterfaces.Ipv6Addresses |
+| x-aws-network-interface | public_domain_ref | Resource.InstanceDetails.NetworkInterfaces.PublicDnsName |
+|
| | |
+| x-aws-s3-bucket | arn | Resource.S3BucketDetails.Arn |
+| x-aws-s3-bucket | created_at | Resource.S3BucketDetails.CreatedAt |
+| x-aws-s3-bucket | server_side_encryption_type | Resource.S3BucketDetails.DefaultServerSideEncryption.EncryptionType |
+| x-aws-s3-bucket | kms_encryption_key_arn | Resource.S3BucketDetails.DefaultServerSideEncryption.KmsMasterKeyArn |
+| x-aws-s3-bucket | name | Resource.S3BucketDetails.Name |
+| x-aws-s3-bucket | canonical_id_of_bucket_owner | Resource.S3BucketDetails.Owner.Id |
+| x-aws-s3-bucket | bucket_permission | Resource.S3BucketDetails.PublicAccess.EffectivePermission |
+| x-aws-s3-bucket | permissions.account_level.block_public_acls | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.AccountLevelPermissions.BlockPublicAccess.BlockPublicAcls |
+| x-aws-s3-bucket | permissions.account_level.block_public_policy | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.AccountLevelPermissions.BlockPublicAccess.BlockPublicPolicy |
+| x-aws-s3-bucket | permissions.account_level.ignore_public_acls | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.AccountLevelPermissions.BlockPublicAccess.IgnorePublicAcls |
+| x-aws-s3-bucket | permissions.account_level.restrict_public_buckets | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.AccountLevelPermissions.BlockPublicAccess.RestrictPublicBuckets |
+| x-aws-s3-bucket | permissions.bucket_level.access_control_policies.allows_public_read_access | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.AccessControlList.AllowsPublicReadAccess |
+| x-aws-s3-bucket | permissions.bucket_level.access_control_policies.allows_public_write_access |Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.AccessControlList.AllowsPublicWriteAccess |
+| x-aws-s3-bucket | permissions.bucket_level.block_public_access_settings.block_public_acls | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BlockPublicAccess.BlockPublicAcls |
+| x-aws-s3-bucket | permissions.bucket_level.block_public_access_settings.block_public_policy | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BlockPublicAccess.BlockPublicPolicy |
+| x-aws-s3-bucket | permissions.bucket_level.block_public_access_settings.ignore_public_acls | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BlockPublicAccess.IgnorePublicAcls |
+| x-aws-s3-bucket | permissions.bucket_level.block_public_access_settings.restrict_public_buckets | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BlockPublicAccess.RestrictPublicBuckets|
+| x-aws-s3-bucket | permissions.bucket_level.bucket_policies.allows_public_read_access |Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BucketPolicy.AllowsPublicReadAccess |
+| x-aws-s3-bucket | permissions.bucket_level.bucket_policies.allows_public_write_access | Resource.S3BucketDetails.PublicAccess.PermissionConfiguration.BucketLevelPermissions.BucketPolicy.AllowsPublicWriteAccess |
+| x-aws-s3-bucket | tags | Resource.S3BucketDetails.Tag |
+| x-aws-s3-bucket | bucket_type | Resource.S3BucketDetails.Type |
+|
| | |
+| x-aws-rds-db-instance | cluster_id | Resource.RdsDbInstanceDetails.DbClusterIdentifier |
+| x-aws-rds-db-instance | instance_arn | Resource.RdsDbInstanceDetails.DbInstanceArn |
+| x-aws-rds-db-instance | instance_id | Resource.RdsDbInstanceDetails.DbInstanceIdentifier |
+| x-aws-rds-db-instance | engine | Resource.RdsDbInstanceDetails.Engine |
+| x-aws-rds-db-instance | engine_version | Resource.RdsDbInstanceDetails.EngineVersion |
+| x-aws-rds-db-instance | tags | Resource.RdsDbInstanceDetails.Tags |
+| x-aws-rds-db-instance | anomalous_login_user_ref | Resource.RdsDbUserDetails.Application |
+| x-aws-rds-db-instance | anomalous_login_user_ref | Resource.RdsDbUserDetails.AuthMethod |
+| x-aws-rds-db-instance | anomalous_login_user_ref | Resource.RdsDbInstanceDetails.Database |
+| x-aws-rds-db-instance | anomalous_login_user_ref | Resource.RdsDbInstanceDetails.Ssl |
+| x-aws-rds-db-instance | anomalous_login_user_ref | Resource.RdsDbInstanceDetails.User |
+|
| | |
+| x-aws-rds-db-user | application_name | Resource.RdsDbUserDetails.Application |
+| x-aws-rds-db-user | authentication_method | Resource.RdsDbUserDetails.AuthMethod |
+| x-aws-rds-db-user | database_name | Resource.RdsDbUserDetails.Database |
+| x-aws-rds-db-user | ssl | Resource.RdsDbUserDetails.Ssl |
+| x-aws-rds-db-user | user_name | Resource.RdsDbUserDetails.User |
+|
| | |
+| x-aws-lambda | description | Resource.LambdaDetails.Description |
+| x-aws-lambda | function_arn | Resource.LambdaDetails.FunctionArn |
+| x-aws-lambda | function_name | Resource.LambdaDetails.FunctionName |
+| x-aws-lambda | function_version | Resource.LambdaDetails.FunctionVersion |
+| x-aws-lambda | last_modified_at | Resource.LambdaDetails.LastModifiedAt |
+| x-aws-lambda | execution_role | Resource.LambdaDetails.Role |
+| x-aws-lambda | tags | Resource.LambdaDetails.Tags |
+| x-aws-lambda | revision_id | Resource.LambdaDetails.RevisionId |
+| x-aws-lambda | security_groups | Resource.LambdaDetails.VpcConfig.SecurityGroups |
+| x-aws-lambda | subnet_ids | Resource.LambdaDetails.VpcConfig.SubnetIds |
+| x-aws-lambda | amazon_vpc_id | Resource.LambdaDetails.VpcConfig.VpcId |
+|
| | |
+| x-aws-rds-login-attributes | login_application_name | Service.Action.RdsLoginAttemptAction.LoginAttributes.Application |
+| x-aws-rds-login-attributes | failed_login_attempts | Service.Action.RdsLoginAttemptAction.LoginAttributes.FailedLoginAttempts |
+| x-aws-rds-login-attributes | successful_login_attempts | Service.Action.RdsLoginAttemptAction.LoginAttributes.SuccessfulLoginAttempts |
+| x-aws-rds-login-attributes | login_attempted_user_name | Service.Action.RdsLoginAttemptAction.LoginAttributes.User |
+|
| | |
+| x-aws-ecs-cluster | active_services_count | Resource.EcsClusterDetails.ActiveServicesCount |
+| x-aws-ecs-cluster | cluster_arn | Resource.EcsClusterDetails.Arn |
+| x-aws-ecs-cluster | name | Resource.EcsClusterDetails.Name |
+| x-aws-ecs-cluster | container_instances_registered_count | Resource.EcsClusterDetails.RegisteredContainerInstancesCount |
+| x-aws-ecs-cluster | running_tasks_count | Resource.EcsClusterDetails.RunningTasksCount |
+| x-aws-ecs-cluster | status | Resource.EcsClusterDetails.Status |
+| x-aws-ecs-cluster | tags | Resource.EcsClusterDetails.Tags |
+| x-aws-ecs-cluster | task.arn | Resource.EcsClusterDetails.TaskDetails.TaskDetails.Arn |
+| x-aws-ecs-cluster | task.definition_arn | Resource.EcsClusterDetails.TaskDetails.DefinitionArn |
+| x-aws-ecs-cluster | task.group_name | Resource.EcsClusterDetails.TaskDetails.Group |
+| x-aws-ecs-cluster | task.started_at | Resource.EcsClusterDetails.TaskDetails.StartedAt |
+| x-aws-ecs-cluster | task.started_by | Resource.EcsClusterDetails.TaskDetails.StartedBy |
+| x-aws-ecs-cluster | task.tags | Resource.EcsClusterDetails.TaskDetails.Tags |
+| x-aws-ecs-cluster | task.created_at | Resource.EcsClusterDetails.TaskDetails.CreatedAt |
+| x-aws-ecs-cluster | task.version | Resource.EcsClusterDetails.TaskDetails.Version |
+| x-aws-ecs-cluster | task.volumes | Resource.EcsClusterDetails.TaskDetails.Volumes |
+|
| | |
+| x-aws-ebs-volume-scanned | device_name | Resource.EbsVolumeDetails.ScannedVolumeDetails.DeviceName |
+| x-aws-ebs-volume-scanned | encryption_type | Resource.EbsVolumeDetails.ScannedVolumeDetails.EncryptionType |
+| x-aws-ebs-volume-scanned | kms_key_arn | Resource.EbsVolumeDetails.ScannedVolumeDetails.KmsKeyArn |
+| x-aws-ebs-volume-scanned | snapshot_key_arn | Resource.EbsVolumeDetails.ScannedVolumeDetails.SnapshotArn |
+| x-aws-ebs-volume-scanned | volume_arn | Resource.EbsVolumeDetails.ScannedVolumeDetails.VolumeArn |
+| x-aws-ebs-volume-scanned | volume_size | Resource.EbsVolumeDetails.ScannedVolumeDetails.VolumeSizeInGB |
+| x-aws-ebs-volume-scanned | volume_type | Resource.EbsVolumeDetails.ScannedVolumeDetails.VolumeType |
+|
| | |
+| x-aws-ebs-volume-skipped | device_name | Resource.EbsVolumeDetails.SkippedVolumeDetails.DeviceName |
+| x-aws-ebs-volume-skipped | encryption_type | Resource.EbsVolumeDetails.SkippedVolumeDetails.EncryptionType |
+| x-aws-ebs-volume-skipped | kms_key_arn | Resource.EbsVolumeDetails.SkippedVolumeDetails.KmsKeyArn |
+| x-aws-ebs-volume-skipped | snapshot_key_arn | Resource.EbsVolumeDetails.SkippedVolumeDetails.SnapshotArn |
+| x-aws-ebs-volume-skipped | volume_arn | Resource.EbsVolumeDetails.SkippedVolumeDetails.VolumeArn |
+| x-aws-ebs-volume-skipped | volume_size | Resource.EbsVolumeDetails.SkippedVolumeDetails.VolumeSizeInGB |
+| x-aws-ebs-volume-skipped | volume_type | Resource.EbsVolumeDetails.SkippedVolumeDetails.VolumeType |
+|
| | |
+| x-aws-container | container_runtime | Resource.ContainerDetails.ContainerRuntime |
+| x-aws-container | container_runtime | Resource.EcsClusterDetails.TaskDetails.Containers.ContainerRuntime |
+| x-aws-container | container_runtime | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.ContainerRuntime |
+| x-aws-container | container_id | Resource.ContainerDetails.Id |
+| x-aws-container | container_id | Resource.EcsClusterDetails.TaskDetails.Containers.Id |
+| x-aws-container | container_id | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.Id |
+| x-aws-container | image | Resource.ContainerDetails.Image |
+| x-aws-container | image | Resource.EcsClusterDetails.TaskDetails.Containers.Image |
+| x-aws-container | image | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.Image |
+| x-aws-container | image_prefix | Resource.ContainerDetails.ImagePrefix |
+| x-aws-container | image_prefix | Resource.EcsClusterDetails.TaskDetails.Containers.ImagePrefix |
+| x-aws-container | image_prefix | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.ImagePrefix |
+| x-aws-container | name | Resource.ContainerDetails.Name |
+| x-aws-container | name | Resource.EcsClusterDetails.TaskDetails.Containers.Name |
+| x-aws-container | name | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.Name |
+| x-aws-container | is_container_privileged | Resource.ContainerDetails.SecurityContext.Privileged |
+| x-aws-container | is_container_privileged | Resource.EcsClusterDetails.TaskDetails.Containers.SecurityContext.Privileged |
+| x-aws-container | is_container_privileged | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.SecurityContext.Privileged |
+|
| | |
+| x-aws-container-volume-mount | path | Resource.ContainerDetails.VolumeMounts.MountPath |
+| x-aws-container-volume-mount | path | Resource.EcsClusterDetails.TaskDetails.Containers.VolumeMounts.MountPath |
+| x-aws-container-volume-mount | path | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.VolumeMounts.MountPath |
+| x-aws-container-volume-mount | name | Resource.ContainerDetails.VolumeMounts.Name |
+| x-aws-container-volume-mount | name | Resource.EcsClusterDetails.TaskDetails.Containers.VolumeMounts.Name |
+| x-aws-container-volume-mount | name | Resource.KubernetesDetails.KubernetesWorkloadDetails.Containers.VolumeMounts.Name |
+|
| | |
+| x-aws-kubernetes-workload | is_enabled_host_network_for_pods | Resource.KubernetesDetails.KubernetesWorkloadDetails.HostNetwork |
+| x-aws-kubernetes-workload | workload_name | Resource.KubernetesDetails.KubernetesWorkloadDetails.Name |
+| x-aws-kubernetes-workload | workload_namespace | Resource.KubernetesDetails.KubernetesWorkloadDetails.Namespace |
+| x-aws-kubernetes-workload | workload_type | Resource.KubernetesDetails.KubernetesWorkloadDetails.Type |
+| x-aws-kubernetes-workload | workload_id | Resource.KubernetesDetails.KubernetesWorkloadDetails.Uid |
+| x-aws-kubernetes-workload | volumes | Resource.KubernetesDetails.KubernetesWorkloadDetails.Volumes |
+|
| | |
+| x-aws-kubernetes | runtime_context_ref | Service.RuntimeDetails.Context.ModifiedAt |
+| x-aws-kubernetes | runtime_context_ref | Service.RuntimeDetails.Context.ModuleName |
+| x-aws-kubernetes | runtime_context_ref | Service.RuntimeDetails.Context.ScriptPath |
+| x-aws-kubernetes | runtime_observed_process_ref | Service.RuntimeDetails.Process.Name |
+| x-aws-kubernetes | runtime_observed_process_ref | Service.RuntimeDetails.Process.Pid |
+|
| | |
+| x-aws-eks-cluster | arn | Resource.EksClusterDetails.Arn |
+| x-aws-eks-cluster | created_at | Resource.EksClusterDetails.CreatedAt |
+| x-aws-eks-cluster | name | Resource.EksClusterDetails.Name |
+| x-aws-eks-cluster | status | Resource.EksClusterDetails.Status |
+| x-aws-eks-cluster | tags | Resource.EksClusterDetails.Tags |
+| x-aws-eks-cluster | vpc_id | Resource.EksClusterDetails.VpcId |
+| x-aws-eks-cluster | kubernetes_user_ref | Resource.KubernetesDetails.KubernetesUserDetails.Uid |
+| x-aws-eks-cluster | kubernetes_user_ref | Resource.KubernetesDetails.KubernetesUserDetails.Username |
+| x-aws-eks-cluster | kubernetes_workload_ref | Resource.kubernetesDetails.kubernetesWorkloadDetails.Name |
+| x-aws-eks-cluster | runtime_context_ref | Service.RuntimeDetails.Context.ModifyingProcess.Name |
+| x-aws-eks-cluster | runtime_context_ref | Service.RuntimeDetails.Context.TargetProcess.Name |
+|
| | |
+| x-aws-ebs-volume-malware-scan | scan_completed_at | Service.EbsVolumeScanDetails.ScanCompletedAt |
+| x-aws-ebs-volume-malware-scan | highest_severity_threat.total_infected_files | Service.EbsVolumeScanDetails.ScanDetections.HighestSeverityThreatDetails.Count |
+| x-aws-ebs-volume-malware-scan | highest_severity_threat.severity | Service.EbsVolumeScanDetails.ScanDetections.HighestSeverityThreatDetails.Severity |
+| x-aws-ebs-volume-malware-scan | highest_severity_threat.name | Service.EbsVolumeScanDetails.ScanDetections.HighestSeverityThreatDetails.ThreatName |
+| x-aws-ebs-volume-malware-scan | scanned_items.total_scanned_files | Service.EbsVolumeScanDetails.ScanDetections.ScannedItemCount.Files |
+| x-aws-ebs-volume-malware-scan | scanned_items.total_files_scanned_in_gb | Service.EbsVolumeScanDetails.ScanDetections.ScannedItemCount.TotalGb |
+| x-aws-ebs-volume-malware-scan | scanned_items.total_volumes_scanned | Service.EbsVolumeScanDetails.ScanDetections.ScannedItemCount.Volumes |
+| x-aws-ebs-volume-malware-scan | threat_detected_by_name.infected_files_count | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ItemCount |
+| x-aws-ebs-volume-malware-scan | threat_detected_by_name.is_finding_shortened | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.Shortened |
+| x-aws-ebs-volume-malware-scan | threat_detected_by_name.unique_threats_count_based_on_name | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.UniqueThreatNameCount |
+| x-aws-ebs-volume-malware-scan | total_infected_files | Service.EbsVolumeScanDetails.ScanDetections.ThreatsDetectedItemCount.Files |
+| x-aws-ebs-volume-malware-scan | scan_id | Service.EbsVolumeScanDetails.ScanId |
+| x-aws-ebs-volume-malware-scan | scan_started_time | Service.EbsVolumeScanDetails.ScanStartedAt |
+| x-aws-ebs-volume-malware-scan | scan_type | Service.EbsVolumeScanDetails.ScanType |
+| x-aws-ebs-volume-malware-scan | sources | Service.EbsVolumeScanDetails.Sources |
+| x-aws-ebs-volume-malware-scan | triggered_finding_id | Service.EbsVolumeScanDetails.TriggerFindingId |
+|
| | |
+| x-ibm-finding | finding_type | FindingType |
+| x-ibm-finding | x_arn | Arn |
+| x-ibm-finding | confidence | Confidence |
+| x-ibm-finding | description | Description |
+| x-ibm-finding | alert_id | Id |
+| x-ibm-finding | x_schema_version | SchemaVersion |
+| x-ibm-finding | severity | Severity |
+| x-ibm-finding | x_title | Title |
+| x-ibm-finding | name | Type |
+| x-ibm-finding | time_observed | UpdatedAt |
+| x-ibm-finding | x_archived | Service.Archived |
+| x-ibm-finding | event_count | Service.Count |
+| x-ibm-finding | x_detector_id | Service.DetectorId |
+| x-ibm-finding | x_feature_name | Service.FeatureName |
+| x-ibm-finding | x_finding_feedback | Service.UserFeedback |
+| x-ibm-finding | src_application_user_ref | Resource.KubernetesDetails.KubernetesUserDetails.Uid |
+| x-ibm-finding | src_application_user_ref | Resource.KubernetesDetails.KubernetesUserDetails.Username |
+| x-ibm-finding | x_resource_ref | Resource.ResourceType |
+| x-ibm-finding | x_resource_ref | AccountId |
+| x-ibm-finding | x_service_ref | Service.Action.ActionType |
+| x-ibm-finding | x_service_ref | Service.Action.AwsApiCallAction.Api |
+| x-ibm-finding | x_service_ref | Service.Action.RdsLoginAttemptAction.LoginAttributes.Application |
+| x-ibm-finding | x_service_ref | Service.Action.RdsLoginAttemptAction.RemoteIpDetails.IpAddressV4 |
+| x-ibm-finding | x_service_ref | Service.EventFirstSeen |
+|
| | |
+| x-aws-finding-service | action.action_type | Service.Action.ActionType |
+| x-aws-finding-service | action.is_port_probe_blocked | Service.Action.PortProbeAction.Blocked |
+| x-aws-finding-service | action.affected_resources | Service.Action.AwsApiCallAction.AffectedResources |
+| x-aws-finding-service | action.api_called | Service.Action.AwsApiCallAction.Api |
+| x-aws-finding-service | action.caller_type | Service.Action.AwsApiCallAction.CallerType |
+| x-aws-finding-service | action.error_code | Service.Action.AwsApiCallAction.ErrorCode |
+| x-aws-finding-service | action.service_name | Service.Action.AwsApiCallAction.ServiceName |
+| x-aws-finding-service | action.caller_account_id | Service.Action.AwsApiCallAction.RemoteAccountDetails.AccountId |
+| x-aws-finding-service | action.is_caller_account_affiliated_to_aws | Service.Action.AwsApiCallAction.RemoteAccountDetails.Affiliated |
+| x-aws-finding-service | additional_info | Service.AdditionalInfo |
+| x-aws-finding-service | event_first_seen | Service.EventFirstSeen |
+| x-aws-finding-service | event_last_seen | Service.EventLastSeen |
+| x-aws-finding-service | evidence_refs | Service.Evidence.ThreatIntelligenceDetails.GroupEvidenceReferences |
+| x-aws-finding-service | action.network_ref | Service.Action.DnsRequestAction.Protocol |
+| x-aws-finding-service | action.domain_ref | Service.Action.AwsApiCallAction.DomainDetails.Domain |
+| x-aws-finding-service | action.software_ref | Service.Action.AwsApiCallAction.UserAgent |
+| x-aws-finding-service | action.remote_ref |Service.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4 |
+| x-aws-finding-service | action.remote_ref |Service.Action.RdsLoginAttemptAction.RemoteIpDetails.IpAddressV4 |
+| x-aws-finding-service | action.network_ref | Service.Action.NetworkConnectionAction.Protocol |
+| x-aws-finding-service | action.network_ref | Service.Action.KubernetesApiCallAction.Protocol |
+| x-aws-finding-service | ebs_volume_malware_scan_ref | Service.EbsVolumeScanDetails.ScanId |
+|
| | |
+| x-aws-runtime-context | address_family | Service.RuntimeDetails.Context.AddressFamily |
+| x-aws-runtime-context | mounted_file_system_type | Service.RuntimeDetails.Context.FileSystemType |
+| x-aws-runtime-context | flags | Service.RuntimeDetails.Context.Flags |
+| x-aws-runtime-context | iana_protocol_number | Service.RuntimeDetails.Context.IanaProtocolNumber |
+| x-aws-runtime-context | environmental_variables.LD_PRELOAD | Service.RuntimeDetails.Context.LdPreloadValue |
+| x-aws-runtime-context | new_library_path | Service.RuntimeDetails.Context.LibraryPath |
+| x-aws-runtime-context | memory_regions | Service.RuntimeDetails.Context.MemoryRegions |
+| x-aws-runtime-context | process_modified_time | Service.RuntimeDetails.Context.ModifiedAt |
+| x-aws-runtime-context | modifying_process_ref | Service.RuntimeDetails.Context.ModifyingProcess.Name |
+| x-aws-runtime-context | module_ref | Service.RuntimeDetails.Context.ModuleFilePath |
+| x-aws-runtime-context | module_ref | Service.RuntimeDetails.Context.ModuleName |
+| x-aws-runtime-context | host_path | Service.RuntimeDetails.Context.MountSource |
+| x-aws-runtime-context | container_path | Service.RuntimeDetails.Context.MountTarget |
+| x-aws-runtime-context | release_agent_path | Service.RuntimeDetails.Context.ReleaseAgentPath |
+| x-aws-runtime-context | runc_implementation_path | Service.RuntimeDetails.Context.RuncBinaryPath |
+| x-aws-runtime-context | script_path | Service.RuntimeDetails.Context.ScriptPath |
+| x-aws-runtime-context | shell_history_file_path | Service.RuntimeDetails.Context.ShellHistoryFilePath |
+| x-aws-runtime-context | socket_path | Service.RuntimeDetails.Context.SocketPath |
+|
| | |
+| x-aws-threat | total_files_infected | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.ItemCount |
+| x-aws-threat | threat_name | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.Name |
+| x-aws-threat | severity | Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.Severity |
+|
| | |
+| x-aws-evidence | threat_intelligence_list_name | Service.Evidence.ThreatIntelligenceDetails.ThreatListName |
+| x-aws-evidence | threat_names | Service.Evidence.ThreatIntelligenceDetails.ThreatNames |
+|
| | |
\ No newline at end of file
diff --git a/stix_shifter_modules/aws_guardduty/configuration/config.json b/stix_shifter_modules/aws_guardduty/configuration/config.json
new file mode 100644
index 000000000..af8480259
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/configuration/config.json
@@ -0,0 +1,34 @@
+{
+ "connection": {
+ "type": {
+ "displayName": "AWS GuardDuty",
+ "group": "aws"
+ },
+ "region": {
+ "type": "text"
+ },
+ "help": {
+ "type": "link",
+ "default": "data-sources.html"
+ },
+ "detector_ids": {
+ "type": "text",
+ "optional": true
+ }
+ },
+ "configuration": {
+ "auth": {
+ "type" : "fields",
+ "aws_access_key_id": {
+ "type": "password"
+ },
+ "aws_iam_role": {
+ "type": "password",
+ "optional": true
+ },
+ "aws_secret_access_key": {
+ "type": "password"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/aws_guardduty/configuration/lang_en.json b/stix_shifter_modules/aws_guardduty/configuration/lang_en.json
new file mode 100644
index 000000000..0616d98bc
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/configuration/lang_en.json
@@ -0,0 +1,32 @@
+{
+ "connection": {
+ "region": {
+ "label": "AWS GuardDuty Region Name",
+ "description": "Specify the region name of the GuardDuty data source"
+ },
+ "help": {
+ "label": "Need additional help?",
+ "description": "More details on the data source setting can be found in the specified link"
+ },
+ "detector_ids": {
+ "label": "Detector Ids",
+ "description": "Specify one or more detectors ids of the GuardDuty separated by comma. Example: DetectorId1,DetectorId2"
+ }
+ },
+ "configuration": {
+ "auth": {
+ "aws_access_key_id": {
+ "label": "AWS access key ID",
+ "description": "AWS Access Key ID is required for both AWS key-based and role-based authentication"
+ },
+ "aws_iam_role": {
+ "label": "AWS IAM role",
+ "description": "AWS IAM Role is required for only AWS role-based authentication"
+ },
+ "aws_secret_access_key": {
+ "label": "AWS secret access key",
+ "description": "AWS Secret Access Key ID is required for both AWS key-based and role-based authentication"
+ }
+ }
+ }
+}
\ No newline at end of file
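Review bot: The description for `aws_secret_access_key` reads "AWS Secret Access Key ID is required …", but the AWS credential pair is an Access Key ID plus a Secret Access Key; there is no "Secret Access Key ID", and the mislabel makes it easy to paste the wrong half of the pair into this masked field. Suggest `"description": "AWS Secret Access Key is required for both AWS key-based and role-based authentication"`. The `detector_ids` description has a small grammar slip as well, `"Specify one or more detector IDs of GuardDuty, separated by commas. Example: DetectorId1,DetectorId2"`.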
diff --git a/stix_shifter_modules/aws_guardduty/entry_point.py b/stix_shifter_modules/aws_guardduty/entry_point.py
new file mode 100644
index 000000000..607486410
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/entry_point.py
@@ -0,0 +1,11 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+ def __init__(self, connection={}, configuration={}, options={}):
+ super().__init__(connection, configuration, options)
+ self.set_async(False)
+ if connection:
+ self.setup_transmission_basic(connection, configuration)
+ self.setup_translation_simple(dialect_default='default')
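Review bot: `__init__` uses mutable default arguments (`connection={}, configuration={}, options={}`); the three dict objects are created once at class definition and shared by every `EntryPoint()` constructed with defaults, so any later mutation by the base class or the transmission/translation setup would leak across instances. The `if connection:` guard works unchanged with `None` defaults, and `super().__init__` still receives dicts if `BaseEntryPoint` expects them (its signature is outside this diff, so that is an assumption to confirm). Suggest normalising to fresh dicts per call as below.
```python
class EntryPoint(BaseEntryPoint):

    def __init__(self, connection=None, configuration=None, options=None):
        # Fresh dicts per call: a shared `{}` default would be aliased by every
        # EntryPoint built with the defaults.
        connection = connection if connection is not None else {}
        configuration = configuration if configuration is not None else {}
        options = options if options is not None else {}
        super().__init__(connection, configuration, options)
        # … unchanged: set_async / setup_transmission_basic / setup_translation_simple …
```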
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/__init__.py b/stix_shifter_modules/aws_guardduty/stix_translation/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/config_map.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/config_map.json
new file mode 100644
index 000000000..0af3ffac4
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/config_map.json
@@ -0,0 +1,53 @@
+{
+ "int_supported_fields": [
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn",
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn",
+ "service.action.networkConnectionAction.localPortDetails.port",
+ "service.action.networkConnectionAction.remotePortDetails.port",
+ "confidence",
+ "severity"
+ ],
+ "enum_supported_fields": [
+ "service.action.actionType",
+ "resource.resourceType",
+ "service.action.networkConnectionAction.connectionDirection",
+ "service.action.networkConnectionAction.protocol",
+ "service.resourceRole",
+ "resource.s3BucketDetails.publicAccess.effectivePermission",
+ "resource.s3BucketDetails.type",
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity"
+ ],
+ "boolean_supported_fields": [
+ "service.action.networkConnectionAction.blocked",
+ "service.archived",
+ "service.action.awsApiCallAction.RemoteAccountDetails.affiliated"
+ ],
+ "enum_supported_values": {
+ "service.action.actionType": [
+ "NETWORK_CONNECTION", "PORT_PROBE", "DNS_REQUEST", "AWS_API_CALL", "RDS_LOGIN_ATTEMPT",
+ "KUBERNETES_API_CALL"
+ ],
+ "resource.resourceType": [
+ "Instance", "AccessKey", "S3Bucket", "EKSCluster", "ECSCluster",
+ "Container", "RDSDBInstance", "Lambda"
+ ],
+ "service.action.networkConnectionAction.connectionDirection": [
+ "INBOUND","OUTBOUND"
+ ],
+ "service.action.networkConnectionAction.protocol": [
+ "GRE","ICMP","TCP","UDP"
+ ],
+ "service.resourceRole": [
+ "ACTOR", "TARGET"
+ ],
+ "resource.s3BucketDetails.publicAccess.effectivePermission": [
+ "PUBLIC", "NOT_PUBLIC"
+ ],
+ "resource.s3BucketDetails.type": [
+ "Destination", "Source"
+ ],
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity": [
+ "HIGH", "MEDIUM"
+ ]
+ }
+}
\ No newline at end of file
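Review bot: The `boolean_supported_fields` entry `service.action.awsApiCallAction.RemoteAccountDetails.affiliated` spells `RemoteAccountDetails` with a capital R while every other key in this file is camelCase (`remoteIpDetails`, `localPortDetails`, `publicAccess`), and the same capitalised spelling is repeated in from_stix_map.json for `action.is_caller_account_affiliated_to_aws`, whereas `action.caller_account_id` in that file uses `remoteAccountDetails.accountId`. If GuardDuty filter criteria match field names case-sensitively, as the consistent camelCase of the remaining keys suggests, a comparison on this attribute would be typed as boolean correctly but never match a finding. Suggest `"service.action.awsApiCallAction.remoteAccountDetails.affiliated"` here and in from_stix_map.json, and a unit test that round-trips a pattern on `x-aws-finding-service:action.is_caller_account_affiliated_to_aws`.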
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/from_stix_map.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/from_stix_map.json
new file mode 100644
index 000000000..d1e561f77
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/from_stix_map.json
@@ -0,0 +1,397 @@
+{
+ "ipv4-addr": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress",
+ "resource.instanceDetails.networkInterfaces.publicIp",
+ "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
+ "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4",
+ "service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "x_geo_ref.country_name": [
+ "service.action.networkConnectionAction.remoteIpDetails.country.countryName",
+ "service.action.awsApiCallAction.remoteIpDetails.country.countryName"
+ ],
+ "belongs_to_refs[*].number": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn"
+ ]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.ipv6Addresses"
+ ]
+ }
+ },
+ "autonomous-system": {
+ "fields": {
+ "number": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn"
+ ],
+ "name": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg"
+ ]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_port": [
+ "service.action.networkConnectionAction.localPortDetails.port"
+ ],
+ "dst_port": [
+ "service.action.networkConnectionAction.remotePortDetails.port"
+ ],
+ "protocols[*]": [
+ "service.action.networkConnectionAction.protocol"
+ ],
+ "src_ref.value": [
+ "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress"
+ ],
+ "dst_ref.value": [
+ "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
+ "service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "x_is_target_port_blocked": [
+ "service.action.networkConnectionAction.blocked"
+ ],
+ "x_direction": [
+ "service.action.networkConnectionAction.connectionDirection"
+ ],
+ "extensions.'http-request-ext'.request_value": [
+ "service.action.kubernetesApiCallAction.requestUri"
+ ]
+ }
+ },
+ "user-account": {
+ "fields": {
+ "user_id": [
+ "resource.accessKeyDetails.principalId"
+ ],
+ "x_access_key_id": [
+ "resource.accessKeyDetails.accessKeyId"
+ ],
+ "display_name": [
+ "resource.accessKeyDetails.userName",
+ "resource.kubernetesDetails.kubernetesUserDetails.username"
+ ],
+ "x_user_type": [
+ "resource.accessKeyDetails.userType"
+ ]
+ }
+ },
+ "domain-name": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.publicDnsName",
+ "service.action.dnsRequestAction.domain"
+ ]
+ }
+ },
+ "process": {
+ "fields": {
+ "name": [
+ "service.runtimeDetails.process.name"
+ ],
+ "binary_ref.hashes.'SHA-256'": [
+ "service.runtimeDetails.process.executableSha256"
+ ]
+ }
+ },
+ "file": {
+ "fields": {
+ "hashes.'SHA-256'": [
+ "service.runtimeDetails.process.executableSha256",
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "x_path": [
+ "service.runtimeDetails.process.executablePath"
+ ],
+ "hashes.'SHA-1'": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "hashes.MD5": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "x_unknown_hash": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ]
+ }
+ },
+ "x-oca-geo": {
+ "fields": {
+ "country_name": [
+ "service.action.networkConnectionAction.remoteIpDetails.country.countryName",
+ "service.action.awsApiCallAction.remoteIpDetails.country.countryName"
+ ],
+ "city_name": [
+ "service.action.awsApiCallAction.remoteIpDetails.city.cityName",
+ "service.action.networkConnectionAction.remoteIpDetails.city.cityName"
+ ]
+ }
+ },
+ "x-aws-resource": {
+ "fields": {
+ "account_id": [
+ "accountId"
+ ],
+ "region": [
+ "region"
+ ],
+ "instance_ref.image_id": [
+ "resource.instanceDetails.imageId"
+ ],
+ "s3_bucket_refs[*].name": [
+ "resource.s3BucketDetails.name"
+ ],
+ "rds_database_ref.instance_id": [
+ "resource.rdsDbInstanceDetails.dbInstanceIdentifier"
+ ],
+ "rds_database_ref.cluster_id": [
+ "resource.rdsDbInstanceDetails.dbClusterIdentifier"
+ ],
+ "access_key_ref.user_id": [
+ "resource.accessKeyDetails.principalId"
+ ],
+ "lambda_details_ref.function_name": [
+ "resource.lambdaDetails.functionName"
+ ],
+ "ecs_cluster_ref.name": [
+ "resource.ecsClusterDetails.name"
+ ],
+ "eks_cluster_ref.name": [
+ "resource.eksClusterDetails.name"
+ ],
+ "resource_type": [
+ "resource.resourceType"
+ ],
+ "resource_role": [
+ "service.resourceRole"
+ ]
+ }
+ },
+ "x-aws-instance": {
+ "fields": {
+ "image_id": [
+ "resource.instanceDetails.imageId"
+ ],
+ "profile_id": [
+ "resource.instanceDetails.iamInstanceProfile.id"
+ ],
+ "instance": [
+ "resource.instanceDetails.instanceId"
+ ],
+ "tag_key": [
+ "resource.instanceDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.instanceDetails.tags.value"
+ ],
+ "outpost_arn": [
+ "resource.instanceDetails.outpostArn"
+ ]
+ }
+ },
+ "x-aws-network-interface": {
+ "fields": {
+ "security_group_id": [
+ "resource.instanceDetails.networkInterfaces.securityGroups.groupId"
+ ],
+ "security_group_name": [
+ "resource.instanceDetails.networkInterfaces.securityGroups.groupName"
+ ],
+ "subnet_id": [
+ "resource.instanceDetails.networkInterfaces.subnetId"
+ ],
+ "vpc_id": [
+ "resource.instanceDetails.networkInterfaces.vpcId"
+ ]
+ }
+ },
+ "x-aws-s3-bucket": {
+ "fields": {
+ "name": [
+ "resource.s3BucketDetails.name"
+ ],
+ "bucket_permission": [
+ "resource.s3BucketDetails.publicAccess.effectivePermission"
+ ],
+ "tag_key": [
+ "resource.s3BucketDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.s3BucketDetails.tags.value"
+ ],
+ "bucket_type": [
+ "resource.s3BucketDetails.type"
+ ]
+ }
+ },
+ "x-aws-rds-db-instance": {
+ "fields": {
+ "cluster_id": [
+ "resource.rdsDbInstanceDetails.dbClusterIdentifier"
+ ],
+ "engine": [
+ "resource.rdsDbInstanceDetails.engine"
+ ],
+ "instance_id": [
+ "resource.rdsDbInstanceDetails.dbInstanceIdentifier"
+ ],
+ "tag_key": [
+ "resource.rdsDbInstanceDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.rdsDbInstanceDetails.tags.value"
+ ],
+ "anomalous_login_user_ref.user_name": [
+ "resource.rdsDbUserDetails.user"
+ ]
+ }
+ },
+ "x-aws-rds-db-user": {
+ "fields": {
+ "user_name": [
+ "resource.rdsDbUserDetails.user"
+ ]
+ }
+ },
+ "x-aws-lambda": {
+ "fields": {
+ "function_arn": [
+ "resource.lambdaDetails.functionArn"
+ ],
+ "function_name": [
+ "resource.lambdaDetails.functionName"
+ ],
+ "tag_key": [
+ "resource.lambdaDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.lambdaDetails.tags.value"
+ ]
+ }
+ },
+ "x-aws-ecs-cluster": {
+ "fields": {
+ "name": [
+ "resource.ecsClusterDetails.name"
+ ],
+ "task.definition_arn": [
+ "resource.ecsClusterDetails.taskDetails.definitionArn"
+ ]
+ }
+ },
+ "x-aws-container": {
+ "fields": {
+ "image": [
+ "resource.ecsClusterDetails.taskDetails.containers.image",
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image",
+ "resource.containerDetails.image"
+ ],
+ "image_prefix": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix"
+ ]
+ }
+ },
+ "x-aws-kubernetes-workload": {
+ "fields": {
+ "workload_name": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.name"
+ ],
+ "workload_namespace": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.namespace"
+ ]
+ }
+ },
+ "x-aws-eks-cluster": {
+ "fields": {
+ "name": [
+ "resource.eksClusterDetails.name"
+ ]
+ }
+ },
+ "x-aws-ebs-volume-malware-scan": {
+ "fields": {
+ "scan_id": [
+ "service.ebsVolumeScanDetails.scanId"
+ ]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "confidence": [
+ "confidence"
+ ],
+ "alert_id": [
+ "id"
+ ],
+ "x_archived": [
+ "service.archived"
+ ],
+ "severity": [
+ "severity"
+ ],
+ "name": [
+ "type"
+ ],
+ "x_resource_ref.resource_type": [
+ "resource.resourceType"
+ ],
+ "src_application_user_ref.display_name": [
+ "resource.kubernetesDetails.kubernetesUserDetails.username"
+ ]
+ }
+ },
+ "x-aws-finding-service": {
+ "fields": {
+ "action.action_type": [
+ "service.action.actionType"
+ ],
+ "action.api_called": [
+ "service.action.awsApiCallAction.api"
+ ],
+ "action.caller_account_id": [
+ "service.action.awsApiCallAction.remoteAccountDetails.accountId"
+ ],
+ "action.caller_type": [
+ "service.action.awsApiCallAction.callerType"
+ ],
+ "action.service_name": [
+ "service.action.awsApiCallAction.serviceName"
+ ],
+ "action.remote_ref.value": [
+ "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "action.error_code": [
+ "service.action.awsApiCallAction.errorCode"
+ ],
+ "action.is_caller_account_affiliated_to_aws": [
+ "service.action.awsApiCallAction.RemoteAccountDetails.affiliated"
+ ],
+ "additional_info": [
+ "service.additionalInfo.threatListName"
+ ]
+ }
+ },
+ "x-aws-threat": {
+ "fields": {
+ "threat_name": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name"
+ ],
+ "severity": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity"
+ ]
+ }
+ },
+ "x-aws-evidence": {
+ "fields": {
+ "threat_intelligence_list_name": [
+ "service.additionalInfo.threatListName"
+ ]
+ }
+ }
+}
\ No newline at end of file
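Review bot: Under `file`, the four keys `hashes.'SHA-256'`, `hashes.'SHA-1'`, `hashes.MD5` and `x_unknown_hash` all translate to the same `service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash` field, so the hash algorithm named in a STIX pattern is dropped and an MD5 pattern and a SHA-256 pattern produce the same filter. That is defensible if GuardDuty exposes a single untyped hash per file path, which the `x_unknown_hash` attribute hints at, but it should be stated in the README's from-STIX notes so analysts do not expect the algorithm to narrow results. Separately, `x-aws-evidence.threat_intelligence_list_name` queries `service.additionalInfo.threatListName` while the README's to-STIX table maps that attribute from `Service.Evidence.ThreatIntelligenceDetails.ThreatListName`; if both are intentional, a one-line note that the from- and to-STIX paths differ for this attribute would save the next maintainer a search.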
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/operators.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/operators.json
new file mode 100644
index 000000000..849c04d60
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/operators.json
@@ -0,0 +1,13 @@
+{
+ "ComparisonExpressionOperators.And": "and",
+ "ComparisonExpressionOperators.Or": "or",
+ "ComparisonComparators.GreaterThan": "GreaterThan",
+ "ComparisonComparators.GreaterThanOrEqual": "GreaterThanOrEqual",
+ "ComparisonComparators.LessThan": "LessThan",
+ "ComparisonComparators.LessThanOrEqual": "LessThanOrEqual",
+ "ComparisonComparators.Equal": "Equals",
+ "ComparisonComparators.NotEqual": "NotEquals",
+ "ComparisonComparators.In": "Equals",
+ "ObservationOperators.Or": "or",
+ "ObservationOperators.And": "or"
+}
\ No newline at end of file
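Review bot: `ObservationOperators.And` is mapped to `"or"`, so a pattern that joins two observation expressions with AND is searched as a union of both, not as a record satisfying both; if this follows the convention other connectors use it is fine, but the README's pattern-expression section should state it explicitly so analysts do not read an AND-joined pattern as a conjunctive filter. `ComparisonComparators.In` is likewise mapped to `"Equals"`, which presumably relies on the query constructor expanding an IN list into a disjunction of equality terms; a sentence noting that in the README would save the next maintainer from reading it as a bug. JSON cannot carry a comment, so the README is the right place for both.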
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/from_stix_map.json
new file mode 100644
index 000000000..d5fbe990f
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/from_stix_map.json
@@ -0,0 +1,394 @@
+{
+ "ipv4-addr": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress",
+ "resource.instanceDetails.networkInterfaces.publicIp",
+ "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
+ "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4",
+ "service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "x_geo_ref.country_name": [
+ "service.action.networkConnectionAction.remoteIpDetails.country.countryName",
+ "service.action.awsApiCallAction.remoteIpDetails.country.countryName"
+ ],
+ "belongs_to_refs[*].number": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn"
+ ]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.ipv6Addresses"
+ ]
+ }
+ },
+ "autonomous-system": {
+ "fields": {
+ "number": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn"
+ ],
+ "name": [
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg",
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg"
+ ]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_port": [
+ "service.action.networkConnectionAction.localPortDetails.port"
+ ],
+ "dst_port": [
+ "service.action.networkConnectionAction.remotePortDetails.port"
+ ],
+ "protocols[*]": [
+ "service.action.networkConnectionAction.protocol"
+ ],
+ "src_ref.value": [
+ "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress"
+ ],
+ "dst_ref.value": [
+ "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
+ "service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "x_is_target_port_blocked": [
+ "service.action.networkConnectionAction.blocked"
+ ],
+ "x_direction": [
+ "service.action.networkConnectionAction.connectionDirection"
+ ],
+ "extensions.'http-request-ext'.request_value": [
+ "service.action.kubernetesApiCallAction.requestUri"
+ ]
+ }
+ },
+ "user-account": {
+ "fields": {
+ "user_id": [
+ "resource.accessKeyDetails.principalId"
+ ],
+ "x_access_key_id": [
+ "resource.accessKeyDetails.accessKeyId"
+ ],
+ "display_name": [
+ "resource.accessKeyDetails.userName",
+ "resource.kubernetesDetails.kubernetesUserDetails.username"
+ ],
+ "x_user_type": [
+ "resource.accessKeyDetails.userType"
+ ]
+ }
+ },
+ "domain-name": {
+ "fields": {
+ "value": [
+ "resource.instanceDetails.networkInterfaces.publicDnsName",
+ "service.action.dnsRequestAction.domain"
+ ]
+ }
+ },
+ "process": {
+ "fields": {
+ "binary_ref.hashes.'SHA-256'": [
+ "service.runtimeDetails.process.executableSha256"
+ ]
+ }
+ },
+ "file": {
+ "fields": {
+ "hashes.'SHA-256'": [
+ "service.runtimeDetails.process.executableSha256",
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "x_path": [
+ "service.runtimeDetails.process.executablePath"
+ ],
+ "hashes.'SHA-1'": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "hashes.MD5": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ],
+ "x_unknown_hash": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash"
+ ]
+ }
+ },
+ "x-oca-geo": {
+ "fields": {
+ "country_name": [
+ "service.action.networkConnectionAction.remoteIpDetails.country.countryName",
+ "service.action.awsApiCallAction.remoteIpDetails.country.countryName"
+ ],
+ "city_name": [
+ "service.action.awsApiCallAction.remoteIpDetails.city.cityName",
+ "service.action.networkConnectionAction.remoteIpDetails.city.cityName"
+ ]
+ }
+ },
+ "x-aws-resource": {
+ "fields": {
+ "account_id": [
+ "accountId"
+ ],
+ "region": [
+ "region"
+ ],
+ "instance_ref.image_id": [
+ "resource.instanceDetails.imageId"
+ ],
+ "s3_bucket_refs[*].name": [
+ "resource.s3BucketDetails.name"
+ ],
+ "rds_database_ref.instance_id": [
+ "resource.rdsDbInstanceDetails.dbInstanceIdentifier"
+ ],
+ "rds_database_ref.cluster_id": [
+ "resource.rdsDbInstanceDetails.dbClusterIdentifier"
+ ],
+ "access_key_ref.user_id": [
+ "resource.accessKeyDetails.principalId"
+ ],
+ "lambda_details_ref.function_name": [
+ "resource.lambdaDetails.functionName"
+ ],
+ "ecs_cluster_ref.name": [
+ "resource.ecsClusterDetails.name"
+ ],
+ "eks_cluster_ref.name": [
+ "resource.eksClusterDetails.name"
+ ],
+ "resource_type": [
+ "resource.resourceType"
+ ],
+ "resource_role": [
+ "service.resourceRole"
+ ]
+ }
+ },
+ "x-aws-instance": {
+ "fields": {
+ "image_id": [
+ "resource.instanceDetails.imageId"
+ ],
+ "profile_id": [
+ "resource.instanceDetails.iamInstanceProfile.id"
+ ],
+ "instance": [
+ "resource.instanceDetails.instanceId"
+ ],
+ "tag_key": [
+ "resource.instanceDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.instanceDetails.tags.value"
+ ],
+ "outpost_arn": [
+ "resource.instanceDetails.outpostArn"
+ ]
+ }
+ },
+ "x-aws-network-interface": {
+ "fields": {
+ "security_group_id": [
+ "resource.instanceDetails.networkInterfaces.securityGroups.groupId"
+ ],
+ "security_group_name": [
+ "resource.instanceDetails.networkInterfaces.securityGroups.groupName"
+ ],
+ "subnet_id": [
+ "resource.instanceDetails.networkInterfaces.subnetId"
+ ],
+ "vpc_id": [
+ "resource.instanceDetails.networkInterfaces.vpcId"
+ ]
+ }
+ },
+ "x-aws-s3-bucket": {
+ "fields": {
+ "name": [
+ "resource.s3BucketDetails.name"
+ ],
+ "bucket_permission": [
+ "resource.s3BucketDetails.publicAccess.effectivePermission"
+ ],
+ "tag_key": [
+ "resource.s3BucketDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.s3BucketDetails.tags.value"
+ ],
+ "bucket_type": [
+ "resource.s3BucketDetails.type"
+ ]
+ }
+ },
+ "x-aws-rds-db-instance": {
+ "fields": {
+ "cluster_id": [
+ "resource.rdsDbInstanceDetails.dbClusterIdentifier"
+ ],
+ "engine": [
+ "resource.rdsDbInstanceDetails.engine"
+ ],
+ "instance_id": [
+ "resource.rdsDbInstanceDetails.dbInstanceIdentifier"
+ ],
+ "tag_key": [
+ "resource.rdsDbInstanceDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.rdsDbInstanceDetails.tags.value"
+ ],
+ "anomalous_login_user_ref.user_name": [
+ "resource.rdsDbUserDetails.user"
+ ]
+ }
+ },
+ "x-aws-rds-db-user": {
+ "fields": {
+ "user_name": [
+ "resource.rdsDbUserDetails.user"
+ ]
+ }
+ },
+ "x-aws-lambda": {
+ "fields": {
+ "function_arn": [
+ "resource.lambdaDetails.functionArn"
+ ],
+ "function_name": [
+ "resource.lambdaDetails.functionName"
+ ],
+ "tag_key": [
+ "resource.lambdaDetails.tags.key"
+ ],
+ "tag_value": [
+ "resource.lambdaDetails.tags.value"
+ ]
+ }
+ },
+ "x-aws-ecs-cluster": {
+ "fields": {
+ "name": [
+ "resource.ecsClusterDetails.name"
+ ],
+ "task.definition_arn": [
+ "resource.ecsClusterDetails.taskDetails.definitionArn"
+ ]
+ }
+ },
+ "x-aws-container": {
+ "fields": {
+ "image": [
+ "resource.ecsClusterDetails.taskDetails.containers.image",
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image",
+ "resource.containerDetails.image"
+ ],
+ "image_prefix": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix"
+ ]
+ }
+ },
+ "x-aws-kubernetes-workload": {
+ "fields": {
+ "workload_name": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.name"
+ ],
+ "workload_namespace": [
+ "resource.kubernetesDetails.kubernetesWorkloadDetails.namespace"
+ ]
+ }
+ },
+ "x-aws-eks-cluster": {
+ "fields": {
+ "name": [
+ "resource.eksClusterDetails.name"
+ ]
+ }
+ },
+ "x-aws-ebs-volume-malware-scan": {
+ "fields": {
+ "scan_id": [
+ "service.ebsVolumeScanDetails.scanId"
+ ]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "confidence": [
+ "confidence"
+ ],
+ "alert_id": [
+ "id"
+ ],
+ "x_archived": [
+ "service.archived"
+ ],
+ "x_severity": [
+ "severity"
+ ],
+ "name": [
+ "type"
+ ],
+ "x_resource_ref.resource_type": [
+ "resource.resourceType"
+ ],
+ "src_application_user_ref.display_name": [
+ "resource.kubernetesDetails.kubernetesUserDetails.username"
+ ]
+ }
+ },
+ "x-aws-finding-service": {
+ "fields": {
+ "x_action.action_type": [
+ "service.action.actionType"
+ ],
+ "x_action.api_called": [
+ "service.action.awsApiCallAction.api"
+ ],
+ "x_action.caller_account_id": [
+ "service.action.awsApiCallAction.remoteAccountDetails.accountId"
+ ],
+ "x_action.caller_type": [
+ "service.action.awsApiCallAction.callerType"
+ ],
+ "x_action.service_name": [
+ "service.action.awsApiCallAction.serviceName"
+ ],
+ "x_action.remote_ref.value": [
+ "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"
+ ],
+ "x_action.error_code": [
+ "service.action.awsApiCallAction.errorCode"
+ ],
+ "x_action.is_caller_account_affiliated_to_aws": [
+ "service.action.awsApiCallAction.RemoteAccountDetails.affiliated"
+ ],
+ "additional_info": [
+ "service.additionalInfo.threatListName"
+ ]
+ }
+ },
+ "x-aws-threat": {
+ "fields": {
+ "threat_name": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name"
+ ],
+ "x_severity": [
+ "service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity"
+ ]
+ }
+ },
+ "x-aws-evidence": {
+ "fields": {
+ "threat_intelligence_list_name": [
+ "service.additionalInfo.threatListName"
+ ]
+ }
+ }
+}
\ No newline at end of file
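Review bot: The `x_action.is_caller_account_affiliated_to_aws` entry maps to `service.action.awsApiCallAction.RemoteAccountDetails.affiliated`, while the sibling `x_action.caller_account_id` entry uses `service.action.awsApiCallAction.remoteAccountDetails.accountId`; the capitalised `RemoteAccountDetails` looks like a typo and, if the backend matches field paths case-sensitively, a pattern on that STIX attribute would silently match nothing. Suggest `"service.action.awsApiCallAction.remoteAccountDetails.affiliated"`. The same capitalisation appears in the stix_2_0 from_stix_map under `action.is_caller_account_affiliated_to_aws`. Separately, `hashes.'SHA-256'`, `hashes.'SHA-1'`, `hashes.MD5` and `x_unknown_hash` under `file` all resolve to the same `...filePaths.hash` field, so a pattern on any hash algorithm queries the same value; that is reasonable if GuardDuty does not label the hash type, but it deserves a line in the README so users know an MD5 pattern and a SHA-256 pattern are not distinguished.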
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/to_stix_map.json
new file mode 100644
index 000000000..1c81314d8
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/stix_2_1/to_stix_map.json
@@ -0,0 +1,2421 @@
+{
+ "FindingType": {
+ "key": "x-ibm-finding.finding_type",
+ "object": "finding"
+ },
+ "AccountId": [
+ {
+ "key": "x-aws-resource.account_id",
+ "object": "resource"
+ },
+ {
+ "key": "x-ibm-finding.x_resource_ref",
+ "object": "finding",
+ "references": "resource"
+ }
+ ],
+ "Arn": {
+ "key": "x-ibm-finding.x_arn",
+ "object": "finding"
+ },
+ "Confidence": {
+ "key": "x-ibm-finding.confidence",
+ "object": "finding"
+ },
+ "CreatedAt": {
+ "key": "first_observed"
+ },
+ "Description": {
+ "key": "x-ibm-finding.description",
+ "object": "finding"
+ },
+ "Id": {
+ "key": "x-ibm-finding.alert_id",
+ "object": "finding"
+ },
+ "Partition": {
+ "key": "x-aws-resource.partition",
+ "object": "resource"
+ },
+ "Region": {
+ "key": "x-aws-resource.region",
+ "object": "resource"
+ },
+ "SchemaVersion": {
+ "key": "x-ibm-finding.x_schema_version",
+ "object": "finding"
+ },
+ "Severity": {
+ "key": "x-ibm-finding.x_severity",
+ "object": "finding"
+ },
+ "Title": {
+ "key": "x-ibm-finding.x_title",
+ "object": "finding"
+ },
+ "Type": {
+ "key": "x-ibm-finding.name",
+ "object": "finding"
+ },
+ "UpdatedAt": [
+ {
+ "key": "x-ibm-finding.time_observed",
+ "object": "finding"
+ },
+ {
+ "key": "last_observed"
+ }
+ ],
+ "Resource": {
+ "ResourceType": [
+ {
+ "key": "x-aws-resource.resource_type",
+ "object": "resource"
+ },
+ {
+ "key": "x-ibm-finding.x_resource_ref",
+ "object": "finding",
+ "references": "resource"
+ }
+ ],
+ "AccessKeyDetails": {
+ "AccessKeyId": {
+ "key": "user-account.x_access_key_id",
+ "object": "access_user"
+ },
+ "PrincipalId": [
+ {
+ "key": "user-account.user_id",
+ "object": "access_user"
+ },
+ {
+ "key": "x-aws-resource.access_key_ref",
+ "object": "resource",
+ "references": "access_user"
+ }
+ ],
+ "UserName": {
+ "key": "user-account.display_name",
+ "object": "access_user"
+ },
+ "UserType": {
+ "key": "user-account.x_user_type",
+ "object": "access_user"
+ }
+ },
+ "EbsVolumeDetails": {
+ "ScannedVolumeDetails": {
+ "DeviceName": {
+ "key": "x-aws-ebs-volume-scanned.device_name",
+ "object": "ebsvolume_scanned"
+ },
+ "EncryptionType": {
+ "key": "x-aws-ebs-volume-scanned.encryption_type",
+ "object": "ebsvolume_scanned"
+ },
+ "KmsKeyArn": {
+ "key": "x-aws-ebs-volume-scanned.kms_key_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "SnapshotArn": {
+ "key": "x-aws-ebs-volume-scanned.snapshot_key_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeArn": {
+ "key": "x-aws-ebs-volume-scanned.volume_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeSizeInGB": {
+ "key": "x-aws-ebs-volume-scanned.volume_size",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeType": {
+ "key": "x-aws-ebs-volume-scanned.volume_type",
+ "object": "ebsvolume_scanned"
+ },
+ "GroupEbsVolumeScannedReferences": {
+ "key": "x-aws-resource.ebs_volume.scanned_refs",
+ "object": "resource",
+ "references": [
+ "ebsvolume_scanned"
+ ],
+ "group_ref": true
+ }
+ },
+ "SkippedVolumeDetails": {
+ "DeviceName": {
+ "key": "x-aws-ebs-volume-skipped.device_name",
+ "object": "ebsvolume_skipped"
+ },
+ "EncryptionType": {
+ "key": "x-aws-ebs-volume-skipped.encryption_type",
+ "object": "ebsvolume_skipped"
+ },
+ "KmsKeyArn": {
+ "key": "x-aws-ebs-volume-skipped.kms_key_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "SnapshotArn": {
+ "key": "x-aws-ebs-volume-skipped.snapshot_key_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeArn": {
+ "key": "x-aws-ebs-volume-skipped.volume_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeSizeInGB": {
+ "key": "x-aws-ebs-volume-skipped.volume_size",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeType": {
+ "key": "x-aws-ebs-volume-skipped.volume_type",
+ "object": "ebsvolume_skipped"
+ },
+ "GroupEbsVolumeSkippedReferences": {
+ "key": "x-aws-resource.ebs_volume.skipped_refs",
+ "object": "resource",
+ "references": [
+ "ebsvolume_skipped"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "ContainerDetails": {
+ "ContainerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "container"
+ },
+ "Id": [
+ {
+ "key": "x-aws-container.container_id",
+ "object": "container"
+ },
+ {
+ "key": "x-aws-resource.standalone_container_ref",
+ "object": "resource",
+ "references": "container"
+ }
+ ],
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "container",
+ "references": [
+ "container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "EcsClusterDetails": {
+ "ActiveServicesCount": {
+ "key": "x-aws-ecs-cluster.active_services_count",
+ "object": "ecs_cluster"
+ },
+ "Arn": {
+ "key": "x-aws-ecs-cluster.cluster_arn",
+ "object": "ecs_cluster"
+ },
+ "Name": [
+ {
+ "key": "x-aws-ecs-cluster.name",
+ "object": "ecs_cluster"
+ },
+ {
+ "key": "x-aws-resource.ecs_cluster_ref",
+ "object": "resource",
+ "references": "ecs_cluster"
+ }
+ ],
+ "RegisteredContainerInstancesCount": {
+ "key": "x-aws-ecs-cluster.container_instances_registered_count",
+ "object": "ecs_cluster"
+ },
+ "RunningTasksCount": {
+ "key": "x-aws-ecs-cluster.running_tasks_count",
+ "object": "ecs_cluster"
+ },
+ "Status": {
+ "key": "x-aws-ecs-cluster.status",
+ "object": "ecs_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-ecs-cluster.tags",
+ "object": "ecs_cluster"
+ },
+ "TaskDetails": {
+ "Arn": {
+ "key": "x-aws-ecs-cluster.task.arn",
+ "object": "ecs_cluster"
+ },
+ "Containers": {
+ "containerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "ecs_cluster_container"
+ },
+ "Id": {
+ "key": "x-aws-container.container_id",
+ "object": "ecs_cluster_container"
+ },
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "ecs_cluster_container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "ecs_cluster_container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "ecs_cluster_container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "ecs_cluster_container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "ecs_cluster_container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "ecs_cluster_container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "ecs_cluster_container",
+ "references": [
+ "ecs_cluster_container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ },
+ "GroupClusterContainerReferences": {
+ "key": "x-aws-ecs-cluster.task.container_refs",
+ "object": "ecs_cluster",
+ "references": [
+ "ecs_cluster_container"
+ ],
+ "group_ref": true
+ }
+ },
+ "DefinitionArn": {
+ "key": "x-aws-ecs-cluster.task.definition_arn",
+ "object": "ecs_cluster"
+ },
+ "Group": {
+ "key": "x-aws-ecs-cluster.task.group_name",
+ "object": "ecs_cluster"
+ },
+ "StartedAt": {
+ "key": "x-aws-ecs-cluster.task.started_at",
+ "object": "ecs_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "StartedBy": {
+ "key": "x-aws-ecs-cluster.task.started_by",
+ "object": "ecs_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-ecs-cluster.task.tags",
+ "object": "ecs_cluster"
+ },
+ "CreatedAt": {
+ "key": "x-aws-ecs-cluster.task.created_at",
+ "object": "ecs_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "Version": {
+ "key": "x-aws-ecs-cluster.task.version",
+ "object": "ecs_cluster"
+ },
+ "Volumes": {
+ "key": "x-aws-ecs-cluster.task.volumes",
+ "object": "ecs_cluster"
+ }
+ }
+ },
+ "EksClusterDetails": {
+ "Arn": {
+ "key": "x-aws-eks-cluster.arn",
+ "object": "eks_cluster"
+ },
+ "CreatedAt": {
+ "key": "x-aws-eks-cluster.created_at",
+ "object": "eks_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "Name": [
+ {
+ "key": "x-aws-eks-cluster.name",
+ "object": "eks_cluster"
+ },
+ {
+ "key": "x-aws-resource.eks_cluster_ref",
+ "object": "resource",
+ "references": "eks_cluster"
+ }
+ ],
+ "Status": {
+ "key": "x-aws-eks-cluster.status",
+ "object": "eks_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-eks-cluster.tags",
+ "object": "eks_cluster"
+ },
+ "VpcId": {
+ "key": "x-aws-eks-cluster.vpc_id",
+ "object": "eks_cluster"
+ }
+ },
+ "InstanceDetails": {
+ "AvailabilityZone": {
+ "key": "x-aws-instance.availability_zone",
+ "object": "instance"
+ },
+ "IamInstanceProfile": {
+ "Arn": {
+ "key": "x-aws-instance.instance_arn",
+ "object": "instance"
+ },
+ "Id": {
+ "key": "x-aws-instance.profile_id",
+ "object": "instance"
+ }
+ },
+ "ImageDescription": {
+ "key": "x-aws-instance.image_description",
+ "object": "instance"
+ },
+ "ImageId": [
+ {
+ "key": "x-aws-instance.image_id",
+ "object": "instance"
+ },
+ {
+ "key": "x-aws-resource.instance_ref",
+ "object": "resource",
+ "references": "instance"
+ }
+ ],
+ "InstanceId": [
+ {
+ "key": "x-aws-instance.instance_id",
+ "object": "instance"
+ }
+ ],
+ "InstanceState": {
+ "key": "x-aws-instance.state",
+ "object": "instance"
+ },
+ "InstanceType": {
+ "key": "x-aws-instance.instance_type",
+ "object": "instance"
+ },
+ "LaunchTime": {
+ "key": "x-aws-instance.launch_time",
+ "object": "instance"
+ },
+ "NetworkInterfaces": {
+ "Ipv6Addresses": [
+ {
+ "key": "ipv6-addr.value",
+ "object": "src_ip_v6",
+ "unwrap": true,
+ "transformer": "FilterIPv6List"
+ },
+ {
+ "key": "x-aws-network-interface.ip_refs",
+ "object": "ni",
+ "references": [
+ "src_ip_v6"
+ ]
+ }
+ ],
+ "NetworkInterfaceId": {
+ "key": "x-aws-network-interface.interface_id",
+ "object": "ni"
+ },
+ "PrivateIpAddresses": {
+ "PrivateDnsName": {
+ "key": "domain-name.value",
+ "object": "instance_private_domain"
+ },
+ "PrivateIpAddress": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip_private"
+ },
+ {
+ "key": "domain-name.resolves_to_refs",
+ "object": "instance_private_domain",
+ "references": [
+ "src_ip_private"
+ ]
+ }
+ ],
+ "GroupPrivateDomainReferences": {
+ "key": "x-aws-network-interface.private_domain_refs",
+ "object": "ni",
+ "references": [
+ "instance_private_domain"
+ ],
+ "group_ref": true
+ }
+ },
+ "PublicDnsName": [
+ {
+ "key": "domain-name.value",
+ "object": "instance_public_domain"
+ },
+ {
+ "key": "x-aws-network-interface.public_domain_ref",
+ "object": "ni",
+ "references": "instance_public_domain"
+ }
+ ],
+ "PublicIp": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip_public"
+ },
+ {
+ "key": "domain-name.resolves_to_refs",
+ "object": "instance_public_domain",
+ "references": [
+ "src_ip_public"
+ ]
+ }
+ ],
+ "SecurityGroups": {
+ "key": "x-aws-network-interface.security_groups",
+ "object": "ni"
+ },
+ "SubnetId": {
+ "key": "x-aws-network-interface.subnet_id",
+ "object": "ni"
+ },
+ "VpcId": {
+ "key": "x-aws-network-interface.vpc_id",
+ "object": "ni"
+ },
+ "GroupNetworkInterfaceReferences": {
+ "key": "x-aws-instance.x_network_interface_refs",
+ "object": "instance",
+ "references": [
+ "ni"
+ ],
+ "group_ref": true
+ }
+ },
+ "OutpostArn": {
+ "key": "x-aws-instance.outpost_arn",
+ "object": "instance"
+ },
+ "Platform": [
+ {
+ "key": "software.name",
+ "object": "instance_software"
+ },
+ {
+ "key": "x-aws-instance.os_ref",
+ "object": "instance",
+ "references": "instance_software"
+ }
+ ],
+ "ProductCodes": {
+ "key": "x-aws-instance.product_codes",
+ "object": "instance"
+ },
+ "Tags": {
+ "key": "x-aws-instance.tags",
+ "object": "instance"
+ }
+ },
+ "KubernetesDetails": {
+ "KubernetesUserDetails": {
+ "Groups": {
+ "key": "user-account.x_groups",
+ "object": "kubernetes_user"
+ },
+ "SessionName": {
+ "key": "user-account.x_session_name",
+ "object": "kubernetes_user"
+ },
+ "Uid": [
+ {
+ "key": "user-account.user_id",
+ "object": "kubernetes_user"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_user_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes_user"
+ },
+ {
+ "key": "x-ibm-finding.src_application_user_ref",
+ "object": "finding",
+ "references": "kubernetes_user"
+ }
+ ],
+ "Username": [
+ {
+ "key": "user-account.display_name",
+ "object": "kubernetes_user"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_user_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes_user"
+ },
+ {
+ "key": "x-ibm-finding.src_application_user_ref",
+ "object": "finding",
+ "references": "kubernetes_user"
+ }
+ ]
+ },
+ "KubernetesWorkloadDetails": {
+ "Containers": {
+ "ContainerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "kubernetes_container"
+ },
+ "Id": {
+ "key": "x-aws-container.container_id",
+ "object": "kubernetes_container"
+ },
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "kubernetes_container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "kubernetes_container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "kubernetes_container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "kubernetes_container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "kubernetes_container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "kubernetes_container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "kubernetes_container",
+ "references": [
+ "kubernetes_container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ },
+ "GroupKubernetesContainerReferences": {
+ "key": "x-aws-kubernetes-workload.container_refs",
+ "object": "kubernetes",
+ "references": [
+ "kubernetes_container"
+ ],
+ "group_ref": true
+ }
+ },
+ "HostNetwork": {
+ "key": "x-aws-kubernetes-workload.is_enabled_host_network_for_pods",
+ "object": "kubernetes"
+ },
+ "Name": [
+ {
+ "key": "x-aws-kubernetes-workload.workload_name",
+ "object": "kubernetes"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_workload_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes"
+ }
+ ],
+ "Namespace": {
+ "key": "x-aws-kubernetes-workload.workload_namespace",
+ "object": "kubernetes"
+ },
+ "Type": {
+ "key": "x-aws-kubernetes-workload.workload_type",
+ "object": "kubernetes"
+ },
+ "Uid": {
+ "key": "x-aws-kubernetes-workload.workload_id",
+ "object": "kubernetes"
+ },
+ "Volumes": {
+ "key": "x-aws-kubernetes-workload.volumes",
+ "object": "kubernetes"
+ }
+ }
+ },
+ "RdsDbInstanceDetails": {
+ "DbClusterIdentifier": [
+ {
+ "key": "x-aws-rds-db-instance.cluster_id",
+ "object": "rds_db"
+ },
+ {
+ "key": "x-aws-resource.rds_database_ref",
+ "object": "resource",
+ "references": "rds_db"
+ }
+ ],
+ "DbInstanceArn": {
+ "key": "x-aws-rds-db-instance.instance_arn",
+ "object": "rds_db"
+ },
+ "DbInstanceIdentifier": [
+ {
+ "key": "x-aws-rds-db-instance.instance_id",
+ "object": "rds_db"
+ },
+ {
+ "key": "x-aws-resource.rds_database_ref",
+ "object": "resource",
+ "references": "rds_db"
+ }
+ ],
+ "Engine": {
+ "key": "x-aws-rds-db-instance.engine",
+ "object": "rds_db"
+ },
+ "EngineVersion": {
+ "key": "x-aws-rds-db-instance.engine_version",
+ "object": "rds_db"
+ },
+ "Tags": {
+ "key": "x-aws-rds-db-instance.tags",
+ "object": "rds_db"
+ }
+ },
+ "RdsDbUserDetails": {
+ "Application": [
+ {
+ "key": "x-aws-rds-db-user.application_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "AuthMethod": [
+ {
+ "key": "x-aws-rds-db-user.authentication_method",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "Database": [
+ {
+ "key": "x-aws-rds-db-user.database_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "Ssl": [
+ {
+ "key": "x-aws-rds-db-user.ssl",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "User": [
+ {
+ "key": "x-aws-rds-db-user.user_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ]
+ },
+ "S3BucketDetails": {
+ "Arn": {
+ "key": "x-aws-s3-bucket.arn",
+ "object": "s3"
+ },
+ "CreatedAt": {
+ "key": "x-aws-s3-bucket.created_at",
+ "object": "s3",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "DefaultServerSideEncryption": {
+ "EncryptionType": {
+ "key": "x-aws-s3-bucket.server_side_encryption_type",
+ "object": "s3"
+ },
+ "KmsMasterKeyArn": {
+ "key": "x-aws-s3-bucket.kms_encryption_key_arn",
+ "object": "s3"
+ }
+ },
+ "Name": {
+ "key": "x-aws-s3-bucket.name",
+ "object": "s3"
+ },
+ "Owner": {
+ "Id": {
+ "key": "x-aws-s3-bucket.canonical_id_of_bucket_owner",
+ "object": "s3"
+ }
+ },
+ "PublicAccess": {
+ "EffectivePermission": {
+ "key": "x-aws-s3-bucket.bucket_permission",
+ "object": "s3"
+ },
+ "PermissionConfiguration": {
+ "AccountLevelPermissions": {
+ "BlockPublicAccess": {
+ "BlockPublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.account_level.block_public_acls",
+ "object": "s3"
+ },
+ "BlockPublicPolicy": {
+ "key": "x-aws-s3-bucket.permissions.account_level.block_public_policy",
+ "object": "s3"
+ },
+ "IgnorePublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.account_level.ignore_public_acls",
+ "object": "s3"
+ },
+ "RestrictPublicBuckets": {
+ "key": "x-aws-s3-bucket.permissions.account_level.restrict_public_buckets",
+ "object": "s3"
+ }
+ }
+ },
+ "BucketLevelPermissions": {
+ "AccessControlList": {
+ "AllowsPublicReadAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.access_control_policies.allows_public_read_access",
+ "object": "s3"
+ },
+ "AllowsPublicWriteAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.access_control_policies.allows_public_write_access",
+ "object": "s3"
+ }
+ },
+ "BlockPublicAccess": {
+ "BlockPublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.block_public_acls",
+ "object": "s3"
+ },
+ "BlockPublicPolicy": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.block_public_policy",
+ "object": "s3"
+ },
+ "IgnorePublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.ignore_public_acls",
+ "object": "s3"
+ },
+ "RestrictPublicBuckets": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.restrict_public_buckets",
+ "object": "s3"
+ }
+ },
+ "BucketPolicy": {
+ "AllowsPublicReadAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.bucket_policies.allows_public_read_access",
+ "object": "s3"
+ },
+ "AllowsPublicWriteAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.bucket_policies.allows_public_write_access",
+ "object": "s3"
+ }
+ }
+ }
+ }
+ },
+ "Tags": {
+ "key": "x-aws-s3-bucket.tags",
+ "object": "s3"
+ },
+ "Type": {
+ "key": "x-aws-s3-bucket.bucket_type",
+ "object": "s3"
+ },
+ "GroupS3BucketReferences": {
+ "key": "x-aws-resource.s3_bucket_refs",
+ "object": "resource",
+ "references": [
+ "s3"
+ ],
+ "group_ref": true
+ }
+ },
+ "LambdaDetails": {
+ "Description": {
+ "key": "x-aws-lambda.description",
+ "object": "lambda"
+ },
+ "FunctionArn": {
+ "key": "x-aws-lambda.function_arn",
+ "object": "lambda"
+ },
+ "FunctionName": [
+ {
+ "key": "x-aws-lambda.function_name",
+ "object": "lambda"
+ },
+ {
+ "key": "x-aws-resource.lambda_details_ref",
+ "object": "resource",
+ "references": "lambda"
+ }
+ ],
+ "FunctionVersion": {
+ "key": "x-aws-lambda.function_version",
+ "object": "lambda"
+ },
+ "LastModifiedAt": {
+ "key": "x-aws-lambda.last_modified_at",
+ "object": "lambda",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "RevisionId": {
+ "key": "x-aws-lambda.revision_id",
+ "object": "lambda"
+ },
+ "Role": {
+ "key": "x-aws-lambda.execution_role",
+ "object": "lambda"
+ },
+ "Tags": {
+ "key": "x-aws-lambda.tags",
+ "object": "lambda"
+ },
+ "VpcConfig": {
+ "securityGroups": {
+ "key": "x-aws-lambda.security_groups",
+ "object": "lambda"
+ },
+ "SubnetIds": {
+ "key": "x-aws-lambda.subnet_ids",
+ "object": "lambda"
+ },
+ "VpcId": {
+ "key": "x-aws-lambda.amazon_vpc_id",
+ "object": "lambda"
+ }
+ }
+ }
+ },
+ "Service": {
+ "Action": {
+ "ActionType": [
+ {
+ "key": "x-aws-finding-service.x_action.action_type",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "DnsRequestAction": {
+ "Blocked": {
+ "key": "network-traffic.x_is_target_port_blocked",
+ "object": "nt"
+ },
+ "Domain": [
+ {
+ "key": "domain-name.value",
+ "object": "dns_req_domain"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "dns_req_domain"
+ }
+ ],
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ]
+ },
+ "PortProbeAction": {
+ "Blocked": {
+ "key": "x-aws-finding-service.x_action.is_port_probe_blocked",
+ "object": "service_action"
+ },
+ "PortProbeDetails": {
+ "LocalIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "port_probe_src_ip"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "port_probe_src_ip"
+ }
+ ]
+ },
+ "LocalPortDetails": {
+ "Port": {
+ "key": "network-traffic.src_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "GroupPortProbeDetailsReferences": {
+ "key": "x-aws-finding-service.x_action.network_refs",
+ "object": "service_action",
+ "references": [
+ "nt"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "AwsApiCallAction": {
+ "AffectedResources": {
+ "key": "x-aws-finding-service.x_action.affected_resources",
+ "object": "service_action"
+ },
+ "Api": [
+ {
+ "key": "x-aws-finding-service.x_action.api_called",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "CallerType": {
+ "key": "x-aws-finding-service.x_action.caller_type",
+ "object": "service_action"
+ },
+ "DomainDetails": {
+ "Domain": [
+ {
+ "key": "domain-name.value",
+ "object": "aws_call_domain"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.domain_ref",
+ "object": "service_action",
+ "references": "aws_call_domain"
+ }
+ ]
+ },
+ "ErrorCode": {
+ "key": "x-aws-finding-service.x_action.error_code",
+ "object": "service_action"
+ },
+ "ServiceName": {
+ "key": "x-aws-finding-service.x_action.service_name",
+ "object": "service_action"
+ },
+ "UserAgent": [
+ {
+ "key": "software.name",
+ "object": "api_call_software"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.software_ref",
+ "object": "service_action",
+ "references": "api_call_software"
+ }
+ ],
+ "RemoteAccountDetails": {
+ "AccountId": {
+ "key": "x-aws-finding-service.x_action.caller_account_id",
+ "object": "service_action"
+ },
+ "Affiliated": {
+ "key": "x-aws-finding-service.x_action.is_caller_account_affiliated_to_aws",
+ "object": "service_action"
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.remote_ref",
+ "object": "service_action",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ }
+ },
+ "NetworkConnectionAction": {
+ "ConnectionDirection": {
+ "key": "network-traffic.x_direction",
+ "object": "nt"
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "RemotePortDetails": {
+ "Port": {
+ "key": "network-traffic.dst_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.x_dst_port_name",
+ "object": "nt"
+ }
+ },
+ "LocalPortDetails": {
+ "Port": {
+ "key": "network-traffic.src_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.x_src_port_name",
+ "object": "nt"
+ }
+ },
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ],
+ "Blocked": {
+ "key": "network-traffic.x_is_target_port_blocked",
+ "object": "nt"
+ },
+ "LocalIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "src_ip"
+ }
+ ]
+ }
+ },
+ "KubernetesApiCallAction": {
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ],
+ "Parameters": {
+ "key": "network-traffic.extensions.http-request-ext.x_parameters",
+ "object": "nt"
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": [
+ {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "RequestUri": {
+ "key": "network-traffic.extensions.http-request-ext.request_value",
+ "object": "nt"
+ },
+ "SourceIPs": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "kubernetes_api_call_source_ip",
+ "unwrap": true,
+ "transformer": "FilterIPv4List"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "kubernetes_api_call_source_ip"
+ }
+ ],
+ "StatusCode": {
+ "key": "network-traffic.extensions.http-request-ext.x_status_code",
+ "object": "nt"
+ },
+ "UserAgent": {
+ "key": "network-traffic.extensions.http-request-ext.request_header.User-Agent",
+ "object": "nt"
+ },
+ "Verb": {
+ "key": "network-traffic.extensions.http-request-ext.request_method",
+ "object": "nt"
+ }
+ },
+ "RdsLoginAttemptAction": {
+ "LoginAttributes": {
+ "Application": [
+ {
+ "key": "x-aws-rds-login-attributes.login_application_name",
+ "object": "login_attr"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "FailedLoginAttempts": {
+ "key": "x-aws-rds-login-attributes.failed_login_attempts",
+ "object": "login_attr"
+ },
+ "SuccessfulLoginAttempts": {
+ "key": "x-aws-rds-login-attributes.successful_login_attempts",
+ "object": "login_attr"
+ },
+ "User": {
+ "key": "x-aws-rds-login-attributes.login_attempted_user_name",
+ "object": "login_attr"
+ },
+ "GroupRdsLoginAttributes": {
+ "key": "x-aws-finding-service.x_action.rds_login_refs",
+ "object": "service_action",
+ "references": [
+ "login_attr"
+ ],
+ "group_ref": true
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "x-aws-finding-service.x_action.remote_ref",
+ "object": "service_action",
+ "references": "dst_ip"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip"
+ }
+ ]
+ },
+ "City": {
+ "CityName": [
+ {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip"
+ }
+ ]
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ }
+ }
+ },
+ "AdditionalInfo": {
+ "key": "x-aws-finding-service.additional_info",
+ "object": "service_action"
+ },
+ "Archived": {
+ "key": "x-ibm-finding.x_archived",
+ "object": "finding"
+ },
+ "Count": {
+ "key": "x-ibm-finding.event_count",
+ "object": "finding"
+ },
+ "DetectorId": {
+ "key": "x-ibm-finding.x_detector_id",
+ "object": "finding"
+ },
+ "EventFirstSeen": [
+ {
+ "key": "x-aws-finding-service.event_first_seen",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "EventLastSeen": {
+ "key": "x-aws-finding-service.event_last_seen",
+ "object": "service_action"
+ },
+ "Evidence": {
+ "ThreatIntelligenceDetails": {
+ "ThreatListName": {
+ "key": "x-aws-evidence.threat_intelligence_list_name",
+ "object": "evidence"
+ },
+ "ThreatNames": {
+ "key": "x-aws-evidence.threat_names",
+ "object": "evidence"
+ },
+ "GroupEvidenceReferences": {
+ "key": "x-aws-finding-service.evidence_refs",
+ "object": "service_action",
+ "references": [
+ "evidence"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "FeatureName": {
+ "key": "x-ibm-finding.x_feature_name",
+ "object": "finding"
+ },
+ "ResourceRole": {
+ "key": "x-aws-resource.resource_role",
+ "object": "resource"
+ },
+ "EbsVolumeScanDetails": {
+ "ScanCompletedAt": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_completed_at",
+ "object": "ebsvolume",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "ScanDetections": {
+ "HighestSeverityThreatDetails": {
+ "Count": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.total_infected_files",
+ "object": "ebsvolume"
+ },
+ "Severity": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.severity",
+ "object": "ebsvolume"
+ },
+ "ThreatName": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.name",
+ "object": "ebsvolume"
+ }
+ },
+ "ScannedItemCount": {
+ "Files": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_scanned_files",
+ "object": "ebsvolume"
+ },
+ "TotalGb": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_files_scanned_in_gb",
+ "object": "ebsvolume"
+ },
+ "Volumes": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_volumes_scanned",
+ "object": "ebsvolume"
+ }
+ },
+ "ThreatDetectedByName": {
+ "ItemCount": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.infected_files_count",
+ "object": "ebsvolume"
+ },
+ "Shortened": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.is_finding_shortened",
+ "object": "ebsvolume"
+ },
+ "ThreatNames": {
+ "FilePaths": {
+ "FileName": {
+ "key": "file.name",
+ "object": "ebsvolume_file"
+ },
+ "FilePath": {
+ "key": "file.x_path",
+ "object": "ebsvolume_file"
+ },
+ "FileSha256": {
+ "key": "file.hashes.SHA-256",
+ "object": "ebsvolume_file"
+ },
+ "FileSha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "ebsvolume_file"
+ },
+ "FileMd5": {
+ "key": "file.hashes.MD5",
+ "object": "ebsvolume_file"
+ },
+ "UnknownHash": {
+ "key": "file.x_unknown_hash",
+ "object": "ebsvolume_file"
+ },
+ "VolumeArn": {
+ "key": "file.x_volume_arn",
+ "object": "ebsvolume_file"
+ },
+ "GroupThreatFileReferences": {
+ "key": "x-aws-threat.infected_file_refs",
+ "object": "ebsvolume_threat",
+ "references": [
+ "ebsvolume_file"
+ ],
+ "group_ref": true
+ }
+ },
+ "ItemCount": {
+ "key": "x-aws-threat.total_files_infected",
+ "object": "ebsvolume_threat"
+ },
+ "Name": {
+ "key": "x-aws-threat.threat_name",
+ "object": "ebsvolume_threat"
+ },
+ "Severity": {
+ "key": "x-aws-threat.x_severity",
+ "object": "ebsvolume_threat"
+ },
+ "GroupThreatNamesReferences": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.threat_refs",
+ "object": "ebsvolume",
+ "references": [
+ "ebsvolume_threat"
+ ],
+ "group_ref": true
+ }
+ },
+ "UniqueThreatNameCount": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.unique_threats_count_based_on_name",
+ "object": "ebsvolume"
+ }
+ },
+ "ThreatsDetectedItemCount": {
+ "Files": {
+ "key": "x-aws-ebs-volume-malware-scan.total_infected_files",
+ "object": "ebsvolume"
+ }
+ }
+ },
+ "ScanId": [
+ {
+ "key": "x-aws-ebs-volume-malware-scan.scan_id",
+ "object": "ebsvolume"
+ },
+ {
+ "key": "x-aws-finding-service.ebs_volume_malware_scan_ref",
+ "object": "service_action",
+ "references": "ebsvolume"
+ }
+ ],
+ "ScanStartedAt": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_started_time",
+ "object": "ebsvolume",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "ScanType": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_type",
+ "object": "ebsvolume"
+ },
+ "Sources": {
+ "key": "x-aws-ebs-volume-malware-scan.sources",
+ "object": "ebsvolume"
+ },
+ "TriggerFindingId": {
+ "key": "x-aws-ebs-volume-malware-scan.triggered_finding_id",
+ "object": "ebsvolume"
+ }
+ },
+ "RuntimeDetails": {
+ "Context": {
+ "AddressFamily": {
+ "key": "x-aws-runtime-context.address_family",
+ "object": "runtime"
+ },
+ "FileSystemType": {
+ "key": "x-aws-runtime-context.mounted_file_system_type",
+ "object": "runtime"
+ },
+ "Flags": {
+ "key": "x-aws-runtime-context.flags",
+ "object": "runtime"
+ },
+ "IanaProtocolNumber": {
+ "key": "x-aws-runtime-context.iana_protocol_number",
+ "object": "runtime"
+ },
+ "LdPreloadValue": {
+ "key": "x-aws-runtime-context.environmental_variables.LD_PRELOAD",
+ "object": "runtime"
+ },
+ "LibraryPath": {
+ "key": "x-aws-runtime-context.new_library_path",
+ "object": "runtime"
+ },
+ "MemoryRegions": {
+ "key": "x-aws-runtime-context.memory_regions",
+ "object": "runtime"
+ },
+ "ModifiedAt": [
+ {
+ "key": "x-aws-runtime-context.process_modified_time",
+ "object": "runtime",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "ModifyingProcess": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_modi_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_modi_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_modi_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_modi_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process_lineage",
+ "references": "runtime_modi_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_modi_process_lineage"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_modi_child_process_lineage"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_modi_process_lineage"
+ ],
+ "references": "runtime_modi_child_process_lineage"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_modi_process_lineage"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_modi_process_lineage"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_modi_process_lineage",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_modi_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process_lineage",
+ "references": "runtime_modi_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_modi_process_lineage"
+ },
+ "GroupModifyingProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_modi_process",
+ "references": [
+ "runtime_modi_process_lineage"
+ ],
+ "group_ref": true
+ }
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_modi_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_modi_process"
+ ],
+ "references": "runtime_modi_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_modi_process"
+ },
+ "Pid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-runtime-context.modifying_process_ref",
+ "object": "runtime",
+ "references": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "Pwd": [
+ {
+ "key": "process.cwd",
+ "object": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-runtime-context.modifying_process_ref",
+ "object": "runtime",
+ "references": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_modi_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_modi_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_modi_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_modi_process"
+ }
+ },
+ "ModuleFilePath": [
+ {
+ "key": "file.x_path",
+ "object": "runtime_file"
+ },
+ {
+ "key": "x-aws-runtime-context.module_ref",
+ "object": "runtime",
+ "references": "runtime_file"
+ }
+ ],
+ "ModuleName": [
+ {
+ "key": "file.name",
+ "object": "runtime_file"
+ },
+ {
+ "key": "x-aws-runtime-context.module_ref",
+ "object": "runtime",
+ "references": "runtime_file"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime_file"
+ }
+ ],
+ "ModuleSha256": {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_file"
+ },
+ "MountSource": {
+ "key": "x-aws-runtime-context.host_path",
+ "object": "runtime"
+ },
+ "MountTarget": {
+ "key": "x-aws-runtime-context.container_path",
+ "object": "runtime"
+ },
+ "ReleaseAgentPath": {
+ "key": "x-aws-runtime-context.release_agent_path",
+ "object": "runtime"
+ },
+ "RuncBinaryPath": {
+ "key": "x-aws-runtime-context.runc_implementation_path",
+ "object": "runtime"
+ },
+ "ScriptPath": [
+ {
+ "key": "x-aws-runtime-context.script_path",
+ "object": "runtime"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "ShellHistoryFilePath": {
+ "key": "x-aws-runtime-context.shell_history_file_path",
+ "object": "runtime"
+ },
+ "SocketPath": {
+ "key": "x-aws-runtime-context.socket_path",
+ "object": "runtime"
+ },
+ "TargetProcess": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_target_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_target_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_target_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_target_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_lineage_process",
+ "references": "runtime_target_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_target_lineage_process"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_target_child_lineage_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_target_lineage_process"
+ ],
+ "references": "runtime_target_child_lineage_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_target_lineage_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_target_lineage_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_target_lineage_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_target_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_lineage_process",
+ "references": "runtime_target_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_target_lineage_process"
+ },
+ "GroupTargetProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_target_process",
+ "references": [
+ "runtime_target_lineage_process"
+ ],
+ "group_ref": true
+ }
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_target_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_target_process"
+ ],
+ "references": "runtime_target_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_target_process"
+ },
+ "Pid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-runtime-details.target_process_ref",
+ "object": "runtime",
+ "references": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "Pwd": [
+ {
+ "key": "process.cwd",
+ "object": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-runtime-details.target_process_ref",
+ "object": "runtime",
+ "references": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_target_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_target_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_target_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_target_user"
+ }
+ }
+ },
+ "Process": {
+ "Euid": [{
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_obs_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_obs_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_obs_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_obs_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_lineage_process",
+ "references": "runtime_obs_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_obs_lineage_process"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_lineage_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_obs_lineage_process"
+ ],
+ "references": "runtime_obs_lineage_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_obs_lineage_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_obs_lineage_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_obs_lineage_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_obs_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_lineage_process",
+ "references": "runtime_obs_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_obs_lineage_process"
+ },
+ "GroupModifiedProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_obs_process",
+ "references": [
+ "runtime_obs_lineage_process"
+ ],
+ "group_ref": true
+ }
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_obs_process"
+ ],
+ "references": "runtime_obs_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_obs_process"
+ },
+ "Pid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_process"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_observed_process_ref",
+ "object": "kubernetes",
+ "references": "runtime_obs_process"
+ }
+ ],
+ "Pwd": [
+ {
+ "key": "process.cwd",
+ "object": "runtime_obs_process"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_observed_process_ref",
+ "object": "kubernetes",
+ "references": "runtime_obs_process"
+ }
+ ],
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_obs_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_obs_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_obs_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_obs_process"
+ }
+ }
+ },
+ "UserFeedback": {
+ "key": "x-ibm-finding.x_finding_feedback",
+ "object": "finding"
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/json/to_stix_map.json b/stix_shifter_modules/aws_guardduty/stix_translation/json/to_stix_map.json
new file mode 100644
index 000000000..ce772137a
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/json/to_stix_map.json
@@ -0,0 +1,2421 @@
+{
+ "FindingType": {
+ "key": "x-ibm-finding.finding_type",
+ "object": "finding"
+ },
+ "AccountId": [
+ {
+ "key": "x-aws-resource.account_id",
+ "object": "resource"
+ },
+ {
+ "key": "x-ibm-finding.x_resource_ref",
+ "object": "finding",
+ "references": "resource"
+ }
+ ],
+ "Arn": {
+ "key": "x-ibm-finding.x_arn",
+ "object": "finding"
+ },
+ "Confidence": {
+ "key": "x-ibm-finding.confidence",
+ "object": "finding"
+ },
+ "CreatedAt": {
+ "key": "first_observed"
+ },
+ "Description": {
+ "key": "x-ibm-finding.description",
+ "object": "finding"
+ },
+ "Id": {
+ "key": "x-ibm-finding.alert_id",
+ "object": "finding"
+ },
+ "Partition": {
+ "key": "x-aws-resource.partition",
+ "object": "resource"
+ },
+ "Region": {
+ "key": "x-aws-resource.region",
+ "object": "resource"
+ },
+ "SchemaVersion": {
+ "key": "x-ibm-finding.x_schema_version",
+ "object": "finding"
+ },
+ "Severity": {
+ "key": "x-ibm-finding.severity",
+ "object": "finding"
+ },
+ "Title": {
+ "key": "x-ibm-finding.x_title",
+ "object": "finding"
+ },
+ "Type": {
+ "key": "x-ibm-finding.name",
+ "object": "finding"
+ },
+ "UpdatedAt": [
+ {
+ "key": "x-ibm-finding.time_observed",
+ "object": "finding"
+ },
+ {
+ "key": "last_observed"
+ }
+ ],
+ "Resource": {
+ "ResourceType": [
+ {
+ "key": "x-aws-resource.resource_type",
+ "object": "resource"
+ },
+ {
+ "key": "x-ibm-finding.x_resource_ref",
+ "object": "finding",
+ "references": "resource"
+ }
+ ],
+ "AccessKeyDetails": {
+ "AccessKeyId": {
+ "key": "user-account.x_access_key_id",
+ "object": "access_user"
+ },
+ "PrincipalId": [
+ {
+ "key": "user-account.user_id",
+ "object": "access_user"
+ },
+ {
+ "key": "x-aws-resource.access_key_ref",
+ "object": "resource",
+ "references": "access_user"
+ }
+ ],
+ "UserName": {
+ "key": "user-account.display_name",
+ "object": "access_user"
+ },
+ "UserType": {
+ "key": "user-account.x_user_type",
+ "object": "access_user"
+ }
+ },
+ "EbsVolumeDetails": {
+ "ScannedVolumeDetails": {
+ "DeviceName": {
+ "key": "x-aws-ebs-volume-scanned.device_name",
+ "object": "ebsvolume_scanned"
+ },
+ "EncryptionType": {
+ "key": "x-aws-ebs-volume-scanned.encryption_type",
+ "object": "ebsvolume_scanned"
+ },
+ "KmsKeyArn": {
+ "key": "x-aws-ebs-volume-scanned.kms_key_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "SnapshotArn": {
+ "key": "x-aws-ebs-volume-scanned.snapshot_key_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeArn": {
+ "key": "x-aws-ebs-volume-scanned.volume_arn",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeSizeInGB": {
+ "key": "x-aws-ebs-volume-scanned.volume_size",
+ "object": "ebsvolume_scanned"
+ },
+ "VolumeType": {
+ "key": "x-aws-ebs-volume-scanned.volume_type",
+ "object": "ebsvolume_scanned"
+ },
+ "GroupEbsVolumeScannedReferences": {
+ "key": "x-aws-resource.ebs_volume.scanned_refs",
+ "object": "resource",
+ "references": [
+ "ebsvolume_scanned"
+ ],
+ "group_ref": true
+ }
+ },
+ "SkippedVolumeDetails": {
+ "DeviceName": {
+ "key": "x-aws-ebs-volume-skipped.device_name",
+ "object": "ebsvolume_skipped"
+ },
+ "EncryptionType": {
+ "key": "x-aws-ebs-volume-skipped.encryption_type",
+ "object": "ebsvolume_skipped"
+ },
+ "KmsKeyArn": {
+ "key": "x-aws-ebs-volume-skipped.kms_key_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "SnapshotArn": {
+ "key": "x-aws-ebs-volume-skipped.snapshot_key_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeArn": {
+ "key": "x-aws-ebs-volume-skipped.volume_arn",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeSizeInGB": {
+ "key": "x-aws-ebs-volume-skipped.volume_size",
+ "object": "ebsvolume_skipped"
+ },
+ "VolumeType": {
+ "key": "x-aws-ebs-volume-skipped.volume_type",
+ "object": "ebsvolume_skipped"
+ },
+ "GroupEbsVolumeSkippedReferences": {
+ "key": "x-aws-resource.ebs_volume.skipped_refs",
+ "object": "resource",
+ "references": [
+ "ebsvolume_skipped"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "ContainerDetails": {
+ "ContainerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "container"
+ },
+ "Id": [
+ {
+ "key": "x-aws-container.container_id",
+ "object": "container"
+ },
+ {
+ "key": "x-aws-resource.standalone_container_ref",
+ "object": "resource",
+ "references": "container"
+ }
+ ],
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "container",
+ "references": [
+ "container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "EcsClusterDetails": {
+ "ActiveServicesCount": {
+ "key": "x-aws-ecs-cluster.active_services_count",
+ "object": "ecs_cluster"
+ },
+ "Arn": {
+ "key": "x-aws-ecs-cluster.cluster_arn",
+ "object": "ecs_cluster"
+ },
+ "Name": [
+ {
+ "key": "x-aws-ecs-cluster.name",
+ "object": "ecs_cluster"
+ },
+ {
+ "key": "x-aws-resource.ecs_cluster_ref",
+ "object": "resource",
+ "references": "ecs_cluster"
+ }
+ ],
+ "RegisteredContainerInstancesCount": {
+ "key": "x-aws-ecs-cluster.container_instances_registered_count",
+ "object": "ecs_cluster"
+ },
+ "RunningTasksCount": {
+ "key": "x-aws-ecs-cluster.running_tasks_count",
+ "object": "ecs_cluster"
+ },
+ "Status": {
+ "key": "x-aws-ecs-cluster.status",
+ "object": "ecs_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-ecs-cluster.tags",
+ "object": "ecs_cluster"
+ },
+ "TaskDetails": {
+ "Arn": {
+ "key": "x-aws-ecs-cluster.task.arn",
+ "object": "ecs_cluster"
+ },
+ "Containers": {
+ "containerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "ecs_cluster_container"
+ },
+ "Id": {
+ "key": "x-aws-container.container_id",
+ "object": "ecs_cluster_container"
+ },
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "ecs_cluster_container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "ecs_cluster_container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "ecs_cluster_container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "ecs_cluster_container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "ecs_cluster_container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "ecs_cluster_container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "ecs_cluster_container",
+ "references": [
+ "ecs_cluster_container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ },
+ "GroupClusterContainerReferences": {
+ "key": "x-aws-ecs-cluster.task.container_refs",
+ "object": "ecs_cluster",
+ "references": [
+ "ecs_cluster_container"
+ ],
+ "group_ref": true
+ }
+ },
+ "DefinitionArn": {
+ "key": "x-aws-ecs-cluster.task.definition_arn",
+ "object": "ecs_cluster"
+ },
+ "Group": {
+ "key": "x-aws-ecs-cluster.task.group_name",
+ "object": "ecs_cluster"
+ },
+ "StartedAt": {
+ "key": "x-aws-ecs-cluster.task.started_at",
+ "object": "ecs_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "StartedBy": {
+ "key": "x-aws-ecs-cluster.task.started_by",
+ "object": "ecs_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-ecs-cluster.task.tags",
+ "object": "ecs_cluster"
+ },
+ "CreatedAt": {
+ "key": "x-aws-ecs-cluster.task.created_at",
+ "object": "ecs_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "Version": {
+ "key": "x-aws-ecs-cluster.task.version",
+ "object": "ecs_cluster"
+ },
+ "Volumes": {
+ "key": "x-aws-ecs-cluster.task.volumes",
+ "object": "ecs_cluster"
+ }
+ }
+ },
+ "EksClusterDetails": {
+ "Arn": {
+ "key": "x-aws-eks-cluster.arn",
+ "object": "eks_cluster"
+ },
+ "CreatedAt": {
+ "key": "x-aws-eks-cluster.created_at",
+ "object": "eks_cluster",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "Name": [
+ {
+ "key": "x-aws-eks-cluster.name",
+ "object": "eks_cluster"
+ },
+ {
+ "key": "x-aws-resource.eks_cluster_ref",
+ "object": "resource",
+ "references": "eks_cluster"
+ }
+ ],
+ "Status": {
+ "key": "x-aws-eks-cluster.status",
+ "object": "eks_cluster"
+ },
+ "Tags": {
+ "key": "x-aws-eks-cluster.tags",
+ "object": "eks_cluster"
+ },
+ "VpcId": {
+ "key": "x-aws-eks-cluster.vpc_id",
+ "object": "eks_cluster"
+ }
+ },
+ "InstanceDetails": {
+ "AvailabilityZone": {
+ "key": "x-aws-instance.availability_zone",
+ "object": "instance"
+ },
+ "IamInstanceProfile": {
+ "Arn": {
+ "key": "x-aws-instance.instance_arn",
+ "object": "instance"
+ },
+ "Id": {
+ "key": "x-aws-instance.profile_id",
+ "object": "instance"
+ }
+ },
+ "ImageDescription": {
+ "key": "x-aws-instance.image_description",
+ "object": "instance"
+ },
+ "ImageId": [
+ {
+ "key": "x-aws-instance.image_id",
+ "object": "instance"
+ },
+ {
+ "key": "x-aws-resource.instance_ref",
+ "object": "resource",
+ "references": "instance"
+ }
+ ],
+ "InstanceId": [
+ {
+ "key": "x-aws-instance.instance_id",
+ "object": "instance"
+ }
+ ],
+ "InstanceState": {
+ "key": "x-aws-instance.state",
+ "object": "instance"
+ },
+ "InstanceType": {
+ "key": "x-aws-instance.instance_type",
+ "object": "instance"
+ },
+ "LaunchTime": {
+ "key": "x-aws-instance.launch_time",
+ "object": "instance"
+ },
+ "NetworkInterfaces": {
+ "Ipv6Addresses": [
+ {
+ "key": "ipv6-addr.value",
+ "object": "src_ip_v6",
+ "unwrap": true,
+ "transformer": "FilterIPv6List"
+ },
+ {
+ "key": "x-aws-network-interface.ip_refs",
+ "object": "ni",
+ "references": [
+ "src_ip_v6"
+ ]
+ }
+ ],
+ "NetworkInterfaceId": {
+ "key": "x-aws-network-interface.interface_id",
+ "object": "ni"
+ },
+ "PrivateIpAddresses": {
+ "PrivateDnsName": {
+ "key": "domain-name.value",
+ "object": "instance_private_domain"
+ },
+ "PrivateIpAddress": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip_private"
+ },
+ {
+ "key": "domain-name.resolves_to_refs",
+ "object": "instance_private_domain",
+ "references": [
+ "src_ip_private"
+ ]
+ }
+ ],
+ "GroupPrivateDomainReferences": {
+ "key": "x-aws-network-interface.private_domain_refs",
+ "object": "ni",
+ "references": [
+ "instance_private_domain"
+ ],
+ "group_ref": true
+ }
+ },
+ "PublicDnsName": [
+ {
+ "key": "domain-name.value",
+ "object": "instance_public_domain"
+ },
+ {
+ "key": "x-aws-network-interface.public_domain_ref",
+ "object": "ni",
+ "references": "instance_public_domain"
+ }
+ ],
+ "PublicIp": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip_public"
+ },
+ {
+ "key": "domain-name.resolves_to_refs",
+ "object": "instance_public_domain",
+ "references": [
+ "src_ip_public"
+ ]
+ }
+ ],
+ "SecurityGroups": {
+ "key": "x-aws-network-interface.security_groups",
+ "object": "ni"
+ },
+ "SubnetId": {
+ "key": "x-aws-network-interface.subnet_id",
+ "object": "ni"
+ },
+ "VpcId": {
+ "key": "x-aws-network-interface.vpc_id",
+ "object": "ni"
+ },
+ "GroupNetworkInterfaceReferences": {
+ "key": "x-aws-instance.x_network_interface_refs",
+ "object": "instance",
+ "references": [
+ "ni"
+ ],
+ "group_ref": true
+ }
+ },
+ "OutpostArn": {
+ "key": "x-aws-instance.outpost_arn",
+ "object": "instance"
+ },
+ "Platform": [
+ {
+ "key": "software.name",
+ "object": "instance_software"
+ },
+ {
+ "key": "x-aws-instance.os_ref",
+ "object": "instance",
+ "references": "instance_software"
+ }
+ ],
+ "ProductCodes": {
+ "key": "x-aws-instance.product_codes",
+ "object": "instance"
+ },
+ "Tags": {
+ "key": "x-aws-instance.tags",
+ "object": "instance"
+ }
+ },
+ "KubernetesDetails": {
+ "KubernetesUserDetails": {
+ "Groups": {
+ "key": "user-account.x_groups",
+ "object": "kubernetes_user"
+ },
+ "SessionName": {
+ "key": "user-account.x_session_name",
+ "object": "kubernetes_user"
+ },
+ "Uid": [
+ {
+ "key": "user-account.user_id",
+ "object": "kubernetes_user"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_user_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes_user"
+ },
+ {
+ "key": "x-ibm-finding.src_application_user_ref",
+ "object": "finding",
+ "references": "kubernetes_user"
+ }
+ ],
+ "Username": [
+ {
+ "key": "user-account.display_name",
+ "object": "kubernetes_user"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_user_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes_user"
+ },
+ {
+ "key": "x-ibm-finding.src_application_user_ref",
+ "object": "finding",
+ "references": "kubernetes_user"
+ }
+ ]
+ },
+ "KubernetesWorkloadDetails": {
+ "Containers": {
+ "ContainerRuntime": {
+ "key": "x-aws-container.container_runtime",
+ "object": "kubernetes_container"
+ },
+ "Id": {
+ "key": "x-aws-container.container_id",
+ "object": "kubernetes_container"
+ },
+ "Image": {
+ "key": "x-aws-container.image",
+ "object": "kubernetes_container"
+ },
+ "ImagePrefix": {
+ "key": "x-aws-container.image_prefix",
+ "object": "kubernetes_container"
+ },
+ "Name": {
+ "key": "x-aws-container.name",
+ "object": "kubernetes_container"
+ },
+ "SecurityContext": {
+ "Privileged": {
+ "key": "x-aws-container.is_container_privileged",
+ "object": "kubernetes_container"
+ }
+ },
+ "VolumeMounts": {
+ "MountPath": {
+ "key": "x-aws-container-volume-mount.path",
+ "object": "kubernetes_container_volume_mount"
+ },
+ "Name": {
+ "key": "x-aws-container-volume-mount.name",
+ "object": "kubernetes_container_volume_mount"
+ },
+ "GroupContainerVolumeMountReferences": {
+ "key": "x-aws-container.volume_mount_refs",
+ "object": "kubernetes_container",
+ "references": [
+ "kubernetes_container_volume_mount"
+ ],
+ "group_ref": true
+ }
+ },
+ "GroupKubernetesContainerReferences": {
+ "key": "x-aws-kubernetes-workload.container_refs",
+ "object": "kubernetes",
+ "references": [
+ "kubernetes_container"
+ ],
+ "group_ref": true
+ }
+ },
+ "HostNetwork": {
+ "key": "x-aws-kubernetes-workload.is_enabled_host_network_for_pods",
+ "object": "kubernetes"
+ },
+ "Name": [
+ {
+ "key": "x-aws-kubernetes-workload.workload_name",
+ "object": "kubernetes"
+ },
+ {
+ "key": "x-aws-eks-cluster.kubernetes_workload_ref",
+ "object": "eks_cluster",
+ "references": "kubernetes"
+ }
+ ],
+ "Namespace": {
+ "key": "x-aws-kubernetes-workload.workload_namespace",
+ "object": "kubernetes"
+ },
+ "Type": {
+ "key": "x-aws-kubernetes-workload.workload_type",
+ "object": "kubernetes"
+ },
+ "Uid": {
+ "key": "x-aws-kubernetes-workload.workload_id",
+ "object": "kubernetes"
+ },
+ "Volumes": {
+ "key": "x-aws-kubernetes-workload.volumes",
+ "object": "kubernetes"
+ }
+ }
+ },
+ "RdsDbInstanceDetails": {
+ "DbClusterIdentifier": [
+ {
+ "key": "x-aws-rds-db-instance.cluster_id",
+ "object": "rds_db"
+ },
+ {
+ "key": "x-aws-resource.rds_database_ref",
+ "object": "resource",
+ "references": "rds_db"
+ }
+ ],
+ "DbInstanceArn": {
+ "key": "x-aws-rds-db-instance.instance_arn",
+ "object": "rds_db"
+ },
+ "DbInstanceIdentifier": [
+ {
+ "key": "x-aws-rds-db-instance.instance_id",
+ "object": "rds_db"
+ },
+ {
+ "key": "x-aws-resource.rds_database_ref",
+ "object": "resource",
+ "references": "rds_db"
+ }
+ ],
+ "Engine": {
+ "key": "x-aws-rds-db-instance.engine",
+ "object": "rds_db"
+ },
+ "EngineVersion": {
+ "key": "x-aws-rds-db-instance.engine_version",
+ "object": "rds_db"
+ },
+ "Tags": {
+ "key": "x-aws-rds-db-instance.tags",
+ "object": "rds_db"
+ }
+ },
+ "RdsDbUserDetails": {
+ "Application": [
+ {
+ "key": "x-aws-rds-db-user.application_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "AuthMethod": [
+ {
+ "key": "x-aws-rds-db-user.authentication_method",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "Database": [
+ {
+ "key": "x-aws-rds-db-user.database_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "Ssl": [
+ {
+ "key": "x-aws-rds-db-user.ssl",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ],
+ "User": [
+ {
+ "key": "x-aws-rds-db-user.user_name",
+ "object": "rds_db_user"
+ },
+ {
+ "key": "x-aws-rds-db-instance.anomalous_login_user_ref",
+ "object": "rds_db",
+ "references": "rds_db_user"
+ }
+ ]
+ },
+ "S3BucketDetails": {
+ "Arn": {
+ "key": "x-aws-s3-bucket.arn",
+ "object": "s3"
+ },
+ "CreatedAt": {
+ "key": "x-aws-s3-bucket.created_at",
+ "object": "s3",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "DefaultServerSideEncryption": {
+ "EncryptionType": {
+ "key": "x-aws-s3-bucket.server_side_encryption_type",
+ "object": "s3"
+ },
+ "KmsMasterKeyArn": {
+ "key": "x-aws-s3-bucket.kms_encryption_key_arn",
+ "object": "s3"
+ }
+ },
+ "Name": {
+ "key": "x-aws-s3-bucket.name",
+ "object": "s3"
+ },
+ "Owner": {
+ "Id": {
+ "key": "x-aws-s3-bucket.canonical_id_of_bucket_owner",
+ "object": "s3"
+ }
+ },
+ "PublicAccess": {
+ "EffectivePermission": {
+ "key": "x-aws-s3-bucket.bucket_permission",
+ "object": "s3"
+ },
+ "PermissionConfiguration": {
+ "AccountLevelPermissions": {
+ "BlockPublicAccess": {
+ "BlockPublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.account_level.block_public_acls",
+ "object": "s3"
+ },
+ "BlockPublicPolicy": {
+ "key": "x-aws-s3-bucket.permissions.account_level.block_public_policy",
+ "object": "s3"
+ },
+ "IgnorePublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.account_level.ignore_public_acls",
+ "object": "s3"
+ },
+ "RestrictPublicBuckets": {
+ "key": "x-aws-s3-bucket.permissions.account_level.restrict_public_buckets",
+ "object": "s3"
+ }
+ }
+ },
+ "BucketLevelPermissions": {
+ "AccessControlList": {
+ "AllowsPublicReadAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.access_control_policies.allows_public_read_access",
+ "object": "s3"
+ },
+ "AllowsPublicWriteAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.access_control_policies.allows_public_write_access",
+ "object": "s3"
+ }
+ },
+ "BlockPublicAccess": {
+ "BlockPublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.block_public_acls",
+ "object": "s3"
+ },
+ "BlockPublicPolicy": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.block_public_policy",
+ "object": "s3"
+ },
+ "IgnorePublicAcls": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.ignore_public_acls",
+ "object": "s3"
+ },
+ "RestrictPublicBuckets": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.block_public_access_settings.restrict_public_buckets",
+ "object": "s3"
+ }
+ },
+ "BucketPolicy": {
+ "AllowsPublicReadAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.bucket_policies.allows_public_read_access",
+ "object": "s3"
+ },
+ "AllowsPublicWriteAccess": {
+ "key": "x-aws-s3-bucket.permissions.bucket_level.bucket_policies.allows_public_write_access",
+ "object": "s3"
+ }
+ }
+ }
+ }
+ },
+ "Tags": {
+ "key": "x-aws-s3-bucket.tags",
+ "object": "s3"
+ },
+ "Type": {
+ "key": "x-aws-s3-bucket.bucket_type",
+ "object": "s3"
+ },
+ "GroupS3BucketReferences": {
+ "key": "x-aws-resource.s3_bucket_refs",
+ "object": "resource",
+ "references": [
+ "s3"
+ ],
+ "group_ref": true
+ }
+ },
+ "LambdaDetails": {
+ "Description": {
+ "key": "x-aws-lambda.description",
+ "object": "lambda"
+ },
+ "FunctionArn": {
+ "key": "x-aws-lambda.function_arn",
+ "object": "lambda"
+ },
+ "FunctionName": [
+ {
+ "key": "x-aws-lambda.function_name",
+ "object": "lambda"
+ },
+ {
+ "key": "x-aws-resource.lambda_details_ref",
+ "object": "resource",
+ "references": "lambda"
+ }
+ ],
+ "FunctionVersion": {
+ "key": "x-aws-lambda.function_version",
+ "object": "lambda"
+ },
+ "LastModifiedAt": {
+ "key": "x-aws-lambda.last_modified_at",
+ "object": "lambda",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "RevisionId": {
+ "key": "x-aws-lambda.revision_id",
+ "object": "lambda"
+ },
+ "Role": {
+ "key": "x-aws-lambda.execution_role",
+ "object": "lambda"
+ },
+ "Tags": {
+ "key": "x-aws-lambda.tags",
+ "object": "lambda"
+ },
+ "VpcConfig": {
+ "securityGroups": {
+ "key": "x-aws-lambda.security_groups",
+ "object": "lambda"
+ },
+ "SubnetIds": {
+ "key": "x-aws-lambda.subnet_ids",
+ "object": "lambda"
+ },
+ "VpcId": {
+ "key": "x-aws-lambda.amazon_vpc_id",
+ "object": "lambda"
+ }
+ }
+ }
+ },
+ "Service": {
+ "Action": {
+ "ActionType": [
+ {
+ "key": "x-aws-finding-service.action.action_type",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "DnsRequestAction": {
+ "Blocked": {
+ "key": "network-traffic.x_is_target_port_blocked",
+ "object": "nt"
+ },
+ "Domain": [
+ {
+ "key": "domain-name.value",
+ "object": "dns_req_domain"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "dns_req_domain"
+ }
+ ],
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ]
+ },
+ "PortProbeAction": {
+ "Blocked": {
+ "key": "x-aws-finding-service.action.is_port_probe_blocked",
+ "object": "service_action"
+ },
+ "PortProbeDetails": {
+ "LocalIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "port_probe_src_ip"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "port_probe_src_ip"
+ }
+ ]
+ },
+ "LocalPortDetails": {
+ "Port": {
+ "key": "network-traffic.src_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "GroupPortProbeDetailsReferences": {
+ "key": "x-aws-finding-service.action.network_refs",
+ "object": "service_action",
+ "references": [
+ "nt"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "AwsApiCallAction": {
+ "AffectedResources": {
+ "key": "x-aws-finding-service.action.affected_resources",
+ "object": "service_action"
+ },
+ "Api": [
+ {
+ "key": "x-aws-finding-service.action.api_called",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "CallerType": {
+ "key": "x-aws-finding-service.action.caller_type",
+ "object": "service_action"
+ },
+ "DomainDetails": {
+ "Domain": [
+ {
+ "key": "domain-name.value",
+ "object": "aws_call_domain"
+ },
+ {
+ "key": "x-aws-finding-service.action.domain_ref",
+ "object": "service_action",
+ "references": "aws_call_domain"
+ }
+ ]
+ },
+ "ErrorCode": {
+ "key": "x-aws-finding-service.action.error_code",
+ "object": "service_action"
+ },
+ "ServiceName": {
+ "key": "x-aws-finding-service.action.service_name",
+ "object": "service_action"
+ },
+ "UserAgent": [
+ {
+ "key": "software.name",
+ "object": "api_call_software"
+ },
+ {
+ "key": "x-aws-finding-service.action.software_ref",
+ "object": "service_action",
+ "references": "api_call_software"
+ }
+ ],
+ "RemoteAccountDetails": {
+ "AccountId": {
+ "key": "x-aws-finding-service.action.caller_account_id",
+ "object": "service_action"
+ },
+ "Affiliated": {
+ "key": "x-aws-finding-service.action.is_caller_account_affiliated_to_aws",
+ "object": "service_action"
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "x-aws-finding-service.action.remote_ref",
+ "object": "service_action",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ }
+ },
+ "NetworkConnectionAction": {
+ "ConnectionDirection": {
+ "key": "network-traffic.x_direction",
+ "object": "nt"
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ }
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "RemotePortDetails": {
+ "Port": {
+ "key": "network-traffic.dst_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.x_dst_port_name",
+ "object": "nt"
+ }
+ },
+ "LocalPortDetails": {
+ "Port": {
+ "key": "network-traffic.src_port",
+ "object": "nt"
+ },
+ "PortName": {
+ "key": "network-traffic.x_src_port_name",
+ "object": "nt"
+ }
+ },
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ],
+ "Blocked": {
+ "key": "network-traffic.x_is_target_port_blocked",
+ "object": "nt"
+ },
+ "LocalIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "src_ip"
+ }
+ ]
+ }
+ },
+ "KubernetesApiCallAction": {
+ "Protocol": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "transformer": "ToLowercaseArray"
+ },
+ {
+ "key": "x-aws-finding-service.action.network_ref",
+ "object": "service_action",
+ "references": "nt"
+ }
+ ],
+ "Parameters": {
+ "key": "network-traffic.extensions.http-request-ext.x_parameters",
+ "object": "nt"
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "City": {
+ "CityName": [
+ {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip",
+ "references": "remote_geo"
+ }
+ ]
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ },
+ "RequestUri": {
+ "key": "network-traffic.extensions.http-request-ext.request_value",
+ "object": "nt"
+ },
+ "SourceIPs": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "kubernetes_api_call_source_ip",
+ "unwrap": true,
+ "transformer": "FilterIPv4List"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "kubernetes_api_call_source_ip"
+ }
+ ],
+ "StatusCode": {
+ "key": "network-traffic.extensions.http-request-ext.x_status_code",
+ "object": "nt"
+ },
+ "UserAgent": {
+ "key": "network-traffic.extensions.http-request-ext.request_header.User-Agent",
+ "object": "nt"
+ },
+ "Verb": {
+ "key": "network-traffic.extensions.http-request-ext.request_method",
+ "object": "nt"
+ }
+ },
+ "RdsLoginAttemptAction": {
+ "LoginAttributes": {
+ "Application": [
+ {
+ "key": "x-aws-rds-login-attributes.login_application_name",
+ "object": "login_attr"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "FailedLoginAttempts": {
+ "key": "x-aws-rds-login-attributes.failed_login_attempts",
+ "object": "login_attr"
+ },
+ "SuccessfulLoginAttempts": {
+ "key": "x-aws-rds-login-attributes.successful_login_attempts",
+ "object": "login_attr"
+ },
+ "User": {
+ "key": "x-aws-rds-login-attributes.login_attempted_user_name",
+ "object": "login_attr"
+ },
+ "GroupRdsLoginAttributes": {
+ "key": "x-aws-finding-service.action.rds_login_refs",
+ "object": "service_action",
+ "references": [
+ "login_attr"
+ ],
+ "group_ref": true
+ }
+ },
+ "RemoteIpDetails": {
+ "IpAddressV4": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "x-aws-finding-service.action.remote_ref",
+ "object": "service_action",
+ "references": "dst_ip"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "Organization": {
+ "AsnOrg": {
+ "key": "autonomous-system.name",
+ "object": "as"
+ },
+ "Asn": [
+ {
+ "key": "autonomous-system.number",
+ "object": "as",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "ipv4-addr.belongs_to_refs",
+ "object": "dst_ip",
+ "references": [
+ "as"
+ ]
+ }
+ ],
+ "Isp": {
+ "key": "autonomous-system.x_isp",
+ "object": "as"
+ },
+ "Org": {
+ "key": "autonomous-system.x_organisation",
+ "object": "as"
+ }
+ },
+ "Country": {
+ "CountryCode": {
+ "key": "x-oca-geo.country_iso_code",
+ "object": "remote_geo"
+ },
+ "CountryName": [
+ {
+ "key": "x-oca-geo.country_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip"
+ }
+ ]
+ },
+ "City": {
+ "CityName": [
+ {
+ "key": "x-oca-geo.city_name",
+ "object": "remote_geo"
+ },
+ {
+ "key": "ipv4-addr.x_geo_ref",
+ "object": "dst_ip"
+ }
+ ]
+ },
+ "GeoLocation": {
+ "key": "x-oca-geo.location",
+ "object": "remote_geo"
+ }
+ }
+ }
+ },
+ "AdditionalInfo": {
+ "key": "x-aws-finding-service.additional_info",
+ "object": "service_action"
+ },
+ "Archived": {
+ "key": "x-ibm-finding.x_archived",
+ "object": "finding"
+ },
+ "Count": {
+ "key": "x-ibm-finding.event_count",
+ "object": "finding"
+ },
+ "DetectorId": {
+ "key": "x-ibm-finding.x_detector_id",
+ "object": "finding"
+ },
+ "EventFirstSeen": [
+ {
+ "key": "x-aws-finding-service.event_first_seen",
+ "object": "service_action"
+ },
+ {
+ "key": "x-ibm-finding.x_service_ref",
+ "object": "finding",
+ "references": "service_action"
+ }
+ ],
+ "EventLastSeen": {
+ "key": "x-aws-finding-service.event_last_seen",
+ "object": "service_action"
+ },
+ "Evidence": {
+ "ThreatIntelligenceDetails": {
+ "ThreatListName": {
+ "key": "x-aws-evidence.threat_intelligence_list_name",
+ "object": "evidence"
+ },
+ "ThreatNames": {
+ "key": "x-aws-evidence.threat_names",
+ "object": "evidence"
+ },
+ "GroupEvidenceReferences": {
+ "key": "x-aws-finding-service.evidence_refs",
+ "object": "service_action",
+ "references": [
+ "evidence"
+ ],
+ "group_ref": true
+ }
+ }
+ },
+ "FeatureName": {
+ "key": "x-ibm-finding.x_feature_name",
+ "object": "finding"
+ },
+ "ResourceRole": {
+ "key": "x-aws-resource.resource_role",
+ "object": "resource"
+ },
+ "EbsVolumeScanDetails": {
+ "ScanCompletedAt": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_completed_at",
+ "object": "ebsvolume",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "ScanDetections": {
+ "HighestSeverityThreatDetails": {
+ "Count": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.total_infected_files",
+ "object": "ebsvolume"
+ },
+ "Severity": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.severity",
+ "object": "ebsvolume"
+ },
+ "ThreatName": {
+ "key": "x-aws-ebs-volume-malware-scan.highest_severity_threat.name",
+ "object": "ebsvolume"
+ }
+ },
+ "ScannedItemCount": {
+ "Files": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_scanned_files",
+ "object": "ebsvolume"
+ },
+ "TotalGb": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_files_scanned_in_gb",
+ "object": "ebsvolume"
+ },
+ "Volumes": {
+ "key": "x-aws-ebs-volume-malware-scan.scanned_items.total_volumes_scanned",
+ "object": "ebsvolume"
+ }
+ },
+ "ThreatDetectedByName": {
+ "ItemCount": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.infected_files_count",
+ "object": "ebsvolume"
+ },
+ "Shortened": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.is_finding_shortened",
+ "object": "ebsvolume"
+ },
+ "ThreatNames": {
+ "FilePaths": {
+ "FileName": {
+ "key": "file.name",
+ "object": "ebsvolume_file"
+ },
+ "FilePath": {
+ "key": "file.x_path",
+ "object": "ebsvolume_file"
+ },
+ "FileSha256": {
+ "key": "file.hashes.SHA-256",
+ "object": "ebsvolume_file"
+ },
+ "FileSha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "ebsvolume_file"
+ },
+ "FileMd5": {
+ "key": "file.hashes.MD5",
+ "object": "ebsvolume_file"
+ },
+ "UnknownHash": {
+ "key": "file.x_unknown_hash",
+ "object": "ebsvolume_file"
+ },
+ "VolumeArn": {
+ "key": "file.x_volume_arn",
+ "object": "ebsvolume_file"
+ },
+ "GroupThreatFileReferences": {
+ "key": "x-aws-threat.infected_file_refs",
+ "object": "ebsvolume_threat",
+ "references": [
+ "ebsvolume_file"
+ ],
+ "group_ref": true
+ }
+ },
+ "ItemCount": {
+ "key": "x-aws-threat.total_files_infected",
+ "object": "ebsvolume_threat"
+ },
+ "Name": {
+ "key": "x-aws-threat.threat_name",
+ "object": "ebsvolume_threat"
+ },
+ "Severity": {
+ "key": "x-aws-threat.severity",
+ "object": "ebsvolume_threat"
+ },
+ "GroupThreatNamesReferences": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.threat_refs",
+ "object": "ebsvolume",
+ "references": [
+ "ebsvolume_threat"
+ ],
+ "group_ref": true
+ }
+ },
+ "UniqueThreatNameCount": {
+ "key": "x-aws-ebs-volume-malware-scan.threat_detected_by_name.unique_threats_count_based_on_name",
+ "object": "ebsvolume"
+ }
+ },
+ "ThreatsDetectedItemCount": {
+ "Files": {
+ "key": "x-aws-ebs-volume-malware-scan.total_infected_files",
+ "object": "ebsvolume"
+ }
+ }
+ },
+ "ScanId": [
+ {
+ "key": "x-aws-ebs-volume-malware-scan.scan_id",
+ "object": "ebsvolume"
+ },
+ {
+ "key": "x-aws-finding-service.ebs_volume_malware_scan_ref",
+ "object": "service_action",
+ "references": "ebsvolume"
+ }
+ ],
+ "ScanStartedAt": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_started_time",
+ "object": "ebsvolume",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "ScanType": {
+ "key": "x-aws-ebs-volume-malware-scan.scan_type",
+ "object": "ebsvolume"
+ },
+ "Sources": {
+ "key": "x-aws-ebs-volume-malware-scan.sources",
+ "object": "ebsvolume"
+ },
+ "TriggerFindingId": {
+ "key": "x-aws-ebs-volume-malware-scan.triggered_finding_id",
+ "object": "ebsvolume"
+ }
+ },
+ "RuntimeDetails": {
+ "Context": {
+ "AddressFamily": {
+ "key": "x-aws-runtime-context.address_family",
+ "object": "runtime"
+ },
+ "FileSystemType": {
+ "key": "x-aws-runtime-context.mounted_file_system_type",
+ "object": "runtime"
+ },
+ "Flags": {
+ "key": "x-aws-runtime-context.flags",
+ "object": "runtime"
+ },
+ "IanaProtocolNumber": {
+ "key": "x-aws-runtime-context.iana_protocol_number",
+ "object": "runtime"
+ },
+ "LdPreloadValue": {
+ "key": "x-aws-runtime-context.environmental_variables.LD_PRELOAD",
+ "object": "runtime"
+ },
+ "LibraryPath": {
+ "key": "x-aws-runtime-context.new_library_path",
+ "object": "runtime"
+ },
+ "MemoryRegions": {
+ "key": "x-aws-runtime-context.memory_regions",
+ "object": "runtime"
+ },
+ "ModifiedAt": [
+ {
+ "key": "x-aws-runtime-context.process_modified_time",
+ "object": "runtime",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "ModifyingProcess": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_modi_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_modi_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_modi_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_modi_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process_lineage",
+ "references": "runtime_modi_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_modi_process_lineage"
+ },
+ "Name": {
+ "key": "process.name",
+ "object": "runtime_modi_process_lineage"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_modi_child_process_lineage"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_modi_process_lineage"
+ ],
+ "references": "runtime_modi_child_process_lineage"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_modi_process_lineage"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_modi_process_lineage"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_modi_process_lineage",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_modi_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process_lineage",
+ "references": "runtime_modi_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_modi_process_lineage"
+ },
+ "GroupModifyingProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_modi_process",
+ "references": [
+ "runtime_modi_process_lineage"
+ ],
+ "group_ref": true
+ }
+ },
+ "Name": [
+ {
+ "key": "process.name",
+ "object": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-runtime-context.modifying_process_ref",
+ "object": "runtime",
+ "references": "runtime_modi_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_modi_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_modi_process"
+ ],
+ "references": "runtime_modi_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_modi_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_modi_process"
+ },
+ "Pwd": {
+ "key": "process.cwd",
+ "object": "runtime_modi_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_modi_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_modi_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_modi_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_modi_process",
+ "references": "runtime_modi_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_modi_process"
+ }
+ },
+ "ModuleFilePath": [
+ {
+ "key": "file.x_path",
+ "object": "runtime_file"
+ },
+ {
+ "key": "x-aws-runtime-context.module_ref",
+ "object": "runtime",
+ "references": "runtime_file"
+ }
+ ],
+ "ModuleName": [
+ {
+ "key": "file.name",
+ "object": "runtime_file"
+ },
+ {
+ "key": "x-aws-runtime-context.module_ref",
+ "object": "runtime",
+ "references": "runtime_file"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime_file"
+ }
+ ],
+ "ModuleSha256": {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_file"
+ },
+ "MountSource": {
+ "key": "x-aws-runtime-context.host_path",
+ "object": "runtime"
+ },
+ "MountTarget": {
+ "key": "x-aws-runtime-context.container_path",
+ "object": "runtime"
+ },
+ "ReleaseAgentPath": {
+ "key": "x-aws-runtime-context.release_agent_path",
+ "object": "runtime"
+ },
+ "RuncBinaryPath": {
+ "key": "x-aws-runtime-context.runc_implementation_path",
+ "object": "runtime"
+ },
+ "ScriptPath": [
+ {
+ "key": "x-aws-runtime-context.script_path",
+ "object": "runtime"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "ShellHistoryFilePath": {
+ "key": "x-aws-runtime-context.shell_history_file_path",
+ "object": "runtime"
+ },
+ "SocketPath": {
+ "key": "x-aws-runtime-context.socket_path",
+ "object": "runtime"
+ },
+ "TargetProcess": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_target_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_target_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_target_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_target_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_lineage_process",
+ "references": "runtime_target_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_target_lineage_process"
+ },
+ "Name": {
+ "key": "process.name",
+ "object": "runtime_target_lineage_process"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_target_child_lineage_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_target_lineage_process"
+ ],
+ "references": "runtime_target_child_lineage_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_target_lineage_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_target_lineage_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_target_lineage_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_target_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_lineage_process",
+ "references": "runtime_target_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_target_lineage_process"
+ },
+ "GroupTargetProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_target_process",
+ "references": [
+ "runtime_target_lineage_process"
+ ],
+ "group_ref": true
+ }
+ },
+ "Name": [
+ {
+ "key": "process.name",
+ "object": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-runtime-details.target_process_ref",
+ "object": "runtime",
+ "references": "runtime_target_process"
+ },
+ {
+ "key": "x-aws-eks-cluster.runtime_context_ref",
+ "object": "kubernetes",
+ "references": "runtime"
+ }
+ ],
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_target_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_target_process"
+ ],
+ "references": "runtime_target_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_target_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_target_process"
+ },
+ "Pwd": {
+ "key": "process.cwd",
+ "object": "runtime_target_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_target_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_target_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_target_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_target_process",
+ "references": "runtime_target_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_target_user"
+ }
+ }
+ },
+ "Process": {
+ "Euid": [{
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_obs_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "file.x_path",
+ "object": "runtime_obs_file"
+ },
+ "ExecutableSha256": [
+ {
+ "key": "file.hashes.SHA-256",
+ "object": "runtime_obs_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_file"
+ }
+ ],
+ "Lineage": {
+ "Euid": [
+ {
+ "key": "user-account.x_effective_user_id",
+ "object": "runtime_obs_lineage_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_lineage_process",
+ "references": "runtime_obs_lineage_user"
+ }
+ ],
+ "ExecutablePath": {
+ "key": "process.x_absolute_path",
+ "object": "runtime_obs_lineage_process"
+ },
+ "Name": {
+ "key": "process.name",
+ "object": "runtime_obs_lineage_process"
+ },
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_lineage_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_obs_lineage_process"
+ ],
+ "references": "runtime_obs_lineage_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_obs_lineage_process"
+ },
+ "Pid": {
+ "key": "process.pid",
+ "object": "runtime_obs_lineage_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_obs_lineage_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_obs_lineage_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_lineage_process",
+ "references": "runtime_obs_lineage_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_obs_lineage_process"
+ },
+ "GroupModifiedProcessLineageReferences": {
+ "key": "process.x_lineage_refs",
+ "object": "runtime_obs_process",
+ "references": [
+ "runtime_obs_lineage_process"
+ ],
+ "group_ref": true
+ }
+ },
+ "Name": [
+ {
+ "key": "process.name",
+ "object": "runtime_obs_process"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_observed_process_ref",
+ "object": "kubernetes",
+ "references": "runtime_obs_process"
+ }
+ ],
+ "NamespacePid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_child_process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": [
+ "runtime_obs_process"
+ ],
+ "references": "runtime_obs_child_process"
+ }
+ ],
+ "ParentUuid": {
+ "key": "process.x_parent_unique_id",
+ "object": "runtime_obs_process"
+ },
+ "Pid": [
+ {
+ "key": "process.pid",
+ "object": "runtime_obs_process"
+ },
+ {
+ "key": "x-aws-kubernetes.runtime_observed_process_ref",
+ "object": "kubernetes",
+ "references": "runtime_obs_process"
+ }
+ ],
+ "Pwd": {
+ "key": "process.cwd",
+ "object": "runtime_obs_process"
+ },
+ "StartTime": {
+ "key": "process.created",
+ "object": "runtime_obs_process",
+ "transformer": "FormatDateTimeObjectToTimestamp"
+ },
+ "User": {
+ "key": "user-account.display_name",
+ "object": "runtime_obs_user"
+ },
+ "UserId": [
+ {
+ "key": "user-account.user_id",
+ "object": "runtime_obs_user",
+ "transformer": "ToString"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "runtime_obs_process",
+ "references": "runtime_obs_user"
+ }
+ ],
+ "Uuid": {
+ "key": "process.x_unique_id",
+ "object": "runtime_obs_process"
+ }
+ }
+ },
+ "UserFeedback": {
+ "key": "x-ibm-finding.x_finding_feedback",
+ "object": "finding"
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py b/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
new file mode 100644
index 000000000..e472c794a
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
@@ -0,0 +1,537 @@
+from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, \
+ ComparisonExpression, ComparisonComparators, Pattern, \
+ CombinedComparisonExpression, CombinedObservationExpression
+import logging
+import re
+import json
+from datetime import datetime, timedelta
+from os import path
+import copy
+
+logger = logging.getLogger(__name__)
+
+START_STOP_PATTERN = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z)"
+STOP_TIME = datetime.utcnow()
+CONFIG_MAP_PATH = "json/config_map.json"
+
+
+class FileNotFoundException(Exception):
+ pass
+
+
+class StartStopQualifierValueException(Exception):
+ pass
+
+
+class SimilarExpressionForAndOperatorException(Exception):
+ pass
+
+
+class QueryStringPatternTranslator:
+
+ def __init__(self, pattern: Pattern, data_model_mapper, options):
+ logger.info("AWS GuardDuty Connector")
+ self.dmm = data_model_mapper
+ self.options = options
+ self.qualified_queries = []
+ self.config_map = self.load_json(CONFIG_MAP_PATH)
+ self.comparator_lookup = self.dmm.map_comparator()
+ self.parse_expression(pattern)
+
+ @staticmethod
+ def load_json(rel_path_of_file):
+ """
+ Consumes a json file and returns a dictionary
+ :param rel_path_of_file: str
+ :return: dict
+ """
+
+ _json_path = path.dirname(path.abspath(__file__)) + "/" + rel_path_of_file
+ try:
+ if path.exists(_json_path):
+ with open(_json_path, encoding='utf-8') as f_obj:
+ return json.load(f_obj)
+ raise FileNotFoundException
+ except FileNotFoundException as e:
+ raise FileNotFoundError(f'{rel_path_of_file} not found') from e
+
+ @staticmethod
+ def _format_value_type(expression, value, mapped_field_type, comparator):
+ """
+ Converts input value that matches with the mapped field value type
+ :param expression
+ :param value
+ :param mapped_field_type: str
+ :param comparator
+ :return formatted value
+ """
+ stix_object, stix_field = expression.object_path.split(':')
+ converted_value = str(value)
+ if mapped_field_type == "int":
+ if not converted_value.isdigit():
+ raise NotImplementedError(f'string type input - {converted_value} is not supported for '
+ f'integer type field {stix_object}:{stix_field}')
+ if str(comparator) not in ("ComparisonComparators.Equal", "ComparisonComparators.NotEqual",
+ "ComparisonComparators.In"):
+ converted_value = int(value)
+ elif mapped_field_type == "boolean":
+ converted_value = QueryStringPatternTranslator._check_boolean_value(converted_value)
+ return converted_value
+
+ @staticmethod
+ def _check_boolean_value(final_value):
+ """
+ returns boolean value of input
+ :param final_value:str
+ :return bool
+ """
+ if final_value.lower() == "true" or (final_value.isdigit() and final_value == "1"):
+ boolean_value = "true"
+ elif final_value.lower() == "false" or (final_value.isdigit() and final_value == "0"):
+ boolean_value = "false"
+ else:
+ raise NotImplementedError('Invalid boolean type input')
+ return boolean_value
+
+ @staticmethod
+ def _format_set(expression, values, mapped_field_type, comparator):
+ """
+ Formatting value in the event of set operation
+ :param expression
+ :param values: str or int ,
+ :param mapped_field_type: str
+ :param comparator
+ :return: list of formatted values
+ """
+ gen = values.element_iterator()
+ formatted_values = []
+ for value in gen:
+ formatted_value = QueryStringPatternTranslator._escape_value(
+ QueryStringPatternTranslator._format_value_type(expression, value, mapped_field_type, comparator))
+ formatted_values.append(formatted_value)
+ return formatted_values
+
+ @staticmethod
+ def _format_equality(expression, value, mapped_field_type, comparator):
+ """
+ Formatting value in the event of equality operation
+ :param expression
+ :param value: str or int ,
+ :param mapped_field_type: str
+ :param comparator
+ :return: list of formatted values
+ """
+ value = QueryStringPatternTranslator._escape_value(
+ QueryStringPatternTranslator._format_value_type(expression, value, mapped_field_type, comparator))
+ if comparator in [ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
+ ComparisonComparators.LessThan, ComparisonComparators.LessThanOrEqual]:
+ return value
+ return [value]
+
+ @staticmethod
+ def _escape_value(value):
+ """
+ Format the value with escape characters
+ :param value: str or int
+ :return: str or int
+ """
+ if isinstance(value, str):
+ return '{}'.format(value.replace('\\', '\\\\').replace('\"', '\\"').replace('(', '\\(').replace(')', '\\)'))
+ return value
+
+ @staticmethod
+ def _negate_comparator(comparator):
+ """
+ returns negation of input operator
+ :param comparator:str
+ :return str
+ """
+ negate_comparator = {
+ "Equals": "NotEquals",
+ "NotEquals": "Equals",
+ "LessThan": "GreaterThanOrEqual",
+ "LessThanOrEqual": "GreaterThan",
+ "GreaterThan": "LessThanOrEqual",
+ "GreaterThanOrEqual": "LessThan"
+ }
+ return negate_comparator[comparator]
+
+ @staticmethod
+ def _format_datetime(value):
+ """
+ Converts timestamp to seconds
+ :param value
+ :return: int, converted epoch value
+ """
+ try:
+ time_pattern = '%Y-%m-%dT%H:%M:%S.%fZ'
+ if re.search(r"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}Z", str(value)):
+ time_pattern = '%Y-%m-%dT%H:%M:%SZ'
+ epoch = datetime(1970, 1, 1)
+ converted_time = int(((datetime.strptime(value,
+ time_pattern) - epoch).total_seconds()) * 1000)
+ return converted_time
+ except ValueError:
+ logger.error("Cannot convert the timestamp %s to seconds", value)
+ raise NotImplementedError(f'cannot convert the timestamp {value} to seconds')
+
+ def _check_enum_supported_values(self, value, mapped_fields_array, stix_object, stix_field):
+ """
+ checks for enum supported values
+ :param mapped_fields_array: list
+ :param value:str
+ :param stix_object: str
+ :param stix_field: str
+ :return: None
+ """
+ all_enum_values = []
+ if mapped_fields_array[0] in self.config_map["enum_supported_values"]:
+ all_enum_values = self.config_map["enum_supported_values"][mapped_fields_array[0]]
+ value_not_present = False
+ for val in value:
+ if val not in all_enum_values:
+ value_not_present = True
+ break
+
+ if value_not_present:
+ raise NotImplementedError(f"The input value provided for the field "
+ f"{stix_object}:{stix_field} is not among the possible values of the field."
+ f"Suggested values are {all_enum_values}")
+
+ @staticmethod
+ def _or_operator_query(previous_all_queries, current_all_queries):
+ """
+ Create individual queries for different fields and merge the values incase of similar fields
+ :param previous_all_queries:list
+ :param current_all_queries:list
+ :return: list
+ """
+ merged_query = []
+ similar_query = []
+ individual_query = []
+ already_merged_query = []
+ for previous_queries in previous_all_queries:
+ for current_queries in current_all_queries:
+ current_query = copy.deepcopy(current_queries)
+ previous_query = copy.deepcopy(previous_queries)
+ if previous_query.keys() == current_query.keys():
+ matched_key = [i for i in current_query.keys() if i != 'updatedAt'][0]
+ p_operator = list(previous_query[matched_key].keys())[0]
+ c_operator = list(current_query[matched_key].keys())[0]
+ if c_operator == p_operator and c_operator in ('Equals', 'NotEquals') and p_operator in \
+ ('Equals', 'NotEquals'):
+ # merge values of similar attributes for =,!= operator
+ merged_similar_query = copy.deepcopy(previous_query)
+ merged_similar_query[matched_key][p_operator].extend(current_query[matched_key][c_operator])
+ merged_similar_query[matched_key][p_operator] = list(set(merged_similar_query
+ [matched_key][p_operator]))
+ if previous_query in individual_query:
+ individual_query.remove(previous_query)
+ if current_query in individual_query:
+ individual_query.remove(current_query)
+ if previous_query not in already_merged_query:
+ already_merged_query.append(previous_query)
+ if current_query not in already_merged_query:
+ already_merged_query.append(current_query)
+ if merged_similar_query not in similar_query:
+ similar_query.append(merged_similar_query)
+ else:
+ # create individual queries for similar attributes if operator is not =, !=
+ if previous_query not in individual_query and previous_query not in \
+ already_merged_query:
+ individual_query.append(previous_query)
+ if current_query not in individual_query and current_query not in \
+ already_merged_query:
+ individual_query.append(current_query)
+
+ else:
+ # create individual queries in case of different attributes
+ if previous_query not in individual_query and previous_query not in already_merged_query:
+ individual_query.append(previous_query)
+ if current_query not in individual_query and current_query not in already_merged_query:
+ individual_query.append(current_query)
+
+ merged_query.extend(individual_query)
+ merged_query.extend(similar_query)
+ return merged_query
+
+ @staticmethod
+ def _and_operator_query(previous_all_queries, current_all_queries, expression):
+ """
+ Merge previous query with current query, and log the error in case of similar fields
+ :param expression
+ :param previous_all_queries:list
+ :param current_all_queries:list
+ :return: list
+ """
+ merged_query = []
+
+ for previous_queries in previous_all_queries:
+ for current_queries in current_all_queries:
+ current_query = copy.deepcopy(current_queries)
+ previous_query = copy.deepcopy(previous_queries)
+ if not current_query.keys() - previous_query.keys():
+ comparison = str(expression).split(" ")
+ raise SimilarExpressionForAndOperatorException(f'The expression [{comparison[0][21:]}] has same '
+ f'data source field mapping with another expression '
+ f'in the pattern which has only AND comparison '
+ f'operator. Recommended to Use OR operator. ')
+ # merge multiple queries into a single query
+ previous_query.update(current_query)
+ if previous_query not in merged_query:
+ merged_query.append(previous_query)
+ return merged_query
+
+ def _lookup_comparison_operator(self, expression_operator):
+ """
+ lookup operators support in AWS GuardDuty
+ :param expression_operator:enum object
+ :return: str
+ """
+ if str(expression_operator) not in self.comparator_lookup:
+ raise NotImplementedError(
+ f'Comparison operator {expression_operator.name} unsupported for AWS GuardDuty connector')
+
+ return self.comparator_lookup[str(expression_operator)]
+
+ def _create_single_comparison_query(self, formatted_value, mapped_fields_array, mapped_field_type, expression,
+ qualifier):
+ """
+ Create a query for a comparison expression
+ :param formatted_value, str or int or boolean
+ :param mapped_fields_array, list
+ :param mapped_field_type, str
+ :param expression
+ :param qualifier, str
+ :return: list
+ """
+ queries = []
+ stix_object, stix_field = expression.object_path.split(':')
+ comparator = self._lookup_comparison_operator(expression.comparator)
+ if mapped_field_type == "enum":
+ self._check_enum_supported_values(formatted_value, mapped_fields_array, stix_object, stix_field)
+ if expression.negated:
+ comparator = QueryStringPatternTranslator._negate_comparator(comparator)
+ time_range_list = QueryStringPatternTranslator._parse_time_range(qualifier, self.options["time_range"])
+ converted_time_range = QueryStringPatternTranslator._check_time_range_values(time_range_list)
+ for field_name in mapped_fields_array:
+ query = dict()
+ query[field_name] = {comparator: formatted_value}
+ query['updatedAt'] = {"GreaterThanOrEqual": converted_time_range[0],
+ "LessThanOrEqual": converted_time_range[1]}
+ queries.append(query)
+ return queries
+
+ def _eval_comparison_value(self, expression, mapped_field_type):
+ """
+ Function for parsing comparison expression value
+ :param expression, expression object
+ :param mapped_field_type, str
+ :return: formatted value
+ """
+ self._check_value_comparator_support(expression, expression.comparator, mapped_field_type)
+ if expression.comparator == ComparisonComparators.In:
+ value = QueryStringPatternTranslator._format_set(expression, expression.value, mapped_field_type,
+ expression.comparator)
+ elif expression.comparator in [ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
+ ComparisonComparators.LessThan, ComparisonComparators.LessThanOrEqual,
+ ComparisonComparators.Equal, ComparisonComparators.NotEqual]:
+ value = QueryStringPatternTranslator._format_equality(expression, expression.value, mapped_field_type,
+ expression.comparator)
+
+ else:
+ raise NotImplementedError('Unknown comparator expression operator')
+ return value
+
+ @staticmethod
+ def _parse_time_range(qualifier, time_range):
+ """
+ Converts qualifier to timestamp format
+ :param qualifier: str
+ :param time_range: int
+ return: list of formatted timestamps
+ """
+ try:
+ compile_timestamp_regex = re.compile(START_STOP_PATTERN)
+ if qualifier and compile_timestamp_regex.search(qualifier):
+ time_range_iterator = compile_timestamp_regex.finditer(qualifier)
+ time_range_list = [each.group() for each in time_range_iterator]
+ else:
+ start_time = STOP_TIME - timedelta(minutes=time_range)
+ converted_start_time = start_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ # limit 3 digit value for millisecond
+ converted_stop_time = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ time_range_list = [converted_start_time, converted_stop_time]
+ return time_range_list
+ except (KeyError, IndexError, TypeError) as e:
+ raise e
+
+ @staticmethod
+ def _check_time_range_values(time_range_list):
+ """
+ checks for valid start and stop time
+ :param time_range_list: list
+ """
+ utc_timestamp = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ converted_utc_timestamp = QueryStringPatternTranslator._format_datetime(utc_timestamp)
+ converted_timestamp = []
+ for timestamp in time_range_list:
+ converted_time = QueryStringPatternTranslator._format_datetime(timestamp)
+ if converted_time > converted_utc_timestamp:
+ raise StartStopQualifierValueException('Start/Stop time should not be in the future UTC timestamp')
+ converted_timestamp.append(converted_time)
+ if converted_timestamp[0] >= converted_timestamp[1]:
+ raise StartStopQualifierValueException('Start time should be lesser than Stop time')
+ return converted_timestamp
+
+ def _check_value_comparator_support(self, expression, comparator, mapped_field_type):
+ """
+ checks the comparator and value support
+ :param comparator
+ :param mapped_field_type: str
+ :return: None
+ """
+ stix_object, stix_field = expression.object_path.split(':')
+ comparator_str = str(comparator).split(".")[1]
+ if expression.negated:
+ comparator_str = f'NOT {comparator_str}'
+ if mapped_field_type == "enum" and (comparator not in [ComparisonComparators.Equal,
+ ComparisonComparators.NotEqual,
+ ComparisonComparators.In]):
+ raise NotImplementedError(f'{comparator_str} operator is not supported for Enum type field {stix_object}:'
+ f'{stix_field}. Possible supported operators are =, !=, IN, NOT IN ')
+ if mapped_field_type == "string" and comparator not in [ComparisonComparators.Equal,
+ ComparisonComparators.NotEqual,
+ ComparisonComparators.In]:
+ raise NotImplementedError(f'{comparator_str} operator is not supported for string type field {stix_object}:'
+ f'{stix_field}.Possible supported operators are =, !=, IN, NOT IN')
+ if mapped_field_type == "boolean" and comparator not in [ComparisonComparators.Equal,
+ ComparisonComparators.NotEqual]:
+ raise NotImplementedError(f'{comparator_str} operator is not supported for Boolean type field '
+ f'{stix_object}:{stix_field}. Possible supported operators are =, != ')
+
+ def _get_mapped_field_type(self, mapped_field_array):
+ """
+ Returns the type of mapped field array
+ :param mapped_field_array: list
+ :return: str
+ """
+ mapped_field = mapped_field_array[0]
+ mapped_field_type = "string"
+ for key, value in self.config_map.items():
+ if mapped_field in value and key in ["int_supported_fields",
+ "enum_supported_fields",
+ "boolean_supported_fields"
+ ]:
+ mapped_field_type = key.split('_')[0]
+ break
+ return mapped_field_type
+
+ def _parse_mapped_fields(self, value, mapped_fields_array, mapped_field_type, expression, qualifier, or_operator):
+ """
+ Creates queries based on combined comparison expression.
+ Created queries will be updated in combined_query
+ :param value: formatted list
+ :param mapped_field_type: string
+ :param expression
+ :param qualifier
+ :param mapped_fields_array : list of mapped fields
+ :param or_operator: boolean
+ """
+ current_query = self._create_single_comparison_query(value, mapped_fields_array, mapped_field_type, expression,
+ qualifier)
+
+ if not self.qualified_queries[-1]:
+ self.qualified_queries[-1] = current_query
+ else:
+ previous_query = self.qualified_queries.pop()
+ if or_operator:
+ merged_query = QueryStringPatternTranslator._or_operator_query(previous_query, current_query)
+ else:
+ merged_query = QueryStringPatternTranslator._and_operator_query(previous_query, current_query,
+ expression)
+ self.qualified_queries.append(merged_query)
+
+ @staticmethod
+ def verify_common_stix_attributes(comparison_expression):
+ """
+ Raise Exception if similar six attributes are used in a pattern which has only AND operator
+ :param comparison_expression
+ """
+ comparison_expression_str = str(comparison_expression)
+ comparison_pattern_1 = re.finditer(pattern=r'\(ComparisonExpression\(', string=comparison_expression_str)
+ comparison_pattern_2 = re.finditer(pattern=r' ComparisonExpression\(', string=comparison_expression_str)
+ indices = [index.start() for index in comparison_pattern_1] + [index.start() for index in comparison_pattern_2]
+ indices.sort()
+ for i in indices:
+ end_index = comparison_expression_str.find(')', i)
+ exp = comparison_expression_str[i:end_index + 1]
+ comparison = exp.split(" ")
+ if comparison[0] != "" and comparison_expression_str.find(comparison[0][1:], end_index) != -1:
+ raise SimilarExpressionForAndOperatorException(
+ f'Multiple [{comparison[0][22:]}] expression is used in the pattern which has only AND comparison '
+ f'operator. Recommended to Use OR operator for similar STIX attributes.')
+
+ def _parse_expression(self, expression, qualifier=None, or_operator=None):
+ """
+ parse ANTLR pattern to AWS GuardDuty query format
+ :param expression: expression object, ANTLR parsed expression object
+ :param qualifier: str, default in None
+ :param or_operator: boolean
+ """
+ if isinstance(expression, ComparisonExpression): # Base Case
+ stix_object, stix_field = expression.object_path.split(':')
+ mapped_fields_array = self.dmm.map_field(stix_object, stix_field)
+ mapped_field_type = self._get_mapped_field_type(mapped_fields_array)
+ value = self._eval_comparison_value(expression, mapped_field_type)
+ self._parse_mapped_fields(value, mapped_fields_array, mapped_field_type, expression, qualifier,
+ or_operator)
+
+ elif isinstance(expression, CombinedComparisonExpression):
+ if self.or_operator_enabled:
+ self._parse_expression(expression.expr1, qualifier, True)
+ self._parse_expression(expression.expr2, qualifier, True)
+ else:
+ self._parse_expression(expression.expr1, qualifier)
+ self._parse_expression(expression.expr2, qualifier)
+
+ elif isinstance(expression, ObservationExpression):
+ self.or_operator_enabled = False
+ self.qualified_queries.append([])
+ if 'ComparisonExpressionOperators.Or' in str(expression.comparison_expression):
+ self.or_operator_enabled = True
+ else:
+ QueryStringPatternTranslator.verify_common_stix_attributes(expression.comparison_expression)
+ self._parse_expression(expression.comparison_expression, qualifier)
+ elif hasattr(expression, 'qualifier') and hasattr(expression, 'observation_expression'):
+ if isinstance(expression.observation_expression, CombinedObservationExpression):
+ self._parse_expression(expression.observation_expression.expr1, expression.qualifier)
+ self._parse_expression(expression.observation_expression.expr2, expression.qualifier)
+ else:
+ self._parse_expression(expression.observation_expression, expression.qualifier)
+
+ elif isinstance(expression, CombinedObservationExpression):
+ self._parse_expression(expression.expr1, qualifier)
+ self._parse_expression(expression.expr2, qualifier)
+
+ elif isinstance(expression, Pattern):
+ self._parse_expression(expression.expression)
+ else:
+ raise RuntimeError(f"Unknown Recursion Case for expression={expression}, "
+ f"type(expression)={type(expression)}")
+
+ def parse_expression(self, pattern: Pattern):
+ self._parse_expression(pattern)
+
+
+def translate_pattern(pattern: Pattern, data_model_mapping, options):
+ """
+ Conversion of ANTLR pattern to AWS GuardDuty query
+ :param pattern: expression object, ANTLR parsed expression object
+ :param data_model_mapping: DataMapper object, mapping object obtained by parsing json
+ :param options: dict
+ :return: list
+ """
+ query = QueryStringPatternTranslator(pattern, data_model_mapping, options).qualified_queries
+ final_queries = [{'FindingCriteria': {'Criterion': item}} for sublist in query for item in sublist]
+ return final_queries
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/query_translator.py b/stix_shifter_modules/aws_guardduty/stix_translation/query_translator.py
new file mode 100644
index 000000000..45ff86188
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/query_translator.py
@@ -0,0 +1,27 @@
+import logging
+
+from stix_shifter_utils.modules.base.stix_translation.base_query_translator import BaseQueryTranslator
+from . import query_constructor
+
+logger = logging.getLogger(__name__)
+
+
+class QueryTranslator(BaseQueryTranslator):
+
+ def transform_antlr(self, data, antlr_parsing_object):
+ """
+ Transforms STIX pattern into a different query format. Based on a mapping file
+ :param antlr_parsing_object: Antlr parsing objects for the STIX pattern
+ :type antlr_parsing_object: object
+ :param mapping: The mapping file path to use as instructions on how to transform the given STIX query into
+ another format. This should default to something if one isn't passed in
+ :type mapping: str (filepath)
+ :return: transformed query string
+ :rtype: str
+ """
+
+ logger.info("Converting STIX2 Pattern to data source query")
+
+ query_string = query_constructor.translate_pattern(
+ antlr_parsing_object, self, self.options)
+ return query_string
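Review bot: The docstring on `transform_antlr` documents a `mapping` parameter the method does not take, leaves `data` (unused in the body) undocumented, and states `:rtype: str` although `translate_pattern` in query_constructor.py documents and returns a list of `FindingCriteria` dicts. Replace the two `mapping` lines with `:param data: unused by this translator` and change the return documentation to `:return: list of GuardDuty FindingCriteria query dicts` with `:rtype: list`. The local name `query_string` is misleading for a list; `queries` would read better.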
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/transformers.py b/stix_shifter_modules/aws_guardduty/stix_translation/transformers.py
new file mode 100644
index 000000000..812caa2a2
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/transformers.py
@@ -0,0 +1,21 @@
+from stix_shifter_utils.stix_translation.src.utils.transformers import ValueTransformer
+from stix_shifter_utils.utils import logger
+from datetime import timezone
+LOGGER = logger.set_logger(__name__)
+
+
+class FormatDateTimeObjectToTimestamp(ValueTransformer):
+ """A value transformer to convert local datetime object to UTC timestamp"""
+
+ @staticmethod
+ def transform(obj):
+
+ try:
+ if not isinstance(obj, str):
+ utc_timestamp_str = obj.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ return utc_timestamp_str
+ return obj
+
+ except ValueError:
+ LOGGER.error("Cannot convert root value to timestamp format")
+ raise
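Review bot: `transform` guards only against `ValueError`, but a naive `datetime` (no `tzinfo`) reaching `astimezone()` on L7773 is interpreted as host-local time, so the emitted "UTC" timestamp silently depends on the machine's timezone, and a non-string object without an `astimezone` attribute raises `AttributeError`, which the handler does not cover. Whether the values arrive tz-aware is not visible here; if that is the contract, say so above the conversion, e.g. `# assumes the source emits tz-aware datetimes; a naive value is treated as host-local by astimezone()`. Catching `except (ValueError, AttributeError):` would log an unexpected type through the same path instead of letting it escape unlogged.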
diff --git a/stix_shifter_modules/aws_guardduty/stix_transmission/__init__.py b/stix_shifter_modules/aws_guardduty/stix_transmission/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/aws_guardduty/stix_transmission/boto3_client.py b/stix_shifter_modules/aws_guardduty/stix_transmission/boto3_client.py
new file mode 100644
index 000000000..8674126ba
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_transmission/boto3_client.py
@@ -0,0 +1,117 @@
+import aioboto3
+import string
+import random
+import botocore
+
+
+class BOTO3Client:
+
+ def __init__(self, connection, configuration):
+ self.connection = connection
+ self.configuration = configuration
+ self.session = None
+ self.timeout = connection['options'].get('timeout')
+ self.result_limit = connection['options'].get('result_limit')
+ self.verify = False
+ self.detector_ids = connection.get('detector_ids', '')
+
+ async def get_session(self):
+ """
+ Create an AWS GuardDuty Client session for the user.
+ :return: session object
+ """
+ if self.session is None:
+ region_name = self.connection.get('region')
+ auth = self.configuration.get('auth')
+ aws_access_key_id = auth.get('aws_access_key_id')
+ aws_secret_access_key = auth.get('aws_secret_access_key')
+ try:
+ if not region_name:
+ raise KeyError('Region must be specified')
+ if 'aws_iam_role' in auth and auth.get('aws_iam_role'):
+ # specific for role based authentication.Links user to role and
+ # generates client object with role based Credentials.
+ session = aioboto3.Session()
+ async with session.client('sts',
+ aws_access_key_id=aws_access_key_id,
+ aws_secret_access_key=aws_secret_access_key,
+ verify=self.verify
+ ) as client:
+ role_to_assume_arn = auth.get('aws_iam_role')
+ assume_role_external_id = auth.get('aws_assume_role_external_id')
+ prefix = 'AWS_'
+ letters = string.ascii_lowercase
+ role_session_name = prefix + ''.join(random.sample(letters, 4))
+ if assume_role_external_id:
+ response = await client.assume_role(
+ RoleArn=role_to_assume_arn,
+ RoleSessionName=role_session_name,
+ ExternalId=assume_role_external_id
+ )
+ else:
+ response = await client.assume_role(
+ RoleArn=role_to_assume_arn,
+ RoleSessionName=role_session_name
+ )
+ aws_creds = response['Credentials']
+ self.session = aioboto3.Session(
+ aws_access_key_id=aws_creds['AccessKeyId'],
+ aws_secret_access_key=aws_creds['SecretAccessKey'],
+ aws_session_token=aws_creds['SessionToken'],
+ region_name=region_name
+ )
+ else:
+ # basic client object authentication with access_key and aws_secret_access_key.
+ self.session = aioboto3.Session(
+ aws_access_key_id=aws_access_key_id,
+ aws_secret_access_key=aws_secret_access_key,
+ region_name=region_name
+ )
+ except KeyError as e:
+ raise e
+ except Exception as e:
+ raise KeyError(e.args)
+
+ return self.session
+
+ async def get_paginated_result(self, api_name, method, **kwargs):
+ """
+ Fetch the results through pagination for the corresponding GuardDuty method.
+ :param api_name,str
+ :param method,str
+ :return: dict containing a list of finding ids/detector ids with next page token
+ """
+ result_response_list = []
+ session = await self.get_session()
+ config = botocore.config.Config(
+ read_timeout=self.timeout,
+ connect_timeout=self.timeout
+ )
+ async with session.client(api_name, verify=self.verify, config=config) as cl:
+ paginator = cl.get_paginator(method)
+ get_query_response = paginator.paginate(**kwargs)
+ async for page in get_query_response:
+ if page.get('ResponseMetadata').get('HTTPStatusCode') == 200:
+ if page.get('DetectorIds'):
+ result_response_list.extend(page.get('DetectorIds'))
+ elif page.get('FindingIds'):
+ result_response_list.extend(page.get('FindingIds'))
+ else:
+ return page['ResponseMetadata']
+ result_dict = {'data': result_response_list, 'next_token': page.get('NextToken')}
+ return result_dict
+
+ async def make_request(self, api_name, method, **kwargs):
+ """
+ Fetch the results for the corresponding GuardDuty method
+ :return: Response object
+ """
+ session = await self.get_session()
+ config = botocore.config.Config(
+ read_timeout=self.timeout,
+ connect_timeout=self.timeout
+ )
+ async with session.client(api_name, verify=self.verify, config=config) as cl:
+ call = getattr(cl, method.lower())
+ response = await call(**kwargs)
+ return response
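Review bot: `self.verify = False` on L7803 disables TLS certificate verification for every client created here, including the STS `assume_role` call (L7826) and the GuardDuty clients (L7878, L7902), so the long-lived access keys and the returned session credentials travel over a connection whose server identity is never checked. This should be `self.verify = True` by default and only be relaxed through an explicit connection option the user sets deliberately. Separately, `except Exception as e: raise KeyError(e.args)` on L7860-L7861 re-labels every failure (botocore auth, validation and network errors alike) as a `KeyError`, which appears to be why connector.py then has to classify errors by substring-matching the message; re-raising the original exception, or wrapping it with `from e`, keeps the type available to callers. The role session name is not a secret, but a fixed prefix plus four letters from `random.sample` gives CloudTrail little to correlate a session with a stix-shifter invocation; a timestamp or caller identifier in the name would be more useful for auditing.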
diff --git a/stix_shifter_modules/aws_guardduty/stix_transmission/connector.py b/stix_shifter_modules/aws_guardduty/stix_transmission/connector.py
new file mode 100644
index 000000000..2047fe3e3
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_transmission/connector.py
@@ -0,0 +1,298 @@
+import copy
+import re
+from stix_shifter_utils.modules.base.stix_transmission.base_json_sync_connector import BaseJsonSyncConnector
+from stix_shifter_utils.utils.error_response import ErrorResponder
+from stix_shifter_utils.utils import logger
+from .boto3_client import BOTO3Client
+import json
+from botocore.exceptions import EndpointConnectionError, ParamValidationError, ClientError, InvalidRegionError, \
+ ReadTimeoutError, ConnectTimeoutError
+
+
+class InvalidMetadataException(Exception):
+ pass
+
+
+class Connector(BaseJsonSyncConnector):
+
+ def __init__(self, connection, configuration):
+
+ self.client = BOTO3Client(connection, configuration)
+ self.logger = logger.set_logger(__name__)
+ self.connector = __name__.split('.')[1]
+
+ async def create_results_connection(self, query, offset, length, metadata=None):
+ """
+ Fetching the results using query, offset and length and metadata
+ :param query: str, Data Source query
+ :param offset: str, Offset value
+ :param length: str, Length value
+ :param metadata: dict
+ :return: return_obj, dict
+ """
+ return_obj = {}
+ response_dict = {}
+ local_result_count = 0
+ local_data = []
+ try:
+ if not isinstance(query, dict):
+ query = json.loads(query)
+
+ if metadata:
+ if isinstance(metadata, dict) and metadata.get('result_count') and metadata.get('detector_ids') \
+ and metadata.get('next_page_token'):
+ result_count, detector_ids, next_page_token = metadata['result_count'], metadata['detector_ids'], \
+ metadata['next_page_token']
+ result_count = int(result_count)
+ total_records = int(length)
+ if abs(self.client.result_limit - result_count) < total_records:
+ total_records = abs(self.client.result_limit - result_count)
+ else:
+ # raise exception when metadata doesn't contain result count or detector ids or next page token
+ raise InvalidMetadataException(f'Invalid Metadata{metadata}')
+ else:
+ if not self.client.detector_ids:
+ detector_response = await self.client.get_paginated_result('guardduty', 'list_detectors')
+ detector_ids = detector_response['data']
+ else:
+ detector_ids = self.client.detector_ids.split(",")
+ result_count = 0
+ next_page_token = None
+ total_records = int(offset) + int(length)
+ if self.client.result_limit < total_records:
+ total_records = self.client.result_limit
+ track_detector_id = copy.deepcopy(detector_ids)
+ max_items = total_records
+ if (result_count == 0 and detector_ids and next_page_token is None) or (
+ result_count < self.client.result_limit and detector_ids):
+
+ for detector_id in detector_ids:
+ list_findings = await self.client.get_paginated_result('guardduty', 'list_findings',
+ DetectorId=detector_id,
+ FindingCriteria=query['FindingCriteria'],
+ PaginationConfig={'MaxItems': max_items,
+ 'StartingToken':
+ next_page_token})
+ if list_findings.get('data'):
+ findings = list_findings['data']
+ next_page_token = list_findings.get('next_token')
+ result_count += len(list_findings['data'])
+ local_result_count += len(list_findings['data'])
+ if not next_page_token:
+ track_detector_id.remove(detector_id)
+ final_response = await self.get_findings(findings, detector_id)
+ local_data += final_response['data']
+ if local_result_count >= total_records:
+ break
+ else:
+ max_items = total_records - local_result_count
+
+ if local_data:
+ return_obj['success'] = True
+ if metadata:
+ return_obj['data'] = local_data
+ else:
+ return_obj['data'] = local_data[int(offset):total_records]
+
+ if result_count < self.client.result_limit:
+ return_obj['metadata'] = {"result_count": result_count,
+ "next_page_token": next_page_token,
+ "detector_ids": track_detector_id}
+
+ else:
+ return_obj['success'] = True
+ return_obj['data'] = []
+ else:
+ return_obj['success'] = True
+ return_obj['data'] = []
+
+ except ClientError as ex:
+ response_dict['code'] = ex.response.get('ResponseMetadata', {}).get('HTTPStatusCode')
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except EndpointConnectionError as ex:
+ response_dict['code'] = 503
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except (ParamValidationError, InvalidMetadataException) as ex:
+ response_dict['code'] = 400
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except InvalidRegionError as ex:
+ response_dict['code'] = 403
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except ReadTimeoutError as ex:
+ response_dict['code'] = 503
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except ConnectTimeoutError as ex:
+ response_dict['code'] = 408
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except KeyError as ex:
+ if 'InvalidClientTokenId' in str(ex) or 'SignatureDoesNotMatch' in str(ex) or 'ValidationError' in str(ex) \
+ or 'AccessDenied' in str(ex):
+ response_dict['code'] = 403
+ elif 'endpoint URL' in str(ex):
+ response_dict['code'] = 503
+ else:
+ response_dict['code'] = 100
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except Exception as ex:
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ return return_obj
+
+ async def ping_connection(self):
+ """
+ Ping the endpoint
+ :return: return_object, dict
+ """
+ return_obj = {}
+ response_dict = {}
+ try:
+ await self.client.make_request('guardduty', 'list_detectors')
+ return_obj['success'] = True
+
+ except ClientError as ex:
+ response_dict['code'] = ex.response.get('ResponseMetadata', {}).get('HTTPStatusCode')
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except EndpointConnectionError as ex:
+ response_dict['code'] = 503
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except InvalidRegionError as ex:
+ response_dict['code'] = 403
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except ReadTimeoutError as ex:
+ response_dict['code'] = 503
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except ConnectTimeoutError as ex:
+ response_dict['code'] = 408
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except KeyError as ex:
+ if 'InvalidClientTokenId' in str(ex) or 'SignatureDoesNotMatch' in str(ex) or 'ValidationError' in str(ex) \
+ or 'AccessDenied' in str(ex):
+ response_dict['code'] = 403
+ elif 'endpoint URL' in str(ex):
+ response_dict['code'] = 503
+ else:
+ response_dict['code'] = 100
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except Exception as ex:
+ response_dict['message'] = ex
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ return return_obj
+
+ async def get_findings(self, findings, detector_id):
+ """
+ Get the finding details of the list of finding ids
+ :param findings, list
+ :param detector_id, int
+ :return: return_obj, dict
+ """
+ data = []
+ max_findings = 50
+ return_obj = {}
+ if len(findings) <= max_findings:
+ final_response = await self.client.make_request('guardduty', 'get_findings',
+ DetectorId=detector_id,
+ FindingIds=findings)
+ data += final_response.get('Findings')
+
+ else:
+ for finding in range(0, len(findings), max_findings):
+ split_findings = findings[finding:finding + max_findings]
+ final_response = await self.client.make_request('guardduty', 'get_findings',
+ DetectorId=detector_id,
+ FindingIds=split_findings)
+
+ data += final_response['Findings']
+
+ if data:
+ return_obj['data'] = Connector.format_result(data)
+ return return_obj
+
+ @staticmethod
+ def format_result(response):
+ """
+ Formats the results
+ param: response, list
+ """
+ updated_response = []
+ for finding in response:
+ finding['FindingType'] = 'alert'
+ finding = Connector.format_private_ip_address(finding)
+ finding = Connector.format_kubernetes_api_call(finding)
+ finding = Connector.format_ebs_volume_hash_value(finding)
+ updated_response.append(finding)
+ return updated_response
+
+ @staticmethod
+ def format_private_ip_address(finding):
+ """
+ remove the private ip address which matches either target or local ip address inorder to avoid
+ duplicate ip address object creation
+ :param finding,dict
+ :return dict
+ """
+ local_affected_ip, target_affected_ip = 0, 0
+ if finding.get('Service', {}) and finding['Service'].get('ResourceRole', '') == 'TARGET':
+ local_affected_ip = finding.get('Service', {}).get('Action', {}).get('NetworkConnectionAction', {}). \
+ get('LocalIpDetails', {}).get('IpAddressV4', '')
+ else:
+ target_affected_ip = finding.get('Service', {}).get('Action', {}).get('NetworkConnectionAction', {}). \
+ get('RemoteIpDetails', {}).get('IpAddressV4', '')
+ if local_affected_ip or target_affected_ip:
+ if finding.get('Resource', {}).get('InstanceDetails', {}).get('NetworkInterfaces', []):
+ for ni in finding['Resource']['InstanceDetails']['NetworkInterfaces']:
+ if ni.get('PrivateIpAddresses', []):
+ for private_ip in ni['PrivateIpAddresses']:
+ if private_ip.get('PrivateIpAddress', '') == local_affected_ip or \
+ private_ip.get('PrivateIpAddress', '') == target_affected_ip:
+ del private_ip['PrivateIpAddress']
+ break
+ return finding
+
+ @staticmethod
+ def format_kubernetes_api_call(finding):
+ """
+ Set the Protocol value for Kubernetes API Call action
+ :param finding,dict
+ :return: dict
+ """
+ if finding.get('Service', {}).get('Action', {}).get('KubernetesApiCallAction', {}):
+ finding['Service']['Action']['KubernetesApiCallAction']['Protocol'] = 'http'
+ return finding
+
+ @staticmethod
+ def format_ebs_volume_hash_value(finding):
+ """
+ Format the Hash value for EBS Volume details
+ :param finding,dict
+ :return: dict
+ """
+ if finding.get('Service', {}).get('EbsVolumeScanDetails', {}).get('ScanDetections', {}). \
+ get('ThreatDetectedByName', {}).get('ThreatNames', []):
+ for threat in finding['Service']['EbsVolumeScanDetails']['ScanDetections']['ThreatDetectedByName'][
+ 'ThreatNames']:
+ if threat.get('FilePaths', []):
+ for file in threat['FilePaths']:
+ if 'Hash' in file:
+ if re.compile("^[a-f0-9]{32}$").match(file['Hash']) is not None:
+ file.update({"FileMd5": file['Hash']})
+ elif re.compile(r'\b[0-9a-f]{40}\b').match(file['Hash']) is not None:
+ file.update({"FileSha1": file['Hash']})
+ elif re.compile("[A-Fa-f0-9]{64}").match(file['Hash']) is not None:
+ file.update({"FileSha256": file['Hash']})
+ else:
+ file.update({"UnknownHash": file['Hash']})
+ del file['Hash']
+ return finding
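Review bot: The three hash regexes in `format_ebs_volume_hash_value` (L8200-L8204) are anchored inconsistently: `^[a-f0-9]{32}$` is fully anchored but lowercase-only, `\b[0-9a-f]{40}\b` relies on a word boundary, and `[A-Fa-f0-9]{64}` has no end anchor, so `re.match` accepts any value that merely starts with 64 hex characters (a SHA-512 would be labelled `FileSha256`) while an uppercase MD5 falls through to `UnknownHash`. One case-insensitive class with `re.fullmatch` makes the classification exact: `if re.fullmatch(r'[A-Fa-f0-9]{32}', file['Hash']):` / `elif re.fullmatch(r'[A-Fa-f0-9]{40}', file['Hash']):` / `elif re.fullmatch(r'[A-Fa-f0-9]{64}', file['Hash']):`. The patterns are also recompiled for every file entry; hoisting them to module-level constants avoids that. In `create_results_connection`, the `KeyError` handler (L8044-L8051) derives HTTP-like codes by substring-matching the exception text, which is brittle and follows from boto3_client re-raising everything as `KeyError`; it is best fixed at that source.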
diff --git a/stix_shifter_modules/aws_guardduty/stix_transmission/error_mapper.py b/stix_shifter_modules/aws_guardduty/stix_transmission/error_mapper.py
new file mode 100644
index 000000000..6a4143ba1
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/stix_transmission/error_mapper.py
@@ -0,0 +1,35 @@
+from stix_shifter_utils.utils.error_mapper_base import ErrorMapperBase
+from stix_shifter_utils.utils.error_response import ErrorCode
+from stix_shifter_utils.utils import logger
+
+error_mapping = {
+ 100: ErrorCode.TRANSMISSION_INVALID_PARAMETER,
+ 400: ErrorCode.TRANSMISSION_INVALID_PARAMETER,
+ 403: ErrorCode.TRANSMISSION_AUTH_CREDENTIALS,
+ 503: ErrorCode.TRANSMISSION_CONNECT,
+ 408: ErrorCode.TRANSMISSION_CONNECT,
+ 500: ErrorCode.TRANSMISSION_CONNECT
+}
+
+
+class ErrorMapper():
+ logger = logger.set_logger(__name__)
+ DEFAULT_ERROR = ErrorCode.TRANSMISSION_MODULE_DEFAULT_ERROR
+
+ @staticmethod
+ def set_error_code(json_data, return_obj, connector=None):
+ code = None
+ try:
+ code = int(json_data['code'])
+ except Exception:
+ pass
+
+ error_code = ErrorMapper.DEFAULT_ERROR
+
+ if code in error_mapping:
+ error_code = error_mapping[code]
+
+ if error_code == ErrorMapper.DEFAULT_ERROR:
+ ErrorMapper.logger.error("failed to map: " + str(json_data))
+
+ ErrorMapperBase.set_error_code(return_obj, error_code, connector=connector)
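Review bot: `set_error_code` swallows every exception from `int(json_data['code'])` with `except Exception: pass` (L8239-L8240); a missing or non-numeric code is the expected case here, so the handler should name it, `except (KeyError, TypeError, ValueError):`, so that an unrelated failure is not hidden. The `error_mapping` table also routes the connector's synthetic code 100 (set in connector.py when a `KeyError` cannot be classified) to `TRANSMISSION_INVALID_PARAMETER` without explanation; a comment such as `# 100: connector-assigned code for unclassified KeyError failures` would help the next maintainer.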
diff --git a/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_json_to_stix.py b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_json_to_stix.py
new file mode 100644
index 000000000..4e654ac18
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_json_to_stix.py
@@ -0,0 +1,1200 @@
+""" test script to perform unit test case for aws_guardduty translate results """
+import unittest
+from stix_shifter_modules.aws_guardduty.entry_point import EntryPoint
+from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator
+from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers
+
+MODULE = "aws_guardduty"
+entry_point = EntryPoint()
+map_data = entry_point.get_results_translator().map_data
+data_source = {
+ "type": "identity",
+ "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "name": "aws_guardduty",
+ "identity_class": "events"
+}
+options = {}
+
+aws_guardduty_sample_response = {
+ "AccountId": "12345678910",
+ "Arn": "arn:aws:guardduty:us-east-1:12345678910:detector/123abc456def789ghi/finding/"
+ "123abc456def789ghi123456",
+ "CreatedAt": "2023-05-05T06:12:49.891Z",
+ "Description": "15.116.116.115 is performing RDP brute force attacks against i-0bc12345678910. "
+ "Brute force attacks are used to gain unauthorized access to your instance "
+ "by guessing the RDP password.",
+ "Id": "123abc456def789ghi123456",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "InstanceDetails": {
+ "AvailabilityZone": "us-east-1c",
+ "ImageId": "ami-0b12345678910",
+ "InstanceId": "i-0bc12345678910",
+ "InstanceState": "running",
+ "InstanceType": "t2.medium",
+ "LaunchTime": "2023-05-04T04:18:46.000Z",
+ "NetworkInterfaces": [
+ {
+ "Ipv6Addresses": [],
+ "NetworkInterfaceId": "eni-025723cd79287c910",
+ "PrivateDnsName": "ip-11-111-111-111.ec2.internal",
+ "PrivateIpAddress": "11.111.111.111",
+ "PrivateIpAddresses": [
+ {
+ "PrivateDnsName": "ip-11-111-111-111.ec2.internal"
+ }
+ ],
+ "PublicDnsName": "ec2-22-112-112-112.compute-1.amazonaws.com",
+ "PublicIp": "22.112.112.112",
+ "SecurityGroups": [
+ {
+ "GroupId": "sg-07a9c258f2c08e2a3",
+ "GroupName": "launch-wizard-31"
+ }
+ ],
+ "SubnetId": "subnet-11111",
+ "VpcId": "vpc-11111"
+ }
+ ],
+ "Platform": "windows",
+ "ProductCodes": [],
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "cp4s_proofpoint_development"
+ }
+ ]
+ },
+ "ResourceType": "Instance"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "NETWORK_CONNECTION",
+ "NetworkConnectionAction": {
+ "Blocked": 'false',
+ "ConnectionDirection": "INBOUND",
+ "LocalPortDetails": {
+ "Port": 3389,
+ "PortName": "RDP"
+ },
+ "Protocol": "TCP",
+ "LocalIpDetails": {
+ "IpAddressV4": "11.111.111.111"
+ },
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "Berlin"
+ },
+ "Country": {
+ "CountryName": "Germany"
+ },
+ "GeoLocation": {
+ "Lat": 52.5196,
+ "Lon": 13.4069
+ },
+ "IpAddressV4": "15.116.116.115",
+ "Organization": {
+ "Asn": "174",
+ "AsnOrg": "COGENT-174",
+ "Isp": "Cogent Communications",
+ "Org": "Cogent Communications"
+ }
+ },
+ "RemotePortDetails": {
+ "Port": 49163,
+ "PortName": "Unknown"
+ }
+ }
+ },
+ "Archived": 'false',
+ "Count": 43,
+ "DetectorId": "abcdefghij123456",
+ "EventFirstSeen": "2023-05-05T05:59:51.000Z",
+ "EventLastSeen": "2023-05-05T13:08:11.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{}",
+ "Type": "default"
+ }
+ },
+ "Severity": 2,
+ "Title": "15.116.116.115 is performing RDP brute force attacks against i-0bc12345678910.",
+ "Type": "UnauthorizedAccess:EC2/RDPBruteForce",
+ "UpdatedAt": "2023-05-05T13:13:02.364Z",
+ "FindingType": "alert"
+}
+
+aws_guardduty_sample_response_2 = {
+ "AccountId": "12345678910",
+ "Arn": "arn:aws:guardduty:us-east-1:12345678910:detector/123abc456def789ghi/"
+ "finding/0011c11111404002875f3ab698ae5b9b",
+ "CreatedAt": "2023-03-29T07:26:01.797Z",
+ "Description": "API GeneratedFindingAPIName was used to access bucket GeneratedFindingS3Bucket "
+ "from Tor exit node IP address 111.11.000.1.",
+ "Id": "0011c11111404002875f3ab698ae5b9b",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "AccessKeyDetails": {
+ "AccessKeyId": "GeneratedFindingAccessKeyId",
+ "PrincipalId": "GeneratedFindingPrincipalId",
+ "UserName": "GeneratedFindingUserName",
+ "UserType": "IAMUser"
+ },
+ "S3BucketDetails": [
+ {
+ "Arn": "arn:aws:s3:::bucketName",
+ "Name": "bucketName",
+ "Type": "Destination",
+ "CreatedAt": "2017-12-18 21:28:11.551000+05:30",
+ "Owner": {
+ "Id": "CanonicalId of Owner"
+ },
+ "Tags": [
+ {
+ "Key": "foo",
+ "Value": "bar"
+ }
+ ],
+ "DefaultServerSideEncryption": {
+ "EncryptionType": "SSEAlgorithm",
+ "KmsMasterKeyArn": "arn:aws:kms:region:1111111111:key/key-id"
+ },
+ "PublicAccess": {
+ "PermissionConfiguration": {
+ "BucketLevelPermissions": {
+ "AccessControlList": {
+ "AllowsPublicReadAccess": 'false',
+ "AllowsPublicWriteAccess": 'false'
+ },
+ "BucketPolicy": {
+ "AllowsPublicReadAccess": 'false',
+ "AllowsPublicWriteAccess": 'false'
+ },
+ "BlockPublicAccess": {
+ "IgnorePublicAcls": 'false',
+ "RestrictPublicBuckets": 'false',
+ "BlockPublicAcls": 'false',
+ "BlockPublicPolicy": 'false'
+ }
+ },
+ "AccountLevelPermissions": {
+ "BlockPublicAccess": {
+ "IgnorePublicAcls": 'false',
+ "RestrictPublicBuckets": 'false',
+ "BlockPublicAcls": 'false',
+ "BlockPublicPolicy": 'false'
+ }
+ }
+ },
+ "EffectivePermission": "NOT_PUBLIC"
+ }
+ }
+ ],
+ "InstanceDetails": {
+ "AvailabilityZone": "GeneratedFindingInstaceAvailabilityZone",
+ "IamInstanceProfile": {
+ "Arn": "arn:aws:iam::12345678910:example/instance/profile",
+ "Id": "GeneratedFindingInstanceProfileId"
+ },
+ "ImageDescription": "GeneratedFindingInstaceImageDescription",
+ "ImageId": "ami-100000000",
+ "InstanceId": "i-10000000",
+ "InstanceState": "running",
+ "InstanceType": "m3.xlarge",
+ "OutpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3",
+ "LaunchTime": "2016-08-02T02:05:06.000Z",
+ "NetworkInterfaces": [
+ {
+ "Ipv6Addresses": [],
+ "NetworkInterfaceId": "eni-aaaaaa88",
+ "PrivateDnsName": "GeneratedFindingPrivateDnsName",
+ "PrivateIpAddress": "10.0.0.1",
+ "PrivateIpAddresses": [
+ {
+ "PrivateDnsName": "GeneratedFindingPrivateName",
+ "PrivateIpAddress": "10.0.0.1"
+ }
+ ],
+ "PublicDnsName": "GeneratedFindingPublicDNSName",
+ "PublicIp": "111.11.000.1",
+ "SecurityGroups": [
+ {
+ "GroupId": "GeneratedFindingSecurityId",
+ "GroupName": "GeneratedFindingSecurityGroupName"
+ }
+ ],
+ "SubnetId": "GeneratedFindingSubnetId",
+ "VpcId": "GeneratedFindingVPCId"
+ }
+ ],
+ "ProductCodes": [
+ {
+ "Code": "GeneratedFindingProductCodeId",
+ "ProductType": "GeneratedFindingProductCodeType"
+ }
+ ],
+ "Tags": [
+ {
+ "Key": "GeneratedFindingInstaceTag1",
+ "Value": "GeneratedFindingInstaceValue1"
+ }
+ ]
+ },
+ "ResourceType": "S3Bucket"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "AWS_API_CALL",
+ "AwsApiCallAction": {
+ "Api": "GeneratedFindingAPIName",
+ "CallerType": "Remote IP",
+ "ErrorCode": "AccessDenied",
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "GeneratedFindingCityName"
+ },
+ "Country": {
+ "CountryName": "GeneratedFindingCountryName"
+ },
+ "GeoLocation": {
+ "Lat": 0,
+ "Lon": 0
+ },
+ "IpAddressV4": "111.11.000.1",
+ "Organization": {
+ "Asn": "-1",
+ "AsnOrg": "GeneratedFindingASNOrg",
+ "Isp": "GeneratedFindingISP",
+ "Org": "GeneratedFindingORG"
+ }
+ },
+ "ServiceName": "GeneratedFindingAPIServiceName",
+ "AffectedResources": {
+ "AWS::S3::Bucket": "GeneratedFindingS3Bucket"
+ }
+ }
+ },
+ "Archived": 'false',
+ "Count": 4,
+ "DetectorId": "123abc456def789ghi",
+ "EventFirstSeen": "2023-03-29T07:26:01.000Z",
+ "EventLastSeen": "2023-06-01T15:31:39.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"unusual\":{\"hoursOfDay\":[1513609200000],\"userNames\":"
+ "[\"GeneratedFindingUserName\"]},\"sample\":true}",
+ "Type": "default"
+ }
+ },
+ "Severity": 8,
+ "Title": "API GeneratedFindingAPIName was invoked from a Tor exit node.",
+ "Type": "UnauthorizedAccess:S3/TorIPCaller",
+ "UpdatedAt": "2023-06-01T15:31:39.178Z",
+ "FindingType": "alert"
+}
+
+aws_guardduty_sample_response_3 = {
+
+ "AccountId": "10987654321",
+ "Arn": "arn:aws:guardduty:us-east-1:10987654321:detector/2ab2e2ee222ed222f3b2ca22acdc24df/"
+ "finding/12c12dd12dc12bf1ad12121ef1212cb",
+ "CreatedAt": "2023-06-08T09:23:06.809Z",
+ "Description": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-1:10987654321:trail/"
+ "sampleguardtrail was disabled by abc@abc.com calling DeleteTrail under unusual "
+ "circumstances. This can be attackers attempt to cover their tracks by eliminating any "
+ "trace of activity performed while they accessed your account.",
+ "Id": "12c12dd12dc12bf1ad12121ef1212cb",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "AccessKeyDetails": {
+ "AccessKeyId": "SSSSSSSSSSSSSSS",
+ "PrincipalId": "AABBCCDDEEFFGGHHII",
+ "UserName": "abc@abc.com",
+ "UserType": "IAMUser"
+ },
+ "ResourceType": "AccessKey"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "AWS_API_CALL",
+ "AwsApiCallAction": {
+ "Api": "DeleteTrail",
+ "CallerType": "Remote IP",
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "Mumbai"
+ },
+ "Country": {
+ "CountryName": "India"
+ },
+ "GeoLocation": {
+ "Lat": 19.0748,
+ "Lon": 72.8856
+ },
+ "IpAddressV4": "222.22.222.22",
+ "Organization": {
+ "Asn": "396982",
+ "AsnOrg": "GOOGLE-CLOUD-PLATFORM",
+ "Isp": "Symantec Endpoint Protection",
+ "Org": "Symantec Endpoint Protection"
+ }
+ },
+ "ServiceName": "cloudtrail.amazonaws.com",
+ "AffectedResources": {
+ "AWS::CloudTrail::Trail": "arn:aws:cloudtrail:us-east-1:10987654321:trail/"
+ "sampleguardtrail"
+ }
+ }
+ },
+ "Archived": 'false',
+ "Count": 1,
+ "DetectorId": "2ab2e2ee222ed222f3b2ca22acdc24df",
+ "EventFirstSeen": "2023-06-08T09:13:13.000Z",
+ "EventLastSeen": "2023-06-08T09:13:13.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{}",
+ "Type": "default"
+ }
+ },
+ "Severity": 2,
+ "Title": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-1:10987654321:trail/"
+ "sampleguardtrail was disabled.",
+ "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled",
+ "UpdatedAt": "2023-06-08T09:23:06.809Z",
+ "FindingType": "alert"
+}
+aws_guardduty_sample_response_4 = {
+
+ "AccountId": "10987654321",
+ "Arn": "arn:aws:guardduty:us-east-1:10987654321:detector/1ab1e6ee111ed111f11ca11acdc11df/"
+ "finding/01fc453c5efe4cfd895a83ee6111111",
+ "CreatedAt": "2023-03-29T07:26:01.798Z",
+ "Description": "IP address 1.2.3.4, that is associated with known malicious activity, "
+ "unsuccessfully attempted to log in to RDS database GeneratedFindingDBInstanceId.",
+ "Id": "01fc453c5efe4cfd895a83ee6111111",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "ResourceType": "RDSDBInstance"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "RDS_LOGIN_ATTEMPT"
+ },
+ "Evidence": {
+ "ThreatIntelligenceDetails": [
+ {
+ "ThreatListName": "GeneratedFindingThreatListName",
+ "ThreatNames": [
+ "GeneratedFindingThreatName"
+ ]
+ }
+ ]
+ },
+ "Archived": 'false',
+ "Count": 4,
+ "DetectorId": "1ab1e6ee111ed111f11ca11acdc11df",
+ "EventFirstSeen": "2023-03-29T07:26:01.000Z",
+ "EventLastSeen": "2023-06-01T15:31:39.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"sample\":true}",
+ "Type": "default"
+ }
+ },
+ "Severity": 5,
+ "Title": "An IP address that is associated with known malicious activity unsuccessfully attempted "
+ "to log in to RDS database GeneratedFindingDBInstanceId.",
+ "Type": "CredentialAccess:RDS/MaliciousIPCaller.FailedLogin",
+ "UpdatedAt": "2023-06-01T15:31:39.180Z",
+ "FindingType": "alert"
+}
+
+
+class TestAwsGuarddutyResultsToStix(unittest.TestCase):
+ """
+ class to perform unit test case for aws_guardduty translate results
+ """
+
+ @staticmethod
+ def get_first(itr, constraint):
+ """
+ return the obj in the itr if constraint is true
+ """
+ return next(
+ (obj for obj in itr if constraint(obj)),
+ None
+ )
+
+ @staticmethod
+ def get_first_of_type(itr, typ):
+ """
+ to check whether the object belongs to respective stix object
+ """
+ return TestAwsGuarddutyResultsToStix.get_first(itr, lambda o: isinstance(o, dict) and o.get('type') == typ)
+
+ @staticmethod
+ def get_observed_data_objects(data):
+ result_bundle = json_to_stix_translator.convert_to_stix(
+ data_source, map_data, [data], get_module_transformers(MODULE), options)
+ result_bundle_objects = result_bundle['objects']
+
+ result_bundle_identity = result_bundle_objects[0]
+ assert result_bundle_identity['type'] == data_source['type']
+ observed_data = result_bundle_objects[1]
+
+ assert 'objects' in observed_data
+ return observed_data['objects']
+
+ def test_ipv4_addr_json_to_stix(self):
+ """
+ to test ipv4-addr stix object properties
+ """
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ ipv4_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'ipv4-addr')
+ assert (ipv4_obj.keys() == {'type', 'value'})
+ assert ipv4_obj is not None
+ assert ipv4_obj['type'] == 'ipv4-addr'
+ assert ipv4_obj['value'] == '22.112.112.112'
+
+ def test_network_traffic_json_to_stix(self):
+ """
+ to test network_traffic stix object properties
+ """
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ network_traffic_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+ assert (network_traffic_obj.keys() == {'type', 'x_is_target_port_blocked', 'x_direction',
+ 'src_port', 'x_src_port_name', 'protocols', 'src_ref',
+ 'dst_ref', 'dst_port', 'x_dst_port_name'})
+ assert network_traffic_obj is not None
+ assert network_traffic_obj['type'] == 'network-traffic'
+ assert network_traffic_obj['x_is_target_port_blocked'] == 'false'
+ assert network_traffic_obj['src_port'] == 3389
+ assert network_traffic_obj['protocols'] == ['tcp']
+ assert network_traffic_obj['x_direction'] == 'INBOUND'
+
+ dst_ref = network_traffic_obj['dst_ref']
+ assert (dst_ref in objects), f"dst_ref with key {network_traffic_obj['dst_ref']} " \
+ f"not found"
+ dst_obj = objects[dst_ref]
+ assert dst_obj['type'] == 'ipv4-addr'
+ src_ref = network_traffic_obj['src_ref']
+ assert (src_ref in objects), f"src_ref with key {network_traffic_obj['src_ref']} " \
+ f"not found"
+ src_obj = objects[src_ref]
+ assert src_obj['type'] == 'ipv4-addr'
+
+ def test_x_aws_instance_json_to_stix(self):
+ """
+ to test x_aws_instance stix object properties
+ """
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ x_aws_instance_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-instance')
+ assert (x_aws_instance_obj.keys() == {'type', 'availability_zone', 'image_id', 'instance_id', 'state',
+ 'instance_type', 'launch_time', 'x_network_interface_refs', 'os_ref',
+ 'tags'})
+
+ assert x_aws_instance_obj is not None
+ assert x_aws_instance_obj['type'] == 'x-aws-instance'
+ assert x_aws_instance_obj['image_id'] == 'ami-0b12345678910'
+ assert x_aws_instance_obj['instance_id'] == 'i-0bc12345678910'
+ assert x_aws_instance_obj['availability_zone'] == 'us-east-1c'
+ assert x_aws_instance_obj['state'] == 'running'
+ assert x_aws_instance_obj['instance_type'] == 't2.medium'
+ assert x_aws_instance_obj['launch_time'] == '2023-05-04T04:18:46.000Z'
+
+ os_ref = x_aws_instance_obj['os_ref']
+ assert (os_ref in objects), f"os_ref with key{x_aws_instance_obj['os_ref']}" f"not found"
+ os_obj = objects[os_ref]
+ assert os_obj['type'] == 'software'
+
+ interface_ref = x_aws_instance_obj['x_network_interface_refs']
+ assert (ref_value in objects for ref_value in interface_ref), \
+ f"x_network_interface_refs with key {x_aws_instance_obj['x_network_interface_refs']} not found"
+
+ def test_ibm_finding_json_to_stix(self):
+ """
+ to test x-ibm-finding stix object properties
+ """
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ ibm_finding_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
+ assert (ibm_finding_obj.keys() == {'type', 'x_arn', 'description', 'alert_id',
+ 'x_resource_ref', 'x_schema_version', 'x_service_ref',
+ 'x_archived', 'event_count', 'x_detector_id', 'severity', 'x_title',
+ 'name', 'time_observed', 'finding_type'})
+ assert ibm_finding_obj is not None
+ assert ibm_finding_obj['type'] == 'x-ibm-finding'
+ assert ibm_finding_obj['alert_id'] == '123abc456def789ghi123456'
+ assert ibm_finding_obj['x_archived'] == 'false'
+ assert ibm_finding_obj['severity'] == 2
+ assert ibm_finding_obj['event_count'] == 43
+
+ assert ibm_finding_obj['name'] == 'UnauthorizedAccess:EC2/RDPBruteForce'
+ assert ibm_finding_obj['description'] == "15.116.116.115 is performing RDP brute force attacks against " \
+ "i-0bc12345678910. " \
+ "Brute force attacks are used to gain unauthorized " \
+ "access to your instance by guessing the RDP password."
+ assert ibm_finding_obj['x_detector_id'] == 'abcdefghij123456'
+
+ x_service_ref = ibm_finding_obj['x_service_ref']
+ assert (x_service_ref in objects), f"x_service_ref with key {ibm_finding_obj['x_service_ref']} " \
+ f"not found"
+ resource_ref = ibm_finding_obj['x_resource_ref']
+ assert (resource_ref in objects), f" resource_ref with key " \
+ f"{ibm_finding_obj['x_resource_ref']} " \
+ f"not found"
+
+ def test_autonomous_system_json_to_stix(self):
+ """to test autonomous-system stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ autonomous_system_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(),
+ 'autonomous-system')
+ assert (autonomous_system_obj.keys() == {'type', 'number', 'name', 'x_isp', 'x_organisation'})
+ assert autonomous_system_obj is not None
+ assert autonomous_system_obj['type'] == 'autonomous-system'
+ assert autonomous_system_obj['number'] == 174
+ assert autonomous_system_obj['name'] == 'COGENT-174'
+ assert autonomous_system_obj['x_isp'] == 'Cogent Communications'
+ assert autonomous_system_obj['x_organisation'] == 'Cogent Communications'
+
+ def test_x_oca_geo_json_to_stix(self):
+ """to test x-oca-geo stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ x_oca_obj = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-oca-geo')
+ assert (x_oca_obj.keys() == {'type', 'city_name', 'country_name', 'location'})
+ assert x_oca_obj is not None
+ assert x_oca_obj['type'] == 'x-oca-geo'
+ assert x_oca_obj['city_name'] == 'Berlin'
+ assert x_oca_obj['country_name'] == 'Germany'
+ assert x_oca_obj['location']['Lat'] == 52.5196
+ assert x_oca_obj['location']['Lon'] == 13.4069
+
+ def test_resource_type_json_to_stix(self):
+ """to test resource-type stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ resource_type = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-resource')
+ assert (resource_type.keys() == {'type', 'account_id', 'partition', 'region', 'resource_type',
+ 'resource_role', 'instance_ref'})
+ assert resource_type is not None
+ assert resource_type['type'] == 'x-aws-resource'
+ assert resource_type['resource_type'] == 'Instance'
+ assert resource_type['resource_role'] == 'TARGET'
+ assert resource_type['account_id'] == '12345678910'
+
+ def test_domain_name_json_to_stix(self):
+ """to test domain-name stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ domain_name = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'domain-name')
+ assert (domain_name.keys() == {'type', 'value'})
+ assert domain_name is not None
+ assert domain_name['type'] == 'domain-name'
+ assert domain_name['value'] == 'ip-11-111-111-111.ec2.internal'
+
+ def test_x_aws_network_interface_json_to_stix(self):
+ """to test network-interface stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response)
+ x_aws_network_interface = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(),
+ 'x-aws-network-interface')
+ assert (x_aws_network_interface.keys() == {'type', 'interface_id', 'private_domain_refs', 'public_domain_ref',
+ 'security_groups', 'subnet_id', 'vpc_id'})
+ assert x_aws_network_interface is not None
+ assert x_aws_network_interface['type'] == 'x-aws-network-interface'
+ assert x_aws_network_interface['interface_id'] == 'eni-025723cd79287c910'
+ assert x_aws_network_interface['subnet_id'] == 'subnet-11111'
+ assert x_aws_network_interface['vpc_id'] == 'vpc-11111'
+ security_gps = x_aws_network_interface['security_groups']
+ assert (security_groups['GroupId'] == 'sg-07a9c258f2c08e2a3' and security_groups['GroupName'] ==
+ 'launch-wizard-31' for security_groups in security_gps)
+
+ private_domain_refs = x_aws_network_interface['private_domain_refs']
+ assert (private_domain in objects for private_domain in
+ private_domain_refs), f"private_domain with key {x_aws_network_interface['private_domain_refs']} " \
+ f"not found"
+ public_domain_ref = x_aws_network_interface['public_domain_ref']
+ assert (public_domain_ref in objects), f"public_domain_ref with key " \
+ f"{x_aws_network_interface['public_domain_ref']}" f"not found"
+
+ def test_x_aws_s3_bucket_json_to_stix(self):
+ """to test x-aws-s3-bucket stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response_2)
+ x_aws_s3_bucket = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-s3-bucket')
+ assert (x_aws_s3_bucket.keys() == {'type', 'arn', 'name', 'bucket_type', 'created_at',
+ 'canonical_id_of_bucket_owner', 'tags', 'server_side_encryption_type',
+ 'kms_encryption_key_arn', 'permissions', 'bucket_permission'})
+ assert x_aws_s3_bucket is not None
+ assert x_aws_s3_bucket['type'] == 'x-aws-s3-bucket'
+ assert x_aws_s3_bucket['arn'] == 'arn:aws:s3:::bucketName'
+ assert x_aws_s3_bucket['name'] == 'bucketName'
+ assert x_aws_s3_bucket['bucket_type'] == 'Destination'
+ assert x_aws_s3_bucket['server_side_encryption_type'] == 'SSEAlgorithm'
+ assert x_aws_s3_bucket['bucket_permission'] == 'NOT_PUBLIC'
+ assert x_aws_s3_bucket['kms_encryption_key_arn'] == 'arn:aws:kms:region:1111111111:key/key-id'
+ assert x_aws_s3_bucket['permissions']['bucket_level']['access_control_policies']['allows_public_read_access'] \
+ is not True
+ assert x_aws_s3_bucket['permissions']['bucket_level']['block_public_access_settings']['block_public_policy'] \
+ is not True
+ assert x_aws_s3_bucket['permissions']['account_level']['block_public_acls'] is not True
+
+ def test_x_aws_finding_service_with_api_call_action_json_to_stix(self):
+ """to test x-aws-finding-service stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response_3)
+ x_aws_finding_service = TestAwsGuarddutyResultsToStix. \
+ get_first_of_type(objects.values(), 'x-aws-finding-service')
+ assert (x_aws_finding_service.keys() == {'type', 'action', 'event_first_seen',
+ 'event_last_seen', 'additional_info'})
+ assert x_aws_finding_service is not None
+ assert x_aws_finding_service['type'] == 'x-aws-finding-service'
+ assert x_aws_finding_service['action']['action_type'] == 'AWS_API_CALL'
+ assert x_aws_finding_service['action']['api_called'] == 'DeleteTrail'
+ assert x_aws_finding_service['action']['caller_type'] == 'Remote IP'
+ assert x_aws_finding_service['action']['service_name'] == 'cloudtrail.amazonaws.com'
+ assert x_aws_finding_service['event_last_seen'] == '2023-06-08T09:13:13.000Z'
+ remote_ref = x_aws_finding_service['action']['remote_ref']
+ assert (remote_ref in objects), f"remote references with key " \
+ f"{x_aws_finding_service['action']['remote_ref']} not found"
+
+ def test_user_account_json_to_stix(self):
+ """to test user-account stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response_3)
+ user_account = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'user-account')
+ assert (user_account.keys() == {'type', 'x_access_key_id', 'user_id', 'display_name', 'x_user_type'})
+ assert user_account is not None
+ assert user_account['type'] == 'user-account'
+ assert user_account['x_access_key_id'] == 'SSSSSSSSSSSSSSS'
+ assert user_account['user_id'] == 'AABBCCDDEEFFGGHHII'
+ assert user_account['display_name'] == 'abc@abc.com'
+ assert user_account['x_user_type'] == 'IAMUser'
+
+ def test_x_aws_evidence_json_to_stix(self):
+ """to test x-aws-evidence stix object properties"""
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(aws_guardduty_sample_response_4)
+ x_aws_evidence = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-evidence')
+ assert (x_aws_evidence.keys() == {'type', 'threat_intelligence_list_name', 'threat_names'})
+ assert x_aws_evidence is not None
+ assert x_aws_evidence['type'] == 'x-aws-evidence'
+ assert x_aws_evidence['threat_intelligence_list_name'] == 'GeneratedFindingThreatListName'
+ assert x_aws_evidence['threat_names'] == ["GeneratedFindingThreatName"]
+
+ def test_x_aws_eks_cluster_json_to_stix(self):
+ """to test x-aws-eks-cluster-details stix object properties"""
+ data = {"Resource": {
+ "EksClusterDetails": {
+ "Name": "GeneratedFindingEKSClusterName",
+ "Arn": "GeneratedFindingEKSClusterArn",
+ "VpcId": "GeneratedFindingEKSClusterVpcId",
+ "Status": "ACTIVE",
+ "Tags": [
+ {
+ "Key": "GeneratedFindingEKSClusterTag1",
+ "Value": "GeneratedFindingEKSClusterTagValue1"
+ }
+ ],
+ "CreatedAt": "2021-11-11 15:45:55.218000+05:30"
+ },
+ "KubernetesDetails": {
+ "KubernetesUserDetails": {
+ "Username": "GeneratedFindingUserName",
+ "Uid": "GeneratedFindingUID",
+ "Groups": [
+ "GeneratedFindingUserGroup"
+ ]
+ },
+ "KubernetesWorkloadDetails": {
+ "Name": "GeneratedFindingKubernetesWorkloadName",
+ "Type": "GeneratedFindingKubernetesWorkloadType",
+ "Uid": "GeneratedFindingKubernetesWorkloadUID",
+ "Namespace": "GeneratedFindingKubernetesWorkloadNamespace",
+ "Containers": [
+ {
+ "Name": "GeneratedFindingContainerName",
+ "Image": "GeneratedFindingContainerImage",
+ "ImagePrefix": "GeneratedFindingContainerImagePrefix",
+ "VolumeMounts": [
+ {
+ "Name": "GeneratedFindingVolumeName",
+ "MountPath": "GeneratedFindingVolumeMountPath"
+ }
+ ]
+ }
+ ],
+ "Volumes": [
+ {
+ "Name": "GeneratedFindingVolumeName",
+ "HostPath": {
+ "Path": "GeneratedFindingHostPath"
+ }
+ }
+ ]
+ }
+ },
+ "ResourceType": "EKSCluster"
+ },
+ "SchemaVersion": "2.0",
+ }
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ resource = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-resource')
+ assert (resource.keys() == {'type', 'eks_cluster_ref', 'resource_type'})
+ assert resource is not None
+ eks_cluster_details_ref = resource['eks_cluster_ref']
+ assert (eks_cluster_details_ref in objects), f"EKS Cluster details references with " \
+ f"key{resource['eks_cluster_ref']} not found"
+ eks_cluster_details = objects[eks_cluster_details_ref]
+ assert (eks_cluster_details.keys() == {'type', 'name', 'arn', 'vpc_id', 'status', 'tags', 'created_at',
+ 'kubernetes_user_ref', 'kubernetes_workload_ref'})
+ assert eks_cluster_details is not None
+ assert eks_cluster_details['type'] == 'x-aws-eks-cluster'
+ assert eks_cluster_details['name'] == 'GeneratedFindingEKSClusterName'
+ assert eks_cluster_details['arn'] == 'GeneratedFindingEKSClusterArn'
+ assert eks_cluster_details['vpc_id'] == 'GeneratedFindingEKSClusterVpcId'
+ assert eks_cluster_details['status'] == 'ACTIVE'
+ kubernetes_workload_ref = eks_cluster_details['kubernetes_workload_ref']
+ assert (kubernetes_workload_ref in objects), f"kubernetes_workload_ref with key" \
+ f"{eks_cluster_details['kubernetes_workload_ref']}" f"not found"
+ kubernetes_user_ref = eks_cluster_details['kubernetes_user_ref']
+ assert (kubernetes_user_ref in objects), f"kubernetes_user_ref with key" \
+ f"{eks_cluster_details['kubernetes_user_ref']}" f"not found"
+
+ x_aws_kubernetes_workload = objects[kubernetes_workload_ref]
+ assert (x_aws_kubernetes_workload.keys() == {'type', 'workload_name', 'workload_type',
+ 'workload_id', 'workload_namespace', 'container_refs',
+ 'volumes'})
+ assert x_aws_kubernetes_workload is not None
+ assert x_aws_kubernetes_workload['type'] == 'x-aws-kubernetes-workload'
+ assert x_aws_kubernetes_workload['workload_name'] == 'GeneratedFindingKubernetesWorkloadName'
+ assert x_aws_kubernetes_workload['workload_type'] == 'GeneratedFindingKubernetesWorkloadType'
+ container_refs = x_aws_kubernetes_workload['container_refs']
+ assert (container in objects for container in container_refs), \
+ f"container_refs with key{x_aws_kubernetes_workload['container_refs']}" f"not found"
+
+ def test_x_aws_container_json_to_stix(self):
+ """to test x-aws-container stix object properties"""
+ data = {
+ "Resource": {
+ "ResourceType": "EKSCluster",
+ "ContainerDetails": {
+ "Id": "GeneratedFindingContainerId",
+ "Name": "GeneratedFindingContainerName",
+ "Image": "GeneratedFindingContainerImage",
+ "ImagePrefix": "GeneratedFindingContainerImagePrefix",
+ "VolumeMounts": [
+ {
+ "Name": "GeneratedFindingVolumeName",
+ "MountPath": "GeneratedFindingVolumeMountPath"
+ }
+ ]
+ }
+ },
+ "SchemaVersion": "2.0"
+ }
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ x_aws_container = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-container')
+ assert (x_aws_container.keys() == {'type', 'container_id', 'name', 'image', 'image_prefix',
+ 'volume_mount_refs'})
+ assert x_aws_container is not None
+ assert x_aws_container['type'] == 'x-aws-container'
+ assert x_aws_container['container_id'] == 'GeneratedFindingContainerId'
+ assert x_aws_container['name'] == 'GeneratedFindingContainerName'
+ assert x_aws_container['image'] == 'GeneratedFindingContainerImage'
+ volume_refs = x_aws_container['volume_mount_refs']
+ assert (volume in objects for volume in volume_refs), \
+ f"volume_mount_refs with key{x_aws_container['volume_mount_refs']} not found"
+ for vol in volume_refs:
+ assert (objects[vol].keys() == {'type', 'name', 'path'})
+
+ def test_x_aws_ecs_cluster_details_json_to_stix(self):
+ """to test x-aws-ecs-cluster-details stix object properties"""
+ data = {
+ "Resource": {
+ "ResourceType": "ECSCluster",
+ "EcsClusterDetails": {
+ "Name": "GeneratedFindingECSClusterName",
+ "Arn": "arn:aws:ecs:region:123456789000:cluster/clusterName",
+ "Status": "ACTIVE",
+ "Tags": [
+ {
+ "Key": "GeneratedFindingECSClusterTag1",
+ "Value": "GeneratedFindingECSClusterTagValue1"
+ }
+ ],
+ "TaskDetails": {
+ "Arn": "arn:aws:ecs:region:123456789000:task/mycluster/043de9ab3",
+ "DefinitionArn": "arn:aws:ecs:region:123456789000:task-definition/mycluster/76f1f1asdf",
+ "Version": "1",
+ "TaskCreatedAt": "2021-12-09 04:53:50+05:30",
+ "StartedAt": "2021-12-09 04:53:50+05:30",
+ "StartedBy": "GeneratedFindingECSTaskStartedBy",
+ "Containers": [
+ {
+ "Name": "GeneratedFindingContainerName",
+ "Image": "GeneratedFindingContainerImage"
+ }
+ ]
+ }
+ }
+ },
+ "SchemaVersion": "2.0",
+ }
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ x_aws_ecs_cluster_details = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(),
+ 'x-aws-ecs-cluster')
+ assert (x_aws_ecs_cluster_details.keys() == {'type', 'name', 'cluster_arn', 'status', 'tags', 'task'})
+ assert x_aws_ecs_cluster_details is not None
+ assert x_aws_ecs_cluster_details['type'] == 'x-aws-ecs-cluster'
+ assert x_aws_ecs_cluster_details['name'] == 'GeneratedFindingECSClusterName'
+ assert x_aws_ecs_cluster_details['cluster_arn'] == 'arn:aws:ecs:region:123456789000:cluster/clusterName'
+ assert x_aws_ecs_cluster_details['status'] == 'ACTIVE'
+ assert x_aws_ecs_cluster_details['task']['arn'] == 'arn:aws:ecs:region:123456789000:task/mycluster/043de9ab3'
+ assert x_aws_ecs_cluster_details['task']['definition_arn'] == \
+ 'arn:aws:ecs:region:123456789000:task-definition/mycluster/76f1f1asdf'
+ assert x_aws_ecs_cluster_details['task']['version'] == '1'
+ container_refs = x_aws_ecs_cluster_details['task']['container_refs']
+ assert (container_ref in objects for container_ref in container_refs), \
+ f"container_refs with key{x_aws_ecs_cluster_details['task']['container_refs']}" f"not found"
+
+ def test_process_and_file_details_json_to_stix(self):
+ """to test process and file details stix object properties"""
+ data = {"Service": {
+ "Evidence": {
+ "ThreatIntelligenceDetails": [
+ {
+ "ThreatListName": "GeneratedFindingThreatListName",
+ "ThreatNames": [
+ "GeneratedFindingThreatName"
+ ]
+ }
+ ]
+ },
+ "Archived": 'false',
+ "Count": 4,
+ "DetectorId": "123abc456def456ghij",
+ "EventFirstSeen": "2023-06-01T15:31:22.000Z",
+ "EventLastSeen": "2023-06-30T11:54:18.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"threatListName\":\"GeneratedFindingThreatListName\",\"sample\":true,\"agentDetails\":"
+ "{\"agentVersion\":\"1\",\"agentId\":\"GeneratedFindingAgentId\"}}",
+ "Type": "default"
+ },
+ "FeatureName": "RuntimeMonitoring",
+ "RuntimeDetails": {
+ "Process": {
+ "Name": "GeneratedFindingProcessName",
+ "ExecutablePath": "GeneratedFindingPath",
+ "ExecutableSha256": "GeneratedFindingHash",
+ "Pwd": "GeneratedFindingPath",
+ "Pid": 1234,
+ "StartTime": "2023-06-01T13:14:57.000Z",
+ "Uuid": "GeneratedFindingUUId",
+ "ParentUuid": "GeneratedFindingUUId",
+ "User": "ec2-user",
+ "UserId": 1000,
+ "Euid": 1000,
+ "Lineage": [
+ {
+ "Pid": 1233,
+ "Uuid": "GeneratedFindingUUId",
+ "ExecutablePath": "GeneratedFindingPath",
+ "Euid": 1000,
+ "ParentUuid": "GeneratedFindingUUId"
+ },
+ {
+ "Pid": 1230,
+ "Uuid": "GeneratedFindingUUId",
+ "ExecutablePath": "GeneratedFindingPath",
+ "Euid": 1000,
+ "ParentUuid": "GeneratedFindingUUId"
+ }
+ ]
+ },
+ "Context": {
+ "ReleaseAgentPath": "GeneratedFindingPath"
+ }
+ }
+ },
+ "Severity": 8,
+ "Title": "Container escape via cgroups was detected in EC2 instance i-99999999.",
+ "Type": "PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified",
+ "UpdatedAt": "2023-06-30T11:54:18.614Z"
+ }
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ process = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'process')
+ assert (process.keys() == {'type', 'name', 'binary_ref', 'cwd', 'pid', 'created',
+ 'x_unique_id', 'x_parent_unique_id', 'creator_user_ref', 'x_lineage_refs'})
+ assert process is not None
+ assert process['type'] == 'process'
+ assert process['name'] == 'GeneratedFindingProcessName'
+ assert process['cwd'] == 'GeneratedFindingPath'
+ assert process['pid'] == 1234
+ assert process['x_unique_id'] == 'GeneratedFindingUUId'
+ assert process['x_parent_unique_id'] == 'GeneratedFindingUUId'
+ x_lineage_refs = process['x_lineage_refs']
+ assert (lineage in objects for lineage in x_lineage_refs), \
+ f"x_lineage_refs with key{process['x_lineage_refs']}" f"not found"
+
+ creator_user_ref = process['creator_user_ref']
+ assert (creator_user_ref in objects), f"creator_user_ref with key {process['creator_user_ref']} " \
+ f"not found"
+ user = objects[creator_user_ref]
+ assert user['type'] == 'user-account'
+
+ binary_ref = process['binary_ref']
+ assert (binary_ref in objects), f"binary_ref with key {process['binary_ref']} not found"
+ file = objects[binary_ref]
+ assert (file.keys() == {'type', 'x_path', 'hashes'})
+ assert file['type'] == 'file'
+ assert file['x_path'] == 'GeneratedFindingPath'
+ assert file['hashes']['SHA-256'] == 'GeneratedFindingHash'
+
+ def test_x_aws_rds_db_user_json_to_stix(self):
+ """to test x-aws-rds-db-user stix object properties"""
+ data = {
+ "Resource": {
+ "ResourceType": "RDSDBInstance",
+ "RdsDbUserDetails": {
+ "User": "GeneratedFindingUserName",
+ "Application": "GeneratedFindingApplicationName",
+ "Database": "GeneratedFindingDatabaseName",
+ "Ssl": "GeneratedFindingSSLValue",
+ "AuthMethod": "GeneratedFindingAuthMethod"
+ }
+ }}
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ rds_db_user = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-rds-db-user')
+ assert (rds_db_user.keys() == {'type', 'user_name', 'application_name', 'database_name',
+ 'ssl', 'authentication_method'})
+ assert rds_db_user is not None
+ assert rds_db_user['type'] == 'x-aws-rds-db-user'
+ assert rds_db_user['user_name'] == 'GeneratedFindingUserName'
+ assert rds_db_user['application_name'] == 'GeneratedFindingApplicationName'
+ assert rds_db_user['database_name'] == 'GeneratedFindingDatabaseName'
+ assert rds_db_user['ssl'] == 'GeneratedFindingSSLValue'
+ assert rds_db_user['authentication_method'] == 'GeneratedFindingAuthMethod'
+
+ def test_x_aws_rds_db_instance_json_to_stix(self):
+ """to test x-aws-rds-db-instance stix object properties"""
+ data = {
+ "Resource": {
+ "ResourceType": "RDSDBInstance",
+ "RdsDbInstanceDetails": {
+ "DbInstanceIdentifier": "GeneratedFindingDBInstanceId",
+ "Engine": "GeneratedFindingEngine",
+ "EngineVersion": "13.6",
+ "DbClusterIdentifier": "GeneratedFindingDBClusterId",
+ "DbInstanceArn": "arn:aws:rds:us-east-1:12345678910:db:GeneratedFindingDBInstanceId",
+ "Tags": [
+ {
+ "Key": "GeneratedFindingRDSDBInstanceTag1",
+ "Value": "GeneratedFindingRDSDBInstanceValue1"
+ }
+ ]
+ }
+ }
+ }
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ rds_db_instance = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-rds-db-instance')
+ assert (rds_db_instance.keys() == {'type', 'instance_id', 'engine', 'engine_version',
+ 'cluster_id', 'instance_arn', 'tags'})
+ assert rds_db_instance is not None
+ assert rds_db_instance['type'] == 'x-aws-rds-db-instance'
+ assert rds_db_instance['instance_id'] == 'GeneratedFindingDBInstanceId'
+ assert rds_db_instance['engine'] == 'GeneratedFindingEngine'
+ assert rds_db_instance['engine_version'] == '13.6'
+ assert rds_db_instance['cluster_id'] == 'GeneratedFindingDBClusterId'
+ assert rds_db_instance['instance_arn'] == 'arn:aws:rds:us-east-1:12345678910:db:GeneratedFindingDBInstanceId'
+
+ def test_ebs_volume_details_json_to_stix(self):
+ """to test EbsVolumeDetails stix object properties"""
+ data = {
+ "Resource": {
+ "ResourceType": "Container",
+ "EbsVolumeDetails": {
+ "ScannedVolumeDetails": [
+ {
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:volume/vol-09d5050dea915943d",
+ "VolumeType": "GeneratedScannedVolumeType",
+ "DeviceName": "GeneratedScannedDeviceName",
+ "VolumeSizeInGB": 8,
+ "EncryptionType": "UNENCRYPTED",
+ "SnapshotArn": "arn:aws:ec2:us-east-2:12345678910:snapshot/snap-12345678901234567",
+ "KmsKeyArn": 'null'
+ }
+ ]
+ },
+ "ContainerDetails": {
+ "Id": "abcdefghijklmn",
+ "Name": "GeneratedFindingContainerName",
+ "Image": "GeneratedFindingContainerImage"
+ }
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Archived": 'false',
+ "Count": 6,
+ "DetectorId": "abcdefghijklmn",
+ "EventFirstSeen": "2023-03-29T07:26:01.000Z",
+ "EventLastSeen": "2023-06-30T11:54:18.000Z",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"sample\":true}",
+ "Type": "default"
+ },
+ "FeatureName": "EbsVolumeScan",
+ "EbsVolumeScanDetails": {
+ "ScanId": "12345",
+ "ScanStartedAt": "2021-12-09T00:45:03.000Z",
+ "ScanCompletedAt": "2021-12-09T00:53:46.000Z",
+ "TriggerFindingId": "xyz",
+ "Sources": [
+ "Bitdefender"
+ ],
+ "ScanDetections": {
+ "ScannedItemCount": {
+ "TotalGb": 1,
+ "Files": 65226,
+ "Volumes": 1
+ },
+ "ThreatsDetectedItemCount": {
+ "Files": 2
+ },
+ "HighestSeverityThreatDetails": {
+ "Severity": "HIGH",
+ "ThreatName": "EICAR-Test-File",
+ "Count": 2
+ },
+ "ThreatDetectedByName": {
+ "ItemCount": 2,
+ "UniqueThreatNameCount": 1,
+ "Shortened": 'false',
+ "ThreatNames": [
+ {
+ "Name": "EICAR-Test-File",
+ "Severity": "HIGH",
+ "ItemCount": 2,
+ "FilePaths": [
+ {
+ "FilePath": "tmp/eicar.com",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:"
+ "volume/vol-09d5050dea915943d",
+ "FileSha256": "a021bbfb6489e54d471899f7dbaaa9d1663fc345ec2fe2a2c4538aabf65"
+ "1fd0f",
+ "FileName": "eicar.com"
+ },
+ {
+ "FilePath": "tmp/eicar-2.txt",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:volume/"
+ "vol-09d5050dea915943d",
+ "UnknownHash": "a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651"
+ "ad0x",
+ "FileName": "eicar-2.txt"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "ScanType": "ON_DEMAND"
+ }
+ }
+ }
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ ebs_volume = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'x-aws-ebs-volume-malware-scan')
+ assert (ebs_volume.keys() == {'type', 'scan_id', 'scan_started_time', 'scan_completed_at',
+ 'triggered_finding_id', 'sources', 'scanned_items', 'total_infected_files',
+ 'highest_severity_threat', 'threat_detected_by_name', 'scan_type'})
+ assert ebs_volume is not None
+ assert ebs_volume['type'] == 'x-aws-ebs-volume-malware-scan'
+ assert ebs_volume['scan_id'] == '12345'
+ assert ebs_volume['triggered_finding_id'] == 'xyz'
+ assert ebs_volume['sources'] == ['Bitdefender']
+ assert ebs_volume['scanned_items']['total_files_scanned_in_gb'] == 1
+ assert ebs_volume['scanned_items']['total_scanned_files'] == 65226
+ assert ebs_volume['scanned_items']['total_volumes_scanned'] == 1
+ assert ebs_volume['total_infected_files'] == 2
+ assert ebs_volume['highest_severity_threat']['severity'] == 'HIGH'
+ assert ebs_volume['highest_severity_threat']['name'] == 'EICAR-Test-File'
+ assert ebs_volume['highest_severity_threat']['total_infected_files'] == 2
+ assert ebs_volume['threat_detected_by_name']['infected_files_count'] == 2
+ assert ebs_volume['scan_type'] == 'ON_DEMAND'
+ assert ebs_volume['threat_detected_by_name']['unique_threats_count_based_on_name'] == 1
+ assert ebs_volume['threat_detected_by_name']['is_finding_shortened'] == 'false'
+ threat_details_ref = ebs_volume['threat_detected_by_name']['threat_refs']
+ assert (threat_details in objects for threat_details in threat_details_ref), \
+ f"container_refs with key{ebs_volume['threat_detected_by_name']['threat_refs']}" f"not found"
+
+ def test_kubernetes_api_call_json_to_stix(self):
+ """to test kubernetes api call stix object properties"""
+ data = {
+ "Service": {
+ "Action": {
+ "ActionType": "KUBERNETES_API_CALL",
+ "KubernetesApiCallAction": {
+ "Protocol": "http",
+ "RequestUri": "GeneratedFindingRequestURI",
+ "Verb": "create",
+ "UserAgent": "",
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "GeneratedFindingCityName"
+ },
+ "Country": {
+ "CountryName": "GeneratedFindingCountryName"
+ },
+ "GeoLocation": {
+ "Lat": 0,
+ "Lon": 0
+ },
+ "IpAddressV4": "111.11.100.0",
+ "Organization": {
+ "Asn": "0",
+ "AsnOrg": "GeneratedFindingASNOrg",
+ "Isp": "GeneratedFindingISP",
+ "Org": "GeneratedFindingORG"
+ }
+ },
+ "StatusCode": 201,
+ "Parameters": "GeneratedFindingActionParameters"
+ }
+ },
+ "Archived": 'false',
+ "Count": 6,
+ "DetectorId": "abcdefghijklmn",
+ "EventFirstSeen": "2023-03-29T07:26:01.000Z",
+ "EventLastSeen": "2023-06-30T11:54:18.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"sample\":true}",
+ "Type": "default"
+ }
+ }
+ }
+
+ objects = TestAwsGuarddutyResultsToStix.get_observed_data_objects(data)
+ kubernetes_api_call = TestAwsGuarddutyResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+ assert (kubernetes_api_call.keys() == {'type', 'extensions', 'dst_ref', 'protocols'})
+ assert kubernetes_api_call is not None
+ assert kubernetes_api_call['protocols'] == ["http"]
+ assert kubernetes_api_call['extensions']['http-request-ext']['request_value'] == 'GeneratedFindingRequestURI'
+ assert kubernetes_api_call['extensions']['http-request-ext']['request_method'] == 'create'
+ assert kubernetes_api_call['extensions']['http-request-ext']['request_header']['User-Agent'] == ''
+ assert kubernetes_api_call['extensions']['http-request-ext']['x_status_code'] == 201
+ assert kubernetes_api_call['extensions']['http-request-ext']['x_parameters'] == 'GeneratedFindingAct' \
+ 'ionParameters'
diff --git a/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
new file mode 100644
index 000000000..4fb644afc
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
@@ -0,0 +1,742 @@
+from stix_shifter.stix_translation import stix_translation
+import unittest
+
+translation = stix_translation.StixTranslation()
+
+
+def _remove_timestamp_from_query(query):
+ for i in range(len(query['queries'])):
+ del (query['queries'][i]['FindingCriteria']['Criterion']['updatedAt'])
+ return query
+
+
+class TestQueryTranslator(unittest.TestCase):
+ """
+ class to perform unit test case aws_guardduty translate query
+ """
+ if __name__ == "__main__":
+ unittest.main()
+
+ def _test_query_assertions(self, query, queries):
+ """
+ to assert the each query in the list against expected result
+ """
+ self.assertIsInstance(queries, dict)
+ self.assertIsInstance(query, dict)
+ self.assertIsInstance(query['queries'], list)
+ self.assertEqual(query, queries)
+
+ def test_ipv4_query(self):
+ stix_pattern = "[ipv4-addr:value = '198.51.100.0']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress": {
+ "Equals": [
+ "198.51.100.0"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074624826,
+ "LessThanOrEqual": 1687074924826
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.networkInterfaces.publicIp": {
+ "Equals": [
+ "198.51.100.0"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074624826,
+ "LessThanOrEqual": 1687074924826
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4": {
+ "Equals": [
+ "198.51.100.0"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074624826,
+ "LessThanOrEqual": 1687074924826
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": {
+ "Equals": [
+ "198.51.100.0"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074624826,
+ "LessThanOrEqual": 1687074924826
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4": {
+ "Equals": [
+ "198.51.100.0"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074624826,
+ "LessThanOrEqual": 1687074924826
+ }}}}
+ ]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_autonomous_system_lt_operator(self):
+ stix_pattern = "[autonomous-system:number < 1]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn": {
+ "LessThan": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688202355837,
+ "LessThanOrEqual": 1688202655837
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {
+ "LessThan": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688202355837,
+ "LessThanOrEqual": 1688202655837
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_ipv6_not_equal_operator(self):
+ stix_pattern = "[ipv6-addr:value != '2001:0db8:85a3:0000:0000:8a2e:0370:7334']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.networkInterfaces.ipv6Addresses": {
+ "NotEquals": [
+ "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688202475717,
+ "LessThanOrEqual": 1688202775717
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_boolean_operator(self):
+ stix_pattern = "[x-ibm-finding:x_archived = 0 ]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{"FindingCriteria": {"Criterion": {"service.archived": {"Equals": ["false"]},
+ "updatedAt": {"GreaterThanOrEqual": 1686757300141,
+ "LessThanOrEqual": 1686757600141}}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_x_oca_geo_query(self):
+ stix_pattern = "[x-oca-geo:country_name = 'Germany']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.country.countryName": {
+ "Equals": [
+ "Germany"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688202899562,
+ "LessThanOrEqual": 1688203199562
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.country.countryName": {
+ "Equals": [
+ "Germany"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688202899562,
+ "LessThanOrEqual": 1688203199562
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_network_traffic_gt_operator(self):
+ stix_pattern = "[network-traffic:src_port > 32794]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{"FindingCriteria": {"Criterion": {"service.action.networkConnectionAction.localPort"
+ "Details." "port": {"GreaterThan": 32794},
+ "updatedAt": {"GreaterThanOrEqual": 1685960443489,
+ "LessThanOrEqual": 1685960743489}}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_user_account_query(self):
+ stix_pattern = "[user-account:x_access_key_id='ASIARRRRRRGGGGAAAAAAA']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.accessKeyDetails.accessKeyId": {
+ "Equals": [
+ "ASIARRRRRRGGGGAAAAAAA"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688203091738,
+ "LessThanOrEqual": 1688203391738
+ }
+ }}}]}
+
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_domain_name_query(self):
+ stix_pattern = "[domain-name:value ='ec2-1-1-1-1.compute-1.amazonaws.com']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.networkInterfaces.publicDnsName": {
+ "Equals": [
+ "ec2-1-1-1-1.compute-1.amazonaws.com"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688203150008,
+ "LessThanOrEqual": 1688203450008
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.dnsRequestAction.domain": {
+ "Equals": [
+ "ec2-1-1-1-1.compute-1.amazonaws.com"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688203150008,
+ "LessThanOrEqual": 1688203450008
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_network_traffic_gt_equal_operator(self):
+ stix_pattern = "[network-traffic:src_port >= 32794]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.localPortDetails.port": {
+ "GreaterThanOrEqual": 32794
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688203233380,
+ "LessThanOrEqual": 1688203533380
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_x_ibm_finding_in_operator(self):
+ stix_pattern = "[x-ibm-finding:severity IN (8,15)]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {"queries": [{"FindingCriteria": {"Criterion": {"severity": {"Equals": ["8", "15"]},
+ "updatedAt": {"GreaterThanOrEqual": 1686360236693,
+ "LessThanOrEqual": 1686360536693}}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_enum_type_fields(self):
+ stix_pattern = "[x-aws-finding-service:action.action_type = 'NETWORK_CONNECTION']START " \
+ "t'2023-02-10T16:43:26.000Z' STOP t'2023-05-30T16:43:26.003Z'"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [{
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.actionType": {
+ "Equals": [
+ "NETWORK_CONNECTION"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1676047406000,
+ "LessThanOrEqual": 1685465006003
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_x_ibm_finding_not_in_operator(self):
+ stix_pattern = "[x-ibm-finding:severity NOT IN (8,15)]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "severity": {
+ "NotEquals": [
+ "8",
+ "15"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688206119205,
+ "LessThanOrEqual": 1688206419205
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_autonomous_system_lt_equal_operator(self):
+ stix_pattern = "[autonomous-system:number <= 1]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn": {
+ "LessThanOrEqual": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688204480628,
+ "LessThanOrEqual": 1688204780628
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {
+ "LessThanOrEqual": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1688204480628,
+ "LessThanOrEqual": 1688204780628
+ }
+ }}}]}
+
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_autonomous_system_not_lt_equal_operator(self):
+ stix_pattern = "[autonomous-system:number NOT <= 1]"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.remoteIpDetails.organization.asn": {
+ "GreaterThan": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687071785287,
+ "LessThanOrEqual": 1687072085287
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {
+ "GreaterThan": 1
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687071785287,
+ "LessThanOrEqual": 1687072085287
+ }
+ }
+ }
+ }
+ ]
+ }
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_query_for_same_stix_attributes_with_different_operators_joined_by_OR(self):
+ stix_pattern = "[x-aws-finding-service:action.service_name='ec2.amazonaws.com' " \
+ "OR x-aws-instance:image_id='ami-99999999' OR x-aws-instance:image_id NOT IN ('ami-55555555')]" \
+ "START t'2023-02-10T16:43:26.000Z' STOP t'2023-05-30T16:43:26.003Z'"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.imageId": {
+ "NotEquals": [
+ "ami-55555555"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1676047406000,
+ "LessThanOrEqual": 1685465006003
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.serviceName": {
+ "Equals": [
+ "ec2.amazonaws.com"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1676047406000,
+ "LessThanOrEqual": 1685465006003
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.imageId": {
+ "Equals": [
+ "ami-99999999"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1676047406000,
+ "LessThanOrEqual": 1685465006003
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_query_for_morethan_two_comparison_expressions_joined_by_AND(self):
+ stix_pattern = "[x-aws-finding-service:action.service_name='ec2.amazonaws.com' " \
+ "AND x-aws-instance:image_id='ami-99999999' AND x-aws-s3-bucket:tag_value = 'bar']START " \
+ "t'2023-01-10T16:43:26.000Z' STOP t'2023-05-16T16:43:26.003Z'"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.s3BucketDetails.tags.value": {
+ "Equals": [
+ "bar"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1673369006000,
+ "LessThanOrEqual": 1684255406003
+ },
+ "resource.instanceDetails.imageId": {
+ "Equals": [
+ "ami-99999999"
+ ]
+ },
+ "service.action.awsApiCallAction.serviceName": {
+ "Equals": [
+ "ec2.amazonaws.com"
+ ]
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_query_with_multiple_comparison_expressions_with_AND_OR_combinations(self):
+ stix_pattern = "[x-aws-s3-bucket:bucket_type='Destination' OR x-aws-finding-service:action." \
+ "service_name='ec2.amazonaws.com' AND network-traffic:x_direction = 'INBOUND'" \
+ " AND x-aws-resource:resource_role = 'TARGET']"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.resourceRole": {
+ "Equals": [
+ "TARGET"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074952666,
+ "LessThanOrEqual": 1687075252666
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.s3BucketDetails.type": {
+ "Equals": [
+ "Destination"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074952666,
+ "LessThanOrEqual": 1687075252666
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.awsApiCallAction.serviceName": {
+ "Equals": [
+ "ec2.amazonaws.com"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074952666,
+ "LessThanOrEqual": 1687075252666
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.connectionDirection": {
+ "Equals": [
+ "INBOUND"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687074952666,
+ "LessThanOrEqual": 1687075252666
+ }}}}]}
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_query_for_multiple_observation_with_and_without_qualifier(self):
+ stix_pattern = "[network-traffic:src_port >= 32794 OR x-aws-resource:account_id='123456789']" \
+ "AND [x-ibm-finding:alert_id='0ff5ef449377437b9c9c0892d38d5adf' AND " \
+ "user-account:user_id = 'user1'] OR [x-aws-s3-bucket:bucket_type='Destination']" \
+ "START t'2023-05-10T11:00:00.000Z'STOP t'2023-06-01T11:00:00.003Z'"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "accountId": {
+ "Equals": [
+ "123456789"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687099841192,
+ "LessThanOrEqual": 1687100141192
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.localPortDetails.port": {
+ "GreaterThanOrEqual": 32794
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687099841192,
+ "LessThanOrEqual": 1687100141192
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.accessKeyDetails.principalId": {
+ "Equals": [
+ "user1"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1687099841192,
+ "LessThanOrEqual": 1687100141192
+ },
+ "id": {
+ "Equals": [
+ "0ff5ef449377437b9c9c0892d38d5adf"
+ ]
+ }}}},
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.s3BucketDetails.type": {
+ "Equals": [
+ "Destination"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1683716400000,
+ "LessThanOrEqual": 1685617200003
+ }}}}]
+ }
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_multiple_observation_with_single_qualifier_with_precedence_bracket(self):
+ stix_pattern = "([x-aws-s3-bucket:bucket_type = 'Destination' AND network-traffic:protocols[*] = 'UDP'] " \
+ "OR [x-aws-resource:account_id='123456789' OR x-aws-instance:image_id='ami-99999999'])" \
+ "START t'2023-03-15T11:20:35.000Z'STOP t'2023-05-10T11:00:00.003Z'"
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.protocol": {
+ "Equals": [
+ "UDP"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1678879235000,
+ "LessThanOrEqual": 1683716400003
+ },
+ "resource.s3BucketDetails.type": {
+ "Equals": [
+ "Destination"
+ ]
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "resource.instanceDetails.imageId": {
+ "Equals": [
+ "ami-99999999"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1678879235000,
+ "LessThanOrEqual": 1683716400003
+ }
+ }
+ }
+ },
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "accountId": {
+ "Equals": [
+ "123456789"
+ ]
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1678879235000,
+ "LessThanOrEqual": 1683716400003
+ }
+ }
+ }
+ }
+ ]
+ }
+
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_invalid_qualifier_with_future_timestamp(self):
+ stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \
+ "STOP t'2024-02-07T11:00:00.003Z'"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "translation_error" == result['code']
+ assert 'Start/Stop time should not be in the future UTC timestamp' in result['error']
+
+ def test_stop_time_lesser_than_start_time(self):
+ stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \
+ "STOP t'2022-02-07T11:00:00.003Z'"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "translation_error" == result['code']
+ assert 'Start time should be lesser than Stop time' in result['error']
+
+ def test_invalid_value_for_integer_based_field(self):
+ stix_pattern = "[autonomous-system:number = 'guardduty']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert 'wrong parameter' in result['error']
+
+ def test_invalid_operator_for_guardduty(self):
+ stix_pattern = "[autonomous-system:number LIKE 50]"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "mapping_error" == result['code']
+ assert 'data mapping error : Unable to map the following STIX Operators: [Like] to data source fields' in \
+ result['error']
+
+ def test_invalid_operator_for_enum_fields(self):
+ stix_pattern = "[network-traffic:protocols[*] > 'TCP']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert 'wrong parameter : GreaterThan operator is not supported for Enum type field ' \
+ 'network-traffic:protocols[*]. Possible supported operators are =, !=, IN, NOT IN ' in \
+ result['error']
+
+ def test_invalid_operator_for_string_fields(self):
+ stix_pattern = "[x-aws-instance:image_id <= 'ami-99999999']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert 'LessThanOrEqual operator is not supported for string type field ' in result['error']
+
+ def test_invalid_value_enum_type_field(self):
+ stix_pattern = "[network-traffic:protocols[*] = 'tcp']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert "wrong parameter : The input value provided for the field network-traffic:protocols[*] is " \
+ "not among the possible values of the field.Suggested values are ['GRE', 'ICMP', 'TCP', 'UDP']" in \
+ result['error']
+
+ def test_invalid_value_for_boolean_type_field(self):
+ stix_pattern = "[x-ibm-finding:x_archived = 'aws']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert ' Invalid boolean type input' in result['error']
+
+ def test_invalid_operator_for_boolean_field(self):
+ stix_pattern = "[x-ibm-finding:x_archived NOT IN (false,true)]"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "not_implemented" == result['code']
+ assert 'NOT In operator is not supported for Boolean type' in result['error']
+
+ def test_similar_stix_attributes_for_and_operator(self):
+ stix_pattern = "[x-aws-finding-service:action.action_type='NETWORK_CONNECTION' " \
+ "AND x-aws-finding-service:action.action_type='DNS_REQUEST']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "translation_error" == result['code']
+ assert 'expression is used in the pattern which has only AND comparison operator. Recommended to Use ' \
+ 'OR operator for similar STIX attributes' in result['error']
+
+ def test_similar_mapping_fields_in_different_attributes_for_and_operator(self):
+ stix_pattern = "[ipv4-addr:value = '1.1.1.1' AND network-traffic:src_ref.value = '2.2.2.2']"
+ result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ assert result['success'] is False
+ assert "translation_error" == result['code']
+ assert 'same data source field mapping with another expression in the pattern which has ' \
+ 'only AND comparison operator' in result['error']
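Review bot: The `if __name__ == "__main__": unittest.main()` guard near the top of `TestQueryTranslator` sits inside the class body, so when this file is executed directly it runs while the class is still being created, before `TestQueryTranslator` is bound in the module, and no tests are collected; move it to module level after the class as `if __name__ == "__main__":` / `    unittest.main()`. Separately, the tests whose whole pattern carries an explicit START/STOP qualifier (`test_enum_type_fields`, `test_query_for_same_stix_attributes_with_different_operators_joined_by_OR`, `test_query_for_morethan_two_comparison_expressions_joined_by_AND`, `test_multiple_observation_with_single_qualifier_with_precedence_bracket`) still strip `updatedAt` from both sides, so the epoch-millisecond bounds they spell out (e.g. 1676047406000 / 1685465006003) are never compared and the qualifier-to-`updatedAt` conversion appears to be untested; dropping the two `_remove_timestamp_from_query(...)` calls in those tests would make the literal bounds meaningful. `_remove_timestamp_from_query` also raises a bare `KeyError` on `'queries'` when `translate` returns an error dict, which hides the translator's own message; an `assert 'queries' in query, query` at the top of the helper would surface it.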
diff --git a/stix_shifter_modules/aws_guardduty/tests/stix_transmission/test_aws_guardduty.py b/stix_shifter_modules/aws_guardduty/tests/stix_transmission/test_aws_guardduty.py
new file mode 100644
index 000000000..cd42b3f26
--- /dev/null
+++ b/stix_shifter_modules/aws_guardduty/tests/stix_transmission/test_aws_guardduty.py
@@ -0,0 +1,743 @@
+from stix_shifter_modules.aws_guardduty.entry_point import EntryPoint
+from unittest.mock import patch
+import unittest
+from stix_shifter.stix_transmission import stix_transmission
+from stix_shifter_utils.utils.async_utils import run_in_thread
+from tests.utils.async_utils import get_aws_mock_response
+from botocore.exceptions import EndpointConnectionError, ParamValidationError, ClientError, InvalidRegionError, \
+ ReadTimeoutError, ConnectTimeoutError
+
+
+class TestAWSConnection(unittest.TestCase, object):
+ detector_response = {
+ 'ResponseMetadata': {
+ 'RequestId': 'e1a0bc13-24fe-4494-8022-dc9d45d41fda',
+ 'HTTPStatusCode': 200,
+ 'RetryAttempts': 0
+ },
+ 'data': ['6ab6e6dd780ed494f3b7ca50acdc04tg']
+ }
+
+ findings_response = {
+ 'ResponseMetadata': {
+ 'RequestId': '09a1e4a4-b6b9-4e60-8f4b-6bfac2a829b3',
+ 'HTTPStatusCode': 200,
+ 'RetryAttempts': 0
+ },
+ 'data': ['sss3f545573182s44d6442s7s7s2s420'], 'next_token': ''
+ }
+
+ results_response = {
+
+ 'ResponseMetadata': {
+ 'RequestId': 'af993b02-dc27-4c2c-8ea0-8d4ca80f1985',
+ 'HTTPStatusCode': 200,
+ },
+ "Findings": [{
+ "AccountId": "9799797979797",
+ "Arn": "arn:aws:guardduty:us-east-1:979326520502:detector/6ab6e6dd780ed494f3b7ca50acdc04tg/"
+ "finding/c2c40bf921b79794d9bd0f4559ec6ace",
+ "CreatedAt": "2023-05-14T01:48:52.975Z",
+ "Description": "10.11.111.112 is performing RDP brute force attacks against i-0999999999999999. "
+ "Brute force attacks are used to gain unauthorized access to your instance "
+ "by guessing the RDP password.",
+ "Id": "c2c40bf921b79794d9bd0f4559ec6ace",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Resource": {
+ "InstanceDetails": {
+ "AvailabilityZone": "us-east-1c",
+ "ImageDescription": "Microsoft Windows Server 2022 Full Locale English AMI provided by Amazon",
+ "ImageId": "ami-1c2b0h3fa02924d63",
+ "InstanceId": "i-0999999999999999",
+ "InstanceState": "running",
+ "InstanceType": "t2.large",
+ "LaunchTime": "2023-05-11T07:47:06.000Z",
+ "NetworkInterfaces": [
+ {
+ "Ipv6Addresses": [],
+ "NetworkInterfaceId": "eni-013b37911da60cc09",
+ "PrivateDnsName": "ip-111-11-11-11.ec2.internal",
+ "PrivateIpAddress": "111.11.11.11",
+ "PrivateIpAddresses": [
+ {
+ "PrivateDnsName": "ip-111-11-11-11.ec2.internal",
+ "PrivateIpAddress": "111.11.11.11"
+ }
+ ],
+ "PublicDnsName": "ec2-12-12-112-112.compute-1.amazonaws.com",
+ "PublicIp": "12.12.112.112",
+ "SecurityGroups": [
+ {
+ "GroupId": "aw-0000d71d3c30933f",
+ "GroupName": "launch-wizard-180"
+ }
+ ],
+ "SubnetId": "subnet-ooss011f",
+ "VpcId": "vpc-10ss926a"
+ }
+ ],
+ "Platform": "windows",
+ "ProductCodes": [],
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "cp4s-splunk-enterprise-large-2"
+ }
+ ]
+ },
+ "ResourceType": "Instance"
+ },
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Action": {
+ "ActionType": "NETWORK_CONNECTION",
+ "NetworkConnectionAction": {
+ "Blocked": 'false',
+ "ConnectionDirection": "INBOUND",
+ "LocalPortDetails": {
+ "Port": 3389,
+ "PortName": "RDP"
+ },
+ "Protocol": "TCP",
+ "LocalIpDetails": {
+ "IpAddressV4": "111.11.11.11"
+ },
+ "RemoteIpDetails": {
+ "City": {
+ "CityName": "Berlin"
+ },
+ "Country": {
+ "CountryName": "Germany"
+ },
+ "GeoLocation": {
+ "Lat": 52.5196,
+ "Lon": 13.4069
+ },
+ "IpAddressV4": "10.11.111.112",
+ "Organization": {
+ "Asn": "174",
+ "AsnOrg": "COGENT-174",
+ "Isp": "Cogent Communications",
+ "Org": "Cogent Communications"
+ }
+ },
+ "RemotePortDetails": {
+ "Port": 49222,
+ "PortName": "Unknown"
+ }
+ }
+ },
+ "Archived": 'false',
+ "Count": 21,
+ "DetectorId": "6db6d6dd780dd494f3b7dd56ddddd74df",
+ "EventFirstSeen": "2023-05-14T01:34:39.000Z",
+ "EventLastSeen": "2023-05-14T05:44:35.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{}",
+ "Type": "default"
+ }
+ },
+ "Severity": 2,
+ "Title": "10.11.111.112 is performing RDP brute force attacks against i-0999999999999999.",
+ "Type": "UnauthorizedAccess:EC2/RDPBruteForce",
+ "UpdatedAt": "2023-05-14T05:48:48.485Z"
+ }
+ ],
+ "metadata": {
+ "result_count": 1,
+ "next_page_token": "",
+ "detector_ids": []
+ }
+ }
+
+ @staticmethod
+ def connection():
+ """format for connection"""
+ return {
+ "region": "us-east-1"
+ }
+
+ @staticmethod
+ def configuration():
+ """format for configuration"""
+ return {
+ "auth": {
+ "aws_access_key_id": "abc",
+ "aws_secret_access_key": "xyx"
+ }
+ }
+
+ @staticmethod
+ def iam_config():
+ return {
+ "auth": {
+ "aws_access_key_id": "abc",
+ "aws_secret_access_key": "xyz",
+ "aws_iam_role": "ABC"
+ }
+ }
+
+ @staticmethod
+ def get_client_error():
+ response = {'Error': {'Message': 'The request was rejected because the parameter findingCriteria has '
+ 'an invalid value.', 'Code': 'BadRequestException'},
+ 'ResponseMetadata': {'HTTPStatusCode': 400}}
+ return ClientError(error_response=response, operation_name='ListFindings')
+
+ @staticmethod
+ def get_client_error_for_invalid_credentials():
+ response = {'Error': {'Message': 'The security token included in the request is invalid',
+ 'Code': 'UnrecognizedClientException'},
+ 'ResponseMetadata': {'HTTPStatusCode': 403}}
+ return ClientError(error_response=response, operation_name='ListFindings')
+
+ @staticmethod
+ def get_invalid_region_error():
+ return InvalidRegionError(region_name='us-east-')
+
+ @staticmethod
+ def get_read_timeout_error():
+ return ReadTimeoutError(endpoint_url='https://guardduty.us-eaat-1.amazonaws.com/detector')
+
+ @staticmethod
+ def get_connect_timeout_error():
+ return ConnectTimeoutError(endpoint_url='https://guardduty.us-east-1.amazonaws.com/detector')
+
+ @staticmethod
+ def get_parameter_validations_error():
+ return ParamValidationError(report='Parameter validation failed:Unknown parameter in FindingCriteria')
+
+ @staticmethod
+ def get_endpoint_connection_error():
+ return EndpointConnectionError(endpoint_url='https://guardduty.us-eaat-1.amazonaws.com/detector')
+
+ def test_is_async(self):
+ """check for synchronous or asynchronous"""
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ check_async = entry_point.is_async()
+ assert check_async is False
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_connection(self, mock_results):
+ """test ping connection"""
+ mock_results.return_value = get_aws_mock_response(TestAWSConnection.detector_response)
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is True
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections(self, mock_results_2, mock_results_1):
+ """test success result response"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ connection_with_limit = {
+ "region": "us-east-1",
+ "options": {"result_limit": 3}
+ }
+ transmission = stix_transmission.StixTransmission('aws_guardduty', connection_with_limit,
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is True
+ assert results_response['data'] is not None
+ assert 'PrivateIpAddress' not in \
+ results_response['data'][0]['Resource']['InstanceDetails']['NetworkInterfaces'][0]['PrivateIpAddresses'][
+ 0]
+ assert 'metadata' in results_response
+ assert results_response['metadata']['result_count'] == 1
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_with_detector_id(self, mock_results_2, mock_results_1):
+ """test success result response with detector id as input"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ connection_with_detector_id = {
+ "region": "us-east-1",
+ "detector_ids": "6ab6e6dd780ed494f3b7ca50acdc04tg"
+ }
+ transmission = stix_transmission.StixTransmission('aws_guardduty', connection_with_detector_id,
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is True
+ assert results_response['data'] is not None
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_to_test_kubernetes_api_call(self, mock_results_2, mock_results_1):
+ """test success result response to test the protocol value in kubernetes api call"""
+ response = {
+ 'ResponseMetadata': {
+ 'RequestId': 'af993b02-dc27-4c2c-8ea0-8d4ca80f1985',
+ 'HTTPStatusCode': 200,
+ },
+ "Findings": [{
+ "Service": {
+ "Action": {
+ "ActionType": "KUBERNETES_API_CALL",
+ "KubernetesApiCallAction": {
+ "RequestUri": "GeneratedFindingRequestURI",
+ "Verb": "create",
+ "UserAgent": "",
+ "StatusCode": 201,
+ "Parameters": "GeneratedFindingActionParameters"
+ }
+ },
+ "Archived": 'false',
+ "Count": 6,
+ "DetectorId": "abcdefghijklmn",
+ "EventFirstSeen": "2023-03-29T07:26:01.000Z",
+ "EventLastSeen": "2023-06-30T11:54:18.000Z",
+ "ResourceRole": "TARGET",
+ "ServiceName": "guardduty",
+ "AdditionalInfo": {
+ "Value": "{\"sample\":true}",
+ "Type": "default"
+ }
+ }
+ }]
+ }
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(response)
+
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is True
+ assert results_response['data'] is not None
+ assert results_response['data'][0]['Service']['Action']['KubernetesApiCallAction']['Protocol'] == 'http'
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_to_test_ebs_volume_hash_format(self, mock_results_2, mock_results_1):
+ """test success result response with ebs volume"""
+ results_response = {
+
+ 'ResponseMetadata': {
+ 'RequestId': 'af993b02-dc27-4c2c-8ea0-8d4ca80f1985',
+ 'HTTPStatusCode': 200,
+ },
+ "Findings": [
+ {
+ "SchemaVersion": "2.0",
+ "Service": {
+ "Archived": 'false',
+ "FeatureName": "EbsVolumeScan",
+ "EbsVolumeScanDetails": {
+ "ScanId": "12345",
+ "ScanStartedAt": "2021-12-09T00:45:03.000Z",
+ "ScanCompletedAt": "2021-12-09T00:53:46.000Z",
+ "TriggerFindingId": "xyz",
+ "Sources": [
+ "Bitdefender"
+ ],
+ "ScanDetections": {
+ "ThreatDetectedByName": {
+ "ItemCount": 2,
+ "UniqueThreatNameCount": 1,
+ "Shortened": 'false',
+ "ThreatNames": [
+ {
+ "Name": "EICAR-Test-File",
+ "Severity": "HIGH",
+ "ItemCount": 2,
+ "FilePaths": [
+ {
+ "FilePath": "tmp/eicar.com",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:"
+ "volume/vol-09d5050dea915943d",
+ "Hash": "a021bbfb6489e54d471899f7dbaaa9d1663fc345ec2fe2a2c4538aab"
+ "f651fd0f",
+ "FileName": "eicar.com"
+ },
+ {
+ "FilePath": "tmp/eicar-2.txt",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:volume/"
+ "vol-09d5050dea915943d",
+ "Hash": "a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf"
+ "651ad0x",
+ "FileName": "eicar-2.txt"
+ },
+ {
+ "FilePath": "tmp/eicar-2.txt",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:volume/"
+ "vol-09d5050dea915943d",
+ "Hash": "202cb962ac59075b964b07152d234b70",
+ "FileName": "eicar-3.txt"
+ },
+ {
+ "FilePath": "tmp/eicar-2.txt",
+ "VolumeArn": "arn:aws:ec2:us-west-2:12345678910:volume/"
+ "vol-09d5050dea915943d",
+ "Hash": "40bd001563085fc35165329ea1ff5c5ecbdbbeef",
+ "FileName": "eicar-4.txt"
+ },
+ ]
+ }
+ ]
+ }
+ },
+ "ScanType": "ON_DEMAND"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "result_count": 1,
+ "next_page_token": "",
+ "detector_ids": []
+ }
+ }
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(results_response)
+
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is True
+ assert results_response['data'] is not None
+ assert results_response['data'][0]['Service']['EbsVolumeScanDetails']['ScanDetections'][
+ 'ThreatDetectedByName']['ThreatNames'][0]['FilePaths'][0]['FileSha256'] == \
+ "a021bbfb6489e54d471899f7dbaaa9d1663fc345ec2fe2a2c4538aabf651fd0f"
+ assert results_response['data'][0]['Service']['EbsVolumeScanDetails']['ScanDetections'][
+ 'ThreatDetectedByName']['ThreatNames'][0]['FilePaths'][1][
+ 'UnknownHash'] == "a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x"
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_using_metadata(self, mock_results_2, mock_results_1):
+ """test success result response with metadata"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ metadata = {"result_count": 2, "next_page_token": '123', "detector_ids": ['1234abc']}
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ connection_with_limit = {
+ "region": "us-east-1",
+ "options": {"result_limit": 3}
+ }
+ transmission = stix_transmission.StixTransmission('aws_guardduty', connection_with_limit,
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length, metadata)
+ assert results_response is not None
+ assert results_response['success'] is True
+ assert results_response['data'] is not None
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_client_error(self, mock_results_2, mock_results_1):
+ """test Bad Request in result response"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ TestAWSConnection.get_client_error()]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceTyp\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'invalid_parameter'
+ assert 'An error occurred (BadRequestException) when calling the ListFindings operation' in \
+ results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_connection_with_client_error(self, mock_results):
+ """test ping connection with invalid credentials"""
+ mock_results.side_effect = TestAWSConnection.get_client_error_for_invalid_credentials()
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'authentication_fail'
+ assert 'The security token included in the request is invalid' in \
+ ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_parameter_validations_error(self, mock_results_2, mock_results_1):
+ """test results with invalid parameter"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ TestAWSConnection.get_parameter_validations_error()]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourcetype\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'invalid_parameter'
+ assert 'Parameter validation failed:Unknown parameter in FindingCriteria' in \
+ results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_connection_with_invalid_region_error(self, mock_results):
+ """test ping connection with invalid region"""
+ mock_results.side_effect = TestAWSConnection.get_invalid_region_error()
+ connection_with_invalid_region = {
+ "region": "us-east-"
+ }
+ entry_point = EntryPoint(connection_with_invalid_region, TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'authentication_fail'
+ assert "Provided region_name 'us-east-' doesn't match a supported format." in \
+ ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ def test_results_connections_with_invalid_region(self, mock_results_1):
+ """test results with invalid region"""
+ mock_results_1.side_effect = [TestAWSConnection.get_invalid_region_error()]
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ connection_with_invalid_region = {
+ "region": "us-east-"
+ }
+ transmission = stix_transmission.StixTransmission('aws_guardduty', connection_with_invalid_region,
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'authentication_fail'
+ assert "Provided region_name 'us-east-' doesn't match a supported format." in \
+ results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_endpoint_connection_error(self, mock_results_2, mock_results_1):
+ """test endpoint connection error for results"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ TestAWSConnection.get_endpoint_connection_error()]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'service_unavailable'
+ assert 'Could not connect to the endpoint URL: ' \
+ '"https://guardduty.us-eaat-1.amazonaws.com/detector"' in results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_connection_with_endpoint_connection_error(self, mock_results):
+ """test endpoint connection error for ping"""
+ mock_results.side_effect = TestAWSConnection.get_endpoint_connection_error()
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'service_unavailable'
+ assert 'Could not connect to the endpoint URL: "https://guardduty.us-eaat-1.amazonaws.com/detector"' in \
+ ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ def test_results_key_error_with_invalid_token(self, mock_results_1):
+ """test results with invalid token in IAM type config"""
+ mock_results_1.side_effect = [KeyError('An error occurred (InvalidClientTokenId) when calling the AssumeRole '
+ 'operation: The security token included in the request is invalid')]
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.iam_config())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'authentication_fail'
+ assert 'InvalidClientTokenId' in results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_key_error_with_invalid_token(self, mock_results_1):
+ """test ping with invalid token in IAM type config"""
+ mock_results_1.side_effect = [KeyError('An error occurred (InvalidClientTokenId) when calling the AssumeRole '
+ 'operation: The security token included in the request is invalid')]
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.iam_config())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'authentication_fail'
+ assert 'InvalidClientTokenId' in ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ def test_results_with_endpoint_connection_using_key_error(self, mock_results_1):
+ """test results with endpoint connection from key error"""
+ mock_results_1.side_effect = [KeyError('Could not connect to endpoint URL')]
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'service_unavailable'
+ assert 'Could not connect to endpoint URL' in results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_key_error_with_endpoint_connection(self, mock_results_1):
+ """test ping with endpoint connection from Key Error"""
+ mock_results_1.side_effect = [KeyError('Could not connect to endpoint URL')]
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'service_unavailable'
+ assert 'Could not connect to endpoint URL' in ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ def test_results_Parameter_key_error(self, mock_results_1):
+ """test endpoint connection error for results"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response)]
+ query = "{\"findingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert results_response['code'] == 'invalid_parameter'
+ assert 'FindingCriteria' in results_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_using_invalid_metadata(self, mock_results_2, mock_results_1):
+ """test result response with invalid metadata"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ get_aws_mock_response(TestAWSConnection.findings_response)]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ metadata = {"result_count": 2, "next_page_token": '123'}
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length, metadata)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert 'Invalid Metadata' in results_response['error']
+ assert results_response['code'] == 'invalid_parameter'
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_with_connect_timeout(self, mock_results_2, mock_results_1):
+ """test connect timeout for results"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ TestAWSConnection.get_connect_timeout_error()]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert 'Connect timeout on endpoint URL' in results_response['error']
+ assert results_response['code'] == 'service_unavailable'
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.get_paginated_result')
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_results_connections_with_read_timeout(self, mock_results_2, mock_results_1):
+ """test read timeout for results"""
+ mock_results_1.side_effect = [get_aws_mock_response(TestAWSConnection.detector_response),
+ TestAWSConnection.get_read_timeout_error()]
+ mock_results_2.return_value = get_aws_mock_response(TestAWSConnection.results_response)
+ query = "{\"FindingCriteria\":{\"Criterion\":{\"resource.resourceType\":" \
+ "{\"Equals\":[\"Instance\"]},\"updatedAt\":{\"GreaterThanOrEqual\":1676460035000," \
+ "\"LessThanOrEqual\":1686394800003}}}}"
+ offset = 0
+ length = 4
+ transmission = stix_transmission.StixTransmission('aws_guardduty', TestAWSConnection.connection(),
+ TestAWSConnection.configuration())
+ results_response = transmission.results(query, offset, length)
+ assert results_response is not None
+ assert results_response['success'] is False
+ assert 'Read timeout' in results_response['error']
+ assert results_response['code'] == 'service_unavailable'
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_with_read_timeout_error(self, mock_results_1):
+ """test read timeout for ping"""
+ mock_results_1.side_effect = [TestAWSConnection.get_read_timeout_error()]
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'service_unavailable'
+ assert 'Read timeout' in ping_response['error']
+
+ @patch('stix_shifter_modules.aws_guardduty.stix_transmission.boto3_client.BOTO3Client.make_request')
+ def test_ping_with_connect_timeout_error(self, mock_results_1):
+ """test connect timeout for ping"""
+ mock_results_1.side_effect = [TestAWSConnection.get_connect_timeout_error()]
+ entry_point = EntryPoint(TestAWSConnection.connection(), TestAWSConnection.configuration())
+ ping_response = run_in_thread(entry_point.ping_connection)
+ assert ping_response is not None
+ assert ping_response['success'] is False
+ assert ping_response['code'] == 'service_unavailable'
+ assert 'Connect timeout on endpoint URL' in ping_response['error']
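Review bot: The docstring of `test_results_Parameter_key_error` ("test endpoint connection error for results") is copied from the endpoint-connection test and does not describe what the method checks, which is that a query whose top-level key is `findingCriteria` instead of `FindingCriteria` is reported as `invalid_parameter`; suggest `"""test results when a misspelled FindingCriteria key raises KeyError"""` and renaming the method to `test_results_parameter_key_error` to match the file's snake_case test names. In `test_results_connections_to_test_ebs_volume_hash_format` the fixture carries four hash values but only the 64-character SHA-256 entry (`FilePaths[0]`) and the malformed entry (`FilePaths[1]`) are asserted; the 32- and 40-character hashes at `FilePaths[2]` and `FilePaths[3]` are fed through the connector but never checked, so a regression in how MD5/SHA-1-length hashes are classified would still pass, and one assertion per entry against whichever keys the connector emits for those lengths would close that gap. The local `results_response` in that test also shadows the class-level fixture of the same name and is then rebound to the transmission result, which makes the assertions harder to read; a name such as `ebs_response` for the fixture would avoid that. Finally, the sample finding's `AccountId` does not match the account segment of its `Arn`; fixtures are clearer, and less likely to carry over a real identifier, when both use the same obviously synthetic value.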