Hello, this is Usuda.

Is everyone using GuardDuty? (as a greeting)

GuardDuty notifications are delivered through Chatbot, which recently went GA, or through a custom Lambda that parses the finding, and at some point you will want to test that pipeline.

Since the AWS documentation does not appear to provide this at the moment, I am leaving here the JSON data used in an actual notification (mainly for my own use). Feel free to use it.

GuardDuty Findings JSON
```json
{
  "version": "0",
  "id": "5eca59f3-ca22-4909-b6aa-ef50bedf9ac1",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "999999999999",
  "time": "2020-03-13T18:07:01Z",
  "region": "ap-northeast-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "999999999999",
    "region": "ap-northeast-1",
    "partition": "aws",
    "id": "24b8695ad1xxxxxxxxxxxxxxxxxxxxxx",
    "arn": "arn:aws:guardduty:ap-northeast-1:999999999999:detector/b2b006376dxxxxxxxxxxxxxxxxxxxxxx/finding/24b8695ad1xxxxxxxxxxxxxxxxxxxxxx",
    "type": "Recon:IAMUser/UserPermissions",
    "resource": {
      "resourceType": "AccessKey",
      "accessKeyDetails": {
        "accessKeyId": "ASIAXXXXXXXXXXXXXXXX",
        "principalId": "AIDAXXXXXXXXXXXXXXXXX",
        "userType": "IAMUser",
        "userName": "test-user"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "b2b006376dxxxxxxxxxxxxxxxxxxxxxx",
      "action": {
        "actionType": "AWS_API_CALL",
        "awsApiCallAction": {
          "api": "ListAccessKeys",
          "serviceName": "iam.amazonaws.com",
          "callerType": "Remote IP",
          "remoteIpDetails": {
            "ipAddressV4": "192.0.2.1",
            "organization": {
              "asn": "17676",
              "asnOrg": "Softbank BB Corp.",
              "isp": "Softbank BB",
              "org": "Softbank BB"
            },
            "country": {
              "countryName": "Japan"
            },
            "city": {
              "cityName": "Tokyo"
            },
            "geoLocation": {
              "lat": 35.689506,
              "lon": 139.6917
            }
          },
          "affectedResources": {}
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "recentApiCalls": [
          {
            "api": "GetAccountSummary",
            "count": 1
          },
          {
            "api": "ListAccountAliases",
            "count": 1
          },
          {
            "api": "GetAccountPasswordPolicy",
            "count": 1
          },
          {
            "api": "ListAccessKeys",
            "count": 1
          },
          {
            "api": "ListUsers",
            "count": 1
          },
          {
            "api": "GetUser",
            "count": 1
          }
        ]
      },
      "evidence": null,
      "eventFirstSeen": "2020-03-13T06:45:51Z",
      "eventLastSeen": "2020-03-13T17:19:10Z",
      "archived": false,
      "count": 5
    },
    "severity": 5,
    "createdAt": "2020-03-13T07:04:43.913Z",
    "updatedAt": "2020-03-13T17:38:34.430Z",
    "title": "Unusual user permission reconnaissance activity by test-user.",
    "description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal test-user under unusual circumstances. Such activity is not typically seen from this principal."
  }
}
```
Usage

The pipeline is typically CloudWatch Events -> SNS -> Lambda or Chatbot, so if you publish the JSON above as a message to the SNS topic, it flows through the rest of the chain.
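As an added example (not code from the original post), here is a minimal Python handler for the custom-Lambda path described above: it unwraps the SNS record, parses the finding JSON, and extracts the fields a notification usually needs. The embedded sample finding is a trimmed copy of the one above, and `sns_test_event` is a constructed helper that mimics the SNS-to-Lambda envelope for local testing.

```python
import json

# Constructed sample: a trimmed copy of the finding shown above, same field layout,
# keeping only the fields the handler reads.
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "999999999999", "region": "ap-northeast-1",
    "detail": {
        "type": "Recon:IAMUser/UserPermissions", "severity": 5,
        "title": "Unusual user permission reconnaissance activity by test-user.",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userName": "test-user", "userType": "IAMUser"}},
        "service": {
            "action": {"actionType": "AWS_API_CALL",
                       "awsApiCallAction": {"api": "ListAccessKeys",
                                            "remoteIpDetails": {"ipAddressV4": "192.0.2.1"}}},
            "additionalInfo": {"recentApiCalls": [{"api": "GetAccountSummary", "count": 1},
                                                  {"api": "ListAccessKeys", "count": 1}]},
            "count": 5,
        },
    },
}

def severity_label(severity):
    """Map GuardDuty's numeric severity to the Low / Medium / High bands AWS documents."""
    if severity >= 7.0:
        return "High"
    return "Medium" if severity >= 4.0 else "Low"

def summarize_finding(finding):
    """Pull the fields a notification needs out of one GuardDuty finding event."""
    d = finding["detail"]
    service = d.get("service", {})
    api_action = service.get("action", {}).get("awsApiCallAction", {})
    recent = service.get("additionalInfo", {}).get("recentApiCalls", [])
    return {
        "account": finding["account"], "region": finding["region"],
        "type": d["type"], "severity": severity_label(d["severity"]), "title": d["title"],
        "principal": d.get("resource", {}).get("accessKeyDetails", {}).get("userName"),
        "api": api_action.get("api"),
        "remote_ip": api_action.get("remoteIpDetails", {}).get("ipAddressV4"),
        "recent_apis": [c["api"] for c in recent],   # the reconnaissance calls seen
        "count": service.get("count"),
    }

def lambda_handler(event, context=None):
    """SNS-triggered entry point: each record's Message is the finding JSON published to the topic."""
    return [summarize_finding(json.loads(r["Sns"]["Message"])) for r in event["Records"]]

def sns_test_event(finding):
    """Constructed helper: wrap a finding the way SNS delivers it to Lambda."""
    return {"Records": [{"Sns": {"Message": json.dumps(finding)}}]}
```

Publishing the full JSON above to the topic produces the same structure; the trimmed sample just keeps the example self-contained.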
Summary

This should make notification testing a lot smoother.