A sample GuardDuty Findings JSON for testing notifications

I'm publishing a sample of the JSON that is sent in GuardDuty Findings notifications.
2020.04.24

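Hello, this is Usuda.

Is everyone using GuardDuty? (greeting)

GuardDuty notifications are delivered through Chatbot, which recently became generally available, or parsed with a custom Lambda function, and at some point you will want to test them.

However, as far as I can tell the AWS documentation does not currently include a sample, so I'm leaving the JSON data from an actual notification here (mainly for my own use).

Feel free to use it.

GuardDuty Findings JSON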

{
    "version": "0",
    "id": "5eca59f3-ca22-4909-b6aa-ef50bedf9ac1",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "999999999999",
    "time": "2020-03-13T18:07:01Z",
    "region": "ap-northeast-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "999999999999",
        "region": "ap-northeast-1",
        "partition": "aws",
        "id": "24b8695ad1xxxxxxxxxxxxxxxxxxxxxx",
        "arn": "arn:aws:guardduty:ap-northeast-1:999999999999:detector/b2b006376dxxxxxxxxxxxxxxxxxxxxxx/finding/24b8695ad1xxxxxxxxxxxxxxxxxxxxxx",
        "type": "Recon:IAMUser/UserPermissions",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "ASIAXXXXXXXXXXXXXXXX",
                "principalId": "AIDAXXXXXXXXXXXXXXXXX",
                "userType": "IAMUser",
                "userName": "test-user"
            }
        },
        "service": {
            "serviceName": "guardduty",
            "detectorId": "b2b006376dxxxxxxxxxxxxxxxxxxxxxx",
            "action": {
                "actionType": "AWS_API_CALL",
                "awsApiCallAction": {
                    "api": "ListAccessKeys",
                    "serviceName": "iam.amazonaws.com",
                    "callerType": "Remote IP",
                    "remoteIpDetails": {
                        "ipAddressV4": "192.0.2.1",
                        "organization": {
                            "asn": "17676",
                            "asnOrg": "Softbank BB Corp.",
                            "isp": "Softbank BB",
                            "org": "Softbank BB"
                        },
                        "country": {
                            "countryName": "Japan"
                        },
                        "city": {
                            "cityName": "Tokyo"
                        },
                        "geoLocation": {
                            "lat": 35.689506,
                            "lon": 139.6917
                        }
                    },
                    "affectedResources": {}
                }
            },
            "resourceRole": "TARGET",
            "additionalInfo": {
                "recentApiCalls": [
                    {
                        "api": "GetAccountSummary",
                        "count": 1
                    },
                    {
                        "api": "ListAccountAliases",
                        "count": 1
                    },
                    {
                        "api": "GetAccountPasswordPolicy",
                        "count": 1
                    },
                    {
                        "api": "ListAccessKeys",
                        "count": 1
                    },
                    {
                        "api": "ListUsers",
                        "count": 1
                    },
                    {
                        "api": "GetUser",
                        "count": 1
                    }
                ]
            },
            "evidence": null,
            "eventFirstSeen": "2020-03-13T06:45:51Z",
            "eventLastSeen": "2020-03-13T17:19:10Z",
            "archived": false,
            "count": 5
        },
        "severity": 5,
        "createdAt": "2020-03-13T07:04:43.913Z",
        "updatedAt": "2020-03-13T17:38:34.430Z",
        "title": "Unusual user permission reconnaissance activity by test-user.",
        "description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal test-user under unusual circumstances. Such activity is not typically seen from this principal."
    }
}

Usage

The flow is CloudWatch Events -> SNS -> Lambda or Chatbot, so publishing the JSON above as a message to the SNS topic is enough to exercise it.
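
For the custom Lambda path, the following is an added example (not code from the original post) of a handler that unwraps the SNS record, checks that the message is a GuardDuty event, and builds a one-line summary while tolerating missing fields. The function names, the trimmed `SAMPLE_EVENT`, and the summary format are assumptions made for illustration.

```python
import json

# Trimmed copy of the finding event above (same field names and values).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "999999999999",
    "region": "ap-northeast-1",
    "detail": {
        "type": "Recon:IAMUser/UserPermissions",
        "severity": 5,
        "title": "Unusual user permission reconnaissance activity by test-user.",
        "resource": {"accessKeyDetails": {"userName": "test-user"}},
        "service": {"count": 5, "action": {"awsApiCallAction": {
            "api": "ListAccessKeys",
            "remoteIpDetails": {"ipAddressV4": "192.0.2.1"}}}},
    },
}

def wrap_as_sns_event(message):
    """Build the Lambda event SNS delivers: the published body is a JSON string."""
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(message)}}]}

def severity_label(score):
    # Assumed mapping: 7 and above High, 4 up to 7 Medium, otherwise Low.
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def summarize(message):
    """Return a one-line summary, or None if the message is not a GuardDuty event."""
    try:
        event = json.loads(message)
    except (TypeError, ValueError):
        return None  # not JSON (or no message at all)
    if not isinstance(event, dict) or event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail") or {}
    action = (detail.get("service") or {}).get("action") or {}
    api_call = action.get("awsApiCallAction") or {}  # absent for non-API findings
    ip = (api_call.get("remoteIpDetails") or {}).get("ipAddressV4", "n/a")
    user = ((detail.get("resource") or {}).get("accessKeyDetails") or {}).get("userName", "n/a")
    return "[{}] {} account={} region={} user={} api={} ip={}".format(
        severity_label(detail.get("severity", 0)), detail.get("type", "unknown"),
        event.get("account"), event.get("region"), user, api_call.get("api", "n/a"), ip)

def lambda_handler(event, context):
    """Summarize every SNS record; malformed or non-GuardDuty messages are skipped."""
    lines = [summarize(r.get("Sns", {}).get("Message")) for r in event.get("Records", [])]
    return [line for line in lines if line]
```

Calling `lambda_handler(wrap_as_sns_event(SAMPLE_EVENT), None)` locally reproduces what the function receives when the JSON is published to the topic.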

Summary

This should make notification testing go much more smoothly.