GuardDuty in Elastic

I am trying to create a dashboard with information from AWS GuardDuty.

I was already able to bring data into Elastic through the Elastic Agent by enabling the SQS integration from S3.

The relevant information is in a field called error.message and I don't know how to parse that information to display it in a dashboard.

Welcome to our community! :smiley:

Can you please share an example of the message?

Of course, this is the JSON I see in Discover:

{
  "_index": ".ds-logs-aws.s3access-default-2022.10.19-000001",
  "_type": "_doc",
  "_id": "67449bf7da-000000000000",
  "_version": 1,
  "_score": 1,
  "_ignored": [
    "event.original"
  ],
  "_source": {
    "agent": {
      "hostname": "ip-10-0-159-155",
      "name": "ip-10-0-159-155",
      "id": "22e21b30-571e-48cf-87f0-3557079a58d8",
      "type": "filebeat",
      "ephemeral_id": "8ac89105-0fea-4ba0-96c1-b0a199e0189c",
      "version": "7.17.6"
    },
    "log": {
      "file": {
        "path": "https://guarddutylogs-gonzalo.s3.us-east-1.amazonaws.com/AWSLogs/829019360850/GuardDuty/us-east-1/2022/10/24/1c15fda3-fdb2-3e7f-bb40-53b1768636c5.jsonl.gz"
      },
      "offset": 0
    },
    "elastic_agent": {
      "id": "22e21b30-571e-48cf-87f0-3557079a58d8",
      "version": "7.17.6",
      "snapshot": false
    },
    "error": {
      "message": "Provided Grok expressions do not match field value: [{\\\"schemaVersion\\\":\\\"2.0\\\",\\\"accountId\\\":\\\"829019360850\\\",\\\"region\\\":\\\"us-east-1\\\",\\\"partition\\\":\\\"aws\\\",\\\"id\\\":\\\"56c2054e6c28ac5474fb403151d0dd78\\\",\\\"arn\\\":\\\"arn:aws:guardduty:us-east-1:829019360850:detector/bac17b9d287e18ebe8941f0466c5d75e/finding/56c2054e6c28ac5474fb403151d0dd78\\\",\\\"type\\\":\\\"UnauthorizedAccess:EC2/RDPBruteForce\\\",\\\"resource\\\":{\\\"resourceType\\\":\\\"Instance\\\",\\\"instanceDetails\\\":{\\\"instanceId\\\":\\\"i-04b750fdb704eba08\\\",\\\"instanceType\\\":\\\"t2.micro\\\",\\\"launchTime\\\":\\\"2022-10-12T20:49:40.000Z\\\",\\\"platform\\\":\\\"windows\\\",\\\"productCodes\\\":[],\\\"iamInstanceProfile\\\":null,\\\"networkInterfaces\\\":[{\\\"ipv6Addresses\\\":[],\\\"networkInterfaceId\\\":\\\"eni-09c015d25471a227f\\\",\\\"privateDnsName\\\":\\\"ip-10-0-147-206.ec2.internal\\\",\\\"privateIpAddress\\\":\\\"10.0.147.206\\\",\\\"privateIpAddresses\\\":[{\\\"privateDnsName\\\":\\\"ip-10-0-147-206.ec2.internal\\\",\\\"privateIpAddress\\\":\\\"10.0.147.206\\\"}],\\\"subnetId\\\":\\\"subnet-02b677bf8fc33ce9a\\\",\\\"vpcId\\\":\\\"vpc-03369cd61e4b5ff59\\\",\\\"securityGroups\\\":[{\\\"groupName\\\":\\\"launch-wizard-5\\\",\\\"groupId\\\":\\\"sg-039fd86d95462b4aa\\\"}],\\\"publicDnsName\\\":\\\"ec2-44-204-222-50.compute-1.amazonaws.com\\\",\\\"publicIp\\\":\\\"44.204.222.50\\\"}],\\\"outpostArn\\\":null,\\\"tags\\\":[{\\\"key\\\":\\\"Name\\\",\\\"value\\\":\\\"WinServer\\\"}],\\\"instanceState\\\":\\\"running\\\",\\\"availabilityZone\\\":\\\"us-east-1b\\\",\\\"imageId\\\":\\\"ami-0f1ee03d06c4c659c\\\",\\\"imageDescription\\\":\\\"Microsoft Windows Server 2022 Full Locale English AMI provided by 
Amazon\\\"}},\\\"service\\\":{\\\"serviceName\\\":\\\"guardduty\\\",\\\"detectorId\\\":\\\"bac17b9d287e18ebe8941f0466c5d75e\\\",\\\"action\\\":{\\\"actionType\\\":\\\"NETWORK_CONNECTION\\\",\\\"networkConnectionAction\\\":{\\\"connectionDirection\\\":\\\"INBOUND\\\",\\\"remoteIpDetails\\\":{\\\"ipAddressV4\\\":\\\"92.255.85.168\\\",\\\"organization\\\":{\\\"asn\\\":\\\"57523\\\",\\\"asnOrg\\\":\\\"Chang Way Technologies Co. Limited\\\",\\\"isp\\\":\\\"Chang Way Technologies Co. Limited\\\",\\\"org\\\":\\\"Chang Way Technologies Co. Limited\\\"},\\\"country\\\":{\\\"countryName\\\":\\\"Hong Kong SAR China\\\"},\\\"city\\\":{\\\"cityName\\\":\\\"\\\"},\\\"geoLocation\\\":{\\\"lat\\\":22.2578,\\\"lon\\\":114.1657}},\\\"remotePortDetails\\\":{\\\"port\\\":1477,\\\"portName\\\":\\\"Unknown\\\"},\\\"localPortDetails\\\":{\\\"port\\\":3389,\\\"portName\\\":\\\"RDP\\\"},\\\"protocol\\\":\\\"TCP\\\",\\\"blocked\\\":false,\\\"localIpDetails\\\":{\\\"ipAddressV4\\\":\\\"10.0.147.206\\\"}}},\\\"resourceRole\\\":\\\"TARGET\\\",\\\"additionalInfo\\\":{\\\"value\\\":\\\"{}\\\",\\\"type\\\":\\\"default\\\"},\\\"eventFirstSeen\\\":\\\"2022-10-24T15:21:42.000Z\\\",\\\"eventLastSeen\\\":\\\"2022-10-24T15:25:42.000Z\\\",\\\"archived\\\":false,\\\"count\\\":1},\\\"severity\\\":2,\\\"createdAt\\\":\\\"2022-10-24T15:29:22.001Z\\\",\\\"updatedAt\\\":\\\"2022-10-24T15:29:22.001Z\\\",\\\"title\\\":\\\"92.255.85.168 is performing RDP brute force attacks against i-04b750fdb704eba08.\\\",\\\"description\\\":\\\"92.255.85.168 is performing RDP brute force attacks against i-04b750fdb704eba08. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password.\\\"}]"
    },

Are you using an ingest pipeline already? What does it look like?

I am only using the S3 integration. How can I use the ingest pipeline?

How could I do it with a pipeline in order to bring the information to a dashboard?

Worth noting that we are about to start working on a GuardDuty integration with Elastic Agent. You can follow this issue for updates on progress: AWS GuardDuty · Issue #2751 · elastic/integrations · GitHub
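For the pipeline approach asked about above, here is an added example (not from the thread and not part of Elastic's integration): an ingest pipeline body that recovers the finding from `error.message`, exactly as the value appears in the Discover output above, parses it, and copies the fields a dashboard would filter on into ECS. The pipeline name you `PUT` it under and the `guardduty.*` field names are my own choices; the ECS targets (`rule.name`, `event.severity`, `source.ip`, `destination.port`, `cloud.instance.id`, `event.start`) are standard ECS fields.

```json
{
  "description": "Recover a GuardDuty finding that the aws.s3access Grok rejected (added example)",
  "processors": [
    {
      "gsub": {
        "description": "Keep only the JSON between the Grok error prefix and the closing ]",
        "if": "ctx.error?.message != null && ctx.error.message.startsWith('Provided Grok expressions')",
        "field": "error.message",
        "target_field": "guardduty.raw",
        "pattern": "^Provided Grok expressions do not match field value: \\[|\\]$",
        "replacement": ""
      }
    },
    {
      "gsub": {
        "description": "Quotes inside the value arrive backslash-escaped (see the Discover view); undo that so it parses",
        "if": "ctx.guardduty?.raw != null",
        "field": "guardduty.raw",
        "pattern": "\\\\\"",
        "replacement": "\""
      }
    },
    {
      "json": {
        "description": "Parse the recovered finding into a structured object",
        "if": "ctx.guardduty?.raw != null",
        "field": "guardduty.raw",
        "target_field": "guardduty.finding"
      }
    },
    { "set": { "if": "ctx.guardduty?.finding != null", "field": "event.kind", "value": "alert" } },
    { "set": { "field": "rule.name", "copy_from": "guardduty.finding.type", "ignore_empty_value": true } },
    { "set": { "field": "event.severity", "copy_from": "guardduty.finding.severity", "ignore_empty_value": true } },
    { "set": { "field": "message", "copy_from": "guardduty.finding.title", "ignore_empty_value": true } },
    { "set": { "field": "cloud.account.id", "copy_from": "guardduty.finding.accountId", "ignore_empty_value": true } },
    { "set": { "field": "cloud.region", "copy_from": "guardduty.finding.region", "ignore_empty_value": true } },
    { "set": { "field": "cloud.instance.id", "copy_from": "guardduty.finding.resource.instanceDetails.instanceId", "ignore_empty_value": true } },
    { "set": { "field": "source.ip", "copy_from": "guardduty.finding.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4", "ignore_empty_value": true } },
    { "set": { "field": "destination.port", "copy_from": "guardduty.finding.service.action.networkConnectionAction.localPortDetails.port", "ignore_empty_value": true } },
    { "date": { "if": "ctx.guardduty?.finding?.service?.eventFirstSeen != null", "field": "guardduty.finding.service.eventFirstSeen", "target_field": "event.start", "formats": ["ISO8601"] } },
    { "remove": { "if": "ctx.guardduty?.finding != null", "field": ["guardduty.raw", "error.message"] } }
  ]
}
```

The `source.ip`/`destination.port` mapping assumes an INBOUND connection like the RDPBruteForce finding above; condition on `connectionDirection` before applying it to outbound findings. Test it against the document above with the `_ingest/pipeline/<name>/_simulate` API before attaching it to the data stream (via `index.final_pipeline` or the integration's custom pipeline hook), since the unescaping step should be dropped if your events carry plain, unescaped JSON.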
