AWS Guard Duty Alert
| Id | bf0cde21-0c41-48f6-a40c-6b5bd71fa106 |
| Rulename | AWS Guard Duty Alert |
| Description | Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding. |
| Severity | Medium |
| Required data connectors | AWSS3 |
| Kind | Scheduled |
| Query frequency | 5h |
| Query period | 5h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml |
| Version | 1.0.2 |
| Arm template | bf0cde21-0c41-48f6-a40c-6b5bd71fa106.json |
AWSGuardDuty | extend tokens = split(ActivityType,":") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],"/") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),"High",iff(Severity between (4.0..6.9), "Medium", iff(Severity between (1.0..3.9),"Low","Unknown")))
queryFrequency: 5h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Arn
identifier: Name
- columnName: AWSAcoundId
identifier: ObjectGuid
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml
relevantTechniques: []
query: AWSGuardDuty | extend tokens = split(ActivityType,":") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],"/") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),"High",iff(Severity between (4.0..6.9), "Medium", iff(Severity between (1.0..3.9),"Low","Unknown")))
id: bf0cde21-0c41-48f6-a40c-6b5bd71fa106
triggerOperator: gt
version: 1.0.2
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
- AWSGuardDuty
customDetails:
ResourceTypeAffected: ResourceTypeAffected
ThreatPurpose: ThreatPurpose
UniqueFindingId: UniqueFindingId
description: Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.
queryPeriod: 5h
alertDetailsOverride:
alertSeverityColumnName: Severity
alertDescriptionFormat: '{{Description}}'
alertTacticsColumnName: ThreatPurpose
alertDisplayNameFormat: '{{Title}}'
status: Available
name: AWS Guard Duty Alert
tactics: []
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf0cde21-0c41-48f6-a40c-6b5bd71fa106')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf0cde21-0c41-48f6-a40c-6b5bd71fa106')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "AWS Guard Duty Alert",
"description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.",
"severity": "Medium",
"enabled": true,
"query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [],
"techniques": [],
"alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106",
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDisplayNameFormat": "{{Title}}",
"alertTacticsColumnName": "ThreatPurpose",
"alertDescriptionFormat": "{{Description}}"
},
"customDetails": {
"ResourceTypeAffected": "ResourceTypeAffected",
"ThreatPurpose": "ThreatPurpose",
"UniqueFindingId": "UniqueFindingId"
},
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Arn"
},
{
"identifier": "ObjectGuid",
"columnName": "AWSAcoundId"
}
]
}
],
"templateVersion": "1.0.2",
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml"
}
}
]
}