

Merge pull request #594 from 0xdabbad00/spiper-guardduty_support
Add rule and test for GuardDuty
jacknagz authored Feb 14, 2018
2 parents 4c2d663 + 6291359 commit 954b70b
Showing 4 changed files with 50 additions and 0 deletions.
4 changes: 4 additions & 0 deletions matchers/matchers.py
Expand Up @@ -16,3 +16,7 @@
from stream_alert.rule_processor.rules_engine import StreamRules

matcher = StreamRules.matcher()

@matcher
def guard_duty(record):
return record['detail-type'] == 'GuardDuty Finding'
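Review bot: The matcher on the last line indexes `record['detail-type']` directly, so any cloudwatch:events record that lacks that key raises KeyError inside the matcher instead of returning False; whether the rules engine catches that and what it does with the record is outside this hunk, so the failure mode is unclear from here. `return record.get('detail-type') == 'GuardDuty Finding'` keeps the same match and simply does not match malformed or unrelated events. A one-line docstring on `guard_duty` naming the shape it expects, `"""Match the CloudWatch Events envelope emitted by aws.guardduty."""`, would help the next rule author reuse it correctly.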
Empty file.
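--- a/rules/community/guardduty/guard_duty_all.py
+++ b/rules/community/guardduty/guard_duty_all.py
@@ -0,0 +1,22 @@
+"""Alert on GuardDuty"""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+disable = StreamRules.disable()
+
+
+@rule(logs=['cloudwatch:events'],
+      matchers=['guard_duty'],
+      outputs=['slack:sample-channel'])
+def guard_duty_all(*_):
+    """
+    author: spiper
+    description: Alert on GuardDuty events
+    playbook: (a) identify the AWS account in the log
+              (b) identify what resource(s) are impacted
+              (c) contact the point-of-contact for the account
+    testing: From the GuardDuty AWS page (https://console.aws.amazon.com/guardduty/home)
+             click the button to "Generate Sample Findings"
+    """
+
+    return True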
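Review bot: guard_duty_all alerts on every GuardDuty finding, including the sample findings the docstring's testing step asks the tester to generate, and because the record is discarded (`*_`) there is no severity or finding-type gate and nothing in the function to tell a sample from a real finding. If the Slack output is an on-call channel, consider taking `rec` and either skipping sample findings (GuardDuty marks generated samples in the finding detail, under `service.additionalInfo.sample` as far as I recall; confirm against a real sample event before relying on it) or gating on `rec['detail'].get('severity')`. `outputs=['slack:sample-channel']` is a placeholder that each deployment has to point at a configured output; a docstring line such as `outputs: replace slack:sample-channel with this deployment's configured output` would make that explicit. The playbook would be more actionable if it named the fields to read, which should be the finding's `detail` block (account id, finding type, severity and the affected resource; verify the exact key names against a finding).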
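--- a/tests/integration/rules/guardduty/guard_duty_all.json
+++ b/tests/integration/rules/guardduty/guard_duty_all.json
@@ -0,0 +1,24 @@
+{
+  "records": [
+    {
+      "data": {
+        "version": "0",
+        "id": "00000000-0000-0000-0000-000000000000",
+        "detail-type": "GuardDuty Finding",
+        "source": "aws.guardduty",
+        "account": "111111111111",
+        "time": "2018-02-13T18:25:01Z",
+        "region": "us-east-1",
+        "resources": [],
+        "detail": {}
+      },
+      "description": "GuardDuty",
+      "log": "cloudwatch:events",
+      "service": "kinesis",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "trigger_rules": [
+        "guard_duty_all"
+      ]
+    }
+  ]
+}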
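Review bot: The fixture covers only the positive path: a single record whose `detail-type` matches, with an empty `detail`, so a regression that made the `guard_duty` matcher accept every CloudWatch event would still pass this test. Add a second record with a different `detail-type` (an EC2 state-change notification, say) and `"trigger_rules": []`, assuming the integration runner treats an empty list as "must not trigger", so the test also proves non-GuardDuty events are not alerted on; the `description` on each record should say what it represents rather than just `"GuardDuty"`. Populating `detail` with a representative finding (at least a `severity` and a `type`) would let a later severity filter in the rule be tested against this fixture instead of a new one.
```json
{
  "data": {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000001",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "111111111111",
    "time": "2018-02-13T18:25:01Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {}
  },
  "description": "Non-GuardDuty CloudWatch event must not trigger guard_duty_all",
  "log": "cloudwatch:events",
  "service": "kinesis",
  "source": "prefix_cluster1_stream_alert_kinesis",
  "trigger_rules": []
}
```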
