Merge pull request #11037 from projectdiscovery/guardduty-aws

AWS - GuardDuty (4 Templates)
2024-10-28 15:47:01 +07:00 · 2024-10-28 15:47:01 +07:00 · 6efe57830a
parent 2a76e7f04e 27c306cd0d
commit 6efe57830a
4 changed files with 211 additions and 0 deletions
--- a/cloud/aws/guardduty/guardduty-findings.yaml
+++ b/cloud/aws/guardduty/guardduty-findings.yaml
@ -0,0 +1,57 @@
+id: guardduty-findings
+
+info:
+  name: Open GuardDuty Findings
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats.
+  impact: |
+    GuardDuty findings indicate potential security threats, such as compromised instances, unauthorized access, or malicious activities within your AWS environment, requiring immediate investigation.
+  remediation: |
+    Investigate and respond to GuardDuty findings by analyzing the threat details and taking corrective actions, such as blocking malicious IPs, revoking compromised credentials, or isolating affected instances. Use AWS Security Hub or AWS Config for automated remediation where applicable.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/findings.html
+    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
+  tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let DetectorIds of iterate(template.detectors)){
+    set("detector", DetectorIds)
+    code(2)}
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
+
+    extractors:
+      - type: json
+        name: detectors
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws guardduty list-findings --region $region --detector-id $detector --query 'FindingIds' --output json
+
+    matchers:
+      - type: regex
+        regex:
+          - '\"(.*)\"'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"The AWS account has open GuardDuty Findings"'
--- a/cloud/aws/guardduty/guardduty-not-enabled.yaml
+++ b/cloud/aws/guardduty/guardduty-not-enabled.yaml
@ -0,0 +1,38 @@
+id: guardduty-not-enabled
+
+info:
+  name: GuardDuty Not Enabled
+  author: DhiyaneshDK
+  severity: info
+  description: |
+    Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security threats.
+  impact: |
+    GuardDuty disabled leaves your AWS environment vulnerable to undetected threats, such as unauthorized access, anomalous activities, and potential security breaches, compromising the overall security posture.
+  remediation: |
+    Enable GuardDuty to continuously monitor and detect security threats in your AWS environment.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/guardduty-enabled.html
+    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
+  tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "[]"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"GuardDuty Is Not Enabled"'
--- a/cloud/aws/guardduty/malware-protection-disabled.yaml
+++ b/cloud/aws/guardduty/malware-protection-disabled.yaml
@ -0,0 +1,58 @@
+id: malware-protection-disabled
+
+info:
+  name: GuardDuty Malware Protection - Disabled
+  author: DhiyaneshDK
+  severity: info
+  description: |
+    Ensure that the Malware Protection feature is enabled for your Amazon GuardDuty detectors.
+  impact: |
+    GuardDuty Malware Protection disabled increases the risk of undetected malware threats on EBS volumes, potentially leading to data compromise or system breaches.
+  remediation: |
+    Enable GuardDuty Malware Protection by configuring the feature in the GuardDuty console or using the AWS CLI, to scan EBS volumes for malware and ensure proactive threat detection.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-malware-protection.html
+    - https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html
+  tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let DetectorIds of iterate(template.detectors)){
+    set("detector", DetectorIds)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
+
+    extractors:
+      - type: json
+        name: detectors
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "DISABLED"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"GuardDuty Malware Protection " + detector + " is Disabled"'
--- a/cloud/aws/guardduty/s3-protection-disabled.yaml
+++ b/cloud/aws/guardduty/s3-protection-disabled.yaml
@ -0,0 +1,58 @@
+id: s3-protection-disabled
+
+info:
+  name: GuardDuty S3 Protection - Disabled
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors.
+  impact: |
+    GuardDuty S3 Protection disabled increases the risk of undetected malicious activities, such as unauthorized access or data exfiltration, within S3 buckets.
+  remediation: |
+    Enable GuardDuty S3 Protection by configuring it in the GuardDuty console or via AWS CLI to monitor S3 buckets for unauthorized access and malicious activities.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-s3-protection.html
+    - https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html
+  tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let DetectorIds of iterate(template.detectors)){
+    set("detector", DetectorIds)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws guardduty list-detectors --region $region --query 'DetectorIds' --output json
+
+    extractors:
+      - type: json
+        name: detectors
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.S3Logs.Status' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "DISABLED"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"GuardDuty S3 Protection " + detector + " is Disabled"'