guardduty_report
{
"version": "0",
"id": "xxxxxxxxxxxx-7288-8259-a251d0d4f872",
"detail-type": "GuardDuty Finding",
"source": "aws.guardduty",
"account": "xxxxxxxxxxxx",
"time": "2019-03-04T08:55:11Z",
"region": "us-east-1",
"resources": [],
"detail": {
"schemaVersion": "2.0",
"accountId": "xxxxxxxxxxxx",
"region": "us-east-1",
"partition": "aws",
"id": "xxxxxxxxxxxx30a8541009abcebe",
"arn": "arn:aws:guardduty:us-east-1:xxxxxxxxxxxx:some_account/xxxxxxxxxxxxc4ebf37dc5a558f/finding/xxxxxxxxxxxx30a8541009abcebe",
"type": "Recon:IAMUser/UserPermissions",
"resource": {
"resourceType": "AccessKey",
"accessKeyDetails": {
"accessKeyId": "AKIAJTMN5LKN3KSNDOPA",
"principalId": "AIDAxxxxxxxxxxxx",
"userType": "IAMUser",
"userName": "some_user"
}
},
"service": {
"serviceName": "guardduty",
"detectorId": "xxxxxxxxxxxxebf37dc5a558f",
"action": {
"actionType": "AWS_API_CALL",
"awsApiCallAction": {
"api": "ListAccessKeys",
"serviceName": "iam.amazonaws.com",
"callerType": "Remote IP",
"remoteIpDetails": {
"ipAddressV4": "85.216.144.55",
"organization": {
"asn": "6830",
"asnOrg": "Liberty Global B.V.",
"isp": "UPC Slovensko s.r.o",
"org": "UPC Slovakia"
},
"country": {
"countryName": "Slovakia"
},
"city": {
"cityName": "Bratislava"
},
"geoLocation": {
"lat": 48.1482,
"lon": 17.1067
}
},
"affectedResources": {}
}
},
"resourceRole": "TARGET",
"additionalInfo": {
"recentApiCalls": [
{
"api": "ListAccessKeys",
"count": 1
}
]
},
"eventFirstSeen": "2019-03-04T08:33:06Z",
"eventLastSeen": "2019-03-04T08:33:06Z",
"archived": false,
"count": 1
},
"severity": 5,
"createdAt": "2019-03-04T08:54:10.114Z",
"updatedAt": "2019-03-04T08:54:10.114Z",
"title": "Unusual user permission reconnaissance activity by some_user.",
"description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal some_user under unusual circumstances. Such activity is not typically seen from this principal."
}
}