Created
March 4, 2019 15:10
guardduty_report
{
  "version": "0",
  "id": "xxxxxxxxxxxx-7288-8259-a251d0d4f872",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "xxxxxxxxxxxx",
  "time": "2019-03-04T08:55:11Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "xxxxxxxxxxxx",
    "region": "us-east-1",
    "partition": "aws",
    "id": "xxxxxxxxxxxx30a8541009abcebe",
    "arn": "arn:aws:guardduty:us-east-1:xxxxxxxxxxxx:some_account/xxxxxxxxxxxxc4ebf37dc5a558f/finding/xxxxxxxxxxxx30a8541009abcebe",
    "type": "Recon:IAMUser/UserPermissions",
    "resource": {
      "resourceType": "AccessKey",
      "accessKeyDetails": {
        "accessKeyId": "AKIAJTMN5LKN3KSNDOPA",
        "principalId": "AIDAxxxxxxxxxxxx",
        "userType": "IAMUser",
        "userName": "some_user"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "xxxxxxxxxxxxebf37dc5a558f",
      "action": {
        "actionType": "AWS_API_CALL",
        "awsApiCallAction": {
          "api": "ListAccessKeys",
          "serviceName": "iam.amazonaws.com",
          "callerType": "Remote IP",
          "remoteIpDetails": {
            "ipAddressV4": "85.216.144.55",
            "organization": {
              "asn": "6830",
              "asnOrg": "Liberty Global B.V.",
              "isp": "UPC Slovensko s.r.o",
              "org": "UPC Slovakia"
            },
            "country": {
              "countryName": "Slovakia"
            },
            "city": {
              "cityName": "Bratislava"
            },
            "geoLocation": {
              "lat": 48.1482,
              "lon": 17.1067
            }
          },
          "affectedResources": {}
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "recentApiCalls": [
          {
            "api": "ListAccessKeys",
            "count": 1
          }
        ]
      },
      "eventFirstSeen": "2019-03-04T08:33:06Z",
      "eventLastSeen": "2019-03-04T08:33:06Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2019-03-04T08:54:10.114Z",
    "updatedAt": "2019-03-04T08:54:10.114Z",
    "title": "Unusual user permission reconnaissance activity by some_user.",
    "description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal some_user under unusual circumstances. Such activity is not typically seen from this principal."
  }
}