Fix AWS macie Timestamp and recipientAccountId fields #3608
Merged
As a result of the review of all fields under
In the case of
davidjiglesias approved these changes on Jul 4, 2019
Description
A new special processing has been implemented for 'macie' logs to transform `recipientAccountId` and `Timestamps` into lists. Now the format is homogeneous to prevent Elasticsearch errors when loading documents in the indexes.

Logs/Alerts example

```json
{
  "timestamp": "2019-07-02T15:08:29.729+0000",
  "rule": {
    "level": 12,
    "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts",
    "id": "12345",
    "firedtimes": 201,
    "mail": true,
    "groups": [ "amazon", "aws", "aws_macie" ]
  },
  "agent": { "id": "000", "name": "wazuh-manager" },
  "manager": { "name": "wazuh-manager" },
  "id": "123412341234.12341234",
  "full_log": "{\"integration\": \"aws\", \"aws\": {\"log_info\": {\"aws_account_alias\": \"\", \"log_file\": \"macie/2019/07/02/00/firehose_macie-1-2019-07-02-00-27-28-1234123\", \"s3bucket\": \"wazuh-bucket\"}, \"notification-type\": \"ALERT_UPDATED\", \"tags\": {\"value\": [\"Open Permissions\", \"Basic Alert\"]}, \"name\": \"S3 Bucket IAM policy grants global read rights\", \"severity\": \"CRITICAL\", \"url\": \"https://mt.us-east-1.macie.aws.amazon.com/posts/arnfake%data2\", \"alert-arn\": \"arn:aws:macie:us-east-1:fake:data/alert/12341234\", \"risk-score\": 9, \"updated-at\": \"2019-07-02T00:27:27.577585\", \"created-at\": \"2019-07-02T00:05:37.579000+00:00\", \"actor\": \"resources.wazuh.com\", \"summary\": {\"Description\": \"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts\", \"Bucket\": {\"resources.wazuh.com\": 1}, \"Record Count\": 1, \"ACL\": {\"resources.wazuh.com\": {\"Owner\": {\"DisplayName\": \"wazuh\", \"ID\": \"1234123412341234123412341234\"}, \"Grants\": [{\"Grantee\": {\"Type\": \"CanonicalUser\", \"DisplayName\": \"wazuh\", \"ID\": \"1234123412341234123412341234\"}, \"Permission\": \"FULL_CONTROL\"}, {\"Grantee\": {\"Type\": \"Group\", \"URI\": \"http://acs.amazonaws.com/groups/global/AllUsers\"}, \"Permission\": \"READ\"}]}}, \"Event Count\": 1, \"Timestamps\": [\"2019-07-02T00:20:57.775900Z\"], \"recipientAccountId\": [\"12341234123412\"]}, \"source\": \"macie\"}}",
  "decoder": { "name": "json" },
  "data": {
    "integration": "aws",
    "aws": {
      "log_info": {
        "log_file": "macie/2019/07/02/00/firehose_macie-1-2019-07-02-00-27-28-asdfasdf",
        "s3bucket": "wazuh-bucket"
      },
      "notification-type": "ALERT_UPDATED",
      "tags": { "value": "Open Permissions,Basic Alert," },
      "name": "S3 Bucket IAM policy grants global read rights",
      "severity": "CRITICAL",
      "url": "https://mt.us-east-1.macie.aws.amazon.com/posts/fake%data",
      "alert-arn": "arn:aws:macie:us-east-1:fake:data",
      "risk-score": "9",
      "updated-at": "2019-07-02T00:27:27.577585",
      "created-at": "2019-07-02T00:05:37.579000+00:00",
      "actor": "resources.wazuh.com",
      "summary": {
        "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts",
        "Bucket": { "resources": { "wazuh": { "com": "1" } } },
        "Record Count": "1",
        "ACL": {
          "resources": {
            "wazuh": {
              "com": {
                "Owner": { "DisplayName": "wazuh", "ID": "1234123412341234" }
              }
            }
          }
        },
        "Event Count": "1",
        "Timestamps": "2019-07-02T00:20:57.775900Z,",
        "recipientAccountId": "123412341234,"
      },
      "source": "macie"
    }
  },
  "location": "Wazuh-AWS"
}
```

Tests
ossec.log
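The shape-homogenising step the PR description refers to, as an added example that is not Wazuh's own code: it coerces `aws.summary.Timestamps` and `aws.summary.recipientAccountId` into lists over a batch of constructed Macie events and reports which JSON types each field took before and after. The three input shapes it accepts (a bare string, a list, and a `{"<value>": <count>}` map of the kind the sample alert shows for `Bucket`) are assumptions about what upstream may deliver, not taken from the project; the function and constant names are likewise hypothetical.

```python
"""Make the Macie summary fields that must be lists the same shape in every event.

Added example (not Wazuh code). Assumes events in the Wazuh wrapper form
{"integration": "aws", "aws": {..., "summary": {...}}} seen in the sample alert.
"""
import copy
import json

# Fields under aws.summary that must always be lists in the indexed document.
MACIE_LIST_FIELDS = ("Timestamps", "recipientAccountId")


def to_list(value):
    """Coerce a scalar, list or count-map value into a list of strings."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, dict):
        # Assumed count-map form, e.g. {"2019-07-02T00:20:57Z": 1}: keep the keys.
        # Indexed as an object, every distinct timestamp would become a new
        # field in the Elasticsearch mapping, and a field mapped as an object
        # rejects a later document that carries a concrete value there.
        return [str(k) for k in value]
    return [str(value)]


def normalize_macie_event(event):
    """Return a copy of the event with the MACIE_LIST_FIELDS under aws.summary
    turned into lists. Events without an aws.summary object are returned
    unchanged, so non-Macie AWS events pass through untouched."""
    event = copy.deepcopy(event)
    summary = event.get("aws", {}).get("summary")
    if not isinstance(summary, dict):
        return event
    for field in MACIE_LIST_FIELDS:
        if field in summary:
            summary[field] = to_list(summary[field])
    return event


def normalize_batch(events):
    """Normalise a list of events; the input list is not modified."""
    return [normalize_macie_event(ev) for ev in events]


def field_types(events, field):
    """Set of Python type names that aws.summary.<field> takes across a batch.
    More than one name for the same field is the mixed-shape situation the
    PR removes; a single name means the index will see one consistent shape."""
    types = set()
    for ev in events:
        value = ev.get("aws", {}).get("summary", {}).get(field)
        if value is not None:
            types.add(type(value).__name__)
    return types


# Constructed sample events (not real Macie output), one per input shape,
# plus one non-Macie event that carries no summary at all.
SAMPLE_EVENTS = [
    {"integration": "aws", "aws": {"source": "macie", "summary": {
        "Timestamps": "2019-07-02T00:20:57.775900Z",
        "recipientAccountId": "123412341234"}}},
    {"integration": "aws", "aws": {"source": "macie", "summary": {
        "Timestamps": ["2019-07-02T00:20:57.775900Z",
                       "2019-07-02T00:21:03.000000Z"],
        "recipientAccountId": ["123412341234"]}}},
    {"integration": "aws", "aws": {"source": "macie", "summary": {
        "Timestamps": {"2019-07-02T00:20:57.775900Z": 1},
        "recipientAccountId": {"123412341234": 1}}}},
    {"integration": "aws", "aws": {"source": "cloudtrail",
                                   "eventName": "GetObject"}},
]


if __name__ == "__main__":
    print("before:", sorted(field_types(SAMPLE_EVENTS, "Timestamps")))
    fixed = normalize_batch(SAMPLE_EVENTS)
    print("after: ", sorted(field_types(fixed, "Timestamps")))
    print(json.dumps(fixed[2], indent=2))
```

`field_types` is the check worth keeping around: run it over a sample of the JSON that is about to be indexed and any field that reports more than one type is a mapping conflict waiting to happen, whether or not it is one of the two fields this PR touches.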