As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
Integrando com AWS Security Hub CSPM
O AWS Security Hub CSPM fornece uma visão abrangente do estado de segurança na AWS e ajuda a verificar o ambiente em relação aos padrões e às práticas recomendadas do setor de segurança. O Security Hub CSPM coleta dados de segurança de várias AWS contas, serviços e produtos de parceiros terceirizados compatíveis e ajuda você a analisar suas tendências de segurança e identificar os problemas de segurança de maior prioridade.
A GuardDuty integração da Amazon com o Security Hub CSPM permite que você envie descobertas para o Security Hub CSPM. GuardDuty O Security Hub CSPM pode então incluir essas descobertas em sua análise de sua postura de segurança.
Sumário
Como a Amazon GuardDuty envia descobertas para AWS Security Hub CSPM
Em AWS Security Hub CSPM, os problemas de segurança são rastreados como descobertas. Algumas descobertas vêm de problemas detectados por outros AWS serviços ou por parceiros terceirizados. O CSPM do Security Hub também tem um conjunto de regras que ele usa para detectar problemas de segurança e gerar descobertas.
O CSPM do Security Hub fornece ferramentas para gerenciar descobertas em todas essas origens. É possível exibir e filtrar listas de descobertas e exibir detalhes de uma descoberta. Para obter mais informações, consulte Visualizar descobertas no Guia do usuário do AWS Security Hub . Também é possível rastrear o status de uma investigação em uma descoberta. Para obter mais informações, consulte Tomar medidas sobre descobertas no Manual do usuário do AWS Security Hub .
Todas as descobertas no Security Hub CSPM usam um formato JSON padrão chamado AWS Security Finding Format (ASFF). O ASFF inclui detalhes sobre a origem do problema, os recursos afetados e o status atual da descoberta. Consulte ASFF (Formato de Descoberta de Segurança) da AWS no Guia do usuário do AWS Security Hub .
A Amazon GuardDuty é um dos AWS serviços que envia descobertas para o Security Hub CSPM.
Tipos de descobertas que o GuardDuty envia ao CSPM do Security Hub
Depois de habilitar o GuardDuty Security Hub CSPM na mesma conta dentro da mesma Região da AWS, GuardDuty começa a enviar todas as descobertas geradas para o Security Hub CSPM. Essas descobertas são enviadas ao Security Hub CSPM usando o AWS
Security Finding Format (ASFF). No ASFF, o campo Types fornece o tipo de descoberta.
Latência para enviar descobertas
Quando GuardDuty cria uma nova descoberta, ela geralmente é enviada ao CSPM do Security Hub em cinco minutos.
Nova tentativa quando o CSPM do Security Hub não está disponível
Se o CSPM do Security Hub não estiver disponível, GuardDuty tente enviar novamente as descobertas até que elas sejam recebidas.
Atualização das descobertas existentes no CSPM do Security Hub
Depois de enviar uma descoberta para o CSPM do Security Hub, GuardDuty envia atualizações para refletir observações adicionais da atividade de descoberta para o CSPM do Security Hub. As novas observações dessas descobertas são enviadas ao Security Hub CSPM com base nas Etapa 5 — Frequência de exportação de descobertas configurações do seu. Conta da AWS
Quando você arquiva ou desarquiva uma descoberta, GuardDuty não a envia para o CSPM do Security Hub. Qualquer descoberta desarquivada manualmente que posteriormente se torne ativa não GuardDuty é enviada ao CSPM do Security Hub.
Visualizando GuardDuty as descobertas em AWS Security Hub CSPM
Faça login no Console de gerenciamento da AWS e abra o AWS Security Hub CSPM console em https://console.aws.amazon.com/securityhub/
Agora você pode usar qualquer uma das seguintes formas de visualizar as GuardDuty descobertas no console CSPM do Security Hub:
- Opção 1: Usando integrações no CSPM do Security Hub
-
No painel de navegação à esquerda, selecione Integrações.
-
Na página de integrações, verifique o status da Amazon: GuardDuty.
-
Se o Status for Aceitando descobertas, escolha Ver descobertas ao lado de Aceitar descobertas.
-
Caso contrário, para obter mais informações sobre como as integrações funcionam, consulte Integrações CSPM do Security Hub no Guia do Usuário.AWS Security Hub
-
- Opção 2: Usando descobertas no CSPM do Security Hub
-
No painel de navegação à esquerda, escolha Descobertas.
-
Na página Descobertas, adicione o filtro Nome do produto e insira
GuardDutypara ver somente GuardDuty as descobertas.
Interpretando GuardDuty encontrar nomes em AWS Security Hub CSPM
GuardDuty envia as descobertas para o Security Hub CSPM usando o AWS
Security Finding Format (ASFF). No ASFF, o campo Types fornece o tipo de descoberta. Os tipos ASFF usam um esquema de nomenclatura diferente dos tipos. GuardDuty A tabela abaixo detalha todos os tipos de GuardDuty descobertas com seus equivalentes do ASFF conforme aparecem no CSPM do Security Hub.
nota
Para alguns tipos de GuardDuty descoberta, o Security Hub CSPM atribui nomes de descoberta ASFF diferentes, dependendo se a função de recurso do detalhe da descoberta era ACTOR ou TARGET. Para obter mais informações, consulte Detalhes da descoberta.
|
GuardDuty tipo de descoberta |
Tipo de descoberta do ASFF |
|---|---|
|
TTPs/AttackSequence:IAM/CompromisedCredentials |
|
|
TTPs/AttackSequence:S3/CompromisedData |
|
|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B |
|
|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS |
|
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns |
|
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp |
|
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp |
|
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts |
|
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol |
|
|
TTPs/Command and Control/Backdoor:EC2-Spambot |
|
|
Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual |
|
|
Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual |
|
|
TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B |
|
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B |
|
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B!DNS |
|
|
TTPs/Credential Access/IAMUser-AnomalousBehavior |
|
|
CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed |
TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed |
| CredentialAccess:Kubernetes/MaliciousIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller |
| CredentialAccess:Kubernetes/MaliciousIPCaller.Custom |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom |
| CredentialAccess:Kubernetes/SuccessfulAnonymousAccess |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess |
| CredentialAccess:Kubernetes/TorIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller |
|
TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin |
|
|
TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulBruteForce |
|
|
TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulLogin |
|
|
TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.FailedLogin |
|
|
TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.SuccessfulLogin |
|
|
TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.FailedLogin |
|
|
TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.SuccessfulLogin |
|
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B |
|
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS |
|
|
TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B |
|
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B |
|
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B!DNS |
|
|
TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver |
|
|
TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity |
|
|
TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity |
|
|
TTPs/Defense Evasion/IAMUser-AnomalousBehavior |
|
|
TTPs/Defense Evasion/DefenseEvasion:IAMUser-BedrockLoggingDisabled |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller |
|
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution |
|
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-KernelModuleLoaded |
|
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc |
|
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace |
|
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging |
|
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand |
|
|
TTPs/Discovery/IAMUser-AnomalousBehavior |
|
|
TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked |
|
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller |
|
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom |
|
|
TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess |
|
|
TTPs/Discovery/Discovery:Kubernetes-TorIPCaller |
|
|
TTPs/Discovery/RDS-MaliciousIPCaller |
|
|
TTPs/Discovery/RDS-TorIPCaller |
|
|
TTPs/Discovery/Discovery:Runtime-SuspiciousCommand |
|
|
TTPs/Discovery:S3-AnomalousBehavior |
|
|
TTPs/Discovery:S3-BucketEnumeration.Unusual |
|
|
TTPs/Discovery:S3-MaliciousIPCaller.Custom |
|
|
TTPs/Discovery:S3-TorIPCaller |
|
|
TTPs/Discovery:S3-MaliciousIPCaller |
|
| Exfiltration:IAMUser/AnomalousBehavior |
TTPs/Exfiltration/IAMUser-AnomalousBehavior |
| Execution:Kubernetes/ExecInKubeSystemPod |
TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod |
|
TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod |
|
|
TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed |
|
| TTPs/Impact/Impact:EC2-MaliciousDomainRequest.Custom | |
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller |
|
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom |
|
|
TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess |
|
|
TTPs/Impact/Impact:Kubernetes-TorIPCaller |
|
TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount |
|
|
Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount |
TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed!ContainerWithSensitiveMount |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed!PrivilegedContainer |
|
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller |
|
|
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom |
|
|
TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess |
|
|
TTPs/Persistence/Persistence:Kubernetes-TorIPCaller |
|
|
TTPs/Execution/Execution:EC2-MaliciousFile |
|
|
TTPs/Execution/Execution:ECS-MaliciousFile |
|
|
TTPs/Execution/Execution:Kubernetes-MaliciousFile |
|
|
TTPs/Execution/Execution:Container-MaliciousFile |
|
|
TTPs/Execution/Execution:EC2-SuspiciousFile |
|
|
TTPs/Execution/Execution:ECS-SuspiciousFile |
|
|
TTPs/Execution/Execution:Kubernetes-SuspiciousFile |
|
|
TTPs/Execution/Execution:Container-SuspiciousFile |
|
|
TTPs/Execution/Execution:EC2-MaliciousFile!Snapshot |
|
|
TTPs/Execution/Execution:EC2-MaliciousFile!AMI |
|
|
TTPs/Execution/Execution:EC2-MaliciousFile!RecoveryPoint |
|
|
TTPs/Execution/Execution:S3-MaliciousFile!RecoveryPoint |
|
|
TTPs/Execution/Execution:Runtime-MaliciousFileExecuted |
|
|
TTPs/Execution/Execution:Runtime-NewBinaryExecuted |
|
|
TTPs/Execution/Execution:Runtime-NewLibraryLoaded |
|
|
TTPs/Execution/Execution:Runtime-ReverseShell |
|
|
TTPs/Execution/Execution:Runtime-SuspiciousCommand |
|
|
TTPs/Execution/Execution:Runtime-SuspiciousShellCreated |
|
|
TTPs/Execution/Execution:Runtime-SuspiciousTool |
|
|
TTPs/Exfiltration:S3-AnomalousBehavior |
|
|
TTPs/Exfiltration:S3-ObjectRead.Unusual |
|
|
TTPs/Exfiltration:S3-MaliciousIPCaller |
|
|
TTPs/Impact:EC2-AbusedDomainRequest.Reputation |
|
|
TTPs/Impact:EC2-BitcoinDomainRequest.Reputation |
|
|
TTPs/Impact:EC2-MaliciousDomainRequest.Reputation |
|
|
TTPs/Impact/Impact:EC2-PortSweep |
|
|
TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation |
|
|
TTPs/Impact/Impact:EC2-WinRMBruteForce |
|
|
TTPs/Impact/IAMUser-AnomalousBehavior |
|
|
TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation |
|
|
TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation |
|
|
TTPs/Impact/Impact:Runtime-CryptoMinerExecuted |
|
|
TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation |
|
|
TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputatio |
|
|
TTPs/Impact:S3-AnomalousBehavior.Delete |
|
|
TTPs/Impact:S3-AnomalousBehavior.Permission |
|
|
TTPs/Impact:S3-AnomalousBehavior.Write |
|
|
TTPs/Impact:S3-ObjectDelete.Unusual |
|
|
TTPs/Impact:S3-PermissionsModification.Unusual |
|
|
TTPs/Impact:S3-MaliciousIPCaller |
|
|
TTPs/Initial Access/IAMUser-AnomalousBehavior |
|
|
TTPs/Object/Object:S3-MaliciousFile |
|
|
TTPs/PenTest:IAMUser/KaliLinux |
|
|
TTPs/PenTest:IAMUser/ParrotLinux |
|
|
TTPs/PenTest:IAMUser/PentooLinux |
|
|
TTPs/PenTest:S3-KaliLinux |
|
|
TTPs/PenTest:S3-ParrotLinux |
|
|
TTPs/PenTest:S3-PentooLinux |
|
| TTPs/Persistence/IAMUser-AnomalousBehavior | |
|
TTPs/Persistence/Persistence:IAMUser-NetworkPermissions |
|
|
TTPs/Persistence/Persistence:IAMUser-ResourcePermissions |
|
|
TTPs/Persistence/Persistence:IAMUser-UserPermissions |
|
|
TTPs/Persistence/Persistence:Runtime-SuspiciousCommand |
|
|
TTPs/Policy:IAMUser-RootCredentialUsage |
|
|
TTPs/Policy:IAMUser-ShortTermRootCredentialUsage |
|
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount |
|
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted |
|
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-ExposedDashboard |
|
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed |
|
|
TTPs/Policy:S3-AccountBlockPublicAccessDisabled |
|
|
TTPs/Policy:S3-BucketAnonymousAccessGranted |
|
|
Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled |
|
|
TTPs/Policy:S3-BucketPublicAccessGranted |
|
| TTPs/Privilege Escalation/IAMUser-AnomalousBehavior | |
|
TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions |
|
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated |
|
TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape |
|
|
Software and Configuration Checks/PrivilegeEscalation:Runtime-SuspiciousCommand |
|
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage |
|
|
TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort |
|
|
TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort |
|
|
TTPs/Discovery/Recon:EC2-Portscan |
|
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller |
|
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom |
|
|
TTPs/Discovery/Recon:IAMUser-NetworkPermissions |
|
|
TTPs/Discovery/Recon:IAMUser-ResourcePermissions |
|
|
TTPs/Discovery/Recon:IAMUser-TorIPCaller |
|
|
TTPs/Discovery/Recon:IAMUser-UserPermissions |
|
|
Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources |
|
|
TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled |
|
|
TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified |
|
|
TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange |
|
|
TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled |
|
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic |
|
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic!DNS |
|
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B |
|
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C!DNS |
|
|
TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration |
|
|
TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic!DNS |
|
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint |
|
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint!DNS |
|
|
TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest!DNS |
|
|
TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic |
|
|
Effects/Data Exfiltration/Trojan:Lambda-DropPoint |
|
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic |
|
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic!DNS |
|
|
TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C!DNS |
|
|
TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic!DNS |
|
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint |
|
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint!DNS |
|
|
TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest!DNS |
|
|
TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom |
|
|
TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind |
|
|
TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce |
|
|
TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce |
|
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient |
|
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay |
|
|
Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin |
|
|
TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B |
|
|
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS |
|
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS |
|
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller |
|
|
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom |
|
|
UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-ResourceCredentialExfiltration.OutsideAWS |
|
TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller |
|
|
TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom |
|
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient |
|
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay |
|
|
TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind |
|
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay |
|
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient |
|
|
TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom |
|
|
TTPs/UnauthorizedAccess:S3-TorIPCaller |
Descoberta típica do GuardDuty
GuardDuty envia descobertas para o Security Hub CSPM usando o AWS Security Finding Format (ASFF).
Aqui está um exemplo de uma descoberta típica de GuardDuty.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "ProductArn": "arn:aws:securityhub:us-east-1:product/aws/guardduty", "GeneratorId": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64", "AwsAccountId": "193043430472", "Types": [ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ], "FirstObservedAt": "2020-08-22T09:15:57Z", "LastObservedAt": "2020-09-30T11:56:49Z", "CreatedAt": "2020-08-22T09:34:34.146Z", "UpdatedAt": "2020-09-30T12:14:00.206Z", "Severity": { "Product": 2, "Label": "MEDIUM", "Normalized": 40 }, "Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.", "Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea", "ProductFields": { "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown", "aws/guardduty/service/archived": "false", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384", "aws/guardduty/service/action/networkConnectionAction/blocked": "false", "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States", "aws/guardduty/service/serviceName": "guardduty", "aws/guardduty/service/evidence": "", "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6", "aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink", "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND", "aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z", "aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH", "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque", "aws/guardduty/service/additionalInfo": "", "aws/guardduty/service/resourceRole": "TARGET", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22", "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP", "aws/guardduty/service/count": "74", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/CompanyName": "Amazon" }, "Resources": [ { "Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356", "Partition": "aws", "Region": "us-east-1", "Tags": { "Name": "kubectl" }, "Details": { "AwsEc2Instance": { "Type": "t2.micro", "ImageId": "ami-02354e95b39ca8dec", "IpV4Addresses": [ "18.234.130.16", "172.31.43.6" ], "VpcId": "vpc-a0c2d7c7", "SubnetId": "subnet-4975b475", "LaunchedAt": "2020-08-03T23:21:57Z" } } } ], "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE" }
Habilitar e configurar a integração
Para usar a integração com AWS Security Hub CSPM, você deve habilitar o CSPM do Security Hub. Para obter informações sobre como habilitar o CSPM do Security Hub, consulte Configurando o Security Hub no Guia do AWS Security Hub Usuário.
Quando você ativa o CSPM do Security Hub GuardDuty e o Security Hub, a integração é ativada automaticamente. GuardDutyimediatamente começa a enviar as descobertas para o Security Hub CSPM.
Usando GuardDuty controles no Security Hub CSPM
AWS Security Hub CSPM usa controles de segurança para avaliar seus AWS recursos e verificar sua conformidade com os padrões e as melhores práticas do setor de segurança. Você pode usar os controles relacionados aos GuardDuty recursos e aos planos de proteção selecionados. Para obter mais informações, consulte GuardDutyos controles da Amazon no Guia AWS Security Hub do usuário.
Para obter uma lista de todos os controles entre AWS serviços e recursos, consulte a referência de controles CSPM do Security Hub no Guia do AWS Security Hub Usuário.
Interrupção da publicação de descobertas no CSPM do Security Hub
Para interromper o envio de descobertas ao CSPM do Security Hub, você poderá usar o console ou a API do CSPM do Security Hub.
Consulte Desabilitar e habilitar o fluxo de descobertas de uma integração (console) ou Desabilitar o fluxo de descobertas de uma integração (API do Security Hub, AWS CLI) no Guia do Usuário.AWS Security Hub
