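Filtering findings in GuardDuty
A finding filter lets you view the findings that match the criteria you specify and filters out any findings that do not match. You can create finding filters in the Amazon GuardDuty console, or you can create them with the CreateFilter API using JSON. Review the following sections to understand how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules in GuardDuty.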
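When you create filters, take the following list into consideration:
- You can specify a minimum of one attribute and a maximum of 50 attributes as the criteria for a particular filter.
- When you use the equal to or not equal to operator to filter on an attribute value, such as account ID, you can specify a maximum of 50 values.
- Each filter criteria attribute is evaluated as an `AND` operator. Multiple values for the same attribute are evaluated as `AND/OR`.
- For information about the maximum number of saved filters that you can create in an AWS account in each AWS Region, see GuardDuty quotas.
- Fields under `service.additionalInfo` are specified using their full JSON path, the same as any other field. For example: `{ "service.additionalInfo.sample": { "Equals": ["true"] } }`.
- Timestamp fields accept values in Unix Epoch milliseconds format (for example, `1486685375000`). For the complete list of timestamp fields, see the note below.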
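The following sections provide instructions for creating and saving filters with the GuardDuty console and with API and CLI commands. Choose your preferred access method to continue.
Creating and saving a filter set in the GuardDuty console
You can create and test finding filters in the GuardDuty console. You can save filters created in the console for use in suppression rules or in future filter operations. A filter consists of at least one filter criterion, which is one filter attribute paired with at least one value.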
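To create and save a filter (console)
1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
2. In the left navigation pane, choose Findings.
3. On the Findings page, select the Filter findings bar next to the Saved rules menu. This displays an expanded list of property filters.
4. From the expanded list of filters, select the attribute by which you want to filter the findings table.
   For example, to view the findings for which the potentially impacted resource is an S3Bucket, choose Resource type.
5. For the operator, choose the one that filters the findings to the outcome you want. To continue the example from the previous step, choose Resource type =. This displays a list of resource types in GuardDuty.
   If your use case requires excluding specific findings, you can choose the Not equals or != operator.
6. Specify a value for the selected property filter. If needed, choose Apply. To continue the example from the previous step, you can choose S3Bucket.
   This displays the findings that match the applied filter.
7. To add more than one filter criterion, repeat steps 3-6.
   For the complete list of attributes, see Property filters in GuardDuty.
8. (Optional) Save the specified attributes and values as a filter.
   To apply this filter combination again in the future, you can save the specified attributes and their values as a filter set.
   - After you create the filter criteria with one or more property filters, select the arrow in the Clear filters menu.
   - Enter a name for the filter set. The name must be 3-64 characters. Valid characters are a-z, A-Z, 0-9, period (.), hyphen (-), and underscore (_).
   - The description is optional. If you enter a description, it can have up to 512 characters.
   - Choose Create.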
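Creating and saving a filter set using the GuardDuty API and CLI
You can create and test finding filters using API or CLI commands. A filter consists of at least one filter criterion, which is one filter attribute paired with at least one value. You can save a filter to create suppression rules or to perform other filter operations later.
To create a finding filter using the API/CLI
- Run the CreateFilter API using the regional detector ID of the AWS account in which you want to create the filter.
  To find the `detectorId` for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
- Alternatively, you can use the create-filter CLI command to create and save a filter. You can use one or more filter criteria from Property filters in GuardDuty. To use the following examples, replace the placeholder values.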
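Example 1: Create a new filter to view all findings that match a specific finding type

The following example creates a filter that matches all `PortScan` findings for instances created from a specific image. Replace the placeholder values with the appropriate values for your account. For example, replace `12abc34d567e8fa901bc2d34EXAMPLE` with your regional detector ID.

```
aws guardduty create-filter \
  --detector-id 12abc34d567e8fa901bc2d34EXAMPLE \
  --name FilterExampleName \
  --finding-criteria '{"Criterion": {"type": {"Equals": ["Recon:EC2/Portscan"]}, "resource.instanceDetails.imageId": {"Equals": ["ami-0a7a207083example"]}}}'
```

Example 2: Create a new filter to view all findings that match a severity level

The following example creates a filter that matches all findings associated with the `HIGH` severity level. Replace the placeholder values with the appropriate values for your account. For example, replace `12abc34d567e8fa901bc2d34EXAMPLE` with your regional detector ID.

```
aws guardduty create-filter \
  --detector-id 12abc34d567e8fa901bc2d34EXAMPLE \
  --name FilterExampleName \
  --finding-criteria '{"Criterion": {"severity": {"Equals": ["7", "8"]}}}'
```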
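For the API/CLI, finding severity levels are represented as numbers. To filter findings based on severity level, use the following values:
- For the `LOW` severity level, use `{ "severity": { "Equals": ["1", "2", "3"] } }`
- For the `MEDIUM` severity level, use `{ "severity": { "Equals": ["4", "5", "6"] } }`
- For the `HIGH` severity level, use `{ "severity": { "Equals": ["7", "8"] } }`
- For the `CRITICAL` severity level, use `{ "severity": { "Equals": ["9", "10"] } }`
- For findings with multiple severity levels, use placeholder values similar to the following example: `{ "severity": { "Equals": ["7", "8", "9", "10"] } }`. This example shows findings that have either the `HIGH` or the `CRITICAL` severity level.

Note
If you specify only one numerical value instead of all the numerical values associated with a severity level, the API and CLI may still show filtered findings. When you use this saved filter set in the GuardDuty console, however, it will not work as expected. This is because the GuardDuty console treats the filter values as `CRITICAL`, `HIGH`, `MEDIUM`, and `LOW`. For example, a filter created with a CLI command that contains `{ "severity": { "Equals": ["9"] } }` is expected to show appropriate output in the API/CLI. However, this saved filter contains only part of a severity level, so it will not show the expected output when used in the GuardDuty console. This is why the API and CLI need to specify all the values associated with each severity level.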
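The severity mapping above and the limits listed at the top of this page (1 to 50 attributes, at most 50 values for an equals or not-equals condition, the filter set name and description rules, Unix Epoch millisecond timestamps) can be checked before a filter is submitted. The following Python sketch is an added example, not AWS code: the function names are hypothetical, it only builds and validates the request locally, and `GreaterThanOrEqual` and the `NOOP` action are CreateFilter values that this page does not show.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Severity label -> every numeric value the API/CLI needs for that label.
SEVERITY_VALUES = {
    "LOW": ["1", "2", "3"],
    "MEDIUM": ["4", "5", "6"],
    "HIGH": ["7", "8"],
    "CRITICAL": ["9", "10"],
}
MAX_ATTRIBUTES = 50     # a filter takes 1 to 50 attributes
MAX_VALUES = 50         # Equals / NotEquals take at most 50 values
MAX_DESCRIPTION = 512   # description length limit
NAME_RE = re.compile(r"[A-Za-z0-9._-]{3,64}")  # filter set name rule
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def severity_condition(*labels):
    """Expand severity labels into the complete numeric value set."""
    values = []
    for label in labels:
        values.extend(SEVERITY_VALUES[label.upper()])
    return {"Equals": values}


def partial_severity_labels(condition):
    """Return the labels that an Equals list covers only in part.

    Such a filter returns results through the API/CLI but does not
    behave as expected when the saved filter is used in the console.
    """
    chosen = set(condition.get("Equals", []))
    return [label for label, nums in SEVERITY_VALUES.items()
            if chosen & set(nums) and not set(nums) <= chosen]


def to_epoch_ms(moment):
    """Convert a timezone-aware datetime to Unix Epoch milliseconds."""
    if moment.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    return (moment - EPOCH) // timedelta(milliseconds=1)


def build_filter(detector_id, name, criterion, description="", action="NOOP"):
    """Check the documented limits and return a CreateFilter request dict."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: 3-64 characters from a-z, A-Z, 0-9, '.', '-', '_'")
    if len(description) > MAX_DESCRIPTION:
        problems.append("description: at most 512 characters")
    if not 1 <= len(criterion) <= MAX_ATTRIBUTES:
        problems.append("criterion: between 1 and 50 attributes")
    for attribute, condition in criterion.items():
        for operator in ("Equals", "NotEquals"):
            if len(condition.get(operator, [])) > MAX_VALUES:
                problems.append(f"{attribute}: more than 50 values for {operator}")
    partial = partial_severity_labels(criterion.get("severity", {}))
    if partial:
        problems.append("severity: incomplete value set for " + ", ".join(partial))
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Description": description,
        "Action": action,
        "FindingCriteria": {"Criterion": criterion},
    }


if __name__ == "__main__":
    since = datetime(2010, 1, 1, 1, 23, 45, tzinfo=timezone.utc)
    request = build_filter(
        "12abc34d567e8fa901bc2d34EXAMPLE",  # placeholder detector ID from this page
        "FilterExampleName",
        {
            "severity": severity_condition("HIGH", "CRITICAL"),
            "resource.resourceType": {"Equals": ["S3Bucket"]},
            # Operator assumed from the CreateFilter API, not shown on this page.
            "updatedAt": {"GreaterThanOrEqual": to_epoch_ms(since)},
        },
    )
    # The printed JSON is the value to pass to --finding-criteria.
    print(json.dumps(request["FindingCriteria"]))
```
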
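Property filters in GuardDuty
When you create filters or sort findings using API operations, you must specify the filter criteria in JSON. These filter criteria correspond to fields in the finding's details JSON. The following table lists the console display names of the filter attributes and their equivalent JSON field names.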
Console field name | JSON field name |
|---|---|
Account ID | accountId |
Finding ID | id |
Region | region |
Severity | severity. You can filter finding types based on their severity level. For more information about severity values, see Severity levels of GuardDuty findings. If you |
Finding type | type |
Updated at | updatedAt |
Access key ID | resource.accessKeyDetails.accessKeyId |
Principal ID | resource.accessKeyDetails.principalId |
Username | resource.accessKeyDetails.userName |
User type | resource.accessKeyDetails.userType |
IAM instance profile ID | resource.instanceDetails.iamInstanceProfile.id |
Instance ID | resource.instanceDetails.instanceId |
Instance image ID | resource.instanceDetails.imageId |
Instance tag key | resource.instanceDetails.tags.key |
Instance tag value | resource.instanceDetails.tags.value |
IPv6 address | resource.instanceDetails.networkInterfaces.ipv6Addresses |
Private IPv4 address | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress |
Public DNS name | resource.instanceDetails.networkInterfaces.publicDnsName |
Public IP | resource.instanceDetails.networkInterfaces.publicIp |
Security group ID | resource.instanceDetails.networkInterfaces.securityGroups.groupId |
Security group name | resource.instanceDetails.networkInterfaces.securityGroups.groupName |
Subnet ID | resource.instanceDetails.networkInterfaces.subnetId |
VPC ID | resource.instanceDetails.networkInterfaces.vpcId |
Outpost ARN | resource.instanceDetails.outpostARN |
Resource type | resource.resourceType |
Bucket permissions | resource.s3BucketDetails.publicAccess.effectivePermission |
Bucket name | resource.s3BucketDetails.name |
Bucket tag key | resource.s3BucketDetails.tags.key |
Bucket tag value | resource.s3BucketDetails.tags.value |
Bucket type | resource.s3BucketDetails.type |
Action type | service.action.actionType |
API called | service.action.awsApiCallAction.api |
API caller type | service.action.awsApiCallAction.callerType |
API error code | service.action.awsApiCallAction.errorCode |
API caller city | service.action.awsApiCallAction.remoteIpDetails.city.cityName |
API caller country | service.action.awsApiCallAction.remoteIpDetails.country.countryName |
API caller IPv4 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 |
API caller IPv6 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV6 |
API caller ASN ID | service.action.awsApiCallAction.remoteIpDetails.organization.asn |
API caller ASN name | service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg |
API caller service name | service.action.awsApiCallAction.serviceName |
DNS request domain | service.action.dnsRequestAction.domain |
DNS request domain suffix | service.action.dnsRequestAction.domainWithSuffix |
Network connection blocked | service.action.networkConnectionAction.blocked |
Network connection direction | service.action.networkConnectionAction.connectionDirection |
Network connection local port | service.action.networkConnectionAction.localPortDetails.port |
Network connection protocol | service.action.networkConnectionAction.protocol |
Network connection city | service.action.networkConnectionAction.remoteIpDetails.city.cityName |
Network connection country | service.action.networkConnectionAction.remoteIpDetails.country.countryName |
Network connection remote IPv4 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 |
Network connection remote IPv6 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV6 |
Network connection remote IP ASN ID | service.action.networkConnectionAction.remoteIpDetails.organization.asn |
Network connection remote IP ASN name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg |
Network connection remote port | service.action.networkConnectionAction.remotePortDetails.port |
Remote account affiliated | service.action.awsApiCallAction.remoteAccountDetails.affiliated |
Kubernetes API caller IPv4 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 |
Kubernetes API caller IPv6 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6 |
Kubernetes namespace | service.action.kubernetesApiCallAction.namespace |
Kubernetes API caller ASN ID | service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn |
Kubernetes API call request URI | service.action.kubernetesApiCallAction.requestUri |
Kubernetes API status code | service.action.kubernetesApiCallAction.statusCode |
Network connection local IPv4 address | service.action.networkConnectionAction.localIpDetails.ipAddressV4 |
Network connection local IPv6 address | service.action.networkConnectionAction.localIpDetails.ipAddressV6 |
Protocol | service.action.networkConnectionAction.protocol |
API call service name | service.action.awsApiCallAction.serviceName |
API caller account ID | service.action.awsApiCallAction.remoteAccountDetails.accountId |
Threat list name | service.additionalInfo.threatListName |
Resource role | service.resourceRole |
EKS cluster name | resource.eksClusterDetails.name |
Kubernetes workload name | resource.kubernetesDetails.kubernetesWorkloadDetails.name |
Kubernetes workload namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace |
Kubernetes user name | resource.kubernetesDetails.kubernetesUserDetails.username |
Kubernetes container image | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image |
Kubernetes container image prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix |
Scan ID | service.ebsVolumeScanDetails.scanId |
EBS volume scan threat name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name |
S3 object scan threat name | service.malwareScanDetails.threats.name |
Threat severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity |
File SHA | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
ECS cluster name | resource.ecsClusterDetails.name |
ECS container image | resource.ecsClusterDetails.taskDetails.containers.image |
ECS task definition ARN | resource.ecsClusterDetails.taskDetails.definitionArn |
Standalone container image | resource.containerDetails.image |
Database instance ID | resource.rdsDbInstanceDetails.dbInstanceIdentifier |
Database cluster ID | resource.rdsDbInstanceDetails.dbClusterIdentifier |
Database engine | resource.rdsDbInstanceDetails.engine |
Database user | resource.rdsDbUserDetails.user |
Executable SHA-256 | service.runtimeDetails.process.executableSha256 |
Process name | service.runtimeDetails.process.name |
Executable path | service.runtimeDetails.process.executablePath |
Lambda function name | resource.lambdaDetails.functionName |
Lambda function ARN | resource.lambdaDetails.functionArn |
Lambda function tag key | resource.lambdaDetails.tags.key |
Lambda function tag value | resource.lambdaDetails.tags.value |
DNS request domain | service.action.dnsRequestAction.domainWithSuffix |
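All other finding fields (listed below) are available only as suppression rule filter criteria (using CreateFilter and UpdateFilter). Other API operations do not support these fields. Suppression rules that use these fields must be created or updated through the API. These fields can be applied only to filters with the `ARCHIVE` action.
Note
The following fields accept timestamp values in Unix Epoch milliseconds format (for example, `1262309025000` represents Friday, January 1, 2010 1:23:45 AM GMT):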
createdAt
updatedAt
service.eventFirstSeen
service.eventLastSeen
resource.instanceDetails.launchTime
resource.lambdaDetails.lastModifiedAt
resource.s3BucketDetails.createdAt
resource.eksClusterDetails.createdAt
resource.ecsClusterDetails.taskDetails.createdAt
resource.ecsClusterDetails.taskDetails.startedAt
service.ebsVolumeScanDetails.scanStartedAt
service.ebsVolumeScanDetails.scanCompletedAt
service.runtimeDetails.context.modifiedAt
service.runtimeDetails.context.modifyingProcess.startTime
service.runtimeDetails.context.modifyingProcess.lineage.startTime
service.runtimeDetails.context.targetProcess.startTime
service.runtimeDetails.context.targetProcess.lineage.startTime
service.runtimeDetails.process.startTime
service.runtimeDetails.process.lineage.startTime
service.detection.sequence.actors.session.createdTime
service.detection.sequence.signals.createdAt
service.detection.sequence.signals.updatedAt
service.detection.sequence.signals.firstSeenAt
service.detection.sequence.signals.lastSeenAt
service.detection.sequence.resources.data.s3Bucket.createdAt
service.detection.sequence.resources.data.ecsTask.createdAt
service.detection.sequence.resources.data.eksCluster.createdAt
JSON field name |
|---|
arn |
associatedAttackSequenceArn |
createdAt |
partition |
resource.accessKeyDetails.userIdentity.accessKeyId |
resource.accessKeyDetails.userIdentity.accountId |
resource.accessKeyDetails.userIdentity.arn |
resource.accessKeyDetails.userIdentity.principalId |
resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated |
resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery |
resource.accessKeyDetails.userIdentity.sessionContext.invokedBy |
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId |
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn |
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId |
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type |
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName |
resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity |
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes |
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider |
resource.accessKeyDetails.userIdentity.type |
resource.accessKeyDetails.userIdentity.userName |
resource.bedrockGuardrailDetails.guardrailArn |
resource.bedrockGuardrailDetails.guardrailVersion |
resource.containerDetails.containerRuntime |
resource.containerDetails.imagePrefix |
resource.containerDetails.securityContext.allowPrivilegeEscalation |
resource.containerDetails.securityContext.privileged |
resource.containerDetails.volumeMounts.mountPath |
resource.containerDetails.volumeMounts.name |
resource.ebsVolumeDetails.scannedVolumeDetails.deviceName |
resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType |
resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn |
resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn |
resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn |
resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB |
resource.ebsVolumeDetails.scannedVolumeDetails.volumeType |
resource.ebsVolumeDetails.skippedVolumeDetails.deviceName |
resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType |
resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn |
resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn |
resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn |
resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB |
resource.ebsVolumeDetails.skippedVolumeDetails.volumeType |
resource.ecsClusterDetails.activeServicesCount |
resource.ecsClusterDetails.arn |
resource.ecsClusterDetails.registeredContainerInstancesCount |
resource.ecsClusterDetails.runningTasksCount |
resource.ecsClusterDetails.status |
resource.ecsClusterDetails.tags.key |
resource.ecsClusterDetails.tags.value |
resource.ecsClusterDetails.taskDetails.arn |
resource.ecsClusterDetails.taskDetails.containers.containerRuntime |
resource.ecsClusterDetails.taskDetails.containers.id |
resource.ecsClusterDetails.taskDetails.containers.imagePrefix |
resource.ecsClusterDetails.taskDetails.containers.name |
resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation |
resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged |
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath |
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name |
resource.ecsClusterDetails.taskDetails.createdAt |
resource.ecsClusterDetails.taskDetails.group |
resource.ecsClusterDetails.taskDetails.launchType |
resource.ecsClusterDetails.taskDetails.startedAt |
resource.ecsClusterDetails.taskDetails.startedBy |
resource.ecsClusterDetails.taskDetails.tags.key |
resource.ecsClusterDetails.taskDetails.tags.value |
resource.ecsClusterDetails.taskDetails.version |
resource.ecsClusterDetails.taskDetails.volumes.hostPath.path |
resource.ecsClusterDetails.taskDetails.volumes.name |
resource.eksClusterDetails.arn |
resource.eksClusterDetails.createdAt |
resource.eksClusterDetails.status |
resource.eksClusterDetails.tags.key |
resource.eksClusterDetails.tags.value |
resource.eksClusterDetails.vpcId |
resource.instanceDetails.iamInstanceProfile.arn |
resource.instanceDetails.instanceState |
resource.instanceDetails.instanceType |
resource.instanceDetails.launchTime |
resource.instanceDetails.networkInterfaces.networkInterfaceId |
resource.instanceDetails.networkInterfaces.privateDnsName |
resource.instanceDetails.networkInterfaces.privateIpAddress |
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName |
resource.instanceDetails.platform |
resource.instanceDetails.productCodes.productCodeId |
resource.instanceDetails.productCodes.productCodeType |
resource.kubernetesDetails.kubernetesUserDetails.groups |
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups |
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username |
resource.kubernetesDetails.kubernetesUserDetails.sessionName |
resource.kubernetesDetails.kubernetesUserDetails.uid |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath |
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name |
resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc |
resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork |
resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid |
resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName |
resource.kubernetesDetails.kubernetesWorkloadDetails.type |
resource.kubernetesDetails.kubernetesWorkloadDetails.uid |
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path |
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name |
resource.lambdaDetails.description |
resource.lambdaDetails.lastModifiedAt |
resource.lambdaDetails.revisionId |
resource.lambdaDetails.vpcConfig.securityGroups.groupId |
resource.lambdaDetails.vpcConfig.securityGroups.groupName |
resource.lambdaDetails.vpcConfig.subnetIds |
resource.lambdaDetails.vpcConfig.vpcId |
resource.rdsDbInstanceDetails.dbInstanceArn |
resource.rdsDbInstanceDetails.dbiResourceId |
resource.rdsDbInstanceDetails.dbSecurityGroups.name |
resource.rdsDbInstanceDetails.dbSecurityGroups.status |
resource.rdsDbInstanceDetails.engineVersion |
resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled |
resource.rdsDbInstanceDetails.publiclyAccessible |
resource.rdsDbInstanceDetails.vpcId |
resource.rdsDbInstanceDetails.vpcSecurityGroups.status |
resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId |
resource.rdsDbUserDetails.application |
resource.rdsDbUserDetails.authMethod |
resource.rdsDbUserDetails.database |
resource.rdsDbUserDetails.ssl |
resource.rdsLimitlessDbDetails.dbClusterIdentifier |
resource.rdsLimitlessDbDetails.dbShardGroupArn |
resource.rdsLimitlessDbDetails.dbShardGroupIdentifier |
resource.rdsLimitlessDbDetails.dbShardGroupResourceId |
resource.rdsLimitlessDbDetails.engine |
resource.rdsLimitlessDbDetails.engineVersion |
resource.rdsLimitlessDbDetails.tags.key |
resource.rdsLimitlessDbDetails.tags.value |
resource.s3BucketDetails.arn |
resource.s3BucketDetails.createdAt |
resource.s3BucketDetails.defaultServerSideEncryption.encryptionType |
resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn |
resource.s3BucketDetails.owner.id |
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls |
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy |
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls |
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess |
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess |
resource.s3BucketDetails.s3ObjectDetails.eTag |
resource.s3BucketDetails.s3ObjectDetails.hash |
resource.s3BucketDetails.s3ObjectDetails.key |
resource.s3BucketDetails.s3ObjectDetails.objectArn |
resource.s3BucketDetails.s3ObjectDetails.versionId |
schemaVersion |
service.action.awsApiCallAction.domainDetails.domain |
service.action.awsApiCallAction.remoteIpDetails.country.countryCode |
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat |
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon |
service.action.awsApiCallAction.remoteIpDetails.organization.isp |
service.action.awsApiCallAction.remoteIpDetails.organization.org |
service.action.awsApiCallAction.userAgent |
service.action.dnsRequestAction.blocked |
service.action.dnsRequestAction.protocol |
service.action.kubernetesApiCallAction.parameters |
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode |
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat |
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon |
service.action.kubernetesApiCallAction.resource |
service.action.kubernetesApiCallAction.resourceName |
service.action.kubernetesApiCallAction.sourceIPs |
service.action.kubernetesApiCallAction.subresource |
service.action.kubernetesApiCallAction.userAgent |
service.action.kubernetesApiCallAction.verb |
service.action.kubernetesPermissionCheckedDetails.allowed |
service.action.kubernetesPermissionCheckedDetails.namespace |
service.action.kubernetesPermissionCheckedDetails.resource |
service.action.kubernetesPermissionCheckedDetails.verb |
service.action.kubernetesRoleBindingDetails.kind |
service.action.kubernetesRoleBindingDetails.name |
service.action.kubernetesRoleBindingDetails.roleRefKind |
service.action.kubernetesRoleBindingDetails.roleRefName |
service.action.kubernetesRoleBindingDetails.uid |
service.action.kubernetesRoleDetails.kind |
service.action.kubernetesRoleDetails.name |
service.action.kubernetesRoleDetails.uid |
service.action.networkConnectionAction.localNetworkInterface |
service.action.networkConnectionAction.localPortDetails.portName |
service.action.networkConnectionAction.remoteIpDetails.country.countryCode |
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat |
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon |
service.action.networkConnectionAction.remoteIpDetails.organization.isp |
service.action.networkConnectionAction.remoteIpDetails.organization.org |
service.action.networkConnectionAction.remotePortDetails.portName |
service.action.portProbeAction.blocked |
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4 |
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6 |
service.action.portProbeAction.portProbeDetails.localPortDetails.port |
service.action.portProbeAction.portProbeDetails.localPortDetails.portName |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4 |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6 |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp |
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org |
service.action.rdsLoginAttemptAction.loginAttributes.application |
service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts |
service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts |
service.action.rdsLoginAttemptAction.loginAttributes.user |
service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName |
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode |
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName |
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat |
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon |
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4 |
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6 |
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn |
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg |
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp |
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org |
service.additionalInfo.agentDetails.agentId |
service.additionalInfo.agentDetails.agentVersion |
service.additionalInfo.anomalies.anomalousAPIs |
service.additionalInfo.authenticationMethod |
service.additionalInfo.averagePacketSizeIn |
service.additionalInfo.averagePacketSizeOut |
service.additionalInfo.context |
service.additionalInfo.domain |
service.additionalInfo.inBytes |
service.additionalInfo.localNetworkInterfaceOwner |
service.additionalInfo.localPort |
service.additionalInfo.outBytes |
service.additionalInfo.packetsIn |
service.additionalInfo.packetsOut |
service.additionalInfo.policyArn |
service.additionalInfo.policyName |
service.additionalInfo.remotePort |
service.additionalInfo.sample |
service.additionalInfo.scannedPort |
service.additionalInfo.threatFileSha256 |
service.additionalInfo.threatName |
service.additionalInfo.totalBytesIn |
service.additionalInfo.totalBytesOut |
service.additionalInfo.type |
service.additionalInfo.unusual.asnOrg |
service.additionalInfo.unusual.port |
service.additionalInfo.unusualProtocol |
service.additionalInfo.userAgent.fullUserAgent |
service.additionalInfo.userAgent.userAgentCategory |
service.additionalInfo.value |
service.additionalInfo.vpcOwnerAccountId |
service.count |
service.detection.sequence.actors.id |
service.detection.sequence.actors.process.name |
service.detection.sequence.actors.process.path |
service.detection.sequence.actors.process.sha256 |
service.detection.sequence.actors.session.createdTime |
service.detection.sequence.actors.session.issuer |
service.detection.sequence.actors.session.mfaStatus |
service.detection.sequence.actors.session.uid |
service.detection.sequence.actors.user.account.account |
service.detection.sequence.actors.user.account.uid |
service.detection.sequence.actors.user.credentialUid |
service.detection.sequence.actors.user.name |
service.detection.sequence.actors.user.type |
service.detection.sequence.actors.user.uid |
service.detection.sequence.additionalSequenceTypes |
service.detection.sequence.description |
service.detection.sequence.endpoints.autonomousSystem.name |
service.detection.sequence.endpoints.autonomousSystem.number |
service.detection.sequence.endpoints.connection.direction |
service.detection.sequence.endpoints.domain |
service.detection.sequence.endpoints.id |
service.detection.sequence.endpoints.ip |
service.detection.sequence.endpoints.location.city |
service.detection.sequence.endpoints.location.country |
service.detection.sequence.endpoints.location.lat |
service.detection.sequence.endpoints.location.lon |
service.detection.sequence.endpoints.port |
service.detection.sequence.resources.accountId |
service.detection.sequence.resources.cloudPartition |
service.detection.sequence.resources.data.accessKey.principalId |
service.detection.sequence.resources.data.accessKey.userName |
service.detection.sequence.resources.data.accessKey.userType |
service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids |
service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids |
service.detection.sequence.resources.data.container.image |
service.detection.sequence.resources.data.container.imageUid |
service.detection.sequence.resources.data.ec2Image.ec2InstanceUids |
service.detection.sequence.resources.data.ec2Instance.availabilityZone |
service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids |
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn |
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id |
service.detection.sequence.resources.data.ec2Instance.imageDescription |
service.detection.sequence.resources.data.ec2Instance.instanceState |
service.detection.sequence.resources.data.ec2Instance.instanceType |
service.detection.sequence.resources.data.ec2Instance.outpostArn |
service.detection.sequence.resources.data.ec2Instance.platform |
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId |
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType |
service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids |
service.detection.sequence.resources.data.ec2LaunchTemplate.version |
service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses |
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName |
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress |
service.detection.sequence.resources.data.ec2NetworkInterface.publicIp |
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId |
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName |
service.detection.sequence.resources.data.ec2NetworkInterface.subNetId |
service.detection.sequence.resources.data.ec2NetworkInterface.vpcId |
service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids |
service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids |
service.detection.sequence.resources.data.ecsCluster.status |
service.detection.sequence.resources.data.ecsTask.containerUids |
service.detection.sequence.resources.data.ecsTask.createdAt |
service.detection.sequence.resources.data.ecsTask.launchType |
service.detection.sequence.resources.data.ecsTask.taskDefinitionArn |
service.detection.sequence.resources.data.eksCluster.arn |
service.detection.sequence.resources.data.eksCluster.createdAt |
service.detection.sequence.resources.data.eksCluster.ec2InstanceUids |
service.detection.sequence.resources.data.eksCluster.status |
service.detection.sequence.resources.data.eksCluster.vpcId |
service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids |
service.detection.sequence.resources.data.iamInstanceProfile.id |
service.detection.sequence.resources.data.kubernetesWorkload.containerUids |
service.detection.sequence.resources.data.kubernetesWorkload.namespace |
service.detection.sequence.resources.data.kubernetesWorkload.type |
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess |
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior |
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior |
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess |
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess |
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior |
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior |
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess |
service.detection.sequence.resources.data.s3Bucket.createdAt |
service.detection.sequence.resources.data.s3Bucket.effectivePermission |
service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn |
service.detection.sequence.resources.data.s3Bucket.encryptionType |
service.detection.sequence.resources.data.s3Bucket.ownerId |
service.detection.sequence.resources.data.s3Bucket.publicReadAccess |
service.detection.sequence.resources.data.s3Bucket.publicWriteAccess |
service.detection.sequence.resources.data.s3Bucket.s3ObjectUids |
service.detection.sequence.resources.data.s3Object.eTag |
service.detection.sequence.resources.data.s3Object.key |
service.detection.sequence.resources.data.s3Object.versionId |
service.detection.sequence.resources.name |
service.detection.sequence.resources.region |
service.detection.sequence.resources.resourceType |
service.detection.sequence.resources.service |
service.detection.sequence.resources.tags.key |
service.detection.sequence.resources.tags.value |
service.detection.sequence.resources.uid |
service.detection.sequence.sequenceIndicators.key |
service.detection.sequence.sequenceIndicators.title |
service.detection.sequence.sequenceIndicators.values |
service.detection.sequence.signals.actorIds |
service.detection.sequence.signals.count |
service.detection.sequence.signals.createdAt |
service.detection.sequence.signals.description |
service.detection.sequence.signals.endpointIds |
service.detection.sequence.signals.firstSeenAt |
service.detection.sequence.signals.lastSeenAt |
service.detection.sequence.signals.name |
service.detection.sequence.signals.resourceUids |
service.detection.sequence.signals.severity |
service.detection.sequence.signals.signalIndicators.key |
service.detection.sequence.signals.signalIndicators.title |
service.detection.sequence.signals.signalIndicators.values |
service.detection.sequence.signals.type |
service.detection.sequence.signals.uid |
service.detection.sequence.signals.updatedAt |
service.detection.sequence.uid |
service.detectorId |
service.ebsVolumeScanDetails.scanCompletedAt |
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count |
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity |
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName |
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files |
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb |
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount |
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount |
service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files |
service.ebsVolumeScanDetails.scanStartedAt |
service.ebsVolumeScanDetails.scanType |
service.ebsVolumeScanDetails.sources |
service.eventFirstSeen |
service.eventLastSeen |
service.malwareScanDetails.scanCategory |
service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn |
service.malwareScanDetails.scanConfiguration.triggerType |
service.malwareScanDetails.threats.count |
service.malwareScanDetails.threats.hash |
service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName |
service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId |
service.malwareScanDetails.threats.itemDetails.hash |
service.malwareScanDetails.threats.itemDetails.itemPath |
service.malwareScanDetails.threats.itemDetails.resourceArn |
service.malwareScanDetails.threats.itemPaths.hash |
service.malwareScanDetails.threats.itemPaths.nestedItemPath |
service.malwareScanDetails.threats.source |
service.malwareScanDetails.uniqueThreatCount |
service.runtimeDetails.context.addressFamily |
service.runtimeDetails.context.commandLineExample |
service.runtimeDetails.context.fileSystemType |
service.runtimeDetails.context.flags |
service.runtimeDetails.context.ianaProtocolNumber |
service.runtimeDetails.context.ldPreloadValue |
service.runtimeDetails.context.libraryPath |
service.runtimeDetails.context.memoryRegions |
service.runtimeDetails.context.modifiedAt |
service.runtimeDetails.context.modifyingProcess.euid |
service.runtimeDetails.context.modifyingProcess.executablePath |
service.runtimeDetails.context.modifyingProcess.executableSha256 |
service.runtimeDetails.context.modifyingProcess.lineage.euid |
service.runtimeDetails.context.modifyingProcess.lineage.executablePath |
service.runtimeDetails.context.modifyingProcess.lineage.name |
service.runtimeDetails.context.modifyingProcess.lineage.namespacePid |
service.runtimeDetails.context.modifyingProcess.lineage.parentUuid |
service.runtimeDetails.context.modifyingProcess.lineage.pid |
service.runtimeDetails.context.modifyingProcess.lineage.startTime |
service.runtimeDetails.context.modifyingProcess.lineage.userId |
service.runtimeDetails.context.modifyingProcess.lineage.uuid |
service.runtimeDetails.context.modifyingProcess.name |
service.runtimeDetails.context.modifyingProcess.namespacePid |
service.runtimeDetails.context.modifyingProcess.parentUuid |
service.runtimeDetails.context.modifyingProcess.pid |
service.runtimeDetails.context.modifyingProcess.pwd |
service.runtimeDetails.context.modifyingProcess.startTime |
service.runtimeDetails.context.modifyingProcess.user |
service.runtimeDetails.context.modifyingProcess.userId |
service.runtimeDetails.context.modifyingProcess.uuid |
service.runtimeDetails.context.mountSource |
service.runtimeDetails.context.mountTarget |
service.runtimeDetails.context.relatedFilePaths |
service.runtimeDetails.context.releaseAgentPath |
service.runtimeDetails.context.runcBinaryPath |
service.runtimeDetails.context.scriptPath |
service.runtimeDetails.context.serviceName |
service.runtimeDetails.context.shellHistoryFilePath |
service.runtimeDetails.context.socketPath |
service.runtimeDetails.context.targetProcess.euid |
service.runtimeDetails.context.targetProcess.executablePath |
service.runtimeDetails.context.targetProcess.executableSha256 |
service.runtimeDetails.context.targetProcess.lineage.euid |
service.runtimeDetails.context.targetProcess.lineage.executablePath |
service.runtimeDetails.context.targetProcess.lineage.name |
service.runtimeDetails.context.targetProcess.lineage.namespacePid |
service.runtimeDetails.context.targetProcess.lineage.parentUuid |
service.runtimeDetails.context.targetProcess.lineage.pid |
service.runtimeDetails.context.targetProcess.lineage.startTime |
service.runtimeDetails.context.targetProcess.lineage.userId |
service.runtimeDetails.context.targetProcess.lineage.uuid |
service.runtimeDetails.context.targetProcess.name |
service.runtimeDetails.context.targetProcess.namespacePid |
service.runtimeDetails.context.targetProcess.parentUuid |
service.runtimeDetails.context.targetProcess.pid |
service.runtimeDetails.context.targetProcess.pwd |
service.runtimeDetails.context.targetProcess.startTime |
service.runtimeDetails.context.targetProcess.user |
service.runtimeDetails.context.targetProcess.userId |
service.runtimeDetails.context.targetProcess.uuid |
service.runtimeDetails.context.threatFilePath |
service.runtimeDetails.context.toolCategory |
service.runtimeDetails.context.toolName |
service.runtimeDetails.process.euid |
service.runtimeDetails.process.lineage.euid |
service.runtimeDetails.process.lineage.executablePath |
service.runtimeDetails.process.lineage.name |
service.runtimeDetails.process.lineage.namespacePid |
service.runtimeDetails.process.lineage.parentUuid |
service.runtimeDetails.process.lineage.pid |
service.runtimeDetails.process.lineage.startTime |
service.runtimeDetails.process.lineage.userId |
service.runtimeDetails.process.lineage.uuid |
service.runtimeDetails.process.namespacePid |
service.runtimeDetails.process.parentUuid |
service.runtimeDetails.process.pid |
service.runtimeDetails.process.pwd |
service.runtimeDetails.process.startTime |
service.runtimeDetails.process.user |
service.runtimeDetails.process.userId |
service.runtimeDetails.process.uuid |
service.userFeedback |