US75367 - filter out everything expect GD Finding cwe detail type

alertlogic · Feb 28, 2018 · 60a58ec · 60a58ec
1 parent e33585c
commit 60a58ec
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 5 deletions.
diff --git a/cfn/guardduty.template b/cfn/guardduty.template
@@ -939,6 +939,9 @@
             "EventPattern":{
                "source":[
                   "aws.guardduty"
+               ],
+               "detail-type":[
+                  "GuardDuty Finding"
                ]
             },
             "ScheduleExpression":"",
@@ -1134,7 +1137,7 @@
                                    ]
                                 },
                                 "\", \"CloudWatchEventsRule\": \"", { "Ref": "CloudWatchEventsRule" },
-                                "\", \"CweRulePattern\": \"{\\\"source\\\":[\\\"aws.guardduty\\\"]}\"",
+                                "\", \"CweRulePattern\": \"{\\\"source\\\":[\\\"aws.guardduty\\\"], \\\"detail-type\\\":[\\\"GuardDuty Finding\\\"]}\"",
                                 "}"
                             ]
                         ]

diff --git a/index.js b/index.js
@@ -74,7 +74,9 @@ function getKinesisData(event, callback) {
 function filterGDEvents(cwEvents, callback) {
     async.filter(cwEvents,
         function(cwEvent, filterCallback){
-            if (cwEvent.source && cwEvent.source === 'aws.guardduty') {
+            if ((cwEvent.source && 
+                 cwEvent.source === 'aws.guardduty' &&
+                 cwEvent['detail-type'] === 'GuardDuty Finding')) {
                 debug(`DEBUG0002: filterGDEvents - including event: ` +
                     `${JSON.stringify(cwEvent)} `);
             } else {

diff --git a/test/cwe_mock.js b/test/cwe_mock.js
@@ -25,7 +25,7 @@ const CHECKIN_TEST_EVENT = {
     'StackName' : STACK_NAME,
     'CloudWatchEventsRule' : CWE_RULE_NAME,
     'KinesisArn' : KINESIS_ARN,
-    'CweRulePattern' : '{\"source\":[\"aws.guardduty\"]}'
+    'CweRulePattern' : '{\"source\":[\"aws.guardduty\"], \"detail-type\":[\"GuardDuty Finding\"]}'
 };
 
 const DEFAULT_LAMBDA_CONTEXT = {
@@ -134,6 +134,43 @@ const GD_OTHER_KINESIS_TEST_EVENT = {
   ]
 };
 
+const NON_GD_OTHER_KINESIS_TEST_EVENT = {
+  'Records': [
+    {
+      'kinesis': {
+        'kinesisSchemaVersion': '1.0',
+        'partitionKey': '52badd7d-edd6-ac34-b543-393e309cb977_dee8b923-1314-47b0-b820-68030eaf93e3',
+        'sequenceNumber': '49577651119794799532435452775356657619317529872846290946',
+        'data': 'eyJjb2xsZWN0ZWRfYmF0Y2giOnsic291cmNlX2lkIjoidGVzdDphcm4iLCJjb2xsZWN0ZWRfbWVzc2FnZXMiOlt7InZlcnNpb24iOiIwIiwiaWQiOiI1MmJhZGQ3ZC1lZGQ2LWFjMzQtYjU0My0zOTNlMzA5Y2I5NzciLCJkZXRhaWwtdHlwZSI6Ikd1YXJkRHV0eSBGaW5kaW5nIiwic291cmNlIjoiYXdzLmd1YXJkZHV0eSIsImFjY291bnQiOiIzNTIyODM4OTQwMDgiLCJ0aW1lIjoiMTk3MC0wMS0wMVQwMDowMDowMFoiLCJyZWdpb24iOiJ1cy1lYXN0LTEiLCJyZXNvdXJjZXMiOltdLCJkZXRhaWwiOnsic2NoZW1hVmVyc2lvbiI6IjIuMCIsImFjY291bnRJZCI6IjM1MjI4Mzg5NDAwOCIsInJlZ2lvbiI6InVzLWVhc3QtMSIsInBhcnRpdGlvbiI6ImF3cyIsImlkIjoiM2FhZjgzZGRkOWMzMTQwNTI0NmZhMWM2MmUzZTAzNGQiLCJhcm4iOiJhcm46YXdzOmd1YXJkZHV0eTp1cy1lYXN0LTE6MzUyMjgzODk0MDA4OmRldGVjdG9yLzA0YWY1MWQxMDFjOGM1YmNhZTNhOTI1NjBjNzAxMGNlL2ZpbmRpbmcvM2FhZjgzZGRkOWMzMTQwNTI0NmZhMWM2MmUzZTAzNGQiLCJ0eXBlIjoiVW5hdXRob3JpemVkQWNjZXNzOkVDMi9NYWxpY2lvdXNJUENhbGxlci5DdXN0b20iLCJyZXNvdXJjZSI6eyJyZXNvdXJjZVR5cGUiOiJJbnN0YW5jZSIsImluc3RhbmNlRGV0YWlscyI6eyJpbWFnZUlkIjoiYW1pLThhMWFlMmU3IiwiaW5zdGFuY2VJZCI6ImktMDk2MWUwYjNhZjhiM2VjMzkiLCJpbnN0YW5jZVR5cGUiOiJjNC5sYXJnZSIsImxhdW5jaFRpbWUiOjE1MDc2NTYwNjMwMDAsInByb2R1Y3RDb2RlcyI6W10sIm5ldHdvcmtJbnRlcmZhY2VzIjpbeyJpcHY2QWRkcmVzc2VzIjpbXSwicHJpdmF0ZUlwQWRkcmVzcyI6IjEwLjY2LjY2LjM5IiwicHJpdmF0ZUlwQWRkcmVzc2VzIjpbeyJwcml2YXRlSXBBZGRyZXNzIjoiMTAuNjYuNjYuMzkifV0sInN1Ym5ldElkIjoic3VibmV0LWMzOTZiOGNmIiwidnBjSWQiOiJ2cGMtYjVhOTZmY2QiLCJzZWN1cml0eUdyb3VwcyI6W3siZ3JvdXBOYW1lIjoiQWxlcnQgTG9naWMgU2VjdXJpdHkgR3JvdXAgMTM0MjMyODI4XzI4RDU5QjI3LUI1NDYtNEE0OC1BQTBBLTg4RkYxMzNDODEyNiIsImdyb3VwSWQiOiJzZy0yMTcxOGY1MyJ9XSwicHVibGljRG5zTmFtZSI6IiIsInB1YmxpY0lwIjoiMzQuMjA0LjE3Mi4xNjYifV0sInRhZ3MiOlt7ImtleSI6IkFsZXJ0TG9naWMtRW52aXJvbm1lbnRJRCIsInZhbHVlIjoiMjhENTlCMjctQjU0Ni00QTQ4LUFBMEEtODhGRjEzM0M4MTI2In0seyJrZXkiOiJOYW1lIiwidmFsdWUiOiJBbGVydExvZ2ljIFNlY3VyaXR5IEFwcGxpYW5jZSJ9LHsia2V5IjoiQWxlcnRMb2dpYyIsInZhbHVlIjoiU2VjdXJpdHkifSx7ImtleSI6ImF3czphdXRvc2NhbGluZzpncm91cE5hbWUiLCJ2YWx1ZSI6IkFsZXJ0IExvZ2ljIFNlY3VyaXR5IEF1dG8gU2NhbGluZyBHcm91cF8xMzQyMzI4MjhfMjhENTlCMjctQjU0Ni00QTQ4LUFBMEEtODhGRjEzM0M4MTI2X3ZwYy1iNWE5NmZjZCJ9LHsia2V5IjoiQWxlcnRMb2dpYy1BY2NvdW50SUQiLCJ2YWx1ZSI6IjEzNDIzMjgyOCJ9XSwiaW5zdGFuY2VTdGF0ZSI6InJ1bm5pbmciLCJhdmFpbGFiaWxpdHlab25lIjoidXMtZWFzdC0xZiJ9fSwic2VydmljZSI6eyJzZXJ2aWNlTmFtZSI6Imd1YXJkZHV0eSIsImRldGVjdG9ySWQiOiIwNGFmNTFkMTAxYzhjNWJjYWUzYTkyNTYwYzcwMTBjZSIsImFjdGlvbiI6eyJhY3Rpb25UeXBlIjoiTkVUV09SS19DT05ORUNUSU9OIiwibmV0d29ya0Nvbm5lY3Rpb25BY3Rpb24iOnsiY29ubmVjdGlvbkRpcmVjdGlvbiI6IlVOS05PV04iLCJyZW1vdGVJcERldGFpbHMiOnsiaXBBZGRyZXNzVjQiOiI3Ny43Mi44Mi44MCIsIm9yZ2FuaXphdGlvbiI6eyJhc24iOjQzMzUwLCJhc25PcmciOiJORm9yY2UgRW50ZXJ0YWlubWVudCBCLlYuIiwiaXNwIjoiTmV0VVAgTHRkLiIsIm9yZyI6Ik5ldFVQIEx0ZC4ifSwiY291bnRyeSI6eyJjb3VudHJ5Q29kZSI6IkdCIiwiY291bnRyeU5hbWUiOiJVbml0ZWQgS2luZ2RvbSJ9LCJjaXR5Ijp7ImNpdHlOYW1lIjoiU3Rva2Utb24tVHJlbnQifSwiZ2VvTG9jYXRpb24iOnsibGF0Ijo1MywibG9uIjotMi4xODMzfX0sInJlbW90ZVBvcnREZXRhaWxzIjp7InBvcnQiOjQ0NzA1LCJwb3J0TmFtZSI6IlVua25vd24ifSwibG9jYWxQb3J0RGV0YWlscyI6eyJwb3J0Ijo0NDg3LCJwb3J0TmFtZSI6IlVua25vd24ifSwicHJvdG9jb2wiOiJUQ1AiLCJibG9ja2VkIjp0cnVlfX0sInJlc291cmNlUm9sZSI6IlRBUkdFVCIsImFkZGl0aW9uYWxJbmZvIjp7InRocmVhdE5hbWUiOiJDdXN0b21lciBUaHJlYXQgSW50ZWwiLCJ0aHJlYXRMaXN0TmFtZSI6InRkb3NvdWRpbC1zZXpuYW0tY3oifSwiZXZlbnRGaXJzdFNlZW4iOiIyMDE3LTEwLTEwVDE5OjE4OjIwWiIsImV2ZW50TGFzdFNlZW4iOiIyMDE3LTEwLTExVDIzOjQ5OjA5WiIsImFyY2hpdmVkIjpmYWxzZSwiY291bnQiOjIwfSwic2V2ZXJpdHkiOjUsImNyZWF0ZWRBdCI6IjIwMTctMTAtMTBUMTk6MjE6MDIuNTk4WiIsInVwZGF0ZWRBdCI6IjIwMTctMTAtMTFUMjM6NTI6MTYuOTM1WiIsInRpdGxlIjoiRUMyIEluc3RhbmNlIGktMDk2MWUwYjNhZjhiM2VjMzkgY29tbXVuaWNhdGluZyBvdXRib3VuZCB3aXRoIGRpc2FsbG93ZWQgSVAgYWRkcmVzcy4iLCJkZXNjcmlwdGlvbiI6IkVDMiBJbnN0YW5jZSBpLTA5NjFlMGIzYWY4YjNlYzM5IGhhcyBiZWVuIGZvdW5kIGNvbW11bmljYXRpbmcgb3V0Ym91bmQgd2l0aCBkaXNhbGxvd2VkIElQIGFkZHJlc3MgNzcuNzIuODIuODAgcHJlc2VudCBpbiB0aGUgbGlzdCB0ZG9zb3VkaWwtc2V6bmFtLWN6LiJ9fV19fQo=',
+        'approximateArrivalTimestamp': 1507769764.013
+      },
+      'eventSource': 'aws:kinesis',
+      'eventVersion': '1.0',
+      'eventID': 'shardId-000000000000:49577651119794799532435452775356657619317529872846290946',
+      'eventName': 'aws:kinesis:record',
+      'invokeIdentityArn': 'arn:aws:iam::352283894008:role/kkuzmin-vpc-flow-role',
+      'awsRegion': 'us-east-1',
+      'eventSourceARN': 'arn:aws:kinesis:us-east-1:352283894008:stream/kkuzmin-gd-test'
+    },
+    {
+      'kinesis': {
+        'kinesisSchemaVersion': '1.0',
+        'partitionKey': '52badd7d-edd6-ac34-b543-393e309cb977_dee8b923-1314-47b0-b820-68030eaf93e3',
+        'sequenceNumber': '49577651119794799532435452775356657619317529872846290946',
+        'data': 'eyJjb2xsZWN0ZWRfYmF0Y2giOnsic291cmNlX2lkIjoidGVzdDphcm4iLCJjb2xsZWN0ZWRfbWVzc2FnZXMiOlt7InZlcnNpb24iOiIwIiwiaWQiOiI1MmJhZGQ3ZC1lZGQ2LWFjMzQtYjU0My0zOTNlMzA5Y2I5NzciLCJkZXRhaWwtdHlwZSI6Ikd1YXJkRHV0eSBGaW5kaW5nIiwic291cmNlIjoiYXdzLmd1YXJkZHV0eSIsImFjY291bnQiOiIzNTIyODM4OTQwMDgiLCJ0aW1lIjoiMTk3MC0wMS0wMVQwMDowMDowMFoiLCJyZWdpb24iOiJ1cy1lYXN0LTEiLCJyZXNvdXJjZXMiOltdLCJkZXRhaWwiOnsic2NoZW1hVmVyc2lvbiI6IjIuMCIsImFjY291bnRJZCI6IjM1MjI4Mzg5NDAwOCIsInJlZ2lvbiI6InVzLWVhc3QtMSIsInBhcnRpdGlvbiI6ImF3cyIsImlkIjoiM2FhZjgzZGRkOWMzMTQwNTI0NmZhMWM2MmUzZTAzNGQiLCJhcm4iOiJhcm46YXdzOmd1YXJkZHV0eTp1cy1lYXN0LTE6MzUyMjgzODk0MDA4OmRldGVjdG9yLzA0YWY1MWQxMDFjOGM1YmNhZTNhOTI1NjBjNzAxMGNlL2ZpbmRpbmcvM2FhZjgzZGRkOWMzMTQwNTI0NmZhMWM2MmUzZTAzNGQiLCJ0eXBlIjoiVW5hdXRob3JpemVkQWNjZXNzOkVDMi9NYWxpY2lvdXNJUENhbGxlci5DdXN0b20iLCJyZXNvdXJjZSI6eyJyZXNvdXJjZVR5cGUiOiJJbnN0YW5jZSIsImluc3RhbmNlRGV0YWlscyI6eyJpbWFnZUlkIjoiYW1pLThhMWFlMmU3IiwiaW5zdGFuY2VJZCI6ImktMDk2MWUwYjNhZjhiM2VjMzkiLCJpbnN0YW5jZVR5cGUiOiJjNC5sYXJnZSIsImxhdW5jaFRpbWUiOjE1MDc2NTYwNjMwMDAsInByb2R1Y3RDb2RlcyI6W10sIm5ldHdvcmtJbnRlcmZhY2VzIjpbeyJpcHY2QWRkcmVzc2VzIjpbXSwicHJpdmF0ZUlwQWRkcmVzcyI6IjEwLjY2LjY2LjM5IiwicHJpdmF0ZUlwQWRkcmVzc2VzIjpbeyJwcml2YXRlSXBBZGRyZXNzIjoiMTAuNjYuNjYuMzkifV0sInN1Ym5ldElkIjoic3VibmV0LWMzOTZiOGNmIiwidnBjSWQiOiJ2cGMtYjVhOTZmY2QiLCJzZWN1cml0eUdyb3VwcyI6W3siZ3JvdXBOYW1lIjoiQWxlcnQgTG9naWMgU2VjdXJpdHkgR3JvdXAgMTM0MjMyODI4XzI4RDU5QjI3LUI1NDYtNEE0OC1BQTBBLTg4RkYxMzNDODEyNiIsImdyb3VwSWQiOiJzZy0yMTcxOGY1MyJ9XSwicHVibGljRG5zTmFtZSI6IiIsInB1YmxpY0lwIjoiMzQuMjA0LjE3Mi4xNjYifV0sInRhZ3MiOlt7ImtleSI6IkFsZXJ0TG9naWMtRW52aXJvbm1lbnRJRCIsInZhbHVlIjoiMjhENTlCMjctQjU0Ni00QTQ4LUFBMEEtODhGRjEzM0M4MTI2In0seyJrZXkiOiJOYW1lIiwidmFsdWUiOiJBbGVydExvZ2ljIFNlY3VyaXR5IEFwcGxpYW5jZSJ9LHsia2V5IjoiQWxlcnRMb2dpYyIsInZhbHVlIjoiU2VjdXJpdHkifSx7ImtleSI6ImF3czphdXRvc2NhbGluZzpncm91cE5hbWUiLCJ2YWx1ZSI6IkFsZXJ0IExvZ2ljIFNlY3VyaXR5IEF1dG8gU2NhbGluZyBHcm91cF8xMzQyMzI4MjhfMjhENTlCMjctQjU0Ni00QTQ4LUFBMEEtODhGRjEzM0M4MTI2X3ZwYy1iNWE5NmZjZCJ9LHsia2V5IjoiQWxlcnRMb2dpYy1BY2NvdW50SUQiLCJ2YWx1ZSI6IjEzNDIzMjgyOCJ9XSwiaW5zdGFuY2VTdGF0ZSI6InJ1bm5pbmciLCJhdmFpbGFiaWxpdHlab25lIjoidXMtZWFzdC0xZiJ9fSwic2VydmljZSI6eyJzZXJ2aWNlTmFtZSI6Imd1YXJkZHV0eSIsImRldGVjdG9ySWQiOiIwNGFmNTFkMTAxYzhjNWJjYWUzYTkyNTYwYzcwMTBjZSIsImFjdGlvbiI6eyJhY3Rpb25UeXBlIjoiTkVUV09SS19DT05ORUNUSU9OIiwibmV0d29ya0Nvbm5lY3Rpb25BY3Rpb24iOnsiY29ubmVjdGlvbkRpcmVjdGlvbiI6IlVOS05PV04iLCJyZW1vdGVJcERldGFpbHMiOnsiaXBBZGRyZXNzVjQiOiI3Ny43Mi44Mi44MCIsIm9yZ2FuaXphdGlvbiI6eyJhc24iOjQzMzUwLCJhc25PcmciOiJORm9yY2UgRW50ZXJ0YWlubWVudCBCLlYuIiwiaXNwIjoiTmV0VVAgTHRkLiIsIm9yZyI6Ik5ldFVQIEx0ZC4ifSwiY291bnRyeSI6eyJjb3VudHJ5Q29kZSI6IkdCIiwiY291bnRyeU5hbWUiOiJVbml0ZWQgS2luZ2RvbSJ9LCJjaXR5Ijp7ImNpdHlOYW1lIjoiU3Rva2Utb24tVHJlbnQifSwiZ2VvTG9jYXRpb24iOnsibGF0Ijo1MywibG9uIjotMi4xODMzfX0sInJlbW90ZVBvcnREZXRhaWxzIjp7InBvcnQiOjQ0NzA1LCJwb3J0TmFtZSI6IlVua25vd24ifSwibG9jYWxQb3J0RGV0YWlscyI6eyJwb3J0Ijo0NDg3LCJwb3J0TmFtZSI6IlVua25vd24ifSwicHJvdG9jb2wiOiJUQ1AiLCJibG9ja2VkIjp0cnVlfX0sInJlc291cmNlUm9sZSI6IlRBUkdFVCIsImFkZGl0aW9uYWxJbmZvIjp7InRocmVhdE5hbWUiOiJDdXN0b21lciBUaHJlYXQgSW50ZWwiLCJ0aHJlYXRMaXN0TmFtZSI6InRkb3NvdWRpbC1zZXpuYW0tY3oifSwiZXZlbnRGaXJzdFNlZW4iOiIyMDE3LTEwLTEwVDE5OjE4OjIwWiIsImV2ZW50TGFzdFNlZW4iOiIyMDE3LTEwLTExVDIzOjQ5OjA5WiIsImFyY2hpdmVkIjpmYWxzZSwiY291bnQiOjIwfSwic2V2ZXJpdHkiOjUsImNyZWF0ZWRBdCI6IjIwMTctMTAtMTBUMTk6MjE6MDIuNTk4WiIsInVwZGF0ZWRBdCI6IjIwMTctMTAtMTFUMjM6NTI6MTYuOTM1WiIsInRpdGxlIjoiRUMyIEluc3RhbmNlIGktMDk2MWUwYjNhZjhiM2VjMzkgY29tbXVuaWNhdGluZyBvdXRib3VuZCB3aXRoIGRpc2FsbG93ZWQgSVAgYWRkcmVzcy4iLCJkZXNjcmlwdGlvbiI6IkVDMiBJbnN0YW5jZSBpLTA5NjFlMGIzYWY4YjNlYzM5IGhhcyBiZWVuIGZvdW5kIGNvbW11bmljYXRpbmcgb3V0Ym91bmQgd2l0aCBkaXNhbGxvd2VkIElQIGFkZHJlc3MgNzcuNzIuODIuODAgcHJlc2VudCBpbiB0aGUgbGlzdCB0ZG9zb3VkaWwtc2V6bmFtLWN6LiJ9fV19fQo=',
+        'approximateArrivalTimestamp': 1507769764.013
+      },
+      'eventSource': 'aws:kinesis',
+      'eventVersion': '1.0',
+      'eventID': 'shardId-000000000000:49577651119794799532435452775356657619317529872846290946',
+      'eventName': 'aws:kinesis:record',
+      'invokeIdentityArn': 'arn:aws:iam::352283894008:role/kkuzmin-vpc-flow-role',
+      'awsRegion': 'us-east-1',
+      'eventSourceARN': 'arn:aws:kinesis:us-east-1:352283894008:stream/kkuzmin-gd-test'
+    }
+  ]
+};
+
 const NO_GD_KINESIS_TEST_EVENT = {
   'Records': [
     {
@@ -343,7 +380,7 @@ const CF_DESCRIBE_STACKS_RESPONSE = {
 const CWE_DESCRIBE_RULE = {
   'Name': CWE_RULE_NAME,
   'Arn': CWE_RULE_ARN,
-  'EventPattern': '{\"source\":[\"aws.guardduty\"]}',
+  'EventPattern': '{\"source\":[\"aws.guardduty\"], \"detail-type\":[\"GuardDuty Finding\"]}',
   'State': 'ENABLED',
   'Description': 'CloudWatch events rule for Guard Duty events'
 };
@@ -416,6 +453,7 @@ module.exports = {
     REGISTRATION_TEST_EVENT : REGISTRATION_TEST_EVENT,
     GD_ONLY_KINESIS_TEST_EVENT : GD_ONLY_KINESIS_TEST_EVENT,
     GD_OTHER_KINESIS_TEST_EVENT : GD_OTHER_KINESIS_TEST_EVENT,
+    NON_GD_OTHER_KINESIS_TEST_EVENT : NON_GD_OTHER_KINESIS_TEST_EVENT,
     NO_GD_KINESIS_TEST_EVENT : NO_GD_KINESIS_TEST_EVENT,
     GD_MALFORMED_KINESIS_TEST_EVENT : GD_MALFORMED_KINESIS_TEST_EVENT,
     GD_EVENT : GD_EVENT,

diff --git a/test/cwe_test.js b/test/cwe_test.js
@@ -233,7 +233,7 @@ describe('CWE Unit Tests', function() {
             };
             rewireProcessKinesisRecords(cweMock.GD_ONLY_KINESIS_TEST_EVENT, context);
         });
-        
+
         it('waterfall flow error - getDecryptedCredentials()', function(done) {
             var context = {fail : (reason) => { if (reason === 'decryption_error') done(); } };
             rewireGetDecryptedCredentials = cweRewire.__set__(
@@ -456,6 +456,19 @@ describe('CWE Unit Tests', function() {
                 done();
             });
         });
+
+        it('Non-Guard Duty events filtering', function(done) {
+            var context = {
+                invokedFunctionArn : 'test:arn'
+            };
+            rewireFormatMessages(cweMock.NON_GD_OTHER_KINESIS_TEST_EVENT, context, function(formatError, collectedData) {
+                var expected = '';
+                assert.equal(formatError, null);
+                assert.equal(collectedData, expected);
+                done();
+            });
+        });
+
 
         it('Zero Guard Duty events filtering', function(done) {
             var context = {