feat: Add account ID to GuardDuty event notification (#187)

bruno · web-flow · commit e3452b424a0e · 2023-01-26T07:55:13.000-05:00
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -8,6 +8,7 @@ on:
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
+  TFLINT_VERSION: v0.44.1
 
 jobs:
   collectInputs:
@@ -21,7 +22,7 @@ jobs:
 
       - name: Get root directories
         id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
 
   preCommitMinVersions:
     name: Min TF pre-commit
@@ -36,24 +37,26 @@ jobs:
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v1.2.4
         with:
           directory: ${{ matrix.directory }}
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
 
   preCommitMaxVersion:
@@ -69,10 +72,12 @@ jobs:
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v1.2.4
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
+          install-hcledit: true
diff --git a/functions/events/guardduty_finding_high.json b/functions/events/guardduty_finding_high.json
@@ -5,6 +5,7 @@
     "id": "sample-id-2",
     "title": "SAMPLE Unprotected port on EC2 instance i-123123123 is being probed",
     "severity": 9,
+    "accountId": "123456789",
     "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.",
     "type": "Recon:EC2 PortProbeUnprotectedPort",
     "service": {
diff --git a/functions/events/guardduty_finding_low.json b/functions/events/guardduty_finding_low.json
@@ -5,6 +5,7 @@
     "id": "sample-id-2",
     "title": "SAMPLE Unprotected port on EC2 instance i-123123123 is being probed",
     "severity": 2,
+    "accountId": "123456789",
     "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.",
     "type": "Recon:EC2 PortProbeUnprotectedPort",
     "service": {
diff --git a/functions/events/guardduty_finding_medium.json b/functions/events/guardduty_finding_medium.json
@@ -5,6 +5,7 @@
     "id": "sample-id-2",
     "title": "SAMPLE Unprotected port on EC2 instance i-123123123 is being probed",
     "severity": 5,
+    "accountId": "123456789",
     "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.",
     "type": "Recon:EC2 PortProbeUnprotectedPort",
     "service": {
diff --git a/functions/messages/guardduty_finding.json b/functions/messages/guardduty_finding.json
@@ -8,7 +8,7 @@
       "MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e",
       "TopicArn": "arn:aws:sns:us-gov-east-1:123456789012:ExampleTopic",
       "Subject": "GuardDuty Finding",
-      "Message": "{\"detail-type\": \"GuardDuty Finding\",\"region\": \"us-gov-east-1\",\"detail\": {\"id\": \"sample-id-2\",\"title\": \"SAMPLE Unprotected port on EC2 instance i-123123123 is being probed\",\"severity\": 9,\"description\": \"EC2 instance has an unprotected port which is being probed by a known malicious host.\",\"type\": \"Recon:EC2 PortProbeUnprotectedPort\",\"service\": {\"eventFirstSeen\": \"2020-01-02T01:02:03Z\",\"eventLastSeen\": \"2020-01-03T01:02:03Z\",\"count\": 1234}}}",
+      "Message": "{\"detail-type\": \"GuardDuty Finding\",\"region\": \"us-gov-east-1\",\"detail\": {\"id\": \"sample-id-2\",\"title\": \"SAMPLE Unprotected port on EC2 instance i-123123123 is being probed\",\"severity\": 9,\"accountId\":\"123456789\",\"description\": \"EC2 instance has an unprotected port which is being probed by a known malicious host.\",\"type\": \"Recon:EC2 PortProbeUnprotectedPort\",\"service\": {\"eventFirstSeen\": \"2020-01-02T01:02:03Z\",\"eventLastSeen\": \"2020-01-03T01:02:03Z\",\"count\": 1234}}}",
       "Timestamp": "1970-01-01T00:00:00.000Z",
       "SignatureVersion": "1",
       "Signature": "EXAMPLE",
diff --git a/functions/mylambda.py b/functions/mylambda.py
@@ -1,9 +1,11 @@
 #!/usr/bin/python3.6
 # CUSTOM LAMBDA FUNCTION
 
-import urllib3
 import json
 import os
+
+import urllib3
+
 http = urllib3.PoolManager()
 
 
@@ -12,14 +14,16 @@ def lambda_handler(event, context):
     msg = {
         "channel": "#channel-name",
         "username": "Prometheus",
-        "text": event['Records'][0]['Sns']['Message'],
-        "icon_emoji": ""
+        "text": event["Records"][0]["Sns"]["Message"],
+        "icon_emoji": "",
     }
 
-    encoded_msg = json.dumps(msg).encode('utf-8')
-    resp = http.request('POST', url, body=encoded_msg)
-    print({
-        "message": event['Records'][0]['Sns']['Message'],
-        "status_code": resp.status,
-        "response": resp.data
-    })
+    encoded_msg = json.dumps(msg).encode("utf-8")
+    resp = http.request("POST", url, body=encoded_msg)
+    print(
+        {
+            "message": event["Records"][0]["Sns"]["Message"],
+            "status_code": resp.status,
+            "response": resp.data,
+        }
+    )
diff --git a/functions/notify_slack.py b/functions/notify_slack.py
@@ -176,6 +176,7 @@ def format_guardduty_finding(message: Dict[str, Any], region: str) -> Dict[str,
                 "short": True,
             },
             {"title": "Severity", "value": f"`{severity}`", "short": True},
+            {"title": "Account ID", "value": f"`{detail['accountId']}`", "short": True},
             {
                 "title": "Count",
                 "value": f"`{service['count']}`",
diff --git a/functions/snapshots/snap_notify_slack_test.py b/functions/snapshots/snap_notify_slack_test.py
@@ -4,7 +4,6 @@
 
 from snapshottest import Snapshot
 
-
 snapshots = Snapshot()
 
 snapshots[
@@ -121,6 +120,7 @@
                         "value": "`2020-01-03T01:02:03Z`",
                     },
                     {"short": True, "title": "Severity", "value": "`High`"},
+                    {"short": True, "title": "Account ID", "value": "`123456789`"},
                     {"short": True, "title": "Count", "value": "`1234`"},
                     {
                         "short": False,
@@ -167,6 +167,7 @@
                         "value": "`2020-01-03T01:02:03Z`",
                     },
                     {"short": True, "title": "Severity", "value": "`Low`"},
+                    {"short": True, "title": "Account ID", "value": "`123456789`"},
                     {"short": True, "title": "Count", "value": "`1234`"},
                     {
                         "short": False,
@@ -213,6 +214,7 @@
                         "value": "`2020-01-03T01:02:03Z`",
                     },
                     {"short": True, "title": "Severity", "value": "`Medium`"},
+                    {"short": True, "title": "Account ID", "value": "`123456789`"},
                     {"short": True, "title": "Count", "value": "`1234`"},
                     {
                         "short": False,
@@ -387,6 +389,7 @@
                         "value": "`2020-01-03T01:02:03Z`",
                     },
                     {"short": True, "title": "Severity", "value": "`High`"},
+                    {"short": True, "title": "Account ID", "value": "`123456789`"},
                     {"short": True, "title": "Count", "value": "`1234`"},
                     {
                         "short": False,

Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,7 @@ def format_guardduty_finding(message: Dict[str, Any], region: str) -> Dict[str,`
`176`	`176`	`"short": True,`
`177`	`177`	`},`
`178`	`178`	{"title": "Severity", "value": f"`{severity}`", "short": True},
	`179`	+ {"title": "Account ID", "value": f"`{detail['accountId']}`", "short": True},
`179`	`180`	`{`
`180`	`181`	`"title": "Count",`
`181`	`182`	"value": f"`{service['count']}`",