Michal Purzynski 2019-11-11 16:16:39 -08:00
Родитель 7a7b66a02c
Коммит e15d4afb1f
4 изменённых файлов: 23 добавлений и 66 удалений


@ -11,24 +11,16 @@ import json
import sys
import os
import socket
import time
from configlib import getConfig, OptionParser
from datetime import datetime
import pytz
from mozdef_util.utilities.toUTC import toUTC
from mozdef_util.utilities.logger import logger, initLogger
from mozdef_util.elasticsearch_client import (
ElasticsearchClient,
ElasticsearchBadServer,
ElasticsearchInvalidIndex,
ElasticsearchException,
)
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../"))
from mq.lib.plugins import sendEventToPlugins, registerPlugins
from mq.lib.sqs import connect_sqs
from esworker_sns_sqs import taskConsumer
from mq.lib.plugins import sendEventToPlugins
from mq.lib.sqs import connect_sqs
from mozdef_util.elasticsearch_client import ElasticsearchClient
# running under uwsgi?
@ -79,7 +71,6 @@ class GDtaskConsumer(taskConsumer):
def on_message(self, message_raw):
if "Message" in message_raw:
event = {}
message = json.loads(message_raw["Message"])
if "details" in message:
if "finding" in message["details"]:


@ -53,7 +53,7 @@ class taskConsumer(object):
def run(self):
while True:
try:
records = self.sqs_queue.receive_messages(MaxNumberOfMessages=options.prefetch)
records = self.sqs_queue.receive_messages(MaxNumberOfMessages=self.options.prefetch)
for msg in records:
msg_body = msg.body
try:
@ -66,7 +66,7 @@ class taskConsumer(object):
logger.error("Invalid message, not JSON <dropping message and continuing>: %r" % msg_body)
msg.delete()
continue
time.sleep(options.sleep_time)
time.sleep(self.options.sleep_time)
except (SSLEOFError, SSLError, socket.error):
logger.info("Received network related error...reconnecting")
time.sleep(5)
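Review bot: `self.options.prefetch` is passed straight through as `MaxNumberOfMessages`, which SQS only accepts in the range 1–10; a configuration value outside that range makes `receive_messages` raise an API error that the `except (SSLEOFError, SSLError, socket.error)` clause does not catch, so it escapes the `while True` loop instead of being retried. Validate it once where `self.options` is populated (outside this hunk) or clamp at the call site, `MaxNumberOfMessages=max(1, min(10, int(self.options.prefetch)))`. The same applies to `self.options.sleep_time`, which `time.sleep` rejects when negative. The inner `try` body of `run` and the end of the except clause lie outside the hunk.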


@ -3,12 +3,11 @@
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
from mozdef_util.utilities.key_exists import key_exists
from mozdef_util.utilities.toUTC import toUTC
from mozdef_util.utilities.dot_dict import DotDict
import os
import yaml
import jmespath
from mozdef_util.utilities.toUTC import toUTC
from platform import node
class message(object):
@ -82,10 +81,12 @@ class message(object):
newmessage["details"][date_key] = toUTC(newmessage["details"][date_key]).isoformat()
# Handle some special cases
# Propagate domain
if "miscinfo" in newmessage["details"]:
if "domain" in newmessage["details"]["miscinfo"]:
newmessage["details"]["query"] = newmessage["details"]["miscinfo"]["domain"]
# Flatten tags
if "tags" in newmessage["details"]:
newmessage["details"]["awstags"] = []
@ -93,16 +94,15 @@ class message(object):
for k, v in tagkve.items():
newmessage["details"]["awstags"].append(v.lower())
del newmessage["details"]["tags"]
# Find something that remotely resembles an FQDN
if "publicdnsname" in newmessage["details"]:
newmessage["hostname"] = newmessage["details"]["publicdnsname"]
elif "privatednsname" in newmessage["details"]:
newmessage["hostname"] = newmessage["details"]["privatednsname"]
# Flip IP addresses in we are the source of attacks
if (
newmessage["details"]["finding"] == "UnauthorizedAccess:EC2/RDPBruteForce"
or newmessage["details"]["finding"] == "UnauthorizedAccess:EC2/SSHBruteForce"
):
if (newmessage["details"]["finding"] == "UnauthorizedAccess:EC2/RDPBruteForce" or newmessage["details"]["finding"] == "UnauthorizedAccess:EC2/SSHBruteForce"):
if newmessage["details"]["direction"] == "OUTBOUND":
# could be more optimized here but need to be careful
truedstip = "0.0.0.0"
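Review bot: The joined condition `if (newmessage["details"]["finding"] == "UnauthorizedAccess:EC2/RDPBruteForce" or ... == "UnauthorizedAccess:EC2/SSHBruteForce"):` and the `newmessage["details"]["direction"]` lookup beneath it index `details` directly, while every other field in this hunk (`miscinfo`, `tags`, `publicdnsname`) is guarded with `in`; a normalized event that lacks either key raises KeyError out of the plugin. Rewriting it as `finding = newmessage["details"].get("finding")` followed by `if finding in ("UnauthorizedAccess:EC2/RDPBruteForce", "UnauthorizedAccess:EC2/SSHBruteForce") and newmessage["details"].get("direction") == "OUTBOUND":` keeps the guard style consistent and also shortens the line the commit joined. The comment above it, `# Flip IP addresses in we are the source of attacks`, should read `# Flip IP addresses if we are the source of attacks`. The enclosing method starts before this hunk and continues after it.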


@ -1,7 +1,4 @@
import mock
from mozdef_util.utilities.toUTC import toUTC
from mq.plugins.guardDuty import message
@ -39,25 +36,6 @@ class TestGuardDuty(object):
# in = out - plugin didn't touch it
assert result == event
# @mock.patch("mq.plugins.guardDuty.node")
# def test_mozdefhostname_mock_string(self, mock_path):
# mock_path.return_value = "samplehostname"
# event = {"tags": ["pubsub"]}
# event = {
# "tags": ["pubsub"],
# "receivedtimestamp": "2019-09-25T23:51:33.962907335Z",
# "mozdefhostname": "samplehostname",
# }
# event["details"] = {
# "logName": "projects/mcd-001-252615/logs/cloudaudit.googleapis.com%2Fdata_access",
# "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog"},
# "timestamp": "2019-09-25T23:51:33.962907335Z",
# "utctimestamp": "2019-09-25T23:51:33.962907335Z",
# }
# plugin = message()
# result, metadata = plugin.onMessage(event, self.metadata)
# assert result["mozdefhostname"] == "samplehostname"
def verify_metadata(self, metadata):
assert metadata["index"] == "events"
@ -409,10 +387,7 @@ class TestGuardDuty(object):
assert result["category"] == "guardduty"
assert result["source"] == "guardduty"
assert result["details"]["findingid"] == "46b6ffa3921756ee908fc9f5e0d2ce9a"
assert (
result["details"]["arn"]
== "arn:aws:guardduty:us-west-2:692406183521:detector/90b4e5d7bef5a2adc076a62bd3d88c78/finding/46b6ffa3921756ee908fc9f5e0d2ce9a"
)
assert (result["details"]["arn"] == "arn:aws:guardduty:us-west-2:692406183521:detector/90b4e5d7bef5a2adc076a62bd3d88c78/finding/46b6ffa3921756ee908fc9f5e0d2ce9a")
assert result["details"]["awsaccountid"] == "692406183521"
assert result["details"]["awsregion"] == "us-west-2"
assert result["details"]["resourcetype"] == "Instance"
@ -422,10 +397,7 @@ class TestGuardDuty(object):
assert result["details"]["state"] == "running"
assert result["details"]["az"] == "us-west-2a"
assert result["details"]["imageid"] == "ami-036f90c73e6fd5387"
assert (
result["details"]["imagedesc"]
== "Gecko tester for Windows 10 64 bit; worker-type: gecko-t-win10-64-gpu-s, source: https://github.com/mozilla-releng/OpenCloudConfig/commit/c78696d, deploy: https://tools.taskcluster.net/tasks/RCdbVWvgR42rSHZIjzlL4A"
)
assert (result["details"]["imagedesc"] == "Gecko tester for Windows 10 64 bit; worker-type: gecko-t-win10-64-gpu-s, source: https://github.com/mozilla-releng/OpenCloudConfig/commit/c78696d, deploy: https://tools.taskcluster.net/tasks/RCdbVWvgR42rSHZIjzlL4A")
assert result["details"]["detectorid"] == "90b4e5d7bef5a2adc076a62bd3d88c78"
assert result["details"]["sourceipaddress"] == "185.209.0.81"
assert result["details"]["sourceport"] == 1239
@ -434,16 +406,13 @@ class TestGuardDuty(object):
def test_torinbound(self):
event = {'receivedtimestamp': '2019-10-25T00:26:17.948332+00:00', 'mozdefhostname': 'mozdefqa2.private.mdc1.mozilla.com', 'tags': ['gd2md-GuardDutyEventNormalization-5HTB8BEL5Y1Q-SqsOutput-1D5MQWALTYJ8P'], 'severity': 'INFO', 'source': 'guardduty', 'details': {'schemaVersion': '2.0', 'accountId': '371522382791', 'region': 'us-west-2', 'partition': 'aws', 'id': 'eeb6396cc2ac43cef0d3e77204f202ce', 'arn': 'arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/eeb6396cc2ac43cef0d3e77204f202ce', 'type': 'UnauthorizedAccess:EC2/TorIPCaller', 'resource': {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'launchTime': '2016-08-02T02:05:06Z', 'platform': None, 'productCodes': [{'productCodeId':'GeneratedFindingProductCodeId', 'productCodeType':'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'GeneratedFindingInstanceProfileArn', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId':'eni-bfcffe88', 'privateIpAddresses':[{'privateDnsName':'GeneratedFindingPrivateName', 'privateIpAddress':'10.0.0.1'}], 'subnetId':'GeneratedFindingSubnetId', 'vpcId':'GeneratedFindingVPCId', 'privateDnsName':'GeneratedFindingPrivateDnsName', 'securityGroups':[{'groupName':'GeneratedFindingSecurityGroupName', 'groupId':'GeneratedFindingSecurityId'}], 'publicIp':'198.51.100.0', 'ipv6Addresses':[], 'publicDnsName':'GeneratedFindingPublicDNSName', 'privateIpAddress':'10.0.0.1'}], 'tags': [{'value':'GeneratedFindingInstaceValue1', 'key':'GeneratedFindingInstaceTag1'}, {'value':'GeneratedFindingInstaceTagValue2', 'key':'GeneratedFindingInstaceTag2'}, {'value':'GeneratedFindingInstaceTagValue3', 'key':'GeneratedFindingInstaceTag3'}, {'value':'GeneratedFindingInstaceTagValue4', 'key':'GeneratedFindingInstaceTag4'}, {'value':'GeneratedFindingInstaceTagValue5', 'key':'GeneratedFindingInstaceTag5'}, {'value':'GeneratedFindingInstaceTagValue6', 
'key':'GeneratedFindingInstaceTag6'}, {'value':'GeneratedFindingInstaceTagValue7', 'key':'GeneratedFindingInstaceTag7'}, {'value':'GeneratedFindingInstaceTagValue8', 'key':'GeneratedFindingInstaceTag8'}, {'value':'GeneratedFindingInstaceTagValue9', 'key':'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}, 'severity': 5, 'createdAt': '2019-08-08T20:09:13.816Z', 'updatedAt': '2019-10-25T00:24:41.104Z', 'title': 'Tor Exit node is communicating with EC2 instance i-99999999.', 'description': 'IP address 198.51.100.0 on the Tor Anonymizing Proxy network is communicating with EC2 instance i-99999999.', 'finding': {'serviceName': 'guardduty', 'detectorId': '7ab01139c0b81403b3c8ec8e08cf939c', 'action': {'actionType': 'NETWORK_CONNECTION', 'networkConnectionAction': {'connectionDirection': 'INBOUND', 'remoteIpDetails': {'ipAddressV4': '198.51.100.0', 'organization': {'asn': '-1', 'asnOrg': 'GeneratedFindingASNOrg', 'isp': 'GeneratedFindingISP', 'org': 'GeneratedFindingORG'}, 'country': {'countryName': 'GeneratedFindingCountryName'}, 'city': {'cityName': 'GeneratedFindingCityName'}, 'geoLocation': {'lat': 0, 'lon': 0}}, 'remotePortDetails': {'port': 39677, 'portName': 'Unknown'}, 'localPortDetails': {'port': 80, 'portName': 'HTTP'}, 'protocol': 'TCP', 'blocked': False}}, 'resourceRole': 'TARGET', 'additionalInfo': {'sample': True}, 'evidence': {'threatIntelligenceDetails': [{'threatNames':['GeneratedFindingThreatName'], 'threatListName':'GeneratedFindingThreatListName'}]}, 'eventFirstSeen': '2019-08-08T20:09:13.816Z', 'eventLastSeen': '2019-10-25T00:24:41.104Z', 'archived': False, 'count': 21}, 'category': 'UnauthorizedAccess:EC2/TorIPCaller', 'tags': ['NETWORK_CONNECTION']}, 'hostname': 'i-99999999', 'summary': 'IP address 198.51.100.0 on the Tor Anonymizing Proxy network is communicating with EC2 instance 
i-99999999.', 'utctimestamp': '2019-10-25T00:26:17.227000+00:00', 'timestamp': '2019-10-25T00:26:17.227000+00:00'}
result, metadata = self.plugin.onMessage(event, self.metadata)
assert result["category"] == "guardduty"
assert result["source"] == "guardduty"
assert result["details"]["findingid"] == "eeb6396cc2ac43cef0d3e77204f202ce"
assert (
result["details"]["arn"]
== "arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/eeb6396cc2ac43cef0d3e77204f202ce"
)
assert result["details"]["arn"] == "arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/eeb6396cc2ac43cef0d3e77204f202ce"
assert result["details"]["awsaccountid"] == "371522382791"
assert result["details"]["awsregion"] == "us-west-2"
assert result["details"]["resourcetype"] == "Instance"
@ -457,7 +426,7 @@ class TestGuardDuty(object):
assert result["details"]["sourceport"] == 39677
assert result["details"]["destinationport"] == 80
assert result["details"]["proto"] == "TCP"
def test_toroutbound(self):
event = {'receivedtimestamp': '2019-10-25T00:26:19.073561+00:00', 'mozdefhostname': 'mozdefqa2.private.mdc1.mozilla.com', 'tags': ['gd2md-GuardDutyEventNormalization-5HTB8BEL5Y1Q-SqsOutput-1D5MQWALTYJ8P'], 'severity': 'INFO', 'source': 'guardduty', 'details': {'schemaVersion': '2.0', 'accountId': '371522382791', 'region': 'us-west-2', 'partition': 'aws', 'id': '02b6396cc2a94636186a4edd8defbca7', 'arn': 'arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/02b6396cc2a94636186a4edd8defbca7', 'type': 'UnauthorizedAccess:EC2/TorClient', 'resource': {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'launchTime': '2016-08-02T02:05:06Z', 'platform': None, 'productCodes': [{'productCodeId': 'GeneratedFindingProductCodeId', 'productCodeType': 'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'GeneratedFindingInstanceProfileArn', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId': 'eni-bfcffe88', 'privateIpAddresses': [{'privateDnsName': 'GeneratedFindingPrivateName', 'privateIpAddress': '10.0.0.1'}], 'subnetId': 'GeneratedFindingSubnetId', 'vpcId': 'GeneratedFindingVPCId', 'privateDnsName': 'GeneratedFindingPrivateDnsName', 'securityGroups': [{'groupName': 'GeneratedFindingSecurityGroupName', 'groupId': 'GeneratedFindingSecurityId'}], 'publicIp': '198.51.100.0', 'ipv6Addresses': [], 'publicDnsName': 'GeneratedFindingPublicDNSName', 'privateIpAddress': '10.0.0.1'}], 'tags': [{'value': 'GeneratedFindingInstaceValue1', 'key': 'GeneratedFindingInstaceTag1'}, {'value': 'GeneratedFindingInstaceTagValue2', 'key': 'GeneratedFindingInstaceTag2'}, {'value': 'GeneratedFindingInstaceTagValue3', 'key': 'GeneratedFindingInstaceTag3'}, {'value': 'GeneratedFindingInstaceTagValue4', 'key': 'GeneratedFindingInstaceTag4'}, {'value': 'GeneratedFindingInstaceTagValue5', 'key': 'GeneratedFindingInstaceTag5'}, {'value': 
'GeneratedFindingInstaceTagValue6', 'key': 'GeneratedFindingInstaceTag6'}, {'value': 'GeneratedFindingInstaceTagValue7', 'key': 'GeneratedFindingInstaceTag7'}, {'value': 'GeneratedFindingInstaceTagValue8', 'key': 'GeneratedFindingInstaceTag8'}, {'value': 'GeneratedFindingInstaceTagValue9', 'key': 'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}, 'severity': 8, 'createdAt': '2019-08-08T20:09:13.810Z', 'updatedAt': '2019-10-25T00:24:41.100Z', 'title': 'EC2 instance i-99999999 is communicating with Tor Entry node.', 'description': 'EC2 instance i-99999999 is communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network marked as an Entry node.', 'finding': {'serviceName': 'guardduty', 'detectorId': '7ab01139c0b81403b3c8ec8e08cf939c', 'action': {'actionType': 'NETWORK_CONNECTION', 'networkConnectionAction': {'connectionDirection': 'OUTBOUND', 'remoteIpDetails': {'ipAddressV4': '198.51.100.0', 'organization': {'asn': '-1', 'asnOrg': 'GeneratedFindingASNOrg', 'isp': 'GeneratedFindingISP', 'org': 'GeneratedFindingORG'}, 'country': {'countryName': 'GeneratedFindingCountryName'}, 'city': {'cityName': 'GeneratedFindingCityName'}, 'geoLocation': {'lat': 0, 'lon': 0}}, 'remotePortDetails': {'port': 80, 'portName': 'HTTP'}, 'localPortDetails': {'port': 39677, 'portName': 'Unknown'}, 'protocol': 'TCP', 'blocked': False}}, 'resourceRole': 'TARGET', 'additionalInfo': {'sample': True}, 'evidence': {'threatIntelligenceDetails': [{'threatNames': ['GeneratedFindingThreatName'], 'threatListName': 'GeneratedFindingThreatListName'}]}, 'eventFirstSeen': '2019-08-08T20:09:13.810Z', 'eventLastSeen': '2019-10-25T00:24:41.100Z', 'archived': False, 'count': 21}, 'category': 'UnauthorizedAccess:EC2/TorClient', 'tags': ['NETWORK_CONNECTION']}, 'hostname': 'i-99999999', 'summary': 'EC2 instance i-99999999 is 
communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network marked as an Entry node.', 'utctimestamp': '2019-10-25T00:26:17.833000+00:00', 'timestamp': '2019-10-25T00:26:17.833000+00:00'}
@ -480,7 +449,7 @@ class TestGuardDuty(object):
assert result["details"]["sourceport"] == 39677
assert result["details"]["destinationport"] == 80
assert result["details"]["proto"] == "TCP"
def test_ddossourcetcp(self):
event = {'receivedtimestamp': '2019-10-25T00:26:18.060811+00:00', 'mozdefhostname': 'mozdefqa2.private.mdc1.mozilla.com', 'tags': ['gd2md-GuardDutyEventNormalization-5HTB8BEL5Y1Q-SqsOutput-1D5MQWALTYJ8P'], 'severity': 'INFO', 'source': 'guardduty', 'details': {'schemaVersion': '2.0', 'accountId': '371522382791', 'region': 'us-west-2', 'partition': 'aws', 'id': 'aab6396cc2a592e634158c66b12fd416', 'arn': 'arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/aab6396cc2a592e634158c66b12fd416', 'type': 'Backdoor:EC2/DenialOfService.Tcp', 'resource': {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'launchTime': '2016-08-02T02:05:06Z', 'platform': None, 'productCodes': [{'productCodeId': 'GeneratedFindingProductCodeId', 'productCodeType': 'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'GeneratedFindingInstanceProfileArn', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId': 'eni-bfcffe88', 'privateIpAddresses': [{'privateDnsName': 'GeneratedFindingPrivateName', 'privateIpAddress': '10.0.0.1'}], 'subnetId': 'GeneratedFindingSubnetId', 'vpcId': 'GeneratedFindingVPCId', 'privateDnsName': 'GeneratedFindingPrivateDnsName', 'securityGroups': [{'groupName': 'GeneratedFindingSecurityGroupName', 'groupId': 'GeneratedFindingSecurityId'}], 'publicIp': '198.51.100.0', 'ipv6Addresses': [], 'publicDnsName': 'GeneratedFindingPublicDNSName', 'privateIpAddress': '10.0.0.1'}], 'tags': [{'value': 'GeneratedFindingInstaceValue1', 'key': 'GeneratedFindingInstaceTag1'}, {'value': 'GeneratedFindingInstaceTagValue2', 'key': 'GeneratedFindingInstaceTag2'}, {'value': 'GeneratedFindingInstaceTagValue3', 'key': 'GeneratedFindingInstaceTag3'}, {'value': 'GeneratedFindingInstaceTagValue4', 'key': 'GeneratedFindingInstaceTag4'}, {'value': 'GeneratedFindingInstaceTagValue5', 'key': 'GeneratedFindingInstaceTag5'}, {'value': 
'GeneratedFindingInstaceTagValue6', 'key': 'GeneratedFindingInstaceTag6'}, {'value': 'GeneratedFindingInstaceTagValue7', 'key': 'GeneratedFindingInstaceTag7'}, {'value': 'GeneratedFindingInstaceTagValue8', 'key': 'GeneratedFindingInstaceTag8'}, {'value': 'GeneratedFindingInstaceTagValue9', 'key': 'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}, 'severity': 8, 'createdAt': '2019-08-08T20:09:13.803Z', 'updatedAt': '2019-10-25T00:24:41.102Z', 'title': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using TCP protocol.', 'description': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using TCP protocol.', 'finding': {'serviceName': 'guardduty', 'detectorId': '7ab01139c0b81403b3c8ec8e08cf939c', 'action': {'actionType': 'NETWORK_CONNECTION', 'networkConnectionAction': {'connectionDirection': 'OUTBOUND', 'remoteIpDetails': {'ipAddressV4': '198.51.100.0', 'organization': {'asn': '-1', 'asnOrg': 'GeneratedFindingASNOrg', 'isp': 'GeneratedFindingISP', 'org': 'GeneratedFindingORG'}, 'country': {'countryName': 'GeneratedFindingCountryName'}, 'city': {'cityName': 'GeneratedFindingCityName'}, 'geoLocation': {'lat': 0, 'lon': 0}}, 'remotePortDetails': {'port': 80, 'portName': 'HTTP'}, 'localPortDetails': {'port': 24198, 'portName': 'Unknown'}, 'protocol': 'TCP', 'blocked': False}}, 'resourceRole': 'ACTOR', 'additionalInfo': {'sample': True}, 'eventFirstSeen': '2019-08-08T20:09:13.803Z', 'eventLastSeen': '2019-10-25T00:24:41.102Z', 'archived': False, 'count': 21}, 'category': 'Backdoor:EC2/DenialOfService.Tcp', 'tags': ['NETWORK_CONNECTION']}, 'hostname': 'i-99999999', 'summary': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being 
used to perform a Denial of Service (DoS) attack using TCP protocol.', 'utctimestamp': '2019-10-25T00:26:17.373000+00:00', 'timestamp': '2019-10-25T00:26:17.373000+00:00'}
@ -489,10 +458,7 @@ class TestGuardDuty(object):
assert result["category"] == "guardduty"
assert result["source"] == "guardduty"
assert result["details"]["findingid"] == "aab6396cc2a592e634158c66b12fd416"
assert (
result["details"]["arn"]
== "arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/aab6396cc2a592e634158c66b12fd416"
)
assert result["details"]["arn"] == "arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/aab6396cc2a592e634158c66b12fd416"
assert result["details"]["awsaccountid"] == "371522382791"
assert result["details"]["awsregion"] == "us-west-2"
assert result["details"]["resourcetype"] == "Instance"
@ -509,7 +475,7 @@ class TestGuardDuty(object):
def test_ddossourceudp(self):
event = {'receivedtimestamp': '2019-10-25T00:26:18.969774+00:00', 'mozdefhostname': 'mozdefqa2.private.mdc1.mozilla.com', 'tags': ['gd2md-GuardDutyEventNormalization-5HTB8BEL5Y1Q-SqsOutput-1D5MQWALTYJ8P'], 'severity': 'INFO', 'source': 'guardduty', 'details': {'schemaVersion': '2.0', 'accountId': '371522382791', 'region': 'us-west-2', 'partition': 'aws', 'id': '48b6396cc2a76dae622f5666274b6961', 'arn': 'arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/48b6396cc2a76dae622f5666274b6961', 'type': 'Backdoor:EC2/DenialOfService.Udp', 'resource': {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'launchTime': '2016-08-02T02:05:06Z', 'platform': None, 'productCodes': [{'productCodeId':'GeneratedFindingProductCodeId', 'productCodeType':'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'GeneratedFindingInstanceProfileArn', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId':'eni-bfcffe88', 'privateIpAddresses':[{'privateDnsName':'GeneratedFindingPrivateName', 'privateIpAddress':'10.0.0.1'}], 'subnetId':'GeneratedFindingSubnetId', 'vpcId':'GeneratedFindingVPCId', 'privateDnsName':'GeneratedFindingPrivateDnsName', 'securityGroups':[{'groupName':'GeneratedFindingSecurityGroupName', 'groupId':'GeneratedFindingSecurityId'}], 'publicIp':'198.51.100.0', 'ipv6Addresses':[], 'publicDnsName':'GeneratedFindingPublicDNSName', 'privateIpAddress':'10.0.0.1'}], 'tags': [{'value':'GeneratedFindingInstaceValue1', 'key':'GeneratedFindingInstaceTag1'}, {'value':'GeneratedFindingInstaceTagValue2', 'key':'GeneratedFindingInstaceTag2'}, {'value':'GeneratedFindingInstaceTagValue3', 'key':'GeneratedFindingInstaceTag3'}, {'value':'GeneratedFindingInstaceTagValue4', 'key':'GeneratedFindingInstaceTag4'}, {'value':'GeneratedFindingInstaceTagValue5', 'key':'GeneratedFindingInstaceTag5'}, {'value':'GeneratedFindingInstaceTagValue6', 
'key':'GeneratedFindingInstaceTag6'}, {'value':'GeneratedFindingInstaceTagValue7', 'key':'GeneratedFindingInstaceTag7'}, {'value':'GeneratedFindingInstaceTagValue8', 'key':'GeneratedFindingInstaceTag8'}, {'value':'GeneratedFindingInstaceTagValue9', 'key':'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}, 'severity': 8, 'createdAt': '2019-08-08T20:09:13.806Z', 'updatedAt': '2019-10-25T00:24:41.103Z', 'title': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using UDP protocol.', 'description': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using UDP protocol.', 'finding': {'serviceName': 'guardduty', 'detectorId': '7ab01139c0b81403b3c8ec8e08cf939c', 'action': {'actionType': 'NETWORK_CONNECTION', 'networkConnectionAction': {'connectionDirection': 'OUTBOUND', 'remoteIpDetails': {'ipAddressV4': '198.51.100.0', 'organization': {'asn': '-1', 'asnOrg': 'GeneratedFindingASNOrg', 'isp': 'GeneratedFindingISP', 'org': 'GeneratedFindingORG'}, 'country': {'countryName': 'GeneratedFindingCountryName'}, 'city': {'cityName': 'GeneratedFindingCityName'}, 'geoLocation': {'lat': 0, 'lon': 0}}, 'remotePortDetails': {'port': 80, 'portName': 'HTTP'}, 'localPortDetails': {'port': 24198, 'portName': 'Unknown'}, 'protocol': 'UDP', 'blocked': False}}, 'resourceRole': 'ACTOR', 'additionalInfo': {'sample': True}, 'eventFirstSeen': '2019-08-08T20:09:13.806Z', 'eventLastSeen': '2019-10-25T00:24:41.103Z', 'archived': False, 'count': 21}, 'category': 'Backdoor:EC2/DenialOfService.Udp', 'tags': ['NETWORK_CONNECTION']}, 'hostname': 'i-99999999', 'summary': 'EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) 
attack using UDP protocol.', 'utctimestamp': '2019-10-25T00:26:17.439000+00:00', 'timestamp': '2019-10-25T00:26:17.439000+00:00'}
result, metadata = self.plugin.onMessage(event, self.metadata)
assert result["category"] == "guardduty"
@ -529,10 +495,10 @@ class TestGuardDuty(object):
assert result["details"]["sourceport"] == 24198
assert result["details"]["destinationport"] == 80
assert result["details"]["proto"] == "UDP"
def test_trojandgadomainrequestb(self):
event = {'receivedtimestamp': '2019-10-25T00:26:18.340607+00:00', 'mozdefhostname': 'mozdefqa2.private.mdc1.mozilla.com', 'tags': ['gd2md-GuardDutyEventNormalization-5HTB8BEL5Y1Q-SqsOutput-1D5MQWALTYJ8P'], 'severity': 'INFO', 'source': 'guardduty', 'details': {'schemaVersion': '2.0', 'accountId': '371522382791', 'region': 'us-west-2', 'partition': 'aws', 'id': '20b6396cc2a6fff7160ac4be960df500', 'arn': 'arn:aws:guardduty:us-west-2:371522382791:detector/7ab01139c0b81403b3c8ec8e08cf939c/finding/20b6396cc2a6fff7160ac4be960df500', 'type': 'Trojan:EC2/DGADomainRequest.B', 'resource': {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'launchTime': '2016-03-11T21:23:34Z', 'platform': None, 'productCodes': [{'productCodeId':'GeneratedFindingProductCodeId', 'productCodeType':'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'GeneratedFindingInstanceProfileArn', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId':'eni-bfcffe88', 'privateIpAddresses':[{'privateDnsName':'GeneratedFindingPrivateName', 'privateIpAddress':'10.0.0.1'}], 'subnetId':'GeneratedFindingSubnetId', 'vpcId':'GeneratedFindingVPCId', 'privateDnsName':'GeneratedFindingPrivateDnsName', 'securityGroups':[{'groupName':'GeneratedFindingSecurityGroupName', 'groupId':'GeneratedFindingSecurityId'}], 'publicIp':'198.51.100.0', 'ipv6Addresses':[], 'publicDnsName':'GeneratedFindingPublicDNSName', 'privateIpAddress':'10.0.0.1'}], 'tags': [{'value':'GeneratedFindingInstaceValue1', 'key':'GeneratedFindingInstaceTag1'}, {'value':'GeneratedFindingInstaceTagValue2', 'key':'GeneratedFindingInstaceTag2'}, {'value':'GeneratedFindingInstaceTagValue3', 'key':'GeneratedFindingInstaceTag3'}, {'value':'GeneratedFindingInstaceTagValue4', 'key':'GeneratedFindingInstaceTag4'}, {'value':'GeneratedFindingInstaceTagValue5', 'key':'GeneratedFindingInstaceTag5'}, {'value':'GeneratedFindingInstaceTagValue6', 
'key':'GeneratedFindingInstaceTag6'}, {'value':'GeneratedFindingInstaceTagValue7', 'key':'GeneratedFindingInstaceTag7'}, {'value':'GeneratedFindingInstaceTagValue8', 'key':'GeneratedFindingInstaceTag8'}, {'value':'GeneratedFindingInstaceTagValue9', 'key':'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}, 'severity': 8, 'createdAt': '2019-08-08T20:09:13.805Z', 'updatedAt': '2019-10-25T00:24:41.094Z', 'title': 'DGA domain name queried by EC2 instance i-99999999.', 'description': 'EC2 instance i-99999999 is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.', 'finding': {'serviceName': 'guardduty', 'detectorId': '7ab01139c0b81403b3c8ec8e08cf939c', 'action': {'actionType': 'DNS_REQUEST', 'dnsRequestAction': {'domain': 'GeneratedFindingDomainName', 'protocol': '0', 'blocked': True}}, 'resourceRole': 'ACTOR', 'additionalInfo': {'domain': 'GeneratedFindingAdditionalDomainName', 'sample': True}, 'eventFirstSeen': '2019-08-08T20:09:13.805Z', 'eventLastSeen': '2019-10-25T00:24:41.094Z', 'archived': False, 'count': 21}, 'category': 'Trojan:EC2/DGADomainRequest.B', 'tags': ['DNS_REQUEST']}, 'hostname': 'i-99999999', 'summary': 'EC2 instance i-99999999 is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.', 'utctimestamp': '2019-10-25T00:26:17.714000+00:00', 'timestamp': '2019-10-25T00:26:17.714000+00:00'}
result, metadata = self.plugin.onMessage(event, self.metadata)
assert result["category"] == "guardduty"
@ -567,4 +533,4 @@ class TestGuardDuty(object):
assert result["details"]["launchtime"] == "2017-12-20T23:46:44Z"
assert result["details"]["iamprofilearn"] == "GeneratedFindingInstanceProfileArn"
assert result["details"]["iamprofileid"] == "GeneratedFindingInstanceProfileId"
assert result["details"]["detectorid"] == "7ab01139c0b81403b3c8ec8e08cf939c"
assert result["details"]["detectorid"] == "7ab01139c0b81403b3c8ec8e08cf939c"