class GuardDuty

Collects GuardDuty resources (detectors and their finding statistics).

Public Instance Methods

collect()

Returns an array of resources (one hash per detector).

# File lib/aws_recon/collectors/guardduty.rb, line 10
# Collects every GuardDuty detector visible to +@client+, enriching each one
# with its severity counts for active findings (any age, older than 7 days,
# older than 30 days) and its master-account relationship.
#
# @return [Array<Hash>] one hash per detector, carrying the GetDetector
#   attributes plus :type ('detector'), :arn, :findings_statistics,
#   :findings_statistics_aged_short, :findings_statistics_aged_long and
#   :master_account
def collect
  # COUNT_BY_SEVERITY statistics for the findings on +detector_id+ matching +criteria+.
  severity_counts = lambda do |detector_id, criteria|
    @client.get_findings_statistics({
      detector_id: detector_id,
      finding_statistic_types: ['COUNT_BY_SEVERITY'],
      finding_criteria: criteria
    }).finding_statistics.to_h
  end

  #
  # list_detectors (paginated; one log line per page)
  #
  @client.list_detectors.each_with_index.flat_map do |response, page|
    log(response.context.operation_name, page)

    response.detector_ids.map do |detector_id|
      log(response.context.operation_name, 'get_detector', detector_id)

      # get_detector
      detector = OpenStruct.new(@client.get_detector({ detector_id: detector_id }).to_h)
      detector.type = 'detector'
      # NOTE(review): the partition is hard-coded to 'aws'; a detector in aws-cn or
      # aws-us-gov would get a mismatched ARN here — confirm those partitions are out of scope.
      detector.arn = "arn:aws:guardduty:#{@region}:#{@account}:detector/#{detector_id}"

      # get_findings_statistics: active findings of any age, older than 7 days, older than 30 days
      detector.findings_statistics = severity_counts.call(detector_id, finding_criteria)
      detector.findings_statistics_aged_short = severity_counts.call(detector_id, finding_criteria(7))
      detector.findings_statistics_aged_long = severity_counts.call(detector_id, finding_criteria(30))

      # get_master_account
      # NOTE(review): GuardDuty documents GetMasterAccount as deprecated in favour of
      # GetAdministratorAccount — verify the SDK version in use before switching.
      detector.master_account = @client.get_master_account({ detector_id: detector_id }).master.to_h

      detector.to_h
    end
  end
end

Private Instance Methods

finding_criteria(days = 1)
# File lib/aws_recon/collectors/guardduty.rb, line 58
# Builds the +finding_criteria+ hash used to scope GetFindingsStatistics to
# active (non-archived) findings, optionally restricted to findings whose
# +updatedAt+ is older than +days+ days.
#
# @param days [Integer] age threshold in days; the +updatedAt+ filter is only
#   added when this is greater than 1, so the default selects active findings
#   of any age
# @return [Hash] a +{ criterion: { ... } }+ hash accepted by GetFindingsStatistics
def finding_criteria(days = 1)
  criterion = { 'service.archived': { eq: ['false'] } }

  if days > 1
    # The cutoff is an epoch timestamp in milliseconds, built from Time.now
    # the same way as the SDK's +updatedAt+ values.
    cutoff_ms = (Time.now.to_f * 1000).to_i - (days * 24 * 60 * 60 * 1000)
    criterion[:updatedAt] = { less_than: cutoff_ms }
  end

  { criterion: criterion }
end