English follows Japanese
いつもお世話になっております。
この通知は、Amazon GuardDuty をご利用のお客様に今後の重要な変更をお知らせするためのものです。2021年 3月12日、異常なユーザー動作を検出する既存の 13 の Amazon GuardDuty 検索タイプが廃止され、8 つの新しい検索タイプに置き換えられます。 新しい検索タイプは、GuardDuty 検出の拡張を表し、より広範かつ正確なセキュリティカバレッジを提供します。 新しい検索タイプには、異常なアクティビティのトリアージと調査に役立つ豊富なコンテキスト情報も含まれています。 潜在的なカバレッジギャップを回避するために、GuardDuty と Amazon EventBridge [1] との統合により、既存の検索タイプを基にした自動取り込みを設定しているお客様は、2021年3月12日以前に新しい検索タイプに基づいて自動化を追加する必要があります。
以下は、2021年 3月12日に GuardDuty から廃止予定の検索タイプです。
- Persistence:IAMUser/NetworkPermissions
- Persistence:IAMUser/ResourcePermissions
- Persistence:IAMUser/UserPermissions
- Recon:IAMUser/NetworkPermissions
- Recon:IAMUser/ResourcePermissions
- Recon:IAMUser/UserPermissions
- ResourceConsumption:IAMUser/ComputeResources
- Stealth:IAMUser/LoggingConfigurationModified
- UnauthorizedAccess:IAMUser/ConsoleLogin
- Discovery:S3/BucketEnumeration.Unusual
- Impact:S3/PermissionsModification.Unusual
- Impact:S3/ObjectDelete.Unusual
- PrivilegeEscalation:IAMUser/AdministrativePermissions
2021年 3月12日に GuardDuty に追加される検索タイプの種類は次のとおりです。
- Discovery:IAMUser/AnomalousBehavior
- InitialAccess:IAMUser/AnomalousBehavior
- Persistence:IAMUser/AnomalousBehavior
- PrivilegeEscalation:IAMUser/AnomalousBehavior
- DefenseEvasion:IAMUser/AnomalousBehavior
- CredentialAccess:IAMUser/AnomalousBehavior
- Impact:IAMUser/AnomalousBehavior
- Exfiltration:IAMUser/AnomalousBehavior
新しい検索の詳細フィールド:
2021年 3月12日に追加される 8 つの新しい検索タイプには、フィールド resource.resourceType が AccessKey である既存の GuardDuty 検索タイプに含まれているものと同じ検索詳細フィールドが含まれます。 さらに、これらの検索タイプには豊富なコンテキストの詳細が含まれ、これらは GuardDuty コンソール及び、最上位のフィールド service.addionalInfo に含まれる json からご確認いただけます。
新しい検索タイプには、次のフィールドが含まれます。
• service.additionalInfo.userAgent.fullUserAgent // アクティビティに関連付けられた完全なユーザーエージェント
• service.additionalInfo.userAgentCategory // アクティビティに関連付けられたユーザーエージェントカテゴリ
• service.additionalInfo.unusualBehavior.isUnusualUserIdentity // アクティビティに関連付けられたユーザーが以前プロファイルされた期間に確認されたかどうかを示す Boolean 型フィールド。
• service.additionalInfo.anomalies.anomalousAPIs // アクティビティに関連付けられた異常な API のリスト。 API は、属する AWS のサービスに基づいてグループ化され、リクエストが成功したかどうか、または受信したエラー応答の詳細が提供されます。
新しい検索タイプには、次の動作コンテキストも含まれます。
• ユーザーおよびアカウントレベルの動作:API、自律システム番号(ASN)、ユーザーエージェント
• アカウントレベルの動作:ユーザー名、ユーザータイプ
行動コンテキストは、プロファイルされた期間中の行動頻度に基づいてグループ化されます。
• Unusual: 動作は以前見られていませんでした
• Rare: 動作は1ヶ月に1回またはそれ以下の頻度で見られました
• Infrequent: 動作は月に数回見られました
• Frequent: 動作は毎週から毎日見られました
新しい結果には、次の動作コンテキストフィールドが含まれます。
• service.additionalInfo.unusualBehavior.unusualAPIsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualAPIsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualASNsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualASNsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualUserAgentsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualUserAgentsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualUserNamesAccountProfiling
• service.additionalInfo.unusualBehavior.unusualUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserTypesAccountProfiling
これらの変更が 2021年 3月12日に実施されると、追加の詳細はドキュメント [2] に記載されます。
ご質問やご不明な点がある場合は、AWS サポート [3] にお問い合わせください。
[1] https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
[2] https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
[3] https://aws.amazon.com/support
Hello,
This notification serves to inform Amazon GuardDuty Customers of important upcoming changes to the service. On March 12, 2021, 13 existing Amazon GuardDuty finding types that detect anomalous user behavior will be deprecated in favor of 8 new finding types to replace them. The new findings types represent an enhancement to GuardDuty detections, and will provide broader, and more accurate security coverage. The new finding types will also include enriched contextual information to help triage and investigate anomalous activity. To avoid a potential coverage gap, customers that have set up automated downstream ingestion of the existing finding types via GuardDuty's integration with Amazon EventBridge [1] should add automation based on the new finding types before March 12, 2021.
Following are the finding types that will be deprecated from GuardDuty on March 12, 2021:
-
Persistence:IAMUser/NetworkPermissions
-
Persistence:IAMUser/ResourcePermissions
-
Persistence:IAMUser/UserPermissions
-
Recon:IAMUser/NetworkPermissions
-
Recon:IAMUser/ResourcePermissions
-
Recon:IAMUser/UserPermissions
-
ResourceConsumption:IAMUser/ComputeResources
-
Stealth:IAMUser/LoggingConfigurationModified
-
UnauthorizedAccess:IAMUser/ConsoleLogin
-
Discovery:S3/BucketEnumeration.Unusual
-
Impact:S3/PermissionsModification.Unusual
-
Impact:S3/ObjectDelete.Unusual
-
PrivilegeEscalation:IAMUser/AdministrativePermissions
Following are the finding types that will be added to GuardDuty on March 12, 2021:
-
Discovery:IAMUser/AnomalousBehavior
-
InitialAccess:IAMUser/AnomalousBehavior
-
Persistence:IAMUser/AnomalousBehavior
-
PrivilegeEscalation:IAMUser/AnomalousBehavior
-
DefenseEvasion:IAMUser/AnomalousBehavior
-
CredentialAccess:IAMUser/AnomalousBehavior
-
Impact:IAMUser/AnomalousBehavior
-
Exfiltration:IAMUser/AnomalousBehavior
New finding details fields:
The 8 new finding types that will be added on March 12, 2021 will include the same finding detail fields that are included in existing GuardDuty finding types in which the field resource.resourceType is AccessKey. Additionally these finding types will include enriched contextual details that will be viewable in the GuardDuty console, and in the finding json under the top-level field service.additionalInfo.
The following fields will be included in the new finding types:
• service.additionalInfo.userAgent.fullUserAgent // the full user agent associated with the activity
• service.additionalInfo.userAgent.userAgentCategory // the user agent category associated with the activity
• service.additionalInfo.unusualBehavior.isUnusualUserIdentity // a Boolean field that indicates whether the user associated with the activity has been previously seen during the profiled period.
• service.additionalInfo.anomalies.anomalousAPIs // a list of anomalous APIs associated with the activity. The APIs will be grouped based on the AWS service they belong to, and provide details on whether the request was successful, or what error response was received.
The new finding types will also include the following behavioral context:
• User and account level behavior: APIs, Autonomous System Numbers (ASNs), UserAgents
• Account level behavior: UserNames, UserTypes
The behavioral context will be grouped based on frequency of behavior during the profiled period:
• Unusual: the behavior was not previously seen
• Rare: the behavior was seen once a month or less
• Infrequent: the behavior was seen a few times a month
• Frequent: the behavior was seen daily to weekly
The following behavioral context fields will be included in the new findings:
• service.additionalInfo.unusualBehavior.unusualAPIsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualAPIsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualASNsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualASNsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualUserAgentsAccountProfiling
• service.additionalInfo.unusualBehavior.unusualUserAgentsUserIdentityProfiling
• service.additionalInfo.unusualBehavior.unusualUserNamesAccountProfiling
• service.additionalInfo.unusualBehavior.unusualUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledAPIsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledAPIsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledASNsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledASNsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserAgentsAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserAgentsUserIdentityProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserNamesAccountProfiling
• service.additionalInfo.profiledBehavior.frequentProfiledUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.infrequentProfiledUserTypesAccountProfiling
• service.additionalInfo.profiledBehavior.rareProfiledUserTypesAccountProfiling
Once these changes are implemented on March 12, 2021 additional details will be provided in our documentation [2]
If you have any questions or concerns please reach out to us through AWS Support [3]
[1] https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
[2] https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
[3] https://aws.amazon.com/support
Sincerely,
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210