[AWS] Add support for Guardduty datastream

packages/aws/_dev/build/docs/guardduty.md

@@ -0,0 +1,86 @@
+# GuardDuty
+
+## Overview
+
+The [Amazon GuardDuty](https://aws.amazon.com/guardduty/) integration collects and parses data from Amazon GuardDuty [Findings](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetFindings.html) REST APIs.
+
+The Amazon GuardDuty integration can be used in three different modes to collect data:
+- HTTP REST API - Amazon GuardDuty pushes logs directly to an HTTP REST API.
+- AWS S3 polling - Amazon GuardDuty writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
+- AWS S3 SQS - Amazon GuardDuty writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode.
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+**Note**: It is recommended to use AWS SQS for Amazon GuardDuty.
+
+## Compatibility
+
+  1. The minimum compatible version of this module is **Elastic Agent 8.6.0**.
+
+  2. Following GuardDuty Resource types have been supported in the current integration version:
+
+     | Sr. No. | Resource types       |
+     |---------|----------------------|
+     |    1    | accessKeyDetails     |
+     |    2    | containerDetails     |
+     |    3    | ebsVolumeDetails     |
+     |    4    | ecsClusterDetails    |
+     |    5    | eksClusterDetails    |
+     |    6    | instanceDetails      |
+     |    7    | kubernetesDetails    |
+     |    8    | s3BucketDetails      |
+     |    9    | rdsDbInstanceDetails |
+     |   10    | rdsDbUserDetails     |
+
+  3. Following GuardDuty Service action types have been supported in the current integration version:
+
+     | Sr. No. | Service action types     |
+     |---------|--------------------------|
+     |    1    | awsApiCallAction         |
+     |    2    | dnsRequestAction         |
+     |    3    | kubernetesApiCallAction  |
+     |    4    | networkConnectionAction  |
+     |    5    | portProbeAction          |
+     |    6    | rdsLoginAttemptAction    |
+
+## Setup
+
+### To collect data from AWS S3 Bucket, follow the steps below:
+- Configure the [Data Forwarder](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html) to ingest data into an AWS S3 bucket. However, the user can set the parameter "Bucket List Prefix" according to the requirement.
+
+### To collect data from AWS SQS, follow the steps below:
+1. If data forwarding to an AWS S3 bucket hasn't been configured, then first setup an AWS S3 bucket as mentioned in the documentation above.
+2. To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html).
+  - While creating an SQS queue, please provide the same bucket ARN that has been generated after creating the AWS S3 bucket.
+3. Setup event notification for an S3 bucket. Follow this [guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html).
+  - The user has to perform Step 3 for the guardduty data-stream, and the prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. For example, `logs/` for guardduty data stream.
+  - For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2.
+
+**Note**:
+  - Credentials for the above AWS S3 and SQS input types should be configured according to the [input configuration guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config).
+  - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case.
+
+## To collect data from Amazon GuardDuty API, users must have an Access Key and a Secret Key. To create an API token follow the steps below:
+
+  1. Login to https://console.aws.amazon.com/.
+  2. Go to https://console.aws.amazon.com/iam/ to access the IAM console.
+  3. On the navigation menu, choose Users.
+  4. Choose your IAM user name.
+  5. Select Create access key from the Security Credentials tab.
+  6. To see the new access key, choose Show.
+
+## Note
+
+  - The Secret Access Key and Access Key ID are required for the current integration package.
+
+## Logs
+
+### GuardDuty
+
+This is the [`GuardDuty`](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetFindings.html#guardduty-GetFindings-response-findings) data stream.
+
+{{event "guardduty"}}
+
+{{fields "guardduty"}}

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.31.0"
+  changes:
+    - description: Add a data stream for Amazon GuardDuty.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4915
 - version: "1.30.0"
   changes:
     - description: Add dashboards data streams filters.

packages/aws/data_stream/guardduty/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+  guardduty:
+    image: docker.elastic.co/observability/stream:v0.8.0
+    hostname: guardduty.xxxx.amazonaws.com
+    ports:
+      - 443
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "443"
+    command:
+      - http-server
+      - --addr=:443
+      - --config=/files/config.yml
+      - --tls-cert=/files/certificate.crt
+      - --tls-key=/files/private.key

packages/aws/data_stream/guardduty/_dev/deploy/docker/files/certificate.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTjCCAjYCCQCP7/+x5TSKBTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJY
+WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+bnkgTHRkMSUwIwYDVQQDDBxndWFyZGR1dHkueHh4eC5hbWF6b25hd3MuY29tMB4X
+DTIyMTIwOTA3MDY1NVoXDTIzMTIwOTA3MDY1NVowaTELMAkGA1UEBhMCWFgxFTAT
+BgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0
+ZDElMCMGA1UEAwwcZ3VhcmRkdXR5Lnh4eHguYW1hem9uYXdzLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAM465fWaXWFWxW2grodH77Tbn9Fh50yf
+jcn0gCdoeF0ppz6Mfr1A+sV8TEZraP2i8rfI1Qr65iWRN2p07NPQculyxmlT2VAg
+wOF0wvMfcypu+P6Wp9D62//GP4WMfG0yUblIee+jHfzaHk8TZI6d6Od+q3u82g0x
+xIuq2WruhUXc/Bx4oKqo4GfZtW82TYHxEJ21G8DbZ3Kek/rXg5w0byp+m115XVXc
+AhfaQsEnxgxzIwdPxwZyLa6G2Rdm0TBR3VzgMlgiOLqcECH1L5ZdDueI3vhM7Hpl
+sY6vvygm4GA0onduAv/NbwJy1nEIVWZ8wPa6FFAvRBPYT/mlwk2/O6UCAwEAATAN
+BgkqhkiG9w0BAQsFAAOCAQEAc+xGD2w7Btxwcud2wFiwqs9oDO4iS+DeER4hGkV7
+2zNk42pezOrNbty+cZzxbYU7+FmmLJMs35kT1ody81I/wG9iBMp08CDz6MCmzgG0
+9C8Qgiro/TfqrqoEt3xrs7iNQ06lcwR7iFqMyeqZuFyM4BRQgoGzdhYxwkQtI3t2
+sLX8n+roy+D2JlMRWEsH1xV+MOLDFhLiXDMkf7pvhp5+MKjZscnSsU2lHn6gbVkk
+Jphsrsom4I3y7Rm0PlaVMO/AKffnRkDSqEhFPx23RoFpWL0zfc5C3DDLGewd7J8O
+gCFBRnggudvoELRFuuwEQfAdANyw+xoha+ScbyQZIVUdNw==
+-----END CERTIFICATE-----

packages/aws/data_stream/guardduty/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,13 @@
+rules:
+  - path: /detector/xxxx/findings
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        body: |
+          {"findingIds": ["e0c22973b012f3af67ac593443e920ff"],"nextToken": ""}
+  - path: /detector/xxxx/findings/get
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        body: |-
+          {"findings":[{"schemaVersion":"2.0","accountId":"123412341234","region":"us-east-1","partition":"aws","id":"e0c22973b012f3af67ac593443e920ff","arn":"arn:aws:guardduty:us-east-1:123412341234:detector/12341234e19ce5461eabcd1234abcd1234/finding/43b6abcdeabcdeabcde1234562176924","type":"Discovery:Kubernetes/TorIPCaller","resource":{"resourceType":"EKSCluster","eksClusterDetails":{"name":"GeneratedFindingEKSClusterName","arn":"GeneratedFindingEKSClusterArn","createdAt":1635962410.342,"vpcId":"GeneratedFindingEKSClusterVpcId","status":"ACTIVE","tags":[{"value":"GeneratedFindingEKSClusterTagValue1","key":"GeneratedFindingEKSClusterTag1"},{"value":"GeneratedFindingEKSClusterTagValue2","key":"GeneratedFindingEKSClusterTag2"},{"value":"GeneratedFindingEKSClusterTagValue3","key":"GeneratedFindingEKSClusterTag3"}]},"kubernetesDetails":{"kubernetesWorkloadDetails":null,"kubernetesUserDetails":{"username":"GeneratedFindingUserName","uid":"GeneratedFindingUID","groups":["GeneratedFindingUserGroup"]}},"accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"Role","userName":"GeneratedFindingUserName"}},"service":{"serviceName":"guardduty","detectorId":"12341234e19ce5461eabcd1234abcd1234","action":{"actionType":"KUBERNETES_API_CALL","kubernetesApiCallAction":{"requestUri":"GeneratedFindingRequestURI","verb":"list","sourceIPs":["175.16.199.1"],"userAgent":"","remoteIpDetails":{"ipAddressV4":"175.16.199.1","organization":{"asn":"0","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"statusCode":200}},"resourceRole":"TARGET","additionalInfo":{"threatName":"GeneratedFindingThreatName","threatListName":"GeneratedFindingThreatListName","sample":true,"value":"{\"threatName\":\"GeneratedFindingThreatName\",\"threatListName\":\"GeneratedFindingThreatListName\",\"sample\":true}","type":"default"},"evidence":{"threatIntelligenceDetails":[{"threatNames":["GeneratedFindingThreatName"],"threatListName":"GeneratedFindingThreatListName"}]},"eventFirstSeen":"2022-11-17T09:33:19.000Z","eventLastSeen":"2022-11-22T12:22:20.000Z","archived":false,"count":2},"severity":5,"createdAt":"2022-11-17T09:33:19.228Z","updatedAt":"2022-11-22T12:22:20.938Z","title":"Kubernetes API commonly used in Discovery tactics invoked from a Tor exit node IP address.","description":"Kubernetes API commonly used in Discovery tactics was invoked on cluster GeneratedFindingEKSClusterName from Tor exit node IP address 175.16.199.1."}]}

packages/aws/data_stream/guardduty/_dev/deploy/docker/files/private.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOOuX1ml1hVsVt
+oK6HR++025/RYedMn43J9IAnaHhdKac+jH69QPrFfExGa2j9ovK3yNUK+uYlkTdq
+dOzT0HLpcsZpU9lQIMDhdMLzH3Mqbvj+lqfQ+tv/xj+FjHxtMlG5SHnvox382h5P
+E2SOnejnfqt7vNoNMcSLqtlq7oVF3PwceKCqqOBn2bVvNk2B8RCdtRvA22dynpP6
+14OcNG8qfptdeV1V3AIX2kLBJ8YMcyMHT8cGci2uhtkXZtEwUd1c4DJYIji6nBAh
+9S+WXQ7niN74TOx6ZbGOr78oJuBgNKJ3bgL/zW8CctZxCFVmfMD2uhRQL0QT2E/5
+pcJNvzulAgMBAAECggEAbtuQU+bnvXRkalrOlp/fxeutTGOBb1nxYRdScFyjHwlO
+AryJQHiWlOQNKGmCpZ0bNhn6E43te1JFZK93wyCxNLZi26mcDoucw1T9mq1UPgIr
+TMd1bEv9SM+rw8FR/WzoK14/VcbsTsh9NGqrSlKuKQqZacmJuUAAdEeh2e5fq754
+Dw7qJJ4QyyhyMXejz7dhQ3VG8yk28+manpZWkVOqSceWQFedaJK0op6m0I7dnS2h
+qSteq7RZeRqfvNMhEHR/dqi1e8yPx8Gk5UU3ClvCrctpDIGJl0ea64nShWYPBZfG
+vLIehk3WFmTUxK9M1ttZkqfUcYVch7CGMd6mM4ROYQKBgQD2jMUtXSaT7oR8KZ9/
+x9awOCrkbSOPGbVpXf+2mDn4nAw+oI5Buc2sxs62afb1dgh4A4PgKHECCgdNz0mt
+Hr9uIOiyPUULBI3xSDOWKxVjU7wjqFK4QNEdBicMm5XK2yvf2EPewp0OkCNHgYEL
+vRKzDKBbgG5UQR9mJe2oF/0+vQKBgQDWIn8g30zR3i3SJnAR4us+nzvgsJQg1QXO
+3mHLjNLtdXjLCHbiqoI6n5xsC7EK3dM80svwd023j3P6AHNAqLV30ohL48Rox7mL
+omPgvOp9EPCLF0cqVDYpeK4Ile/GHleUhn69RgPzyuSXOwPOik3R59ok/SwVo42y
+7IdoTfATCQKBgQDK26qFF8bdIvxpOMoelivEFILeLhp67LlCN/BlqbzRHHxKr0o9
+NAbRqUZ9+pQTBQoUzTedoUjSV7QIxoylX848a+FqflUnqpirtS+U2GAhuMztPdrJ
+9bLZQa2xhvZp0Ym5BTVavSAC0n/knt6x7ODM54+tme+tbWPLZVu02gAptQKBgQCY
+SVBAAI6RcoEDw3JQRiEnF/dthCbUcqr+xAioyi330mNlgU+LQ9f5+Sk1bdsq7zcb
+Oo7vJOmQceT5FvjgMxtba86iqgk0u1WpiIOfgLsC1tk7EgL6h4k9VSXv1TIAo/OF
+HWFlGjYVW2XWZ5H9gT522Xy6cZK4kOhlJvHlrAfggQKBgCjMj2o5HdljJHYt5Vvq
+Pq5Sjj4d5TtX99+kIbSDUb3AUMzLSp7W3B08ZZdpXo7bUjC4vQHKERJSzli1qabZ
+GvrzXhOmm7pwCndFDC9E+rKttZaatQNbVr6aljiKyyxEC+feTk1ocNQ2XLjjAd0x
+GECkVnHERfCzG1062iCOaBvT
+-----END PRIVATE KEY-----

packages/aws/data_stream/guardduty/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields