{ "version": "0", "id": "12345abc-ca56-771b-cd1b-710550598e37", "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub", "account": "123456789012", "time": "2021-01-05T01:20:33Z", "region": "us-east-1", "resources": [ "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/012343feb722b1388a5ddc6dd4abcdef/finding/1234680e481690b44f7cc7e221abcdef" ], "detail": { "findings": [ { "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty", "Types": [ "Software and Configuration Checks/Backdoor:EC2.C&CActivity.B" ], "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=1234680e481690b44f7cc7e221abcdef", "Description": "EC2 instance i-99999999 is communicating outbound with a known Command & Control Server 198.51.100.0 located in GeneratedFindingCountryName.", "SchemaVersion": "2018-10-08", "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/012343feb722b1388a5ddc6dd4abcdef", "FirstObservedAt": "2021-01-05T01:15:01.549Z", "CreatedAt": "2021-01-05T01:15:01.549Z", "RecordState": "ACTIVE", "Title": "EC2 instance i-99999999 communicating outbound with C&C Server.", "Workflow": { "Status": "NEW" }, "LastObservedAt": "2021-01-05T01:15:01.549Z", "Severity": { "Normalized": 80, "Label": "HIGH", "Product": 8 }, "UpdatedAt": "2021-01-05T01:15:01.549Z", "WorkflowState": "NEW", "ProductFields": { "aws/guardduty/service/additionalInfo/threatListName": "GeneratedFindingThreatListName", "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "SMTP", "aws/guardduty/service/archived": "false", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "GeneratedFindingASNOrg", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "0", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "198.51.100.0", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "0", "aws/guardduty/service/action/networkConnectionAction/blocked": "false", "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "25", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "GeneratedFindingCountryName", "aws/guardduty/service/serviceName": "guardduty", "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "10.0.0.23", "aws/guardduty/service/detectorId": "012343feb722b1388a5ddc6dd4abcdef", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "GeneratedFindingORG", "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "OUTBOUND", "aws/guardduty/service/eventFirstSeen": "2021-01-05T01:15:01.549Z", "aws/guardduty/service/eventLastSeen": "2021-01-05T01:15:01.549Z", "aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatListName": "GeneratedFindingThreatListName", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "Unknown", "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "GeneratedFindingCityName", "aws/guardduty/service/resourceRole": "TARGET", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "2000", "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP", "aws/guardduty/service/count": "1", "aws/guardduty/service/additionalInfo/sample": "true", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "-1", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "GeneratedFindingISP", "aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatNames.0_": "GeneratedFindingThreatName", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123456789012:detector/012343feb722b1388a5ddc6dd4abcdef/finding/1234680e481690b44f7cc7e221abcdef", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/CompanyName": "Amazon" }, "AwsAccountId": "123456789012", "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/012343feb722b1388a5ddc6dd4abcdef/finding/1234680e481690b44f7cc7e221abcdef", "Resources": [ { "Partition": "aws", "Type": "AwsEc2Instance", "Details": { "AwsEc2Instance": { "Type": "m3.xlarge", "VpcId": "GeneratedFindingVPCId", "ImageId": "ami-99999999", "IpV4Addresses": [ "10.0.0.1", "198.51.100.0" ], "SubnetId": "GeneratedFindingSubnetId", "LaunchedAt": "2016-08-02T02:05:06Z", "IamInstanceProfileArn": "arn:aws:iam::123456789012:example/instance/profile" } }, "Region": "us-east-1", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-99999999", "Tags": { "GeneratedFindingInstaceTag7": "GeneratedFindingInstaceTagValue7", "GeneratedFindingInstaceTag8": "GeneratedFindingInstaceTagValue8", "GeneratedFindingInstaceTag9": "GeneratedFindingInstaceTagValue9", "GeneratedFindingInstaceTag1": "GeneratedFindingInstaceValue1", "GeneratedFindingInstaceTag2": "GeneratedFindingInstaceTagValue2", "GeneratedFindingInstaceTag3": "GeneratedFindingInstaceTagValue3", "GeneratedFindingInstaceTag4": "GeneratedFindingInstaceTagValue4", "GeneratedFindingInstaceTag5": "GeneratedFindingInstaceTagValue5", "GeneratedFindingInstaceTag6": "GeneratedFindingInstaceTagValue6" } } ] } ] } }