Merge pull request #30 from cevoaustralia/retreive-correct-accountid

Retreive correct accountid

src/parsers/guardduty-runtime.js

@@ -11,9 +11,10 @@ exports.parse = event => {
 	const description = "";
 	const fields = [];
 	const createdAt = new Date(_.get(event, "message.time"));
-	const accountId = _.get(event, "message.account");
 	const region = _.get(event, "message.region");
 
+	const accountId = _.get(detail, "accountId");
+
 	let color = event.COLORS.ok;
 	if (_.includes(event.getDetailType(), "Unhealthy")) {
 		color = event.COLORS.critical;

test/parsers/guardduty-runtime.test.js

@@ -16,7 +16,7 @@ const simpleSnsPacket = {
 				"TopicArn": `arn:aws:sns:region:account-id:topicname`,
 				"Subject": "TestInvoke",
 				"MessageId": "sample-message",
-				"Message": "{\"version\":\"0\",\"id\":\"c030d66e-ccae-00a7-b7ec-f233d4182986\",\"detail-type\":\"GuardDuty Finding\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-28T17:55:11Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"schemaVersion\":\"2.0\",\"accountId\":\"EXAMPLE\",\"region\":\"ap-southeast-2\",\"partition\":\"aws\",\"id\":\"EXAMPLE\",\"arn\":\"arn:aws:guardduty:ap-southeast-2:EXAMPLE:detector/findingg\",\"type\":\"Discovery:Kubernetes/MaliciousIPCaller\",\"resource\":{\"resourceType\":\"EKSCluster\",\"eksClusterDetails\":{\"name\":\"eks-demo\",\"arn\":\"arn:aws:eks:ap-southeast-2:EXAMPLE:cluster/eks-demo\",\"createdAt\":1.716854656938E9,\"vpcId\":\"vpc-testvpc\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"Blueprint\",\"value\":\"eks-demo\"}]},\"kubernetesDetails\":{\"kubernetesWorkloadDetails\":null,\"kubernetesUserDetails\":{\"username\":\"system:anonymous\",\"uid\":null,\"groups\":[\"system:unauthenticated\"],\"sessionName\":[]}}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"EXAMPLE\",\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"requestUri\":\"/version\",\"verb\":\"get\",\"sourceIPs\":[\"167.94.145.97\"],\"userAgent\":\"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)\",\"remoteIpDetails\":{\"ipAddressV4\":\"167.94.145.97\",\"organization\":{\"asn\":\"398705\",\"asnOrg\":\"CENSYS-ARIN-02\",\"isp\":\"Censys-arin-02\",\"org\":\"Censys-arin-02\"},\"country\":{\"countryName\":\"United States\"},\"city\":{\"cityName\":\"\"},\"geoLocation\":{\"lat\":37.751,\"lon\":-97.822}},\"statusCode\":200}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"threatListName\":\"ProofPoint\",\"value\":\"{\\\"threatListName\\\":\\\"ProofPoint\\\"}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"ProofPoint\",\"threatNames\":[]}]},\"eventFirstSeen\":\"2024-05-28T17:50:48.681Z\",\"eventLastSeen\":\"2024-05-28T17:50:48.681Z\",\"archived\":false,\"count\":1},\"severity\":5,\"createdAt\":\"2024-05-28T17:51:52.721Z\",\"updatedAt\":\"2024-05-28T17:51:52.721Z\",\"title\":\"A Kubernetes API commonly used in Discovery tactics invoked from a known malicious IP address.\",\"description\":\"A Kubernetes API commonly used in Discovery tactics was invoked on cluster eks-demo from known malicious IP address 167.94.145.97.\"}}",
+				"Message": "{\"version\":\"0\",\"id\":\"c030d66e-ccae-00a7-b7ec-f233d4182986\",\"detail-type\":\"GuardDuty Finding\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-28T17:55:11Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"schemaVersion\":\"2.0\",\"accountId\":\"CHILD-EXAMPLE\",\"region\":\"ap-southeast-2\",\"partition\":\"aws\",\"id\":\"EXAMPLE\",\"arn\":\"arn:aws:guardduty:ap-southeast-2:EXAMPLE:detector/findingg\",\"type\":\"Discovery:Kubernetes/MaliciousIPCaller\",\"resource\":{\"resourceType\":\"EKSCluster\",\"eksClusterDetails\":{\"name\":\"eks-demo\",\"arn\":\"arn:aws:eks:ap-southeast-2:EXAMPLE:cluster/eks-demo\",\"createdAt\":1.716854656938E9,\"vpcId\":\"vpc-testvpc\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"Blueprint\",\"value\":\"eks-demo\"}]},\"kubernetesDetails\":{\"kubernetesWorkloadDetails\":null,\"kubernetesUserDetails\":{\"username\":\"system:anonymous\",\"uid\":null,\"groups\":[\"system:unauthenticated\"],\"sessionName\":[]}}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"EXAMPLE\",\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"requestUri\":\"/version\",\"verb\":\"get\",\"sourceIPs\":[\"167.94.145.97\"],\"userAgent\":\"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)\",\"remoteIpDetails\":{\"ipAddressV4\":\"167.94.145.97\",\"organization\":{\"asn\":\"398705\",\"asnOrg\":\"CENSYS-ARIN-02\",\"isp\":\"Censys-arin-02\",\"org\":\"Censys-arin-02\"},\"country\":{\"countryName\":\"United States\"},\"city\":{\"cityName\":\"\"},\"geoLocation\":{\"lat\":37.751,\"lon\":-97.822}},\"statusCode\":200}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"threatListName\":\"ProofPoint\",\"value\":\"{\\\"threatListName\\\":\\\"ProofPoint\\\"}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"ProofPoint\",\"threatNames\":[]}]},\"eventFirstSeen\":\"2024-05-28T17:50:48.681Z\",\"eventLastSeen\":\"2024-05-28T17:50:48.681Z\",\"archived\":false,\"count\":1},\"severity\":5,\"createdAt\":\"2024-05-28T17:51:52.721Z\",\"updatedAt\":\"2024-05-28T17:51:52.721Z\",\"title\":\"A Kubernetes API commonly used in Discovery tactics invoked from a known malicious IP address.\",\"description\":\"A Kubernetes API commonly used in Discovery tactics was invoked on cluster eks-demo from known malicious IP address 167.94.145.97.\"}}",
 				"Timestamp": "2024-05-28T17:55:12.020Z",
 				"SignatureVersion": "1",
 				"Signature": "EXAMPLE",
@@ -50,7 +50,7 @@ const unhealthyRuntimeProtection = {
 				"MessageId": "fb4becf1-f88c-5ff5-b12d-b2226236905b",
 				"TopicArn": "arn:aws:sns:ap-southeast-2:EXAMPLE:aws-to-slack",
 				"Subject": null,
-				"Message": "{\"version\":\"0\",\"id\":\"a2f5f101-a7a3-47b3-2287-e2a83135cf7a\",\"detail-type\":\"GuardDuty Runtime Protection Unhealthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-31T09:29:28Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"EKS\",\"eksClusterDetails\":{\"clusterName\":\"eks-demo\",\"availableNodes\":-1,\"desiredNodes\":-1,\"addonDetails\":{\"addonVersion\":\"v1.6.1-eksbuild.1\",\"addonStatus\":\"DELETED\"}}},\"previousStatus\":\"Healthy\",\"currentStatus\":\"Unhealthy\",\"issue\":\"\",\"lastUpdatedAt\":1717147358760000}}",
+				"Message": "{\"version\":\"0\",\"id\":\"a2f5f101-a7a3-47b3-2287-e2a83135cf7a\",\"detail-type\":\"GuardDuty Runtime Protection Unhealthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-31T09:29:28Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"CHILD-EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"EKS\",\"eksClusterDetails\":{\"clusterName\":\"eks-demo\",\"availableNodes\":-1,\"desiredNodes\":-1,\"addonDetails\":{\"addonVersion\":\"v1.6.1-eksbuild.1\",\"addonStatus\":\"DELETED\"}}},\"previousStatus\":\"Healthy\",\"currentStatus\":\"Unhealthy\",\"issue\":\"\",\"lastUpdatedAt\":1717147358760000}}",
 				"Timestamp": "2024-05-31T09:29:30.100Z",
 				"SignatureVersion": "1",
 				"Signature": "EXAMPLE",
@@ -82,7 +82,7 @@ const healthyRuntimeProtection = {
 				"MessageId": "db0f2d8a-dabf-53a0-92de-73595e93e71b",
 				"TopicArn": "arn:aws:sns:ap-southeast-2:EXAMPLE:aws-to-slack",
 				"Subject": null,
-				"Message": "{\"version\":\"0\",\"id\":\"4eaf90cc-a2e2-06ab-1ac1-f464a1aa7412\",\"detail-type\":\"GuardDuty Runtime Protection Healthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-31T07:53:14Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"EC2\",\"ec2InstanceDetails\":{\"instanceId\":\"i-0e5f6345341fd7144\",\"instanceType\":\"t3.medium\",\"clusterArn\":\"arn:aws:eks:ap-southeast-2:EXAMPLE:cluster/eks-demo\",\"agentDetails\":{\"version\":\"v1.6.1\"},\"managementType\":\"MANUAL\"}},\"previousStatus\":\"Unhealthy\",\"currentStatus\":\"Healthy\",\"issue\":\"\",\"lastUpdatedAt\":1717141247000}}",
+				"Message": "{\"version\":\"0\",\"id\":\"4eaf90cc-a2e2-06ab-1ac1-f464a1aa7412\",\"detail-type\":\"GuardDuty Runtime Protection Healthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-05-31T07:53:14Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"CHILD-EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"EC2\",\"ec2InstanceDetails\":{\"instanceId\":\"i-0e5f6345341fd7144\",\"instanceType\":\"t3.medium\",\"clusterArn\":\"arn:aws:eks:ap-southeast-2:EXAMPLE:cluster/eks-demo\",\"agentDetails\":{\"version\":\"v1.6.1\"},\"managementType\":\"MANUAL\"}},\"previousStatus\":\"Unhealthy\",\"currentStatus\":\"Healthy\",\"issue\":\"\",\"lastUpdatedAt\":1717141247000}}",
 				"Timestamp": "2024-05-31T07:53:16.192Z",
 				"SignatureVersion": "1",
 				"Signature": "EXAMPLE",
@@ -106,7 +106,7 @@ runtimeMock.matchesEventWithDetail(healthyRuntimeProtection, {
 		{
 			"short": true,
 			"title": "Account",
-			"value": "EXAMPLE",
+			"value": "CHILD-EXAMPLE",
 		},
 		{
 			"short": true,
@@ -157,7 +157,7 @@ const healthyECSGuardDuty = {
 				"MessageId": "b07dddbc-90ef-59d9-8a06-83643fa2dbc1",
 				"TopicArn": "arn:aws:sns:ap-southeast-2:EXAMPLE:aws-to-slack",
 				"Subject": null,
-				"Message": "{\"version\":\"0\",\"id\":\"a0b44948-7c77-790e-b927-481427f6a97b\",\"detail-type\":\"GuardDuty Runtime Protection Healthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-06-04T05:58:35Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"ECS\",\"ecsClusterDetails\":{\"clusterName\":\"buildkite-deploy-dev-Cluster-1O47RNJPQMRI6-EcsCluster-RPPZMvAnkFJP\",\"fargateDetails\":{\"issues\":[],\"managementType\":\"AUTO_MANAGED\"},\"containerInstanceDetails\":{\"coveredContainerInstances\":0,\"compatibleContainerInstances\":0}}},\"previousStatus\":\"Unhealthy\",\"currentStatus\":\"Healthy\",\"issue\":\"\",\"lastUpdatedAt\":1717480351457}}",
+				"Message": "{\"version\":\"0\",\"id\":\"a0b44948-7c77-790e-b927-481427f6a97b\",\"detail-type\":\"GuardDuty Runtime Protection Healthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-06-04T05:58:35Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"CHILD-EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"ECS\",\"ecsClusterDetails\":{\"clusterName\":\"buildkite-deploy-dev-Cluster-1O47RNJPQMRI6-EcsCluster-RPPZMvAnkFJP\",\"fargateDetails\":{\"issues\":[],\"managementType\":\"AUTO_MANAGED\"},\"containerInstanceDetails\":{\"coveredContainerInstances\":0,\"compatibleContainerInstances\":0}}},\"previousStatus\":\"Unhealthy\",\"currentStatus\":\"Healthy\",\"issue\":\"\",\"lastUpdatedAt\":1717480351457}}",
 				"Timestamp": "2024-06-04T05:58:37.795Z",
 				"SignatureVersion": "1",
 				"Signature": "EXAMPLE",
@@ -180,7 +180,7 @@ runtimeMock.matchesEventWithDetail(healthyECSGuardDuty, {
 		{
 			"short": true,
 			"title": "Account",
-			"value": "EXAMPLE",
+			"value": "CHILD-EXAMPLE",
 		},
 		{
 			"short": true,
@@ -217,7 +217,7 @@ const unhealthyECSEvent = {
 				"MessageId": "daa6ae66-99d9-5e51-853f-f0b1e003cbfa",
 				"TopicArn": "arn:aws:sns:ap-southeast-2:EXAMPLE:aws-to-slack",
 				"Subject": null,
-				"Message": "{\"version\":\"0\",\"id\":\"7e706286-0e00-7515-f2be-0793fd3092d9\",\"detail-type\":\"GuardDuty Runtime Protection Unhealthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-06-03T07:58:16Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"ECS\",\"ecsClusterDetails\":{\"clusterName\":\"buildkite-deploy-dev-Cluster-1O47RNJPQMRI6-EcsCluster-RPPZMvAnkFJP\",\"fargateDetails\":{\"issues\":[\"Others : Unidentified issue(s), for task(s) in TaskDefinition 'buildkite:17' . Refer documentation\"],\"managementType\":\"AUTO_MANAGED\"},\"containerInstanceDetails\":{\"coveredContainerInstances\":0,\"compatibleContainerInstances\":0}}},\"previousStatus\":\"Healthy\",\"currentStatus\":\"Unhealthy\",\"issue\":\"\",\"lastUpdatedAt\":1717401173897}}",
+				"Message": "{\"version\":\"0\",\"id\":\"7e706286-0e00-7515-f2be-0793fd3092d9\",\"detail-type\":\"GuardDuty Runtime Protection Unhealthy\",\"source\":\"aws.guardduty\",\"account\":\"EXAMPLE\",\"time\":\"2024-06-03T07:58:16Z\",\"region\":\"ap-southeast-2\",\"resources\":[],\"detail\":{\"accountId\":\"CHILD-EXAMPLE\",\"resourceDetails\":{\"resourceType\":\"ECS\",\"ecsClusterDetails\":{\"clusterName\":\"buildkite-deploy-dev-Cluster-1O47RNJPQMRI6-EcsCluster-RPPZMvAnkFJP\",\"fargateDetails\":{\"issues\":[\"Others : Unidentified issue(s), for task(s) in TaskDefinition 'buildkite:17' . Refer documentation\"],\"managementType\":\"AUTO_MANAGED\"},\"containerInstanceDetails\":{\"coveredContainerInstances\":0,\"compatibleContainerInstances\":0}}},\"previousStatus\":\"Healthy\",\"currentStatus\":\"Unhealthy\",\"issue\":\"\",\"lastUpdatedAt\":1717401173897}}",
 				"Timestamp": "2024-06-03T07:58:18.667Z",
 				"SignatureVersion": "1",
 				"Signature": "EXAMPLE",
@@ -241,7 +241,7 @@ runtimeMock.matchesEventWithDetail(unhealthyECSEvent, {
 		{
 			"short": true,
 			"title": "Account",
-			"value": "EXAMPLE",
+			"value": "CHILD-EXAMPLE",
 		},
 		{
 			"short": true,