Documentation ¶
Index ¶
- Variables
- type ALB
- type ALBParser
- type AWSExtractor
- type AWSPantherLog
- func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
- func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
- func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
- type AuroraMySQLAudit
- type AuroraMySQLAuditParser
- type CloudTrail
- type CloudTrailParser
- type CloudTrailRecords
- type CloudTrailResources
- type CloudTrailSessionContext
- type CloudTrailSessionContextAttributes
- type CloudTrailSessionContextSessionIssuer
- type CloudTrailSessionContextWebIDFederationData
- type CloudTrailUserIdentity
- type GuardDuty
- type GuardDutyParser
- type GuardDutyService
- type S3ServerAccess
- type S3ServerAccessParser
- type VPCFlow
- type VPCFlowParser
Constants ¶
This section is empty.
Variables ¶
var ALBDesc = `` /* 197-byte string literal not displayed */
var AuroraMySQLAuditDesc = `` /* 187-byte string literal not displayed */
var CloudTrailDesc = `` /* 193-byte string literal not displayed */
var GuardDutyDesc = `` /* 259-byte string literal not displayed */
var S3ServerAccessDesc = `` /* 141-byte string literal not displayed */
var VPCFlowDesc = `` /* 210-byte string literal not displayed */
Functions ¶
This section is empty.
Types ¶
type ALB ¶
type ALB struct { Type *string `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."` Timestamp *timestamp.RFC3339 `` /* 198-byte string literal not displayed */ ELB *string `` /* 168-byte string literal not displayed */ ClientIP *string `json:"clientIp,omitempty" description:"The IP address of the requesting client."` ClientPort *int `json:"clientPort,omitempty" description:"The port of the requesting client."` TargetIP *string `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."` TargetPort *int `json:"targetPort,omitempty" description:"The port of the target that processed this request."` RequestProcessingTime *float64 `` /* 513-byte string literal not displayed */ TargetProcessingTime *float64 `` /* 536-byte string literal not displayed */ ResponseProcessingTime *float64 `` /* 579-byte string literal not displayed */ ELBStatusCode *int `` /* 127-byte string literal not displayed */ TargetStatusCode *int `` /* 202-byte string literal not displayed */ ReceivedBytes *int `` /* 257-byte string literal not displayed */ SentBytes *int `` /* 232-byte string literal not displayed */ RequestHTTPMethod *string `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."` RequestURL *string `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."` RequestHTTPVersion *string `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."` UserAgent *string `` /* 243-byte string literal not displayed */ SSLCipher *string `` /* 141-byte string literal not displayed */ SSLProtocol *string `` /* 145-byte string literal not displayed */ TargetGroupARN *string `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."` TraceID *string `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."` DomainName *string `` /* 280-byte string literal not displayed */ ChosenCertARN *string `` /* 243-byte string literal not displayed */ MatchedRulePriority *int `` /* 338-byte string literal not displayed */ RequestCreationTime *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."` ActionsExecuted []string `` /* 270-byte string literal not displayed */ RedirectURL *string `` /* 181-byte string literal not displayed */ ErrorReason *string `` /* 278-byte string literal not displayed */ // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type ALBParser ¶
type ALBParser struct {
CSVReader *csvstream.StreamingCSVReader
}
ALBParser parses AWS Application Load Balancer logs
type AWSExtractor ¶ added in v0.2.0
type AWSExtractor struct {
// contains filtered or unexported fields
}
extracts useful AWS features that can be detected generically (w/context)
func NewAWSExtractor ¶ added in v0.2.0
func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor
func (*AWSExtractor) Extract ¶ added in v0.2.0
func (e *AWSExtractor) Extract(key, value gjson.Result)
type AWSPantherLog ¶ added in v0.2.0
type AWSPantherLog struct { parsers.PantherLog PantherAnyAWSAccountIds *parsers.PantherAnyString `` /* 131-byte string literal not displayed */ PantherAnyAWSInstanceIds *parsers.PantherAnyString `` /* 133-byte string literal not displayed */ PantherAnyAWSARNs *parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"` PantherAnyAWSTags *parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"` }
nolint(lll)
func (*AWSPantherLog) AppendAnyAWSARNPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSARNs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSAccountIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSInstanceIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSTagPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSTags ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
NOTE: value should be of the form <key>:<value>
type AuroraMySQLAudit ¶
type AuroraMySQLAudit struct { Timestamp *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."` ServerHost *string `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."` Username *string `json:"username,omitempty" description:"The connected user name of the user."` Host *string `json:"host,omitempty" description:"The host that the user connected from."` ConnectionID *int `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."` QueryID *int `` /* 182-byte string literal not displayed */ Operation *string `` /* 216-byte string literal not displayed */ Database *string `json:"database,omitempty" description:"The active database, as set by the USE command."` Object *string `` /* 143-byte string literal not displayed */ RetCode *int `json:"retCode,omitempty" description:"The return code of the logged operation."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type AuroraMySQLAuditParser ¶
type AuroraMySQLAuditParser struct {
CSVReader *csvstream.StreamingCSVReader
}
AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs
func (*AuroraMySQLAuditParser) LogType ¶
func (p *AuroraMySQLAuditParser) LogType() string
LogType returns the log type supported by this parser
func (*AuroraMySQLAuditParser) New ¶ added in v0.3.0
func (p *AuroraMySQLAuditParser) New() parsers.LogParser
func (*AuroraMySQLAuditParser) Parse ¶
func (p *AuroraMySQLAuditParser) Parse(log string) []*parsers.PantherLog
Parse returns the parsed events or nil if parsing failed
type CloudTrail ¶
type CloudTrail struct { AdditionalEventData *jsoniter.RawMessage `` /* 128-byte string literal not displayed */ APIVersion *string `json:"apiVersion,omitempty" description:"Identifies the API version associated with the AwsApiCall eventType value."` AWSRegion *string `json:"awsRegion,omitempty" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."` ErrorCode *string `json:"errorCode,omitempty" description:"The AWS service error if the request returns an error."` ErrorMessage *string `` /* 246-byte string literal not displayed */ EventID *string `` /* 269-byte string literal not displayed */ EventName *string `` /* 139-byte string literal not displayed */ EventSource *string `` /* 196-byte string literal not displayed */ EventTime *timestamp.RFC3339 `` /* 137-byte string literal not displayed */ EventType *string `` /* 213-byte string literal not displayed */ EventVersion *string `json:"eventVersion,omitempty" validate:"required" description:"The version of the log event format."` ManagementEvent *bool `` /* 307-byte string literal not displayed */ ReadOnly *bool `json:"readOnly,omitempty" description:"Identifies whether this operation is a read-only operation."` RecipientAccountID *string `` /* 278-byte string literal not displayed */ RequestID *string `` /* 126-byte string literal not displayed */ RequestParameters *jsoniter.RawMessage `` /* 205-byte string literal not displayed */ Resources []CloudTrailResources `json:"resources,omitempty" description:"A list of resources accessed in the event."` ResponseElements *jsoniter.RawMessage `` /* 341-byte string literal not displayed */ ServiceEventDetails *jsoniter.RawMessage `` /* 131-byte string literal not displayed */ SourceIPAddress *string `` /* 309-byte string literal not displayed */ UserAgent *string `` /* 167-byte string literal not displayed */ UserIdentity *CloudTrailUserIdentity `json:"userIdentity,omitempty" validate:"required" description:"Information about the user that made a request."` VPCEndpointID *string `` /* 154-byte string literal not displayed */ // NOTE: added to end of struct to allow expansion later AWSPantherLog }
CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll
type CloudTrailParser ¶
type CloudTrailParser struct{}
CloudTrailParser parses CloudTrail logs
func (*CloudTrailParser) LogType ¶
func (p *CloudTrailParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudTrailParser) New ¶ added in v0.3.0
func (p *CloudTrailParser) New() parsers.LogParser
func (*CloudTrailParser) Parse ¶
func (p *CloudTrailParser) Parse(log string) []*parsers.PantherLog
Parse returns the parsed events or nil if parsing failed
type CloudTrailRecords ¶
type CloudTrailRecords struct {
Records []*CloudTrail `json:"Records" validate:"required,dive"`
}
type CloudTrailResources ¶
type CloudTrailResources struct { ARN *string `json:"arn"` AccountID *string `json:"accountId"` Type *string `json:"type"` }
CloudTrailResources are the AWS resources used in the API call.
type CloudTrailSessionContext ¶
type CloudTrailSessionContext struct { Attributes *CloudTrailSessionContextAttributes `json:"attributes,omitempty"` SessionIssuer *CloudTrailSessionContextSessionIssuer `json:"sessionIssuer,omitempty"` WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData,omitempty"` }
CloudTrailSessionContext provides information about a session created for temporary credentials.
type CloudTrailSessionContextAttributes ¶
type CloudTrailSessionContextAttributes struct { MfaAuthenticated *string `json:"mfaAuthenticated,omitempty"` CreationDate *string `json:"creationDate,omitempty"` }
CloudTrailSessionContextAttributes contains the attributes of the Session context object
type CloudTrailSessionContextSessionIssuer ¶
type CloudTrailSessionContextSessionIssuer struct { Type *string `json:"type,omitempty"` PrincipalID *string `json:"principalId,omitempty"` Arn *string `json:"arn,omitempty"` AccountID *string `json:"accountId,omitempty"` Username *string `json:"userName,omitempty"` }
CloudTrailSessionContextSessionIssuer contains information for the SessionContextSessionIssuer
type CloudTrailSessionContextWebIDFederationData ¶
type CloudTrailSessionContextWebIDFederationData struct { FederatedProvider *string `json:"federatedProvider,omitempty"` Attributes *jsoniter.RawMessage `json:"attributes,omitempty"` }
CloudTrailSessionContextWebIDFederationData contains Web ID federation data
type CloudTrailUserIdentity ¶
type CloudTrailUserIdentity struct { Type *string `json:"type,omitempty"` PrincipalID *string `json:"principalId,omitempty"` ARN *string `json:"arn,omitempty"` AccountID *string `json:"accountId,omitempty"` AccessKeyID *string `json:"accessKeyId,omitempty"` Username *string `json:"userName,omitempty"` SessionContext *CloudTrailSessionContext `json:"sessionContext,omitempty"` InvokedBy *string `json:"invokedBy,omitempty"` IdentityProvider *string `json:"identityProvider,omitempty"` }
CloudTrailUserIdentity contains details about the type of IAM identity that made the request.
type GuardDuty ¶
type GuardDuty struct { SchemaVersion *string `json:"schemaVersion" validate:"required" description:"The schema format version of this record."` AccountID *string `` /* 165-byte string literal not displayed */ Region *string `json:"region" validate:"required" description:"The AWS region in which the finding was generated."` Partition *string `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."` ID *string `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."` Arn *string `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."` Type *string `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."` Resource *jsoniter.RawMessage `` /* 154-byte string literal not displayed */ Severity *float32 `` /* 128-byte string literal not displayed */ CreatedAt *timestamp.RFC3339 `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."` UpdatedAt *timestamp.RFC3339 `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."` Title *string `json:"title" validate:"required" description:"A short description of the finding."` Description *string `json:"description" validate:"required" description:"A long description of the finding."` Service *GuardDutyService `json:"service" validate:"required" description:"Additional information about the affected service."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type GuardDutyParser ¶
type GuardDutyParser struct{}
VPCFlowParser parses AWS VPC Flow Parser logs
func (*GuardDutyParser) LogType ¶
func (p *GuardDutyParser) LogType() string
LogType returns the log type supported by this parser
func (*GuardDutyParser) New ¶ added in v0.3.0
func (p *GuardDutyParser) New() parsers.LogParser
func (*GuardDutyParser) Parse ¶
func (p *GuardDutyParser) Parse(log string) []*parsers.PantherLog
Parse returns the parsed events or nil if parsing failed
type GuardDutyService ¶
type GuardDutyService struct { AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo"` Action *jsoniter.RawMessage `json:"action"` ServiceName *string `json:"serviceName" validate:"required"` DetectorID *string `json:"detectorId" validate:"required"` ResourceRole *string `json:"resourceRole"` EventFirstSeen *timestamp.RFC3339 `json:"eventFirstSeen"` EventLastSeen *timestamp.RFC3339 `json:"eventLastSeen"` Archived *bool `json:"archived"` Count *int `json:"count"` }
type S3ServerAccess ¶
type S3ServerAccess struct { BucketOwner *string `` /* 196-byte string literal not displayed */ Bucket *string `` /* 230-byte string literal not displayed */ Time *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."` RemoteIP *string `` /* 190-byte string literal not displayed */ Requester *string `` /* 329-byte string literal not displayed */ RequestID *string `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."` Operation *string `` /* 188-byte string literal not displayed */ Key *string `` /* 132-byte string literal not displayed */ RequestURI *string `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."` HTTPStatus *int `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."` ErrorCode *string `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."` BytesSent *int `` /* 126-byte string literal not displayed */ ObjectSize *int `json:"objectsize,omitempty" description:"The total size of the object in question."` TotalTime *int `` /* 330-byte string literal not displayed */ TurnAroundTime *int `` /* 254-byte string literal not displayed */ Referrer *string `` /* 223-byte string literal not displayed */ UserAgent *string `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."` VersionID *string `` /* 133-byte string literal not displayed */ HostID *string `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."` SignatureVersion *string `` /* 166-byte string literal not displayed */ CipherSuite *string `` /* 136-byte string literal not displayed */ AuthenticationType *string `` /* 213-byte string literal not displayed */ HostHeader *string `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."` TLSVersion *string `` /* 194-byte string literal not displayed */ AdditionalFields []string `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type S3ServerAccessParser ¶
type S3ServerAccessParser struct {
CSVReader *csvstream.StreamingCSVReader
}
S3ServerAccessParser parses AWS S3 Server Access logs
func (*S3ServerAccessParser) LogType ¶
func (p *S3ServerAccessParser) LogType() string
LogType returns the log type supported by this parser
func (*S3ServerAccessParser) New ¶ added in v0.3.0
func (p *S3ServerAccessParser) New() parsers.LogParser
func (*S3ServerAccessParser) Parse ¶
func (p *S3ServerAccessParser) Parse(log string) []*parsers.PantherLog
Parse returns the parsed events or nil if parsing failed
type VPCFlow ¶
type VPCFlow struct { Version *int `` /* 165-byte string literal not displayed */ AccountID *string `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."` InterfaceID *string `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."` SrcAddr *string `` /* 258-byte string literal not displayed */ DstAddr *string `` /* 262-byte string literal not displayed */ SrcPort *int `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."` DstPort *int `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."` Protocol *int `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."` Packets *int `json:"packets,omitempty" description:"The number of packets transferred during the flow."` Bytes *int `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."` Start *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."` End *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."` Action *string `` /* 296-byte string literal not displayed */ LogStatus *string `` /* 413-byte string literal not displayed */ // extended custom fields VpcID *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."` SubNetID *string `` /* 131-byte string literal not displayed */ InstanceID *string `` /* 291-byte string literal not displayed */ TCPFlags *int `` /* 379-byte string literal not displayed */ Type *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."` PacketSrcAddr *string `` /* 518-byte string literal not displayed */ PacketDstAddr *string `` /* 526-byte string literal not displayed */ // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type VPCFlowParser ¶
type VPCFlowParser struct { CSVReader *csvstream.StreamingCSVReader // contains filtered or unexported fields }
VPCFlowParser parses AWS VPC Flow Parser logs
func (*VPCFlowParser) LogType ¶
func (p *VPCFlowParser) LogType() string
LogType returns the log type supported by this parser
func (*VPCFlowParser) New ¶ added in v0.3.0
func (p *VPCFlowParser) New() parsers.LogParser
func (*VPCFlowParser) Parse ¶
func (p *VPCFlowParser) Parse(log string) []*parsers.PantherLog
Parse returns the parsed events or nil if parsing failed