{ "version": "0", "id": "3310c2dd-deb3-97ff-595d-28e57b1ff9e7", "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub", "account": "123456789012", "time": "2021-10-30T00:07:08Z", "region": "us-west-2", "resources": [ "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:123456789012:detector/e2b94c2eb2e1dcd5f66cd618f9ee7797/finding/30bdf43482e150d57320f2c16ca58782" ], "detail": { "findings": [ { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Types": [ "TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS" ], "SourceUrl": "https://us-west-2.console.aws.amazon.com/guardduty/home?region=us-west-2#/findings?macros=current&fId=30bdf43482e150d57320f2c16ca58782", "Description": "EC2 instance i-99999999 is querying a domain name associated with a known Command & Control server.", "ProductName": "GuardDuty", "SchemaVersion": "2018-10-08", "FirstObservedAt": "2021-09-15T06:41:53.000Z", "GeneratorId": "arn:aws:guardduty:us-west-2:123456789012:detector/e2b94c2eb2e1dcd5f66cd618f9ee7797", "CreatedAt": "2021-09-15T07:43:22.050Z", "RecordState": "ACTIVE", "Title": "Command and Control server domain name queried by EC2 instance i-99999999.", "Workflow": { "Status": "NEW" }, "LastObservedAt": "2021-10-29T22:47:04.000Z", "Severity": { "Normalized": 60, "Label": "HIGH", "Product": 8 }, "UpdatedAt": "2021-10-29T23:45:33.944Z", "CompanyName": "Amazon", "FindingProviderFields": { "Types": [ "TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS" ], "Severity": { "Normalized": 60, "Label": "HIGH", "Product": 8 } }, "WorkflowState": "NEW", "ProductFields": { "aws/guardduty/service/action/dnsRequestAction/blocked": "false", "aws/guardduty/service/additionalInfo/threatListName": "TestDomain", "aws/guardduty/service/archived": "false", "aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatNames": "[]", "aws/guardduty/service/resourceRole": "TARGET", "aws/guardduty/service/count": "12", "aws/guardduty/service/action/dnsRequestAction/domain": "guarddutyc2activityb.com", "aws/guardduty/service/serviceName": "guardduty", "aws/guardduty/service/action/dnsRequestAction/protocol": "UDP", "aws/guardduty/service/detectorId": "e2b94c2eb2e1dcd5f66cd618f9ee7797", "aws/guardduty/service/eventFirstSeen": "2021-09-15T06:41:53.000Z", "aws/guardduty/service/eventLastSeen": "2021-10-29T22:47:04.000Z", "aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatListName": "TestDomain", "aws/guardduty/service/action/actionType": "DNS_REQUEST", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:123456789012:detector/e2b94c2eb2e1dcd5f66cd618f9ee7797/finding/30bdf43482e150d57320f2c16ca58782", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/CompanyName": "Amazon" }, "AwsAccountId": "123456789012", "Region": "us-west-2", "Id": "arn:aws:guardduty:us-west-2:123456789012:detector/e2b94c2eb2e1dcd5f66cd618f9ee7797/finding/30bdf43482e150d57320f2c16ca58782", "Resources": [ { "Partition": "aws", "Type": "AwsEc2Instance", "Details": { "AwsEc2Instance": { "Type": "m4.large", "VpcId": "GeneratedFindingVPCId", "ImageId": "ami-99999999", "IpV4Addresses": [ "172.16.0.30" ], "SubnetId": "subnet-064b678143ce5acac", "LaunchedAt": "2021-09-15T06:29:46.000Z", "IamInstanceProfileArn": "arn:aws:iam::123456789012:example/instance/profile" } }, "Region": "us-west-2", "Id": "arn:aws:ec2:us-west-2:123456789012:instance/i-99999999", "Tags": { "GeneratedFindingInstaceTag1": "GeneratedFindingInstaceTagValue1", "GeneratedFindingInstaceTag2": "GeneratedFindingInstaceTagValue2", "GeneratedFindingInstaceTag3": "GeneratedFindingInstaceTagValue3", "GeneratedFindingInstaceTag4": "GeneratedFindingInstaceTagValue4", "GeneratedFindingInstaceTag5": "GeneratedFindingInstaceTagValue5", "GeneratedFindingInstaceTag6": "GeneratedFindingInstaceTagValue6" } } ] } ] } }