def check_gd_backdoor()

in security_hub_correlation_cdk/lambdas/create_sh_finding/create_sh_finding.py [0:0]


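def check_gd_backdoor(sh_resource, ddbtable):
    """Return the first stored GuardDuty EC2 "Backdoor" finding for a resource.

    The DynamoDB table is queried once per finding type in the fixed
    allow-list below, against the ``DYNAMODB_GSI_TYPE`` index keyed on
    ``ResourceId`` / ``Types``. Only exact, parameterized key conditions are
    used, so the caller-supplied ``sh_resource`` is never interpolated into
    an expression string.

    Args:
        sh_resource: Security Hub resource identifier used as the
            ``ResourceId`` partition key value.
        ddbtable: boto3 DynamoDB ``Table`` resource to query.

    Returns:
        The raw ``query`` response (a dict with ``Items``/``Count``) for the
        first listed type that has at least one stored item, or ``None`` when
        no type matches.

    Caveat:
        A ``ClientError`` from DynamoDB is logged and also yields ``None``,
        so a failed lookup is indistinguishable from "no backdoor finding"
        to the caller (the correlation fails open). Any other exception
        propagates.
    """
    # Exact GuardDuty finding types treated as EC2 backdoor indicators.
    gd_backdoor_list = (
        'TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp',
        'TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp',
        'TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns',
        'TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts',
        'TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol',
        'TTPs/Command and Control/Backdoor:EC2-Spambot',
        'TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS',
        'TTPs/Command and Control/Backdoor:EC2-C&CActivity.B',
    )
    try:
        for item in gd_backdoor_list:
            backdoor_payload = ddbtable.query(
                IndexName=DYNAMODB_GSI_TYPE,
                KeyConditionExpression=(
                    Key('ResourceId').eq(sh_resource) & Key('Types').eq(item)
                ),
            )
            # Stop at the first type with a stored item; later types are
            # not consulted.
            if backdoor_payload['Count'] >= 1:
                logger.info(
                    'Found GuardDuty EC2 backdoor finding %s for %s.',
                    item, sh_resource,
                )
                return backdoor_payload
    except ClientError as error_handle:
        # botocore's ClientError exposes the service error under
        # ``.response``; the previous ``.dynamodb_match`` attribute does not
        # exist and raised AttributeError inside the handler.
        logger.error(error_handle.response['Error']['Code'])
    return None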