in detection-ml-wksp/aws_lambda/guardduty_ingest.py [0:0]
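def _extract_source_ips(finding, key_in_additional_info=None):
    """
    Extracts source IP addresses from a GuardDuty finding.
    https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

    Only the 'ipAddressV4' value of each 'remoteIpDetails' is collected.
    For PORT_PROBE actions every entry of 'portProbeDetails' is inspected,
    not just the first, because one finding can aggregate probes from several
    remote hosts and dropping the rest loses indicators. A finding whose
    action, action details or IPv4 field is missing yields no address for
    that part instead of raising, so a single malformed record does not abort
    ingestion of the rest of the batch.

    :param finding: a GuardDuty finding (mapping; must contain 'service')
    :param key_in_additional_info: key name in 'additionalInfo' field for extraction
    :return: set of source IP address strings
    """
    source_ips = set()
    service = finding['service']
    action = service.get('action') or {}
    action_type = action.get('actionType')

    # Action types whose remote-host details sit directly under one sub-key.
    single_remote_key = {
        'AWS_API_CALL': 'awsApiCallAction',
        'NETWORK_CONNECTION': 'networkConnectionAction',
    }
    if action_type in single_remote_key:
        details = [action.get(single_remote_key[action_type]) or {}]
    elif action_type == 'PORT_PROBE':
        # Each probe detail carries its own remoteIpDetails; walk all of them.
        details = (action.get('portProbeAction') or {}).get('portProbeDetails') or []
    else:
        details = []

    for detail in details:
        ip = _remote_ipv4(detail)
        if ip:
            source_ips.add(ip)

    # Caller-selected list under 'additionalInfo'; each item is expected to be
    # a mapping carrying its own 'ipAddressV4'. Anything else is skipped.
    extra_items = (service.get('additionalInfo') or {}).get(key_in_additional_info) or []
    for item in extra_items:
        if isinstance(item, dict) and item.get('ipAddressV4'):
            source_ips.add(item['ipAddressV4'])
    return source_ips


def _remote_ipv4(detail):
    """Return detail['remoteIpDetails']['ipAddressV4'], or None if any part is absent."""
    if not isinstance(detail, dict):
        return None
    return (detail.get('remoteIpDetails') or {}).get('ipAddressV4')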