in detection-ml-wksp/aws_lambda/guardduty_ingest.py [0:0]
def get_tuples(finding):
    """
    Build one "<principal ID>,<source address>" record per source address
    in a GuardDuty finding.

    Findings whose resource carries no 'accessKeyDetails' produce no
    records. Source values ending in '.amazonaws.com' are dropped.

    :param finding: a GuardDuty finding (dict with a 'resource' key)
    :return: list of comma-joined 'principalId,address' strings
        (strings, not tuple objects)
    """
    resource = finding['resource']
    if 'accessKeyDetails' not in resource:
        # No access key on the resource, so there is no principal to pair with.
        return []

    key_details = resource['accessKeyDetails']

    # NOTE(review): the two fields are joined with a bare ',' and are not
    # escaped or quoted. A principalId that itself contains ',' (assumed-role
    # principal IDs embed a caller-chosen session name -- confirm the allowed
    # character set) would yield a record the consumer cannot split
    # unambiguously. Verify how the downstream reader parses these strings.
    #
    # NOTE(review): only the '.amazonaws.com' suffix is filtered; every other
    # value is passed through without checking that it is an IP address.
    return [
        '{},{}'.format(key_details['principalId'], address)
        for address in _extract_source_ips(finding)
        # Skip calls made by AWS service principals (hostname, not an IP).
        if not address.endswith('.amazonaws.com')
    ]