
我是来自一些 dotnet 经验的 Python 新手,所以如果这对 Python 没有意义,请告诉我。

我的意图是获取 json GuardDuty 发现(下面的示例)并使用 json 内容实例化一个类。我将使用这个类,用表中的数据填充 HTML 页面,模仿 AWS GuardDuty 控制台的外观,并且该类将具有响应发现的方法(例如:对于 EC2:关闭、快照、移动到隔离 VPC / 对于 IAM:恢复角色)

GuardDuty 调查结果(原始 json)
类型:Recon:EC2/Portscan:

{
    "schemaVersion": "2.0",
    "accountId": "accountid",
    "region": "us-east-1",
    "partition": "aws",
    "id": "findingid",
    "arn": "arn:aws:guardduty:us-east-1:accountid:detector/detectorid/finding/findingid",
    "type": "Recon:EC2/Portscan",
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {
            "instanceId": "i-99999999",
            "instanceType": "m3.xlarge",
            "outpostArn": "arn:aws:outposts:us-west-2:accountid:outpost/outpostid",
            "launchTime": "2016-08-02T02:05:06Z",
            "platform": null,
            "productCodes": [
                {
                    "productCodeId": "GeneratedFindingProductCodeId",
                    "productCodeType": "GeneratedFindingProductCodeType"
                }
            ],
            "iamInstanceProfile": {
                "arn": "arn:aws:iam::accountid:example/instance/profile",
                "id": "GeneratedFindingInstanceProfileId"
            },
            "networkInterfaces": [
                {
                    "ipv6Addresses": [],
                    "networkInterfaceId": "eni-bfcffe88",
                    "privateDnsName": "GeneratedFindingPrivateDnsName",
                    "privateIpAddress": "10.0.0.1",
                    "privateIpAddresses": [
                        {
                            "privateDnsName": "GeneratedFindingPrivateName",
                            "privateIpAddress": "10.0.0.1"
                        }
                    ],
                    "subnetId": "GeneratedFindingSubnetId",
                    "vpcId": "GeneratedFindingVPCId",
                    "securityGroups": [
                        {
                            "groupName": "GeneratedFindingSecurityGroupName",
                            "groupId": "GeneratedFindingSecurityId"
                        }
                    ],
                    "publicDnsName": "GeneratedFindingPublicDNSName",
                    "publicIp": "198.51.100.0"
                }
            ],
            "tags": [
                {
                    "key": "GeneratedFindingInstaceTag1",
                    "value": "GeneratedFindingInstaceValue1"
                },
                {
                    "key": "GeneratedFindingInstaceTag2",
                    "value": "GeneratedFindingInstaceTagValue2"
                },
                {
                    "key": "GeneratedFindingInstaceTag3",
                    "value": "GeneratedFindingInstaceTagValue3"
                },
                {
                    "key": "GeneratedFindingInstaceTag4",
                    "value": "GeneratedFindingInstaceTagValue4"
                },
                {
                    "key": "GeneratedFindingInstaceTag5",
                    "value": "GeneratedFindingInstaceTagValue5"
                },
                {
                    "key": "GeneratedFindingInstaceTag6",
                    "value": "GeneratedFindingInstaceTagValue6"
                },
                {
                    "key": "GeneratedFindingInstaceTag7",
                    "value": "GeneratedFindingInstaceTagValue7"
                },
                {
                    "key": "GeneratedFindingInstaceTag8",
                    "value": "GeneratedFindingInstaceTagValue8"
                },
                {
                    "key": "GeneratedFindingInstaceTag9",
                    "value": "GeneratedFindingInstaceTagValue9"
                }
            ],
            "instanceState": "running",
            "availabilityZone": "GeneratedFindingInstaceAvailabilityZone",
            "imageId": "ami-99999999",
            "imageDescription": "GeneratedFindingInstaceImageDescription"
        }
    },
    "service": {
        "serviceName": "guardduty",
        "detectorId": "detectorid",
        "action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "OUTBOUND",
                "localIpDetails": {
                    "ipAddressV4": "10.0.0.23"
                },
                "remoteIpDetails": {
                    "ipAddressV4": "198.51.100.0",
                    "organization": {
                        "asn": "-1",
                        "asnOrg": "GeneratedFindingASNOrg",
                        "isp": "GeneratedFindingISP",
                        "org": "GeneratedFindingORG"
                    },
                    "country": {
                        "countryName": "GeneratedFindingCountryName"
                    },
                    "city": {
                        "cityName": "GeneratedFindingCityName"
                    },
                    "geoLocation": {
                        "lat": 0,
                        "lon": 0
                    }
                },
                "remotePortDetails": {
                    "port": 797,
                    "portName": "Unknown"
                },
                "localPortDetails": {
                    "port": 24844,
                    "portName": "Unknown"
                },
                "protocol": "TCP",
                "blocked": false
            }
        },
        "resourceRole": "ACTOR",
        "additionalInfo": {
            "portsScannedSample": [
                855,
                738,
                837,
                819,
                792,
                882,
                756,
                678,
                732,
                714,
                400,
                813,
                795,
                822,
                696,
                735,
                708,
                690,
                654,
                717
            ],
            "sample": true
        },
        "eventFirstSeen": "2021-06-15T17:11:33.303Z",
        "eventLastSeen": "2021-06-15T17:11:33.303Z",
        "archived": false,
        "count": 1
    },
    "severity": 5,
    "createdAt": "2021-06-15T17:11:33.303Z",
    "updatedAt": "2021-06-15T17:11:33.303Z",
    "title": "Outbound portscan from EC2 instance i-99999999.",
    "description": "EC2 instance i-99999999 is performing outbound port scans against remote host 198.51.100.0."
}

示例表:

概述
严重性 严重性
地区 地区
数数 数数
帐户ID 帐户ID
资源 ID 资源 ID

对于该类,我通过查找类型来创建一个类:EC2、IAM 或 S3。这些发现中的每一个都有子类型(对于 EC2:Trojan、Recon、Backdoor / IAM:Discovery、Exfiltration),这些子类型的属性可能略有不同,但我有一个所有可能组合的列表。我应该将这些作为可为空的初始化属性放入类中,还是应该在初始化后执行 **kwargs 之类的验证,可能在方法或 getter/setter 中?

