static void Main(string[] args) { String detectorId = "cdc02b15f9f520a8882c959g3e95c24b"; FindingCriteria criteria = new FindingCriteria(); Condition condition = new Condition(); condition.Eq.Add("Recon:EC2/PortProbeUnprotectedPort"); condition.Eq.Add("Recon:EC2/Portscan"); criteria.Criterion.Add("type", condition); using (var gdClient = new AmazonGuardDutyClient(RegionEndpoint.USWest2)) { var request = new ListFindingsRequest { DetectorId = detectorId, FindingCriteria = criteria, }; Task <ListFindingsResponse> response = gdClient.ListFindingsAsync(request); response.Wait(); foreach (String findingId in response.Result.FindingIds) { Console.WriteLine(findingId.ToString()); } } }
static int Main(string[] args) { foreach (var line in titleBanner) { Console.WriteLine(line); } if (args == null || args.Length == 0) { // Help screen foreach (var line in helpScreen) { Console.WriteLine(line); } System.Environment.Exit(-1); } Options options = null; Parser.Default.ParseArguments <Options>(args) .WithParsed(o => options = o) .WithNotParsed(errors => { foreach (var error in errors) { Console.WriteLine(error); } System.Environment.Exit(-2); }); // Setup AWS credentials var chain = new CredentialProfileStoreChain(); AWSCredentials awsCredentials; RegionEndpoint awsRegion; if (!string.IsNullOrWhiteSpace(options.Profile)) { if (!chain.TryGetAWSCredentials(options.Profile, out awsCredentials)) { Console.WriteLine($"Unable to retrieve credentials for profile {options.Profile}"); System.Environment.Exit(-3); return(-3); } CredentialProfile credentialProfile; if (!chain.TryGetProfile(options.Profile, out credentialProfile)) { Console.WriteLine($"Unable to retrieve credential profile for {options.Profile}"); System.Environment.Exit(-4); return(-4); } awsRegion = credentialProfile.Region ?? RegionEndpoint.GetBySystemName(options.Region); } else { if (string.IsNullOrWhiteSpace(options.AccessKeyId)) { Console.Error.WriteLine("No profile was specified, but an access key ID was not provided either."); System.Environment.Exit(-5); return(-5); } if (string.IsNullOrWhiteSpace(options.AccessKeySecret)) { Console.Error.WriteLine("No profile was specified, but an access key secret was not provided either."); System.Environment.Exit(-6); return(-6); } awsCredentials = new BasicAWSCredentials(options.AccessKeyId, options.AccessKeySecret); awsRegion = RegionEndpoint.GetBySystemName(options.Region); } var cts = new CancellationTokenSource(); var getFindingsTask = Task.Run(new Func <Task <Tuple <object, Exception> > >(async() => { var client = new AmazonGuardDutyClient(awsCredentials, awsRegion); var detectorRequest = new ListDetectorsRequest(); var detectorResponse = await client.ListDetectorsAsync(detectorRequest, cts.Token); dynamic bundle = new ExpandoObject(); bundle.type = "bundle"; bundle.id = $"guardduty-stix-{DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", System.Globalization.CultureInfo.InvariantCulture)}"; bundle.spec_version = "2.0"; var objects = new List <object>(); foreach (var detectorId in detectorResponse.DetectorIds) { var listFindingsRequest = new ListFindingsRequest() { DetectorId = detectorId, /*FindingCriteria = new FindingCriteria * { * Criterion = { { "service.archived", new Condition { Eq = { "FALSE" } } } } * }*/ }; try { // Get list of findings var listFindingsResponse = await client.ListFindingsAsync(listFindingsRequest, cts.Token); // For the list, get the details var getFindingsRequest = new GetFindingsRequest() { DetectorId = detectorId, FindingIds = listFindingsResponse.FindingIds }; var getFindingsResponse = await client.GetFindingsAsync(getFindingsRequest, cts.Token); foreach (var finding in getFindingsResponse.Findings) { var sdo = await ConvertFindingToStixAsync(finding); objects.Add(sdo); } } catch (Exception e) { await Console.Error.WriteLineAsync(e.ToString()); return(new Tuple <object, Exception>(null, e)); } } bundle.objects = objects; return(new Tuple <object, Exception>(bundle, null)); })); if (!Task.WaitAll(new[] { getFindingsTask }, 60000, cts.Token)) { Console.Error.WriteLine("Failed to complete within 60 seconds, aborted."); System.Environment.Exit(-7); return(-7); } var result = getFindingsTask.Result; if (result.Item2 != null) { Console.Error.WriteLine($"Unable to parse output: {result.Item2.ToString()}"); System.Environment.Exit(-8); return(-8); } if (string.IsNullOrWhiteSpace(options.OutputFile)) { Console.Out.WriteLine(Newtonsoft.Json.JsonConvert.SerializeObject(result.Item1)); } else { try { using (var fs = new FileStream(options.OutputFile, FileMode.Create, FileAccess.Write)) using (var sw = new StreamWriter(fs)) { sw.Write(Newtonsoft.Json.JsonConvert.SerializeObject(result.Item1)); } Console.Out.WriteLine($"Output saved to file {options.OutputFile}"); } catch (Exception e) { Console.Error.WriteLine($"Unable to write file: {e.ToString()}"); System.Environment.Exit(-9); return(-9); } } return(0); }