steampipe plugin install aws

Table: aws_guardduty_threat_intel_set - Query AWS GuardDuty ThreatIntelSet using SQL

A GuardDuty ThreatIntelSet is a list of known malicious IP addresses that you upload to Amazon S3 as a text file and register with a GuardDuty detector. GuardDuty then generates findings for activity that involves those addresses, so the set lets you extend GuardDuty's built-in threat intelligence with feeds of your own choosing.

Table Usage Guide

The aws_guardduty_threat_intel_set table in Steampipe provides information about the threat intelligence sets associated with each GuardDuty detector. As a security analyst you can query the name, format, S3 location and status of every set, for example to find sets that are not currently active or to review where each feed file is hosted. The schema exposes the threat intelligence set ID, detector ID, name, format, location, status and tags.
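Because the location column is the S3 URI of the feed file, it can be checked against the buckets Steampipe can see. The following query is an added example, not one from the Steampipe documentation: it extracts the bucket name from each location and reports whether that bucket exists in any connected account (a feed pulled from a bucket you do not control can be changed by whoever does). It assumes the aws_s3_bucket table of the same plugin is queryable with S3 read permission in every connection, and that locations use the s3://bucket/key or https://s3.amazonaws.com/bucket/key forms; any other form is reported as unparsed rather than guessed.

```sql
-- Added example (not from the Steampipe docs): audit where each GuardDuty
-- threat intel feed file is hosted. The regex handles the two location forms
-- assumed above and extracts the bucket name; anything else yields NULL.
with feeds as (
  select
    account_id,
    region,
    detector_id,
    name,
    status,
    location,
    substring(location from '^(?:s3://|https://s3[^/]*\.amazonaws\.com/)([^/]+)') as bucket
  from
    aws_guardduty_threat_intel_set
)
select
  f.account_id,
  f.region,
  f.detector_id,
  f.name,
  f.status,
  f.location,
  f.bucket,
  case
    when f.bucket is null then 'unparsed location: review manually'
    when b.name is null then 'bucket not found in any connected account'
    else 'bucket owned by account ' || b.account_id
  end as hosting
from
  feeds f
  -- assumption: aws_s3_bucket is queryable in every connection; a bucket
  -- that exists but is outside your connections also shows as "not found"
  left join aws_s3_bucket b on b.name = f.bucket
order by
  hosting,
  f.account_id,
  f.region;
```

Rows reported as "not found" are the ones to follow up: either the bucket belongs to an account Steampipe is not connected to (expected for a central security account feeding member accounts) or the feed is hosted somewhere you do not control.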

Examples

Basic info

List every threat intelligence set attached to a GuardDuty detector, together with its format and the S3 location of the feed file. This gives you an inventory of the feeds in use and their configuration before you review or change them.

select
detector_id,
threat_intel_set_id,
name,
format,
location
from
aws_guardduty_threat_intel_set;

List disabled threat intel sets

Identify instances where the threat intelligence sets in your AWS GuardDuty service have been deactivated. This is useful for security audits or when reviewing your threat detection capabilities.

select
threat_intel_set_id,
status
from
aws_guardduty_threat_intel_set
where
status = 'INACTIVE';

Schema for aws_guardduty_threat_intel_set

Name                | Type  | Operators                        | Description
_ctx                | jsonb |                                  | Steampipe context in JSON form.
account_id          | text  | =, !=, ~~, ~~*, !~~, !~~*        | The AWS Account ID in which the resource is located.
akas                | jsonb |                                  | Array of globally unique identifier strings (also known as) for the resource.
detector_id         | text  | =                                | The ID of the detector.
format              | text  |                                  | The format of the threatIntelSet (TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT or FIRE_EYE).
location            | text  |                                  | The URI of the file that contains the ThreatIntelSet.
name                | text  |                                  | A ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
partition           | text  |                                  | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region              | text  |                                  | The AWS Region in which the resource is located.
sp_connection_name  | text  | =, !=, ~~, ~~*, !~~, !~~*        | Steampipe connection name.
sp_ctx              | jsonb |                                  | Steampipe context in JSON form.
status              | text  |                                  | The status of the uploaded threatIntelSet file (INACTIVE, ACTIVATING, ACTIVE, DEACTIVATING, ERROR, DELETE_PENDING or DELETED).
tags                | jsonb |                                  | A map of tags for the resource.
threat_intel_set_id | text  | =                                | The ID of the ThreatIntelSet.
title               | text  |                                  | Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_guardduty_threat_intel_set