aws: guardduty datastream collects duplicated documents

[efd6]

We have a case where the GuardDuty datastream is collecting documents more than once. This appears to be due to the API returning the same pagination cursor more than once in a pagination sequence.

For example in the pagination sequence that starts from this seed request (identifying details obfuscated in all quoted logs):

{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:12:21.233Z",
  "message": "HTTP request",
  "transaction.id": "... -391",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701144000000\"}}},\"maxResults\":50,\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 183,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}

We get the following request/response/request sequence (note response's http.response.body.content and http.response.body.bytes, and the http.request.body.content in the final request):

{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:12:22.216Z",
  "message": "HTTP request",
  "transaction.id": "... -395",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701144000000\"}}},\"maxResults\":50,\"nextToken\":\"1701142787842-1701142787000-md5sum(4b32102b95b3986057cc16a660419069)\",\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 258,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:12:22.316Z",
  "message": "HTTP response",
  "transaction.id": "... -395",
  "http.response.status_code": 200,
  "http.response.body.content": md5sum(1d166755ca9ad65949bf55eee7e9b181),
  "http.response.body.bytes": 1841,
  "http.response.mime_type": "application/json",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:12:22.518Z",
  "message": "HTTP request",
  "transaction.id": "... -396",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701144000000\"}}},\"maxResults\":50,\"nextToken\":\"1701142787857-1701142787000-md5sum(fcc045188185e1c27e14fdc6b66e2493)\",\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 258,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}

In the same pagination sequence (i.e. not after a new seed request), we get the following set of three logs that show exactly the same http.response.body.content and http.request.body.content.

{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:27:22.110Z",
  "message": "HTTP request",
  "transaction.id": "... -401",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701144000000\"}}},\"maxResults\":50,\"nextToken\":\"1701142787842-1701142787000-md5sum(4b32102b95b3986057cc16a660419069)\",\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 258,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:27:22.219Z",
  "message": "HTTP response",
  "transaction.id": "... -401",
  "http.response.status_code": 200,
  "http.response.body.content": md5sum(1d166755ca9ad65949bf55eee7e9b181),
  "http.response.body.bytes": 1841,
  "http.response.mime_type": "application/json",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-11-28T04:27:22.417Z",
  "message": "HTTP request",
  "transaction.id": "... -402",
  "url.original": "https://guardduty. ... .amazonaws.com/detector/.../findings",
  "url.scheme": "https",
  "url.path": "/detector/.../findings",
  "url.domain": "guardduty. ... .amazonaws.com",
  "url.port": "",
  "url.query": "",
  "http.request.method": "POST",
  "user_agent.original": "...",
  "http.request.body.content": "{\"findingCriteria\":{\"criterion\":{\"updatedAt\":{\"greaterThan\":\"1701140400000\",\"lessThan\":\"1701144000000\"}}},\"maxResults\":50,\"nextToken\":\"1701142787857-1701142787000-md5sum(fcc045188185e1c27e14fdc6b66e2493)\",\"sortCriteria\":{\"attributeName\":\"updatedAt\",\"orderBy\":\"ASC\"}}",
  "http.request.body.bytes": 258,
  "http.request.mime_type": "application/json",
  "ecs.version": "1.6.0"
}

In the case where this is observed, this result it duplicated documents in the index. This should not be happening due to fingerprinting, but that is independent of this. We should not be receiving/collecting duplicated documents. If this is a limitation of the API we need to find a work around and if we are holding the API incorrectly, we need to fix that.

Steps to address

• Document limitation of data stream: [AWS GuardDuty] - Updated docs to address data duplication issue when using GuardDuty API #15858 (released in 4.5.0)
• Re-write data stream using CEL input: blocked

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

Taking a fresh look at this and it appears that the two sequences are not part of the same cursor pagination sequence. This is indicated by the timestamps on the two log excerpts, being 15 minutes apart.

On the basis of this, it looks like this is an issue with last execution template evaluation.

The issue appears to be due to a one-hour truncation here. The offset in the expression may be less than an hour (15m in the case of the system that the original issue was identified on) which would result in refetch of the same data for ⌈60/interval⌉ times where interval is minutes (under 60). Worse, if the interval is less than one hour and the interval does not span the cutover, the duration between the lower and upper bound of the request will be zero. It's unclear to me why there should be a truncation there.

[narph]

@efd6, has this issue been fixed by the linked PR, if not, is there a clear direction on the implemention?

[efd6]

In the PR I wrote "Not marking as closing the issue as I think there are still problems with the template evaluation that are not currently diagnosable with HTTPJSON's existing template logging (will be able to look at this when v8.11 is more prevalent )." Nothing has changed except that v8.11+ will be more prevalent and so if we see the issue it will be easier to debug. We could close this now if you want, with a view to either reopening or opening a new issue if there is a new report.

[efd6]

I have an answer about "It's unclear to me why there should be a truncation there."

From Crest:

The AWS API is restrictive, particularly in that we must keep the greaterThan and lessThan parameters exactly the same across all pagination calls; otherwise, the AWS API returns an error.

In the beginning of data collection, we used the current time (now) here to set these parameters for the first call. However, by the time we made subsequent pagination requests, now had changed, resulting in errors because there was no way to retrieve the date from the last request's body. To resolve this issue, we've truncated the date to the nearest hour, which has corrected the problem.

This means that the truncation would not be required if the data stream were re-written to use CEL, since there we can keep the timestamp value across all pagination requests by including it in the returned state.