GuardDuty is a valuable source of visibility into threats against your infrastructure. However, it can produce a large number of findings. This query shows the distribution of findings which be used to assess the posture of an account.
SELECT severity,count(1) AS total_rowsFROM panther_logs.public.aws_guarddutyWHERE p_occurs_between('2021-01-01', '2021-02-01')GROUP BY severityORDER BY total_rows DESC
SELECT severity,count(1) AS total_rowsFROM panther_logs.aws_guarddutyWHERE p_occurs_between('2021-01-01', '2021-02-01')GROUP BY severityORDER BY total_rows DESC
Rank all GuardDuty alerts by affected resources
Similar to the above example, but in this example the query characterizes the findings by ranking affected resources.
SELECTresource:resourceType AS resource_type,count(1) AS total_rowsFROM panther_logs.public.aws_guarddutyWHERE p_occurs_between('2021-01-01', '2021-02-01')GROUP BYresource:resourceTypeORDER BY total_rows DESC
SELECT json_extract(resource, '$.resourcetype') AS resource_type,count(1) AS total_rowsFROM panther_logs.aws_guarddutyWHERE p_occurs_between('2021-01-01', '2021-02-01')GROUP BY json_extract(resource, '$.resourcetype')ORDER BY total_rows DESC
