AWS guardduty documentation change
Summary
Added support for SHA-256 file hashes in threat entity lists across multiple formats (TXT, STIX, CSV, FireEye CSV, AlienVault CSV) with explicit limitations and usage examples.
Security assessment
The changes document new capabilities for uploading file hashes to threat intelligence lists, enhancing security monitoring features. There's no evidence of a specific vulnerability being fixed; instead, this expands existing security functionality by allowing detection of malicious files through hash-based indicators.
Diff
diff --git a/guardduty/latest/ug/guardduty_upload-lists.md b/guardduty/latest/ug/guardduty_upload-lists.md index abc99324f..da32f31ed 100644 --- a//guardduty/latest/ug/guardduty_upload-lists.md +++ b//guardduty/latest/ug/guardduty_upload-lists.md @@ -42 +42 @@ GuardDuty offers two implementation approaches: entity lists (recommended) and I -**Entity lists** support both IP addresses and domain names. They use direct Amazon Simple Storage Service (Amazon S3) access with a single IAM permission that doesn't impact IAM policy size limits across multiple Regions. +**Entity lists** support IP addresses, domain names, and SHA-256 file hashes. They use direct Amazon Simple Storage Service (Amazon S3) access with a single IAM permission that doesn't impact IAM policy size limits across multiple Regions. @@ -69,0 +70,2 @@ In an IP address list, the entries apply to CloudTrail and VPC Flow Logs in Amaz + * SHA-256 file hashes are supported only in threat entity lists. You cannot include file hashes in trusted entity lists or IP address lists. + @@ -85 +87 @@ GuardDuty accepts multiple file formats for your lists and entity lists, with a -This format supports IP addresses, CIDR ranges, and domain names. Each entry must appear on a separate line. +This format supports IP addresses, CIDR ranges, domain names, and SHA-256 file hashes. SHA-256 file hashes are supported only in threat entity lists. Each entry must appear on a separate line. @@ -95,0 +98,10 @@ This format supports IP addresses, CIDR ranges, and domain names. Each entry mus +###### Example for threat entity list with file hashes + + + 192.0.2.1 + 192.0.2.0/24 + example.com + example.org + *.example.org + a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 + @@ -103 +115 @@ This format supports IP addresses, CIDR ranges, and domain names. Each entry mus -This format supports IP addresses, CIDR block, and domain names. STIX allows you to include additional context with your threat intelligence. GuardDuty processes IP addresses, CIDR ranges, and domain names from the STIX indicators. +This format supports IP addresses, CIDR block, domain names, and SHA-256 file hashes. STIX allows you to include additional context with your threat intelligence. GuardDuty processes IP addresses, CIDR ranges, domain names, and SHA-256 file hashes from the STIX indicators. SHA-256 file hashes are supported only in threat entity lists. @@ -138,0 +151,57 @@ This format supports IP addresses, CIDR block, and domain names. STIX allows you + +###### Example for threat entity list with file hashes + + + <?xml version="1.0" encoding="UTF-8"?> + <stix:STIX_Package + xmlns:cyboxCommon="http://cybox.mitre.org/common-2" + xmlns:cybox="http://cybox.mitre.org/cybox-2" + xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" + xmlns:stix="http://stix.mitre.org/stix-1" + xmlns:indicator="http://stix.mitre.org/Indicator-2" + xmlns:stixCommon="http://stix.mitre.org/common-1" + xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" + xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1" + xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" + id="example:Package-a1b2c3d4-1111-2222-3333-444455556666" + version="1.2"> + <stix:Indicators> + <stix:Indicator + id="example:indicator-a1b2c3d4-aaaa-bbbb-cccc-ddddeeeeffff" + timestamp="2025-08-12T00:00:00Z" + xsi:type="indicator:IndicatorType" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <indicator:Title>Malicious domain observed Example</indicator:Title> + <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type> + <indicator:Observable id="example:Observable-0000-1111-2222-3333"> + <cybox:Object id="example:Object-0000-1111-2222-3333"> + <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType"> + <DomainNameObj:Value condition="Equals">bad.example.com</DomainNameObj:Value> + </cybox:Properties> + </cybox:Object> + </indicator:Observable> + </stix:Indicator> + <stix:Indicator + id="example:indicator-a1b2c3d4-eeee-ffff-0000-111122223333" + timestamp="2025-08-12T00:00:00Z" + xsi:type="indicator:IndicatorType" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <indicator:Title>File hash for malware variant</indicator:Title> + <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type> + <indicator:Observable id="example:Observable-4444-5555-6666-7777"> + <cybox:Object id="example:File-4444-5555-6666-7777"> + <cybox:Properties xsi:type="FileObj:FileObjectType"> + <FileObj:Hashes> + <cyboxCommon:Hash> + <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type> + <cyboxCommon:Simple_Hash_Value condition="Equals">a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3</cyboxCommon:Simple_Hash_Value> + </cyboxCommon:Hash> + </FileObj:Hashes> + </cybox:Properties> + </cybox:Object> + </indicator:Observable> + </stix:Indicator> + </stix:Indicators> + </stix:STIX_Package> + + @@ -187 +256 @@ This format supports IP addresses, CIDR block, and domain names. STIX allows you -This format supports CIDR block, individual IP addresses, and domains. This file format has comma-separated values. +This format supports CIDR block, individual IP addresses, domains, and the `SHA256` indicator type for file hashes. SHA-256 file hashes are supported only in threat entity lists. This file format has comma-separated values. @@ -196 +265,11 @@ This format supports CIDR block, individual IP addresses, and domains. This file - domain name, example.net, example + Domain name, example.net, example + +###### Example for threat entity list with file hashes + + + Indicator type, Indicator, Description + CIDR, 192.0.2.0/24, example + IPv4, 198.51.100.1, example + IPv4, 203.0.113.1, example + Domain name, example.net, example + SHA256, a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3, example @@ -206 +285 @@ This format supports CIDR block, individual IP addresses, and domains. This file -This format supports CIDR block, individual IP addresses, and domains. The following sample lists uses a `FireEyeTM` CSV format. +This format supports CIDR block, individual IP addresses, domains, and SHA-256 file hashes in the `sha256` column. SHA-256 file hashes are supported only in threat entity lists. The following sample lists uses a `FireEyeTM` CSV format. @@ -220,0 +300,15 @@ This format supports CIDR block, individual IP addresses, and domains. The follo +###### Example for threat entity list with file hashes + + + reportId, title, threatScape, audience, intelligenceType, publishDate, reportLink, webLink, emailIdentifier, senderAddress, senderName, sourceDomain, sourceIp, subject, recipient, emailLanguage, fileName, fileSize, fuzzyHash, fileIdentifier, md5, sha1, sha256, description, fileType, packer, userAgent, registry, fileCompilationDateTime, filePath, asn, cidr, domain, domainTimeOfLookup, networkIdentifier, ip, port, protocol, registrantEmail, registrantName, networkType, url, malwareFamily, malwareFamilyId, actor, actorId, observationTime + + 01-00000001, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000001, https://www.example.com/report/01-00000001, , , , , , , , , , , , , , , , , , , , , , , , 192.0.2.0/24, , , Related, , , , , , network, , Ursnif, 21a14673-0d94-46d3-89ab-8281a0466099, , , 1494944400 + + 01-00000002, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000002, https://www.example.com/report/01-00000002, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 198.51.100.1, , , , , network, , Ursnif, 12ab7bc4-62ed-49fa-99e3-14b92afc41bf, , ,1494944400 + + 01-00000003, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000003, https://www.example.com/report/01-00000003, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 203.0.113.1, , , , , network, , Ursnif, 8a78c3db-7bcb-40bc-a080-75bd35a2572d, , , 1494944400 + + 01-00000002, Malicious domain observed in test, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000002,https://www.example.com/report/01-00000002,,,,,,,,,,,,,,,,,,,,,,,, 203.0.113.0/24, example.com,, Related, 203.0.113.0, 8080, UDP,,, network,, Ursnif, fc13984c-c767-40c9-8329-f4c59557f73b,,, 1494944400 + + 01-00000005, Malicious file hash, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000005, https://www.example.com/report/01-00000005, , , , , , , , , , , , , , , a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3, , , , , , , , , , , , Related, , , , , , network, , Ursnif, 9b9a6ea0-3cbf-4e12-bd3e-0c1d7b4e5f6a, , , 1494944400 + @@ -248 +342 @@ In ProofPoint CSV format, you can add IP either addresses or domain names in a o -The following sample list uses the `AlienVault` format. +The following sample list uses the `AlienVault` format. This format also supports SHA-256 file hashes in the indicator column. SHA-256 file hashes are supported only in threat entity lists. @@ -258,0 +353,10 @@ The following sample list uses the `AlienVault` format. +###### Example for threat entity list with file hashes + + + 192.0.2.1#4#2#Malicious Host#KR##37.5111999512,126.974098206#3 + 192.0.2.2#4#2#Scanning Host#IN#Gurgaon#28.4666996002,77.0333023071#3 + 192.0.2.3#4#2##CN#Guangzhou#23.1166992188,113.25#3 + www.test.org#4#2#Malicious Host#CA#Brossard#45.4673995972,-73.4832000732#3 + www.example.com#4#2#Malicious Host#PL##52.2393989563,21.0361995697#3 + a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3#4#2#Malicious Hash###0.0,0.0#3 +