Add Node.js SNS to S3 Lambda sample script

Author: vincent-pelletier

README.md

@@ -29,7 +29,7 @@ The goal of the scripts in this repository is to help you manage and process the
         "Signature": "UEW81BOwF+BvMaZI2S0YOidSLVYt2f3/ApeQ7zXXy/v6Z5SXqEKbA2MlarzyO9qIQCiVXuf1ugh8WQC6bptlWiLIl3ylUvYOVg/QSVuuyi+THrhbIc69jQ5704YTJZYVyADgLSX8vhCK/oGSS1VplGfA1y7LA3xGMIcIe3FVaBw+Dq8/ufMiGPTjS5LciPEjF8na3M1jqC2VquUKysnZ1SVHgg36u1j27aevSgz0/Et1Z4rHExGOEumo9TDg5ybTb0qQzlrTIYtFLEz+89ZC5eeEY4XGf+UzD61YQR0Bi3mk+sl9l8ZpOCG5AURWYKV4/cRVLDTkpnlOO4zOrjmSBg==",
         "SigningCertUrl": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-bb750dd426d95ee9390147a5624348ee.pem",
         "MessageId": "882160ff-dc56-522a-be8c-30e34b917eee",
-        "Message": "{\"Action\":6,\"ActionString\":\"Log Only\",\"DataFlags\":8,\"DataIndex\":17773,\"DestinationIP\":\"96.17.87.177\",\"DestinationMAC\":\"00:00:00:00:00:00\",\"DestinationPort\":443,\"Direction\":1,\"DirectionString\":\"Outgoing\",\"DriverTime\":1470272837080110,\"EventID\":838236,\"EventType\":\"PacketLog\",\"Flags\":\"SYN DF\\u003d1\",\"Flow\":0,\"FlowString\":\"Connection Flow\",\"Frame\":2048,\"FrameString\":\"IP\",\"HostAgentVersion\":\"9.6.2.7256\",\"HostAssetValue\":1,\"HostCloudType\":\"amazon\",\"HostGroupID\":435,\"HostGroupName\":\"subnet-0060112b\",\"HostID\":9341,\"HostInstanceID\":\"i-0bbafc95\",\"HostOS\":\"Amazon Linux AMI (64 bit) (4.4.11-23.53.amzn1.x86_64)\",\"HostSecurityPolicyID\":621,\"HostSecurityPolicyName\":\"DeepDemo - With Firewall\",\"Hostname\":\"ec2-54-174-110-176.compute-1.amazonaws.com (Event Test) [i-0bbafc95]\",\"Interface\":\"12:AB:F4:D7:F1:F7\",\"LogDate\":\"2016-08-04T01:07:17.080Z\",\"Origin\":0,\"OriginString\":\"Agent\",\"PacketSize\":74,\"Protocol\":6,\"ProtocolString\":\"TCP\",\"Rank\":1,\"Reason\":\"Log All - Outbound\",\"RepeatCount\":1,\"SourceIP\":\"172.31.54.167\",\"SourceMAC\":\"12:AB:F4:D7:F1:F7\",\"SourcePort\":36248,\"Status\":0,\"Tags\":\"\",\"TenantID\":4235,\"TenantName\":\"Your Tenant Name\",\"Type\":1}",
+        "Message": "[{\"Action\":6,\"ActionString\":\"Log Only\",\"DataFlags\":8,\"DataIndex\":17773,\"DestinationIP\":\"96.17.87.177\",\"DestinationMAC\":\"00:00:00:00:00:00\",\"DestinationPort\":443,\"Direction\":1,\"DirectionString\":\"Outgoing\",\"DriverTime\":1470272837080110,\"EventID\":838236,\"EventType\":\"PacketLog\",\"Flags\":\"SYN DF\\u003d1\",\"Flow\":0,\"FlowString\":\"Connection Flow\",\"Frame\":2048,\"FrameString\":\"IP\",\"HostAgentVersion\":\"9.6.2.7256\",\"HostAssetValue\":1,\"HostCloudType\":\"amazon\",\"HostGroupID\":435,\"HostGroupName\":\"subnet-0060112b\",\"HostID\":9341,\"HostInstanceID\":\"i-0bbafc95\",\"HostOS\":\"Amazon Linux AMI (64 bit) (4.4.11-23.53.amzn1.x86_64)\",\"HostSecurityPolicyID\":621,\"HostSecurityPolicyName\":\"DeepDemo - With Firewall\",\"Hostname\":\"ec2-54-174-110-176.compute-1.amazonaws.com (Event Test) [i-0bbafc95]\",\"Interface\":\"12:AB:F4:D7:F1:F7\",\"LogDate\":\"2016-08-04T01:07:17.080Z\",\"Origin\":0,\"OriginString\":\"Agent\",\"PacketSize\":74,\"Protocol\":6,\"ProtocolString\":\"TCP\",\"Rank\":1,\"Reason\":\"Log All - Outbound\",\"RepeatCount\":1,\"SourceIP\":\"172.31.54.167\",\"SourceMAC\":\"12:AB:F4:D7:F1:F7\",\"SourcePort\":36248,\"Status\":0,\"Tags\":\"\",\"TenantID\":4235,\"TenantName\":\"Your Tenant Name\",\"Type\":1}]",
         "MessageAttributes": {},
         "Type": "Notification",
         "UnsubscribeUrl": "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:435663754235:deep-security:3fdacd23-6td4-4cd2-6a1a-879e0e049524",
@@ -101,4 +101,10 @@ bucket root
             - 2016-08-04-01-07-17-080000-KE6K4KC9.txt
             - 2016-08-04-01-07-17-080000-ZHBUWVG6.txt
             - 2016-08-04-11-06-33-316000-SD9XNWTY.txt
-```
+```
+
+## lambda-save-ds-events-to-s3.js
+
+Similar script as ```lambda-save-ds-events-to-s3.py``` but in Node.js.
+Edit [line 7](https://github.com/deep-security/amazon-sns/blob/master/lambda-save-ds-event-to-s3.js#L7) by changing the value to your own S3 bucket name.
+If desired, the s3 folder name and file extension can also be modified on lines 9 and 10.

lambda-save-ds-event-to-s3.js

@@ -0,0 +1,55 @@
+/*
+ * Sample Node.js Lambda script to handle events from Deep Security SNS individually.
+ * An example of the S3 file name would be "DeepSecurityEvents/LogInspectionEvent/2018/11/05/9999.json"
+ */
+
+// MODIFY THIS HERE FOR YOUR ENVIRONMENT
+const bucket = 'YOUR-BUCKET-NAME-HERE';
+const acl = 'public-read';
+const s3prefix = 'DeepSecurityEvents/';
+const ext = '.json';
+
+const aws = require('aws-sdk');
+const s3 = new aws.S3();
+
+exports.handler = (sns, context) => {
+    //retrieve the events from the sns json
+    var events = JSON.parse(sns.Records[0].Sns.Message);
+
+    var receivedDate = getFormattedDate(new Date(sns.Records[0].Sns.Timestamp));
+
+    if(isArray(events)) {
+        // From DS 10.0 and onwards, events come as an array. Iterate through it.
+        for(var i = 0; i < events.length; i++) {
+            sendToS3(events[i], receivedDate);
+        }
+    } else {
+        // Format for DS 9.6 and before, SNS contains a single event
+        sendToS3(events, receivedDate);
+    }
+};
+
+function isArray(obj) {
+    return obj.constructor === Array;
+}
+
+function getFormattedDate(d) {
+    //returns yyyy/MM/dd
+    return d.getFullYear() + '/' + twoDigits(d.getMonth() + 1) + '/' + twoDigits(d.getDate());
+}
+
+function twoDigits(n) {
+    return n < 10 ? '0' + n : n;
+}
+
+function sendToS3(event, receivedDate) {
+    var params = {
+        Bucket: bucket,
+        Key: s3prefix + event.EventType + '/' + receivedDate + '/' + event.EventID + ext,
+        ACL: acl,
+        Body: JSON.stringify(event)
+    };
+    s3.putObject(params, function(err) {
+        if (err) console.log(err, err.stack); // log the error
+    });
+}