AWS GuardDuty

Updated 1 month ago by Sachit Soni

Introduction

TruSTAR is a threat intelligence platform designed to accelerate incident analysis and the exchange of intelligence among internal and external teams. This document provides detailed instructions for setting up an AWS Lambda function that listens for GuardDuty findings as they are generated and sends the finding details into TruSTAR.

TruSTAR's AWS GuardDuty integration allows AWS users with access to GuardDuty to send GuardDuty Findings into their private enclaves in TruSTAR. Users create a Lambda function from TruSTAR's packaged script, and a CloudWatch Events rule invokes that function every time GuardDuty generates a finding; the function submits the finding as an event to the customer-specified enclave in TruSTAR.

App Installation

Prerequisites

The following bundles are required for a successful installation of the TruSTAR AWS GuardDuty app.

#  Bundle Name                                                 Description
1  AWS GuardDuty App Bundle (GD-Station-Lambda.zip)             Contains the Lambda function code that is invoked by GuardDuty findings and forwards them to TruSTAR
2  AWS account with permission to configure Lambda functions   Users need permission to create and configure Lambda functions (and CloudWatch Events rules) in AWS to use the app


Installation

Create Lambda Function

  • Navigate to Lambda → Create function
  • Fill out the details (refer to the image below):
    • Name – A unique name to identify the Lambda function
    • Runtime – Select Python 2.7 (the runtime the bundle is written for)
    • Role – Select an execution role that can write to CloudWatch Logs; the AWSLambdaBasicExecutionRole managed policy grants exactly that and nothing more, which is all the function needs to record its logs
  • Select Create function
  • Under Function code, select "Upload a .zip file" and upload the bundle (GD-Station-Lambda.zip)
  • Enter the environment variables:
    • TRUSTAR_URL – TruSTAR Station URL, without a trailing '/': https://station.trustar.co
    • API_KEY – TruSTAR API key, from https://station.trustar.co/settings/api
    • API_SECRET – TruSTAR API secret, from the same page. Treat it as a credential: Lambda encrypts environment variables at rest, so keep the secret there rather than in the function code or in anything the function logs
    • ENCLAVE_ID – ID of the TruSTAR enclave the findings should be submitted to, from https://station.trustar.co/settings/profile
  • Change the timeout to 2 minutes
  • Save the changes

Create CloudWatch Event Rule

  • Navigate to Services → Management Tools → CloudWatch
  • Click Rules → Create rule
  • Under Event Source, select Event Pattern, Service Name "GuardDuty" and Event Type "GuardDuty Finding" (this matches events with source aws.guardduty and detail-type "GuardDuty Finding", as in the sample event below)
  • Under Targets, add the Lambda function created above (refer to the image below)
  • Click Configure details
  • Enter a name (and optional description) for the rule and click Create rule
  • GuardDuty findings are regional: create the rule and the Lambda function in each region where a GuardDuty detector is enabled
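The installation steps above leave two things implicit: which events the CloudWatch Events rule actually delivers to the function, and what the function needs from its environment variables before it can talk to TruSTAR. The following is an added example, not code from the TruSTAR bundle, that makes both explicit: a matcher for the subset of event-pattern semantics the GuardDuty rule uses (it also shows a narrower pattern that only forwards High findings, which goes beyond the page's rule), and a validator for the four environment variables, including the "no trailing '/'" requirement for TRUSTAR_URL. The events and environment values are constructed for the demonstration; the API key and secret are placeholders.

```python
"""Added example (not the TruSTAR bundle's code): rule matching and
environment-variable checks for the GuardDuty -> Lambda -> TruSTAR setup."""
import os

# Pattern the console generates for Service Name "GuardDuty",
# Event Type "GuardDuty Finding" (matches the sample event on this page).
GUARDDUTY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Narrower pattern (not the page's rule): only High findings. Event patterns
# match listed values exactly, so every severity value wanted must be listed.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [7, 8]},
}


def matches_pattern(event, pattern):
    """CloudWatch Events matching for the subset used here: every pattern key
    must exist in the event, a list means "the event's value is one of
    these", and a nested dict recurses. Content filters such as prefix or
    numeric-range matching are not implemented."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and matches_pattern(value, allowed)):
                return False
        elif value not in allowed:
            return False
    return True


def filter_events(events, pattern=GUARDDUTY_FINDING_PATTERN):
    """Return the events the rule would forward to the Lambda target."""
    return [e for e in events if matches_pattern(e, pattern)]


# Constructed events (abbreviated; real findings carry the full "detail").
GUARDDUTY_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5},
}
HIGH_GUARDDUTY_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8},
}
EC2_STATE_EVENT = {
    "version": "0", "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}

# The four variables the installation steps require.
REQUIRED_VARS = ("TRUSTAR_URL", "API_KEY", "API_SECRET", "ENCLAVE_ID")


def config_problems(environ):
    """List everything wrong with the environment, so a misconfigured
    deployment reports all problems at once instead of one per invocation."""
    problems = []
    for name in REQUIRED_VARS:
        if not (environ.get(name) or "").strip():
            problems.append("%s is not set" % name)
    url = (environ.get("TRUSTAR_URL") or "").strip()
    if url.endswith("/"):
        problems.append("TRUSTAR_URL must not end with '/'")
    if url and not url.startswith("https://"):
        problems.append("TRUSTAR_URL must start with https://")
    return problems


def load_config(environ=None):
    """Validated config dict, or ValueError naming every problem found."""
    environ = os.environ if environ is None else environ
    problems = config_problems(environ)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: environ[name].strip() for name in REQUIRED_VARS}


# Constructed environments; key, secret and enclave ID are placeholders.
GOOD_ENV = {
    "TRUSTAR_URL": "https://station.trustar.co",
    "API_KEY": "example-api-key",
    "API_SECRET": "example-api-secret",
    "ENCLAVE_ID": "00000000-0000-0000-0000-000000000000",
}
BAD_ENV = dict(GOOD_ENV, TRUSTAR_URL="https://station.trustar.co/", API_SECRET="")

if __name__ == "__main__":
    forwarded = filter_events([GUARDDUTY_EVENT, EC2_STATE_EVENT, HIGH_GUARDDUTY_EVENT])
    print([e["detail-type"] for e in forwarded])
    print(config_problems(BAD_ENV))
```

The rule filters by source and detail-type only, so every GuardDuty finding in the region reaches the function; severity gating, if wanted, belongs in the rule pattern (as in HIGH_SEVERITY_PATTERN) rather than in code that has already paid for an invocation.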

Sample JSON Event Ingested into TruSTAR

The event below is one of GuardDuty's generated sample findings (note the GeneratedFinding* placeholder values and the 99:EC2/Stateless.IntegTest type); real findings have the same structure with live values. Remote IP, port and organization details live under service.action, and the location of those fields depends on service.action.actionType.

{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
            "privateIpAddress": "172.31.36.156",
            "privateIpAddresses": [
              {
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156"
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com",
            "publicIp": "11.111.111.1"
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "198.51.100.0",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}
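The finding above is deeply nested, and the parts an analyst cares about (who was targeted, which remote address was involved, how severe it is) sit in different places depending on the finding's action type. The following is an added example, not code from the TruSTAR bundle, that reduces an event of this shape to a flat summary, classifies the numeric severity into GuardDuty's documented bands, drops remote addresses that are not globally routable (198.51.100.0 in the sample is a documentation range), and flags GuardDuty's generated sample findings so a test run does not seed the enclave with placeholder indicators. It goes beyond the page's NETWORK_CONNECTION case by also handling the AWS_API_CALL and PORT_PROBE action types from the GuardDuty finding schema. The event in the block is an abbreviated, constructed copy of the sample; the output field names are this example's own, not the bundle's payload.

```python
"""Added example (not the TruSTAR bundle's code): flatten a GuardDuty finding
event into the fields worth submitting, and recognise sample findings."""
import ipaddress

# Abbreviated, constructed copy of the sample finding shown on the page.
SAMPLE_FINDING_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "id": "99afba5c5c43e07c9e3e5e2e544e95df",
        "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
        "type": "99:EC2/Stateless.IntegTest",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-05746eb48123455e0",
                "networkInterfaces": [
                    {"privateIpAddress": "172.31.36.156", "publicIp": "11.111.111.1"}
                ],
            },
        },
        "service": {
            "resourceRole": "TARGET",
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "OUTBOUND",
                    "remoteIpDetails": {
                        "ipAddressV4": "198.51.100.0",
                        "organization": {"asn": -1, "isp": "GeneratedFindingISP",
                                         "org": "GeneratedFindingORG"},
                        "city": {"cityName": "GeneratedFindingCityName"},
                    },
                    "remotePortDetails": {"port": 22, "portName": "SSH"},
                    "protocol": "TCP", "blocked": False,
                },
            },
            "additionalInfo": {"threatListName": "GeneratedFindingCustomerListName"},
            "eventFirstSeen": "2017-10-31T23:16:23Z",
            "eventLastSeen": "2017-10-31T23:16:23Z",
            "count": 1,
        },
    },
}


def severity_label(score):
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0 and above."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def is_routable(ip):
    """Only globally routable addresses are worth sharing as indicators;
    RFC 1918, loopback and the documentation ranges are dropped."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def remote_ip_details(service):
    """Yield each remoteIpDetails object; where it lives depends on
    actionType (DNS_REQUEST findings carry a domain instead)."""
    action = service.get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        yield action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
    elif kind == "AWS_API_CALL":
        yield action.get("awsApiCallAction", {}).get("remoteIpDetails", {})
    elif kind == "PORT_PROBE":
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            yield probe.get("remoteIpDetails", {})


def is_sample_finding(detail):
    """True for findings produced by GuardDuty's "Generate sample findings".
    Newer schema versions set service.additionalInfo.sample = true; older
    ones, like the page's sample, carry GeneratedFinding* placeholders."""
    service = detail.get("service", {})
    if service.get("additionalInfo", {}).get("sample") is True:
        return True
    for remote in remote_ip_details(service):
        values = list(remote.get("organization", {}).values()) + list(remote.get("city", {}).values())
        if any(isinstance(v, str) and v.startswith("GeneratedFinding") for v in values):
            return True
    return False


def summarize_finding(event):
    """Flat summary of a GuardDuty Finding event (field names are this
    example's own). Raises ValueError for any other event type."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty Finding event")
    detail = event["detail"]
    service = detail.get("service", {})
    instance = detail.get("resource", {}).get("instanceDetails", {})
    nic = (instance.get("networkInterfaces") or [{}])[0]
    remote_ips = [r.get("ipAddressV4") for r in remote_ip_details(service) if r.get("ipAddressV4")]
    return {
        "finding_id": detail["id"],
        "finding_arn": detail.get("arn"),
        "type": detail.get("type"),
        "severity": detail.get("severity"),
        "severity_label": severity_label(detail.get("severity", 0)),
        "account": event.get("account"),
        "region": event.get("region"),
        "resource_role": service.get("resourceRole"),
        "instance_id": instance.get("instanceId"),
        "instance_public_ip": nic.get("publicIp"),
        "remote_ips": remote_ips,
        "routable_remote_ips": [ip for ip in remote_ips if is_routable(ip)],
        "first_seen": service.get("eventFirstSeen"),
        "last_seen": service.get("eventLastSeen"),
        "count": service.get("count"),
        "is_sample": is_sample_finding(detail),
    }


if __name__ == "__main__":
    summary = summarize_finding(SAMPLE_FINDING_EVENT)
    print(summary)
    print("submit to enclave:", not summary["is_sample"])
```

The is_sample flag is the check to apply before submission: the sample finding above parses cleanly and looks like a Medium outbound SSH connection, and only its placeholder organization fields reveal that nothing in it is real.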

Troubleshooting

Known Limitations

  • There is a known limitation in AWS Guard Duty app where

Please reach out to support@trustar.co for any additional questions.

