AWS GuardDuty

Updated 3 months ago by Sachit Soni

INTRODUCTION

TruSTAR is an intelligence platform that helps organizations leverage multiple sources of threat intelligence and fuse it with historical event data to prioritize and enrich investigations. This document provides detailed instructions to set up an AWS Lambda function that listens for Guard Duty events as they are triggered and sends the event details into TruSTAR.

TruSTAR's AWS GuardDuty Integration allows AWS users who have access to Guard Duty to transmit Guard Duty "Findings" into their private enclaves in TruSTAR Station, where they become Incident Reports. The integration is a Lambda function that is triggered automatically every time a Guard Duty Finding is generated; it converts the Finding into a TruSTAR incident report object and transmits that incident report to a customer-specified enclave in TruSTAR Station.

FEATURES

  • Send CloudWatch events into the user's enclave in TruSTAR for enrichment and triage
  • Quick deployment of the Guard Duty integration with TruSTAR using the AWS CloudFormation template

Workflow Diagram

Demo Video

PRE-REQUISITES

The following prerequisites are needed for the TruSTAR AWS GuardDuty integration to work. Please make sure the components below are downloaded or available.

AWS Instance with access to configure Lambda function

HOW TO INSTALL

Easy Install - AWS Cloud Formation Template

The following bundles are required for successful installation of the TruSTAR AWS Guard Duty app.

Bundle Name                                            Description
AWS Guard Duty App Bundle (GD-Station-Lambda.zip)      Contains the Lambda function that handles Guard Duty events and forwards them to TruSTAR
AWS Cloud Formation Template (aws_cloud_formations)    Contains preconfigured setup options that make the install of the TruSTAR Guard Duty Integration easier

Setup & Configuration
  • Upload the CloudFormation template file and the Lambda function zip to an S3 bucket.

  • Create a CloudFormation Stack.

  • Create the Stack with the template, providing the S3 bucket URL of the CloudFormation template.

  • Provide the Stack details and the TruSTAR credentials.

  • Review the Stack and create it.

  • Wait for stack creation to complete.

  • Once stack creation is complete, the Lambda function is installed and ready to process AWS Guard Duty events.

Manual Install

The following bundle is required for successful installation of the TruSTAR AWS Guard Duty app.

Bundle Name                                            Description
AWS Guard Duty App Bundle (GD-Station-Lambda.zip)      Contains the Lambda function that handles Guard Duty events and forwards them to TruSTAR

Setup & Configuration
  • Create the Lambda Function
  • Navigate to Lambda → Create Function
  • Fill out the details (refer to the image below)
    • Name – a unique name to identify the Lambda function
    • Runtime – select Python 2.7
    • Role – select a role which has access to “AWS CloudWatch Logs”
  • Select Create function
  • Select “Upload a zip file” under Function code and upload the zip bundle (GD-Station-Lambda.zip)
  • Enter the environment variables
    • TRUSTAR_URL – TruSTAR Station URL, e.g. https://station.trustar.co (ensure it has no trailing ‘/’)
    • API_KEY – TruSTAR API Key (from https://station.trustar.co/settings/api)
    • API_SECRET – TruSTAR API Secret
    • ENCLAVE_ID – TruSTAR Enclave Id (from https://station.trustar.co/settings/profile)
  • Change the timeout to 2 mins
  • Save the changes
Create CloudWatch Event
  • Create a CloudWatch Event Rule
  • Navigate to Services → Management Tools → CloudWatch
  • Click Rules → Create Rule and select the details
  • Add the Target and select the Lambda function (refer to the image below)
  • Click Configure details
  • Enter the rule name under Configure rule details
  • Select Create rule

Sample JSON Event Ingested into TruSTAR

{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
            "privateIpAddress": "172.31.36.156",
            "privateIpAddresses": [
              {
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156"
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com",
            "publicIp": "11.111.111.1"
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "198.51.100.0",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}
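The following is an added example, not the code inside GD-Station-Lambda.zip or any other TruSTAR code. It ties together the pieces described above: the CloudWatch Event Rule that selects GuardDuty findings (expressed here as the flat event pattern the rule matches on), the four environment variables from the manual install steps together with the page's caveat that TRUSTAR_URL must have no trailing '/', and the conversion of a finding like the sample above into an incident report for the configured enclave. It is written for Python 3 rather than the Python 2.7 runtime the manual steps select. The report field names (title, enclaveIds, externalTrackingId, timeBegan, reportBody, indicators), the `send` callable that performs the actual submission, and the trimmed SAMPLE_EVENT are assumptions made for this example.

```python
import ipaddress
import os

# CloudWatch Events rule pattern for GuardDuty findings (same source and
# detail-type values the page's sample event carries).
GUARDDUTY_RULE_PATTERN = {"source": ["aws.guardduty"],
                          "detail-type": ["GuardDuty Finding"]}
REQUIRED_ENV = ("TRUSTAR_URL", "API_KEY", "API_SECRET", "ENCLAVE_ID")


def event_matches(event, pattern=GUARDDUTY_RULE_PATTERN):
    """Flat rule semantics: every pattern key present, value in its list."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def load_config(env=None):
    """Validate the four Lambda variables; TRUSTAR_URL must not end in '/'."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    url = env["TRUSTAR_URL"]
    if not url.startswith("https://") or url.endswith("/"):
        raise ValueError("TRUSTAR_URL must be https:// with no trailing '/'")
    return {name: env[name] for name in REQUIRED_ENV}


def collect_observables(node, found=None):
    """Walk the finding; gather IP addresses, DNS names and instance ids."""
    if found is None:
        found = {"ips": set(), "hosts": set(), "instances": set()}
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "instanceId" and isinstance(value, str):
                found["instances"].add(value)
            elif key.endswith("DnsName") and isinstance(value, str) and value:
                found["hosts"].add(value)
            else:
                collect_observables(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_observables(item, found)
    elif isinstance(node, str):
        try:  # only well-formed addresses pass; ARNs and version strings do not
            found["ips"].add(str(ipaddress.ip_address(node)))
        except ValueError:
            pass
    return found


def finding_to_report(event, enclave_id):
    """Flatten one finding into a report dict (the field names are assumed)."""
    detail, service = event["detail"], event["detail"].get("service", {})
    obs = collect_observables(detail)
    body = [
        "GuardDuty %s, severity %s, account %s, region %s" % (
            detail["type"], detail.get("severity"), event["account"], event["region"]),
        "Resource: %s %s" % (detail["resource"]["resourceType"],
                             ", ".join(sorted(obs["instances"]))),
        "Action: %s, first seen %s, last seen %s, count %s" % (
            service.get("action", {}).get("actionType"), service.get("eventFirstSeen"),
            service.get("eventLastSeen"), service.get("count")),
        "Description: " + detail.get("description", ""),
    ]
    return {"title": "GuardDuty: " + detail.get("title", detail["type"]),
            "enclaveIds": [enclave_id], "externalTrackingId": detail["arn"],
            "timeBegan": detail.get("createdAt", event["time"]),
            "reportBody": "\n".join(body),
            "indicators": sorted(obs["ips"] | obs["hosts"] | obs["instances"])}


def handler(event, context, env=None, send=None):
    """Lambda entry point. send(report, config) is the submission step the
    deployment supplies (assumed); the returned dict lands in CloudWatch Logs."""
    if not event_matches(event):
        return {"status": "skipped", "reason": "not a GuardDuty Finding"}
    config = load_config(env)
    report = finding_to_report(event, config["ENCLAVE_ID"])
    if send is not None:
        send(report, config)
    return {"status": "submitted" if send else "converted",
            "title": report["title"], "indicators": report["indicators"]}


# Constructed sample, trimmed from the page's sample finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1", "time": "1970-01-01T00:00:00Z",
    "detail": {
        "type": "99:EC2/Stateless.IntegTest", "severity": 5,
        "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-05746eb48123455e0", "networkInterfaces": [{
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156", "publicIp": "11.111.111.1",
                "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com"}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction":
                               {"remoteIpDetails": {"ipAddressV4": "198.51.100.0"}}},
                    "eventFirstSeen": "2017-10-31T23:16:23Z",
                    "eventLastSeen": "2017-10-31T23:16:23Z", "count": 1},
        "createdAt": "2017-10-31T23:16:23.824Z",
        "title": "99:EC2/Stateless.IntegTest", "description": "99:EC2/Stateless.IntegTest"}}
```

Calling `handler(SAMPLE_EVENT, None, env={...}, send=...)` with the four variables set returns a status dict whose indicators list holds the three IP addresses, two DNS names and the instance id pulled from the finding; that list is what makes the report useful for enrichment once it lands in the enclave. The early return for non-matching events is cheap insurance: if the CloudWatch rule is later widened, the function still refuses to forward anything that is not a GuardDuty Finding, and the skipped status in CloudWatch Logs makes the misconfiguration visible during troubleshooting.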

TROUBLESHOOTING/FAQs


Please reach out to support@trustar.co for any additional questions.