AWS GuardDuty
This TruSTAR integration for Amazon Web Services (AWS) is an AWS Lambda function that is triggered automatically every time an AWS GuardDuty Finding is fired. It converts the Finding into a TruSTAR Intelligence Report and submits it to a private TruSTAR Enclave.
Features
- Send CloudWatch events into a TruSTAR enclave for enrichment and triage.
Requirements
- AWS account with access to GuardDuty and permission to configure Lambda functions.
Installation
Downloading Required Files
The following bundle is required to manually install the TruSTAR AWS GuardDuty integration.
Bundle Name | Description
--- | ---
AWS GuardDuty App Bundle (GD-Station-Lambda.zip) | Contains the Lambda function that GuardDuty finding events will trigger
Setup and Configuration
- Create the Lambda function:
  - Navigate to Lambda → Create function.
  - Fill out the details (refer to the image below):
    - Name – a unique name to identify the Lambda function
    - Runtime – select Python 3.7
    - Role – select a role that has access to AWS CloudWatch Logs
  - Select Create function.
- In Function code, select Upload a zip file and upload the GD-Station-Lambda.zip bundle.
- Enter the environment variables:
  - API_KEY – TruSTAR API Key (see Finding Your API Key)
  - API_SECRET – TruSTAR API Secret (see Finding Your API Secret)
  - ENCLAVE_ID – TruSTAR Enclave ID (look up Enclave IDs in the Web App)
- Set the timeout to 3 minutes and the memory to 128 MB.
- Set the reserved concurrency to 5.
- Save the changes.
Creating a CloudWatch Event Rule
- Navigate to Services → Management Tools → CloudWatch.
- Click Rules → Create Rule and choose the details you want for the rule.
- Add the Target and select the Lambda function.
- Click Configure Details.
- Enter a name for the rule in the rule details.
- Select Create Rule.
Sample JSON Event
This is what a typical event in JSON format looks like when it is submitted to TruSTAR as an Intel Report.
{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
            "privateIpAddress": "172.31.36.156",
            "privateIpAddresses": [
              {
                "privateDnsName": "ip-172-31-36-156.us-east-1.compute.internal",
                "privateIpAddress": "172.31.36.156"
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "ec2-11-111-111-1.us-east-1.compute.amazonaws.com",
            "publicIp": "11.111.111.1"
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "198.51.100.0",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}
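The following is an added example, not the code shipped in GD-Station-Lambda.zip, showing the shape of work the Lambda described above does: it reads the three environment variables from the setup steps (API_KEY, API_SECRET, ENCLAVE_ID), checks that the incoming CloudWatch event really is a GuardDuty finding, and turns the finding into a report payload with a title, a summary, the observables an analyst would pivot on, and the enclave to submit to. The sample event is a constructed subset of the JSON above; the report field names (summary, indicators, time_began_ms and so on) and the severity bands are assumptions of this example, not the TruSTAR report schema, and the actual submission to TruSTAR (which the bundled function performs with the API key and secret) is left out.

```python
"""Added example: shape a GuardDuty finding event into a report payload."""
import json
import os
from datetime import datetime, timezone

REQUIRED_VARS = ("API_KEY", "API_SECRET", "ENCLAVE_ID")  # names from the setup steps

# Constructed sample event, trimmed from the page's sample JSON to the fields read here.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "id": "99afba5c5c43e07c9e3e5e2e544e95df", "type": "99:EC2/Stateless.IntegTest",
        "severity": 5, "title": "99:EC2/Stateless.IntegTest",
        "updatedAt": "2017-10-31T23:16:23.824Z",
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-05746eb48123455e0",
            "networkInterfaces": [{"privateIpAddress": "172.31.36.156", "publicIp": "11.111.111.1"}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "connectionDirection": "OUTBOUND",
            "remoteIpDetails": {"ipAddressV4": "198.51.100.0"},
            "remotePortDetails": {"port": 22}, "blocked": False}}},
    },
}


def load_config(environ=None):
    """Read the Lambda's environment variables; fail loudly if any is missing or empty."""
    environ = os.environ if environ is None else environ
    missing = [k for k in REQUIRED_VARS if not environ.get(k)]
    if missing:
        raise RuntimeError("missing Lambda environment variables: " + ", ".join(missing))
    return {k: environ[k] for k in REQUIRED_VARS}


def severity_label(score):
    """Bucket GuardDuty's numeric severity (assumed bands: Low <4, Medium 4-6.9, High >=7)."""
    if score is None:
        return "UNKNOWN"
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def to_epoch_ms(iso_ts):
    """Convert a GuardDuty timestamp such as 2017-10-31T23:16:23.824Z to epoch milliseconds."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def extract_indicators(detail):
    """Collect externally meaningful observables: the remote IP and the instance's public IP."""
    found = set()
    nics = detail.get("resource", {}).get("instanceDetails", {}).get("networkInterfaces", [])
    found.update(nic["publicIp"] for nic in nics if nic.get("publicIp"))
    conn = detail.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    if conn.get("remoteIpDetails", {}).get("ipAddressV4"):
        found.add(conn["remoteIpDetails"]["ipAddressV4"])
    return sorted(found)


def build_report(event, enclave_id):
    """Turn one CloudWatch GuardDuty event into a report payload (field names are assumed)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("event is not a GuardDuty finding; check the CloudWatch rule pattern")
    d = event["detail"]
    conn = d.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    instance = d.get("resource", {}).get("instanceDetails", {}).get("instanceId", "unknown instance")
    remote = conn.get("remoteIpDetails", {}).get("ipAddressV4", "n/a")
    summary = (
        f"{d['type']} (severity {d.get('severity')}, {severity_label(d.get('severity'))}) "
        f"on {instance} in {event['account']}/{event['region']}; "
        f"{conn.get('connectionDirection', 'n/a')} to {remote}:"
        f"{conn.get('remotePortDetails', {}).get('port', 'n/a')}, blocked={conn.get('blocked', 'n/a')}"
    )
    return {
        "title": f"GuardDuty: {d['title']}",
        "summary": summary,
        "body": json.dumps(d, indent=2, sort_keys=True),  # full finding for the analyst
        "enclave_ids": [enclave_id],
        "indicators": extract_indicators(d),
        "severity": severity_label(d.get("severity")),
        "time_began_ms": to_epoch_ms(d["updatedAt"]),
        "external_id": d["id"],  # lets repeated findings map to one report
    }


def lambda_handler(event, context=None, environ=None):
    """Entry point as Lambda would call it; returns the payload instead of submitting it."""
    cfg = load_config(environ)
    return build_report(event, cfg["ENCLAVE_ID"])


if __name__ == "__main__":
    env = {"API_KEY": "placeholder", "API_SECRET": "placeholder", "ENCLAVE_ID": "enclave-placeholder"}
    print(json.dumps(lambda_handler(SAMPLE_EVENT, environ=env), indent=2))
```

Two points the example makes that the setup steps only imply: the handler rejects anything that is not a GuardDuty finding, so a CloudWatch rule with a too-broad event pattern fails visibly in the Lambda logs rather than producing junk reports, and a missing environment variable is reported by name instead of surfacing as an opaque authentication failure at submission time.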
Please reach out to support@trustar.co for any additional questions.