Interpres Application - AWS GuardDuty Integration

Type: Cloud
Vendor: AWS
The AWS GuardDuty integration will pull in alerts and detections based off of AWS logs that GuardDuty itself is continuously monitoring. To enable this integration you must have GuardDuty enabled in the account you are setting up and valid logs to be scanned in the account.
Vendor setup
1.0 Create an AWS policy with the following JSON permission:
﻿IAM Policy Creation﻿
Note: You can either create your own limited policy on certain detectors or you can use the AWS managed policy AmazonGuardDutyReadOnlyAccess
If creating your own policy please create a policy with the following permissions:
JSON
{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "guardduty:ListCoverage",
                    "guardduty:GetDetector"
                ],
                "Resource": "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetThreatIntelSet",
                    "guardduty:GetFilter"
                ],
                "Resource": [
                    "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}/filter/{FILTER_ID}",
                    "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}/threatintelset/{THREAT_INTEL_SET_ID}"
                ]
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetFindings",
                    "guardduty:ListThreatIntelSets",
                    "guardduty:ListDetectors",
                    "guardduty:ListFindings",
                    "guardduty:ListFilters",
                    "guardduty:DescribeMalwareScans"
                ],
                "Resource": "*"
            }
        ]
    }
{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "guardduty:ListCoverage",
                    "guardduty:GetDetector"
                ],
                "Resource": "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetThreatIntelSet",
                    "guardduty:GetFilter"
                ],
                "Resource": [
                    "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}/filter/{FILTER_ID}",
                    "arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{AWS_DETECTOR_ID}/threatintelset/{THREAT_INTEL_SET_ID}"
                ]
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetFindings",
                    "guardduty:ListThreatIntelSets",
                    "guardduty:ListDetectors",
                    "guardduty:ListFindings",
                    "guardduty:ListFilters",
                    "guardduty:DescribeMalwareScans"
                ],
                "Resource": "*"
            }
        ]
    }
﻿
Note: Please replace all values in the {} brackets to limit access or to allow access on all resources and use the operator
2.0 Create an AWS role and attach the policy created in the step 1
﻿IAM Role Creation﻿
3.0 Choose one of the authentication methods currently supported by the integration
Using an AWS user with secret key and id directly to access resources
Create an AWS User with programmatic access only
﻿AWS User Creation﻿
Create AWS Access Key ID and AWS Secret Access Key and store in a safe place
Attach the role created from step 2 to new user:
﻿Assigning users or group a role﻿
Using an attached role to access resources
Note: This method can only be used if you are self hosting your Interpres deployments in AWS
Using an attached role to assume another role to access resources
Note: This method can only be used if your Interpres deployment is hosted in AWS
Note: External ID is required for this method. Interpres will provide you with it
For more information about cross account IAM roles: link﻿
JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{ACCOUNT_NUMBER}:role/{STEP_3.3.1_ROLE_NAME}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "{ASK_INTERPRES_FOR_YOUR_EXTERNAL_ID}"
                }
            }
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{ACCOUNT_NUMBER}:role/{STEP_3.3.1_ROLE_NAME}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "{ASK_INTERPRES_FOR_YOUR_EXTERNAL_ID}"
                }
            }
        }
    ]
}
﻿
App Configuration
App Parameters:
* Note *The AWS Integrations can be configured in multiple ways of authentcation and the required inputs are as follows
Using an AWS user with secret key and id directly to access resources
Access Key
Secret Key
Using an attached role to access resources
Use attached role when running in EC2 - True
Using an attached role to assume another role to access resources
Use attached role when running in EC2 - True
Use attached role to assume another specified role
Access Key: If using Authentication method 1 (step 3.1) provide AWS_ACCESS_KEY for user
Secret Key: If using Authentication method 1 (step 3.1) provide AWS_SECRET_KEY for user
Use Role: Check this box if using Authentication method 2 (step 3.2) or 3 (step 3.3)
Assume Role: AWS cross account role arn to assume (Created in step 2)
Region: AWS Region to monitor for the resources
App Validation
Check there is connectivity (green light) in the integration created.
Implemented Actions
Get Detections: This integration pulls in all available Findings defined here in AWS:
GuardDuty Findings Types﻿
Get Alerts: Pulls alerts for each one of the Findings
﻿
Did this page help you?
Interpres Application - AWS Config Integration
Interpres Application - AWS Inspector Integration