AWS GuardDuty

Overview

Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common Data Transport options: AWS S3 and AWS SQS.

You can also ingest GuardDuty logs using Amazon EventBridge.

AWS GuardDuty logs video walkthrough

How to onboard AWS GuardDuty logs to Panther

Prerequisite

• You have your Panther instance's AWS account ID. To locate this value, in the upper-right corner of your Panther Console, click the gear icon > General. In the footer of this page, note the AWS Account ID.

Step 1: Create an AWS GuardDuty source in Panther

To pull GuardDuty logs into Panther, you will first need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click Create New.

3. Search for "AWS GuardDuty" then click its tile.

4. In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option. Either leave this option selected, or select AWS SQS Queue.

5. Click Start Setup.

6. Follow Panther’s documentation for configuring S3 or SQS for Data Transport:

   The instructions for the remainder of this process, below, apply to using a SQS queue. For S3 instructions, see the video above.

   • AWS S3 bucket

   • AWS SQS Queue

     • On the Configure page, leave the Allowed AWS Principals and Allowed Source ARNs fields blank. You will return to this page in Step 3.

Step 2: Create an Amazon SNS topic

1. Log into the AWS Console.

2. Select the AWS region where your Panther instance is located, then navigate to the Simple Notification Service console.

3. In the navigation bar, click Topics.

4. Click Create Topic.

5. In the Details section, provide values for the following fields:

   • Type: Select Standard.

   • Name: Enter a descriptive name.

6. In the Encryption section, leave the Encryption toggle off.
7. In the Access policy section:

   1. Within Publishers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.

   2. Within Subscribers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.
8. Click Create topic.

9. Copy the ARN and store it in a secure location, as you will need it in the next step.

Step 3: Configure your GuardDuty log source with the SNS topic

1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1.

   • If you are still on the success screen you landed on at the end of Step 1, click View Log Source.

2. Click Configuration, then Edit.

3. On the Configure page, in the Allowed Source ARNs field, enter the SNS topic ARN you copied in the previous step.

4. Click Save.

Step 4: Create an SNS subscription

Create the subscription to the Panther GuardDuty SQS queue.

1. Return to the SNS console in AWS.

2. From the navigation bar, click Subscriptions.

3. Click Create subscription.

4. Enter values for the following fields:

   • Protocol: Select Amazon SQS.

   • Endpoint: Construct your endpoint using the following format: arn:aws:sqs:<Panther-region>:<account-id>:<Panther-notifications-queue-name>

     • Panther-region: The AWS region your Panther instance is deployed in

     • account-id: Your Panther instance's AWS account ID

     • Panther-notifications-queue-name: To find this value:

       1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1. (You may still be on this page after Step 3).

       2. At the top of the page, locate the SQS Queue URL. The Panther-notifications-queue-name value is the portion of the URL beginning with panther-source-:
5. Click the Enable raw message delivery checkbox.

6. Click Create subscription.

Step 5: Configure GuardDuty to post announcements to the SNS topic

After enabling GuardDuty in your account, you will begin building EventBridge rules to send alerts to Panther.

1. If you have not already enabled GuardDuty in your AWS account, follow these instructions to do so.

2. In AWS, navigate to the Amazon EventBridge console.

3. In the navigation bar, click Rules, under the Buses section.

4. Click Create rule.

5. Provide values for the following fields:

   • Name: Enter a descriptive name.

   • Event bus: Select default.

   • Enable the rule on the selected event bus: Toggle ON.

   • Rule type: Select Rule with an event pattern.

6. Click Next.

7. On the Build event pattern page:

   2. In the Sample event section:

      • For Sample event type, select AWS events.
   3. In the Event pattern section, make the following selections:

      • Event source: Select AWS services.

      • AWS service: Select GuardDuty.
8. Click Next.

9. On the Select target(s) page, in the Target 1 section, enter values for the following fields:

   1. Target types: Select AWS service.

   2. Select a target: Select SNS topic.

   3. Topic: Select the name of the topic you created in Step 2.
10. Click Next.

11. On the Configure tags page, click Next.

12. On the Review and create page, click Create rule.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in GuardDuty logs queries.

Supported AWS GuardDuty logs

AWS.GuardDuty

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see AWS's documentation on GuardDuty finding format.

schema: AWS.GuardDuty
parser:
  native:
    name: AWS.GuardDuty
description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts.
referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
fields:
  - name: schemaVersion
    required: true
    description: The schema format version of this record.
    type: string
  - name: accountId
    required: true
    description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
    type: string
  - name: region
    required: true
    description: The AWS region in which the finding was generated.
    type: string
  - name: partition
    required: true
    description: The AWS partition in which the finding was generated.
    type: string
  - name: id
    required: true
    description: A unique identifier for the finding.
    type: string
  - name: arn
    required: true
    description: A unique identifier formatted as an ARN for the finding.
    type: string
  - name: type
    required: true
    description: A concise yet readable description of the potential security issue.
    type: string
  - name: resource
    required: true
    description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
    type: json
  - name: severity
    required: true
    description: The value of the severity can fall anywhere within the 0.1 to 8.9 range.
    type: float
  - name: createdAt
    required: true
    description: The initial creation time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: updatedAt
    required: true
    description: The last update time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: title
    required: true
    description: A short description of the finding.
    type: string
  - name: description
    required: true
    description: A long description of the finding.
    type: string
  - name: service
    required: true
    description: Additional information about the affected service.
    type: object
    fields:
      - name: additionalInfo
        description: AdditionalInfo field
        type: json
      - name: action
        description: Action field
        type: json
      - name: serviceName
        required: true
        description: ServiceName field
        type: string
      - name: detectorId
        required: true
        description: DetectorID field
        type: string
      - name: resourceRole
        description: ResourceRole field
        type: string
      - name: eventFirstSeen
        description: EventFirstSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: eventLastSeen
        description: EventLastSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: archived
        description: Archived field
        type: boolean
      - name: count
        description: Count field
        type: bigint