# AWS GuardDuty

## Overview

Panther supports ingesting Amazon Web Services (AWS) [GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options:

* **Amazon S3**: see [instructions for onboarding GuardDuty logs with S3 below](#how-to-onboard-aws-guardduty-logs-to-panther-using-s3).
* **Amazon SQS**: see [instructions for onboarding GuardDuty logs with SQS below](#how-to-onboard-aws-guardduty-logs-to-panther-using-sqs).

You can also ingest GuardDuty logs using [Amazon EventBridge](https://docs.panther.com/data-onboarding/data-transports/aws/eventbridge).

## How to onboard AWS GuardDuty logs to Panther using S3

{% hint style="info" %}
The video below depicts a slightly out-of-date Panther Console. Follow the step-by-step instructions below the video for current guidance.
{% endhint %}

{% embed url="<https://youtu.be/q7qs6WwG5Ss>" %}

{% hint style="warning" %}
Ingesting AWS GuardDuty logs this way requires you to input a KMS key ARN. If you have server-side encryption (SSE) enabled but cannot generate a KMS key, stop this process and instead set up a [custom S3 log source](https://docs.panther.com/data-onboarding/data-transports/aws/s3) to ingest GuardDuty logs. Attach the AWS.GuardDuty schema by clicking **Configure Prefixes & Schemas (Optional)**. You will not be required to input a KMS key.

<img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-925d99a7ff4397fceb776d3a8800b7006ab8434c%2Fimage%20(235).png?alt=media" alt="" data-size="original"><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f4ecc2da81f05e6c0a740e2ba7bde7b83a3f0637%2Fimage.png?alt=media" alt="" data-size="original">
{% endhint %}

### Prerequisite for onboarding GuardDuty logs with S3 <a href="#prerequisite" id="prerequisite"></a>

* You have [enabled GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#guardduty_enable-gd).

  ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2b823a2b3b37f278fd4eb108ccaac6535b0c04fc%2Fimage.png?alt=media)

{% hint style="info" %}
GuardDuty is a regional service and requires its S3 export bucket and KMS key to be in the same region.
{% endhint %}

### Step 1: Create a KMS Key

1. In AWS, while in the correct region, navigate to the Key Management Service (KMS).
2. Click **Customer managed keys**, then **Create Key**.
3. Leave the default **Key type** (**Symmetric**) and **Key usage** (**Encrypt and decrypt**) selections, and click **Next**.\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-128089c965ff6a677c45a34b6f75e8ae3bca1606%2Fimage.png?alt=media)
4. On the **Add labels** page, enter an **Alias** of your choice, e.g., `guardduty-log-key`.
5. Click **Skip to Review**. (We will add policies to this key in a future step.)\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fc3e3b5f902b76300c182ea0d3c7e4933f071ea1%2Fimage.png?alt=media)
6. Click **Finish**.
7. On the **Customer managed keys** list, click the key you just created, and note the **ARN** for future steps.

### Step 2: Create an S3 bucket

1. In AWS, while in the correct region, navigate to S3.
2. Under **General purpose buckets**, click **Create bucket**.
3. Fill in the fields:
   * In the **General configuration** tile, enter a unique **Bucket name** (e.g. `panther-guardduty-logs-<identifier>`).
   * In the **Default encryption** tile:
     1. For **Encryption type**, select **Server-side encryption with AWS Key Management Service keys (SSE-KMS)**.
     2. Under **AWS KMS key**, select **Choose from your AWS KMS keys**.
     3. Under **Available AWS KMS keys**, select the KMS key you created in Step 1.

        <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4fa1d1f1e609306a35ce46a4ab37f25139b6d2c5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
4. Click **Create bucket**.
5. On the **General purpose buckets** list, click the name of the bucket you just created, then **Properties**, and note the **ARN** for future steps.

### Step 3: Configure GuardDuty log export

1. In the AWS console, navigate to GuardDuty.
2. In the left-hand navigation menu, click **Settings**.
3. Within **Findings export options**, under **S3 bucket**, click **Configure now**.\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-ebc2d163723941e14a7a96c724ac5e063f42ae9c%2Fimage.png?alt=media)
4. Fill in the Export findings configuration fields:
   * **S3 bucket ARN**: enter the ARN of the S3 bucket you created in Step 2.
   * **KMS key ARN**: enter the ARN of the KMS key you created in Step 1.
5. Within **Attach policy**, click **View policy for S3 bucket**. Click **Copy**, then close the **S3 bucket policy** modal.
6. Update the bucket policy of the bucket you previously created:
   1. In a separate browser tab, open the AWS console and navigate to the S3 service.
   2. Under **General purpose buckets**, click the name of the bucket you created in Step 2.
   3. Click the **Permissions** tab.
   4. In the Bucket policy tile, click **Edit**.\
      ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-681771fa765c38446b11bc2588c96a749a7ee60c%2Fimage%20\(120\).png?alt=media)
   5. In the policy editor, paste the policy you copied, then click **Save changes**.
7. Navigate back to the browser tab with the GuardDuty settings, and under **Attach policy**, click **View policy for KMS key**. Click **Copy**, then close the **KMS key policy** modal.
8. Update the policy of the KMS key you previously created:
   1. In a separate browser tab, open the AWS console and navigate to the KMS service.
   2. Under **Customer managed keys**, click the alias of the KMS key you created in Step 1.
   3. Under the **Key policy** tab, click **Switch to policy view**.\
      ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d9fbe2cd37230f326edb50dc2929586b4b2fc4c8%2Fimage.png?alt=media)
   4. Click **Edit**.
   5. After the existing console policy (i.e., the object within `Statement`), add a comma, then paste the policy statement you copied.\
      ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d70584f4164fcdd82e7fd9b9ea05c473dcadc1a4%2Fimage.png?alt=media)
   6. Click **Save changes**.
9. Navigate back to the browser tab with the GuardDuty settings, and click **Save**.
   * You should see a notification reading **Successfully created publishing destination**. If you do not, double check your ARNs and policies, or consult [AWS's GuardDuty export documentation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html).
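
The policy edits in sub-steps 6 and 8 can be checked offline before you click **Save**. The Python below is an added example, not Panther's or AWS's code: it appends the copied statement to the key policy's `Statement` array without dropping the default statement, then confirms that the `guardduty.amazonaws.com` service principal holds the permissions AWS documents for findings export (`s3:GetBucketLocation`, `s3:PutObject`, `kms:GenerateDataKey`). Function names, the account ID `111122223333`, the bucket name and both policy documents are constructed for illustration.

```python
import copy
import fnmatch

GUARDDUTY = "guardduty.amazonaws.com"


def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_is_allowed(policy, action, service=GUARDDUTY):
    """True if an Allow statement grants `action` to the service principal."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        # Action names are case-insensitive and may use wildcards (kms:*).
        if any(fnmatch.fnmatchcase(action.lower(), str(a).lower())
               for a in _as_list(stmt.get("Action"))):
            return True
    return False


def merge_statement(key_policy, new_stmt):
    """Append new_stmt, keeping existing statements; a same-Sid entry is replaced."""
    merged = copy.deepcopy(key_policy)
    kept = [s for s in _as_list(merged.get("Statement"))
            if "Sid" not in new_stmt or s.get("Sid") != new_stmt["Sid"]]
    merged["Statement"] = kept + [copy.deepcopy(new_stmt)]
    return merged


def export_problems(bucket_policy, key_policy, key_arn, bucket_region):
    """Return reasons GuardDuty could not write encrypted findings."""
    problems = []
    for action in ("s3:GetBucketLocation", "s3:PutObject"):
        if not service_is_allowed(bucket_policy, action):
            problems.append(f"bucket policy does not allow {action} for {GUARDDUTY}")
    if not service_is_allowed(key_policy, "kms:GenerateDataKey"):
        problems.append(f"key policy does not allow kms:GenerateDataKey for {GUARDDUTY}")
    # arn:aws:kms:<region>:<account>:key/<id>; S3 bucket ARNs carry no region.
    key_region = key_arn.split(":")[3] if key_arn.count(":") >= 5 else ""
    if key_region != bucket_region:
        problems.append(f"KMS key region {key_region!r} != bucket region {bucket_region!r}")
    return problems


# Constructed samples (placeholder account 111122223333). In a real account,
# use the statements copied from the GuardDuty console instead.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
GUARDDUTY_KEY_STMT = {"Sid": "AllowGuardDutyKey", "Effect": "Allow",
                      "Principal": {"Service": GUARDDUTY},
                      "Action": "kms:GenerateDataKey", "Resource": "*"}
BUCKET_ARN = "arn:aws:s3:::panther-guardduty-logs-example"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowGuardDutyExport", "Effect": "Allow",
     "Principal": {"Service": GUARDDUTY},
     "Action": ["s3:GetBucketLocation", "s3:PutObject"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
```

The check ignores `Deny` statements and `Condition` blocks, so a clean result means the grants exist, not that nothing else overrides them.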

### Step 4: Onboarding GuardDuty into Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "AWS GuardDuty," then click its tile.
4. In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **AWS S3 Bucket** option—leave this option selected, and click **Start Setup**.\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-510fe30832e1a1c871c1e11daf5b43ec1f903389%2Fimage.png?alt=media)
5. Follow [Panther's instructions for configuring an S3 Source](https://docs.panther.com/data-onboarding/data-transports/aws/s3), beginning at Step 1.4.
   * You will need the ARNs of the KMS key and S3 bucket you created above.

## How to onboard AWS GuardDuty logs to Panther using SQS

### Prerequisite for onboarding GuardDuty logs with SQS <a href="#prerequisite" id="prerequisite"></a>

* You have your Panther instance's AWS account ID.
  * To locate this value, in the upper-right corner of your Panther Console, click the gear icon > **General**. In the footer of this page, note the **AWS Account ID**.

### Step 1: Create an AWS GuardDuty source in Panther <a href="#step-1-create-an-aws-guardduty-source-in-panther" id="step-1-create-an-aws-guardduty-source-in-panther"></a>

To pull GuardDuty logs into Panther, you will first need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "AWS GuardDuty" then click its tile.
4. In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **AWS S3 Bucket** option. Either leave this option selected, or select **AWS SQS Queue**.
5. Click **Start Setup**.
6. Follow Panther’s [AWS SQS Queue](https://docs.panther.com/data-onboarding/data-transports/aws/sqs) documentation for configuring SQS for Data Transport.
   * On the **Configure** page, leave the **Allowed AWS Principals** and **Allowed Source ARNs** fields blank. You will return to this page in [Step 3](https://docs.panther.com/data-onboarding/supported-logs/aws/guardduty#step-3-configure-your-guardduty-log-source-with-the-sns-topic).

### Step 2: Create an Amazon SNS topic

1. In your AWS console, select the AWS region where your Panther instance is located, then navigate to the **Simple Notification Service** console.
2. In the navigation bar, click **Topics**.
3. Click **Create Topic**.
4. In the **Details** section, provide values for the following fields:
   * **Type**: Select **Standard**.
   * **Name**: Enter a descriptive name.
5. In the **Encryption** section, leave the **Encryption** toggle off.

   <figure><img src="https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FJzEByZUqRjr1OTw4HTh5%252Fimage.png%3Falt=media%26token=6b63b89c-ec57-47b3-ab08-2c2342cf1f5b&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=ddd47a356f7f83fae95702a52efa204c22d86af46ef8b3a17851cc5e40119b87" alt="" width="563"><figcaption></figcaption></figure>
6. In the **Access policy** section:

   1. Within **Publishers**, select **Only the specified AWS accounts**. In the **Enter AWS account IDs** text box, enter your Panther AWS account ID.
   2. Within **Subscribers**, select **Only the specified AWS accounts**. In the **Enter AWS account IDs** text box, enter your Panther AWS account ID.

   <figure><img src="https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FcUF3dvNVMCmro5E7ndYo%252Fimage.png%3Falt=media%26token=ca499443-c1d9-4d75-9101-1101f8a39911&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=da6cfba029c016d752de1b429c9339125a8b66ab8ceec1163eb3c1bd0cb06dc9" alt="" width="563"><figcaption></figcaption></figure>
7. Click **Create topic**.
8. Copy the **ARN** and store it in a secure location, as you will need it in the next step.

   <figure><img src="https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Ff9giE559Or83u4J52slk%252Fimage.png%3Falt=media%26token=28147ff3-a053-43d3-bdc9-6839c8bf789c&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=248eee2d474c66088c34f40f3f52497203fa1a5e8f5f783ab445cb778e38aa85" alt="" width="563"><figcaption></figcaption></figure>

### Step 3: Configure your GuardDuty log source with the SNS topic <a href="#step-3-configure-your-guardduty-log-source-with-the-sns-topic" id="step-3-configure-your-guardduty-log-source-with-the-sns-topic"></a>

1. In your Panther Console, navigate to the GuardDuty log source you created in [Step 1](https://docs.panther.com/data-onboarding/supported-logs/aws/guardduty#step-1-create-an-aws-guardduty-source-in-panther).
   * If you are still on the success screen you landed on at the end of Step 1, click **View Log Source**.
2. Click **Configuration**, then **Edit**.
3. On the **Configure** page, in the **Allowed Source ARNs** field, enter the SNS topic ARN you copied in the previous step.
4. Click **Save**.

### Step 4: Create an SNS subscription <a href="#step-4-create-an-sns-subscription" id="step-4-create-an-sns-subscription"></a>

Create the subscription to the Panther GuardDuty SQS queue.

1. Return to the SNS console in AWS.
2. From the navigation bar, click **Subscriptions**.
3. Click **Create subscription**.
4. Enter values for the following fields:
   * **Protocol**: Select **Amazon SQS**.
   * **Endpoint**: Construct your endpoint using the following format: `arn:aws:sqs:<Panther-region>:<account-id>:<Panther-notifications-queue-name>`
     * `Panther-region`: The AWS region your Panther instance is deployed in
     * `account-id`: Your Panther instance's AWS account ID
     * `Panther-notifications-queue-name`: To find this value:
       1. In your Panther Console, navigate to the GuardDuty log source you created in [Step 1](https://docs.panther.com/data-onboarding/supported-logs/aws/guardduty#step-1-create-an-aws-guardduty-source-in-panther). (You may still be on this page after [Step 3](https://docs.panther.com/data-onboarding/supported-logs/aws/guardduty#step-3-configure-your-guardduty-log-source-with-the-sns-topic).)
       2. At the top of the page, locate the **SQS Queue URL**. The `Panther-notifications-queue-name` value is the portion of the URL beginning with `panther-source-`:

          <figure><img src="https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fvzry5bFqT5dJHr6S2V7w%252FScreenshot%25202024-03-27%2520at%25202.35.17%2520PM.png%3Falt=media%26token=e0d5f263-2621-4cc3-9842-019d19ce99ba&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=a28085190a1ce469a85f6d4b94280ab2053d02c7ea45a67fb01ebec35008cb4a" alt=""><figcaption></figcaption></figure>
5. Click the **Enable raw message delivery** checkbox.
6. Click **Create subscription**.
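
The endpoint construction in step 4, as an added Python example (not Panther's code): it derives the ARN from the **SQS Queue URL**, rejects a queue that is not in your Panther account, and returns the parameters that the console selections correspond to in the SNS `Subscribe` API. The URL layout `https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>` is the standard SQS form and is assumed here; the function names, account IDs, queue name and topic ARN are constructed.

```python
import re
from urllib.parse import urlparse

# Standard SQS URL form: https://sqs.<region>.amazonaws.com/<account-id>/<queue>
_SQS_HOST = re.compile(r"^sqs\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$")
_SNS_ARN = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_-]{1,256})$")


def sqs_endpoint_arn(queue_url, panther_account_id):
    """Build arn:aws:sqs:<region>:<account-id>:<queue> from the SQS Queue URL."""
    url = urlparse(queue_url.strip())
    host = _SQS_HOST.match(url.hostname or "")
    if url.scheme != "https" or not host:
        raise ValueError(f"not an SQS queue URL: {queue_url!r}")
    segments = [s for s in url.path.split("/") if s]
    if len(segments) != 2 or not re.fullmatch(r"\d{12}", segments[0]):
        raise ValueError("expected /<12-digit account id>/<queue name> in the URL path")
    account_id, queue_name = segments
    # The queue must live in the Panther account, or findings go elsewhere.
    if account_id != panther_account_id:
        raise ValueError(f"queue is in account {account_id}, expected {panther_account_id}")
    if not queue_name.startswith("panther-source-"):
        raise ValueError(f"queue name {queue_name!r} does not start with 'panther-source-'")
    return f"arn:aws:sqs:{host.group(1)}:{account_id}:{queue_name}"


def subscription_request(topic_arn, queue_url, panther_account_id):
    """Return SNS Subscribe parameters matching Step 4's console selections."""
    topic = _SNS_ARN.match(topic_arn)
    if not topic:
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    endpoint = sqs_endpoint_arn(queue_url, panther_account_id)
    # Step 2 creates the topic in the region of the Panther instance.
    if topic.group(1) != endpoint.split(":")[3]:
        raise ValueError("SNS topic and Panther queue are in different regions")
    return {"TopicArn": topic_arn, "Protocol": "sqs", "Endpoint": endpoint,
            "Attributes": {"RawMessageDelivery": "true"}}


# Constructed sample values (placeholder account IDs and queue name).
SAMPLE_QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/panther-source-0a1b2c3d"
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:444455556666:guardduty-to-panther"
```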

### Step 5: Configure GuardDuty to post announcements to the SNS topic <a href="#step-5-configure-guardduty-to-post-announcements-to-the-sns-topic" id="step-5-configure-guardduty-to-post-announcements-to-the-sns-topic"></a>

After enabling GuardDuty in your account, you will begin building EventBridge rules to send alerts to Panther.

1. If you have not already enabled GuardDuty in your AWS account, follow [these instructions to do so](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#guardduty_enable-gd).
2. In AWS, navigate to the **Amazon EventBridge** console.
3. In the navigation bar, click **Rules**, under the **Buses** section.
4. Click **Create rule**.
5. Provide values for the following fields:
   * **Name**: Enter a descriptive name.
   * **Event bus**: Select **default**.
   * **Enable the rule on the selected event bus**: Toggle **ON**.
   * **Rule type**: Select **Rule with an event pattern**.
6. Click **Next**.
7. On the **Build event pattern** page:
   1. In the **Event source** section, for **Event source**, select **AWS events or EventBridge partner events**.\
      ![](https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FdkwwlipZc0QsBUIzidRN%252Fimage.png%3Falt=media%26token=a59b1ff5-1bfe-40b9-9d31-b7a3636910a0\&width=300\&dpr=4\&quality=100\&sign=5cc694f5427ee69fe6353718d7cbda38a7b4081a442a53a7092bc6b467000e80)
   2. In the **Sample event** section:
      * For **Sample event type**, select **AWS events**.
      * For **Sample events**, select **GuardDuty Finding**.\
        ![](https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FbwuixsQlYfp5gz7rFfYs%252Fimage.png%3Falt=media%26token=6adedf9f-7576-4650-812f-127e24d1d8e2\&width=300\&dpr=4\&quality=100\&sign=1a964db2a37514a24eabfb588da6deedc4a0c8e5533f20b82105fdc561744e85)
   3. In the **Event pattern** section, make the following selections:
      * **Event source**: Select **AWS services**.
      * **AWS service**: Select **GuardDuty**.
      * **Event type**: Select **GuardDuty Finding**.\
        ![](https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FBF3PfDI7FFh9tXvNkhUe%252Fimage.png%3Falt=media%26token=731bc68a-8ac6-4c85-bc16-9a64ac33c108\&width=300\&dpr=4\&quality=100\&sign=8ff3b949ffff52243c86183faf653a0212c44961908a61978b90d50c571f91cf)
8. Click **Next**.
9. On the **Select target(s)** page, in the **Target 1** section, enter values for the following fields:
   1. **Target types**: Select **AWS service**.
   2. **Select a target**: Select **SNS topic**.
   3. **Topic**: Select the name of the topic you created in [Step 2](https://docs.panther.com/data-onboarding/supported-logs/aws/guardduty#step-2-create-an-amazon-sns-topic).
   4. Within **Additional settings**, make adjustments as needed. ![](https://docs.panther.com/~gitbook/image?url=https:%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FzHPNaStqfqGhLhuBwpgJ%252Fimage.png%3Falt=media%26token=ca59ff68-7774-4be6-a9ae-1425386aed24\&width=300\&dpr=4\&quality=100\&sign=31ac51358aa7cdf484ca122974d1dddd58b3c918d4c4bd96c9c2358eea305541)
10. Click **Next**.
11. On the **Configure tags** page, click **Next**.
12. On the **Review and create** page, click **Create rule**.

## Panther-built detections <a href="#panther-built-detections" id="panther-built-detections"></a>

See Panther's prewritten AWS rules in [the panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules).

## Querying logs in Data Explorer <a href="#querying-logs-in-data-explorer" id="querying-logs-in-data-explorer"></a>

See example SQL queries, for use in Panther's [Data Explorer](https://docs.panther.com/search/data-explorer), in [GuardDuty logs queries](https://docs.panther.com/search/data-explorer/example-queries/guardduty-logs-queries).

## Supported AWS GuardDuty logs <a href="#supported-aws-guardduty-logs" id="supported-aws-guardduty-logs"></a>

### AWS.GuardDuty <a href="#aws.guardduty" id="aws.guardduty"></a>

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see [AWS's documentation on GuardDuty finding format](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html).

```yaml
schema: AWS.GuardDuty
parser:
  native:
    name: AWS.GuardDuty
description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts.
referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
fields:
  - name: schemaVersion
    required: true
    description: The schema format version of this record.
    type: string
  - name: accountId
    required: true
    description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
    type: string
  - name: region
    required: true
    description: The AWS region in which the finding was generated.
    type: string
  - name: partition
    required: true
    description: The AWS partition in which the finding was generated.
    type: string
  - name: id
    required: true
    description: A unique identifier for the finding.
    type: string
  - name: arn
    required: true
    description: A unique identifier formatted as an ARN for the finding.
    type: string
  - name: type
    required: true
    description: A concise yet readable description of the potential security issue.
    type: string
  - name: resource
    required: true
    description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
    type: json
  - name: severity
    required: true
    description: The value of the severity can fall anywhere within the 0.1 to 8.9 range.
    type: float
  - name: createdAt
    required: true
    description: The initial creation time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: updatedAt
    required: true
    description: The last update time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: title
    required: true
    description: A short description of the finding.
    type: string
  - name: description
    required: true
    description: A long description of the finding.
    type: string
  - name: service
    required: true
    description: Additional information about the affected service.
    type: object
    fields:
      - name: additionalInfo
        description: AdditionalInfo field
        type: json
      - name: action
        description: Action field
        type: json
      - name: serviceName
        required: true
        description: ServiceName field
        type: string
      - name: detectorId
        required: true
        description: DetectorID field
        type: string
      - name: resourceRole
        description: ResourceRole field
        type: string
      - name: eventFirstSeen
        description: EventFirstSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: eventLastSeen
        description: EventLastSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: archived
        description: Archived field
        type: boolean
      - name: count
        description: Count field
        type: bigint
```
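
A pre-ingestion check against the field list above, added here as an example and not Panther's parser: it reports missing required fields and values whose type does not match the schema. The function names and the sample finding are constructed, and treating an absent required field as a failure is an assumption about how the schema is enforced.

```python
from datetime import datetime


def _is_rfc3339(value):
    """Accept RFC 3339 strings; a UTC offset or trailing Z is mandatory."""
    if not isinstance(value, str):
        return False
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


# bool is a subclass of int in Python, so the numeric checks exclude it.
CHECKS = {
    "string": lambda v: isinstance(v, str),
    "float": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "bigint": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "timestamp": _is_rfc3339,
    "object": lambda v: isinstance(v, dict),
    "json": lambda v: True,
}

# (name, type, required) transcribed from the AWS.GuardDuty schema above.
TOP_LEVEL = [(n, "string", True) for n in (
    "schemaVersion", "accountId", "region", "partition", "id", "arn", "type",
    "title", "description")] + [
    ("resource", "json", True), ("severity", "float", True),
    ("createdAt", "timestamp", True), ("updatedAt", "timestamp", True),
    ("service", "object", True)]
SERVICE = [
    ("additionalInfo", "json", False), ("action", "json", False),
    ("serviceName", "string", True), ("detectorId", "string", True),
    ("resourceRole", "string", False), ("eventFirstSeen", "timestamp", False),
    ("eventLastSeen", "timestamp", False), ("archived", "boolean", False),
    ("count", "bigint", False)]


def _check(record, spec, prefix=""):
    errors = []
    for name, kind, required in spec:
        value = record.get(name)
        if value is None and required:
            errors.append(f"{prefix}{name}: missing required field")
        elif value is not None and not CHECKS[kind](value):
            errors.append(f"{prefix}{name}: expected {kind}")
    return errors


def validate_finding(finding):
    """Return schema violations for one finding; an empty list means it fits."""
    errors = _check(finding, TOP_LEVEL)
    if isinstance(finding.get("service"), dict):
        errors += _check(finding["service"], SERVICE, "service.")
    return errors


# Constructed sample finding (placeholder IDs, not real GuardDuty output).
SAMPLE = {
    "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
    "partition": "aws", "id": "f0", "type": "Recon:EC2/PortProbeUnprotectedPort",
    "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d0/finding/f0",
    "resource": {"resourceType": "Instance"}, "severity": 2,
    "createdAt": "2024-03-27T14:35:17.000Z", "updatedAt": "2024-03-27T14:35:17.000Z",
    "title": "Constructed title", "description": "Constructed description",
    "service": {"serviceName": "guardduty", "detectorId": "d0", "count": 1}}
```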
