AWS GuardDuty
Connecting AWS GuardDuty to your Panther Console
Last updated
Connecting AWS GuardDuty to your Panther Console
Last updated
Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common Data Transport options: AWS S3 and AWS SQS.
You can also ingest GuardDuty logs using Amazon EventBridge.
You have your Panther instance's AWS account ID. To locate this value, in the upper-right corner of your Panther Console, click the gear icon > General. In the footer of this page, note the AWS Account ID.
To pull GuardDuty logs into Panther, you will first need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS GuardDuty" then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option. Either leave this option selected, or select AWS SQS Queue.
Click Start Setup.
Follow Panther’s documentation for configuring S3 or SQS for Data Transport:
The instructions for the remainder of this process, below, apply to using a SQS queue. For S3 instructions, see the video above.
On the Configure page, leave the Allowed AWS Principals and Allowed Source ARNs fields blank. You will return to this page in Step 3.
Log into the AWS Console.
Select the AWS region where your Panther instance is located, then navigate to the Simple Notification Service console.
In the navigation bar, click Topics.
Click Create Topic.
In the Details section, provide values for the following fields:
Type: Select Standard.
Name: Enter a descriptive name.
In the Encryption section, leave the Encryption toggle off.
In the Access policy section:
Within Publishers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.
Within Subscribers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.
Click Create topic.
Copy the ARN and store it in a secure location, as you will need it in the next step.
In your Panther Console, navigate to the GuardDuty log source you created in Step 1.
If you are still on the success screen you landed on at the end of Step 1, click View Log Source.
Click Configuration, then Edit.
On the Configure page, in the Allowed Source ARNs field, enter the SNS topic ARN you copied in the previous step.
Click Save.
Create the subscription to the Panther GuardDuty SQS queue.
Return to the SNS console in AWS.
From the navigation bar, click Subscriptions.
Click Create subscription.
Enter values for the following fields:
Protocol: Select Amazon SQS.
Endpoint: Construct your endpoint using the following format: arn:aws:sqs:<Panther-region>:<account-id>:<Panther-notifications-queue-name>
Panther-region
: The AWS region your Panther instance is deployed in
account-id
: Your Panther instance's AWS account ID
Panther-notifications-queue-name
: To find this value:
At the top of the page, locate the SQS Queue URL. The Panther-notifications-queue-name
value is the portion of the URL beginning with panther-source-
:
Click the Enable raw message delivery checkbox.
Click Create subscription.
After enabling GuardDuty in your account, you will begin building EventBridge rules to send alerts to Panther.
If you have not already enabled GuardDuty in your AWS account, follow these instructions to do so.
In AWS, navigate to the Amazon EventBridge console.
In the navigation bar, click Rules, under the Buses section.
Click Create rule.
Provide values for the following fields:
Name: Enter a descriptive name.
Event bus: Select default.
Enable the rule on the selected event bus: Toggle ON.
Rule type: Select Rule with an event pattern.
Click Next.
On the Build event pattern page:
In the Sample event section:
For Sample event type, select AWS events.
In the Event pattern section, make the following selections:
Event source: Select AWS services.
AWS service: Select GuardDuty.
Click Next.
On the Select target(s) page, in the Target 1 section, enter values for the following fields:
Target types: Select AWS service.
Select a target: Select SNS topic.
Topic: Select the name of the topic you created in Step 2.
Click Next.
On the Configure tags page, click Next.
On the Review and create page, click Create rule.
See Panther's prewritten AWS rules in the panther-analysis Github repository.
See example SQL queries, for use in Panther's Data Explorer, in GuardDuty logs queries.
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see AWS's documentation on GuardDuty finding format.
In the Event source section, for Event source, select AWS events or EventBridge partner events.
For Sample events, select GuardDuty Finding.
Event type: Select GuardDuty Finding.
Within Additional settings, make adjustments as needed.