AWS GuardDuty

Connecting AWS GuardDuty to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common Data Transport options:

You can also ingest GuardDuty logs using Amazon EventBridge.

How to onboard AWS GuardDuty logs to Panther using S3

The video below depicts a slightly out-of-date Panther Console. Follow the step-by-step instructions below the video for current guidance.

Prerequisite for onboarding GuardDuty logs with S3

GuardDuty is a regional service and requires its S3 export bucket and KMS key to be in the same region.

Step 1: Create a KMS Key

  1. In AWS, while in the correct region, navigate to the Key Management Service (KMS).

  2. Click Customer managed keys, then Create Key.

  3. Leave the default Key type (Symmetric) and Key usage (Encrypt and decrypt) selections, and click Next.

  4. On the Add labels page, enter an Alias of your choice, e.g., guardduty-log-key.

  5. Click Skip to Review. (We will add policies to this key in a future step.)

  6. Click Finish.

  7. On the Customer managed keys list, click the key you just created, and note the ARN for future steps.

Step 2: Create an S3 bucket

  1. In AWS, while in the correct region, navigate to S3.

  2. Under General purpose buckets, click Create bucket.

  3. Fill in the fields:

    • In the General configuration tile, enter a unique Bucket name (e.g. panther-guardduty-logs-<identifier>).

    • In the Default encryption tile:

      1. For Encryption type, select Server-side encryption with AWS Key Management Service keys (SSE-KMS).

      2. Under AWS KMS key, select Choose from your AWS KMS keys.

      3. Under Available AWS KMS keys, select the KMS key you created in Step 1.

  4. Click Create bucket.

  5. On the General purpose buckets list, click the name of the bucket you just created, then Properties, and note the ARN for future steps.

Step 3: Configure GuardDuty log export

  1. In the AWS console, navigate to GuardDuty.

  2. In the left-hand navigation menu, click Settings.

  3. Within Findings export options, under S3 bucket, click Configure now.

  4. Fill in the Export findings configuration fields:

    • S3 bucket ARN: enter the ARN of the S3 bucket you created in Step 2.

    • KMS key ARN: enter the ARN of the KMS key you created in Step 1.

  5. Within Attach policy, click View policy for S3 bucket. Click Copy, then close the S3 bucket policy modal.

  6. Update the bucket policy of the bucket you previously created:

    1. In a separate browser tab, open the AWS console and navigate to the S3 service.

    2. Under General purpose buckets, click the name of the bucket you created in Step 2.

    3. Click the Permissions tab.

    4. In the Bucket policy tile, click Edit.

    5. In the policy editor, paste the policy you copied, then click Save changes.

  7. Navigate back to the browser tab with the GuardDuty settings, and under Attach policy, click View policy for KMS key. Click Copy, then close the KMS key policy modal.

  8. Update the policy of the KMS key you previously created:

    1. In a separate browser tab, open the AWS console and navigate to the KMS service.

    2. Under Customer managed keys, click the alias of the KMS key you created in Step 1.

    3. Under the Key policy tab, click Switch to policy view.

    4. Click Edit.

    5. After the existing console policy (i.e., the object within Statement), add a comma, then paste the policy statement you copied.

    6. Click Save changes.

  9. Navigate back to the browser tab with the GuardDuty settings, and click Save.

    • You should see a notification reading Successfully created publishing destination. If you do not, double check your ARNs and policies, or consult AWS's GuardDuty export documentation.

Step 4: Onboarding GuardDuty into Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "AWS GuardDuty," then click its tile.

  4. In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option—leave this option selected, and click Start Setup.

  5. Follow Panther's instructions for configuring an S3 Source, beginning at Step 1.4.

    • You will need the ARNs of the KMS key and S3 bucket you created above.
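The AWS-side part of this procedure (Steps 1 to 3) comes down to two policies and one prerequisite: the bucket policy must let the GuardDuty service principal write into the bucket, the key policy must let it generate data keys, both grants should be scoped to your own account, and bucket and key must sit in the same region. The script below is an added example, not Panther's or AWS's code: it performs the key-policy merge from Step 3.8.5 programmatically and then checks a finished configuration for those conditions. It assumes the console-generated policies follow the shape in AWS's GuardDuty export documentation (guardduty.amazonaws.com allowed s3:GetBucketLocation and s3:PutObject on the bucket, and kms:GenerateDataKey on the key, each with an aws:SourceAccount condition); every ARN, account ID and policy in it is a constructed placeholder.

```python
"""Checks for the GuardDuty export setup from Steps 1-3 (added example).

Assumes the console-generated policies follow the shape in AWS's GuardDuty
export documentation (bucket policy allowing guardduty.amazonaws.com
s3:GetBucketLocation and s3:PutObject; KMS statement allowing
kms:GenerateDataKey), each scoped with an aws:SourceAccount condition.
Every ARN, account ID and policy below is a constructed placeholder.
"""
import copy

GUARDDUTY_PRINCIPAL = "guardduty.amazonaws.com"


def arn_region(arn: str) -> str:
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[3]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def merge_statement(key_policy: dict, statement: dict) -> dict:
    """Step 3.8.5 without hand-editing JSON: append the copied GuardDuty
    statement to the existing key policy. A policy whose Statement is a bare
    object is normalised to a list; a duplicate Sid is rejected."""
    merged = copy.deepcopy(key_policy)
    statements = _as_list(merged.get("Statement", []))
    if statement.get("Sid") in {s.get("Sid") for s in statements}:
        raise ValueError(f"duplicate Sid {statement.get('Sid')!r}")
    merged["Statement"] = statements + [copy.deepcopy(statement)]
    return merged


def _guardduty_allow(policy: dict, action: str, resource: str):
    """First Allow statement granting `action` on `resource` to GuardDuty."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and GUARDDUTY_PRINCIPAL in services
                and action in _as_list(stmt.get("Action"))
                and resource in _as_list(stmt.get("Resource"))):
            return stmt
    return None


def check_export_config(bucket_arn, bucket_region, key_arn, account_id,
                        bucket_policy, key_policy) -> list:
    """Return a list of problems; an empty list means the setup looks right."""
    problems = []
    # Prerequisite from the page: bucket and KMS key must share GuardDuty's region
    # (S3 bucket ARNs carry no region, so the bucket region is passed in).
    if arn_region(key_arn) != bucket_region:
        problems.append(f"KMS key is in {arn_region(key_arn)} but bucket is in {bucket_region}")
    required = [
        (bucket_policy, "s3:GetBucketLocation", bucket_arn),
        (bucket_policy, "s3:PutObject", bucket_arn + "/*"),
        (key_policy, "kms:GenerateDataKey", key_arn),
    ]
    for policy, action, resource in required:
        stmt = _guardduty_allow(policy, action, resource)
        if stmt is None:
            problems.append(f"no Allow of {action} on {resource} for {GUARDDUTY_PRINCIPAL}")
            continue
        # The aws:SourceAccount condition keeps another account's GuardDuty
        # detector from writing into this bucket or using this key.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            problems.append(f"{action} grant lacks aws:SourceAccount == {account_id}")
    return problems


# --- constructed sample values (placeholders, not real resources) ---
ACCOUNT = "111122223333"
REGION = "us-east-1"
BUCKET_ARN = "arn:aws:s3:::panther-guardduty-logs-example"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
DETECTOR_ARN = f"arn:aws:guardduty:{REGION}:{ACCOUNT}:detector/exampledetectorid"
SCOPE = {"StringEquals": {"aws:SourceAccount": ACCOUNT, "aws:SourceArn": DETECTOR_ARN}}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow",
     "Principal": {"Service": GUARDDUTY_PRINCIPAL}, "Action": "s3:GetBucketLocation",
     "Resource": BUCKET_ARN, "Condition": SCOPE},
    {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow",
     "Principal": {"Service": GUARDDUTY_PRINCIPAL}, "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*", "Condition": SCOPE},
]}
# The console's default key policy: a single administrative statement.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Id": "key-default-1", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}
]}
GUARDDUTY_KEY_STATEMENT = {
    "Sid": "AllowGuardDutyKey", "Effect": "Allow",
    "Principal": {"Service": GUARDDUTY_PRINCIPAL}, "Action": "kms:GenerateDataKey",
    "Resource": KEY_ARN, "Condition": SCOPE}
KEY_POLICY = merge_statement(DEFAULT_KEY_POLICY, GUARDDUTY_KEY_STATEMENT)

if __name__ == "__main__":
    for line in (check_export_config(BUCKET_ARN, REGION, KEY_ARN, ACCOUNT,
                                     BUCKET_POLICY, KEY_POLICY) or ["configuration looks correct"]):
        print(line)
```

Run against the real policies by pasting the bucket policy and the merged key policy (the console's policy view) into BUCKET_POLICY and KEY_POLICY; the region check catches the prerequisite above, and the missing-condition check catches a statement that was pasted without its Condition block, which would let any account's detector write to the bucket.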

How to onboard AWS GuardDuty logs to Panther using SQS

Prerequisite for onboarding GuardDuty logs with SQS

  • You have your Panther instance's AWS account ID.

    • To locate this value, in the upper-right corner of your Panther Console, click the gear icon > General. In the footer of this page, note the AWS Account ID.

Step 1: Create an AWS GuardDuty source in Panther

To pull GuardDuty logs into Panther, you will first need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "AWS GuardDuty" then click its tile.

  4. In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option. Either leave this option selected, or select AWS SQS Queue.

  5. Click Start Setup.

  6. Follow Panther’s AWS SQS Queue documentation for configuring SQS for Data Transport.

    • On the Configure page, leave the Allowed AWS Principals and Allowed Source ARNs fields blank. You will return to this page in Step 3.

Step 2: Create an Amazon SNS topic

  1. In your AWS console, select the AWS region where your Panther instance is located, then navigate to the Simple Notification Service console.

  2. In the navigation bar, click Topics.

  3. Click Create Topic.

  4. In the Details section, provide values for the following fields:

    • Type: Select Standard.

    • Name: Enter a descriptive name.

  5. In the Encryption section, leave the Encryption toggle off.

  6. In the Access policy section:

    1. Within Publishers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.

    2. Within Subscribers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.

  7. Click Create topic.

  8. Copy the ARN and store it in a secure location, as you will need it in the next step.

Step 3: Configure your GuardDuty log source with the SNS topic

  1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1.

    • If you are still on the success screen you landed on at the end of Step 1, click View Log Source.

  2. Click Configuration, then Edit.

  3. On the Configure page, in the Allowed Source ARNs field, enter the SNS topic ARN you copied in the previous step.

  4. Click Save.

Step 4: Create an SNS subscription

Create the subscription to the Panther GuardDuty SQS queue.

  1. Return to the SNS console in AWS.

  2. From the navigation bar, click Subscriptions.

  3. Click Create subscription.

  4. Enter values for the following fields:

    • Protocol: Select Amazon SQS.

    • Endpoint: Construct your endpoint using the following format: arn:aws:sqs:<Panther-region>:<account-id>:<Panther-notifications-queue-name>

      • Panther-region: The AWS region your Panther instance is deployed in

      • account-id: Your Panther instance's AWS account ID

      • Panther-notifications-queue-name: To find this value:

        1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1. (You may still be on this page after Step 3).

        2. At the top of the page, locate the SQS Queue URL. The Panther-notifications-queue-name value is the portion of the URL beginning with panther-source-.

  5. Click the Enable raw message delivery checkbox.

  6. Click Create subscription.

Step 5: Configure GuardDuty to post announcements to the SNS topic

After enabling GuardDuty in your account, you will begin building EventBridge rules to send alerts to Panther.

  1. If you have not already enabled GuardDuty in your AWS account, follow these instructions to do so.

  2. In AWS, navigate to the Amazon EventBridge console.

  3. In the navigation bar, click Rules, under the Buses section.

  4. Click Create rule.

  5. Provide values for the following fields:

    • Name: Enter a descriptive name.

    • Event bus: Select default.

    • Enable the rule on the selected event bus: Toggle ON.

    • Rule type: Select Rule with an event pattern.

  6. Click Next.

  7. On the Build event pattern page:

    1. In the Event source section, for Event source, select AWS events or EventBridge partner events.

    2. In the Sample event section:

      • For Sample event type, select AWS events.

      • For Sample events, select GuardDuty Finding.

    3. In the Event pattern section, make the following selections:

      • Event source: Select AWS services.

      • AWS service: Select GuardDuty.

      • Event type: Select GuardDuty Finding.

  8. Click Next.

  9. On the Select target(s) page, in the Target 1 section, enter values for the following fields:

    1. Target types: Select AWS service.

    2. Select a target: Select SNS topic.

    3. Topic: Select the name of the topic you created in Step 2.

    4. Within Additional settings, make adjustments as needed.

  10. Click Next.

  11. On the Configure tags page, click Next.

  12. On the Review and create page, click Create rule.
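Three details of Steps 4 and 5 are easy to get subtly wrong: deriving the subscription endpoint ARN from the SQS Queue URL, the event pattern the EventBridge console builds from the selections in Step 5.7, and the effect of the Enable raw message delivery checkbox (without it, the SQS body is an SNS envelope whose Message field carries the event as a JSON string rather than the event itself). The following is an added example, not Panther's code: it derives the endpoint ARN from a queue URL, expresses the GuardDuty event pattern and a minimal matcher for testing sample events against it, and unwraps an SQS body whether or not raw delivery was enabled. The queue URL, account IDs and sample events are constructed placeholders; the panther-source- prefix and ARN layout come from the steps above, the pattern keys (source, detail-type) from the EventBridge event format.

```python
"""Helpers for the SQS/SNS/EventBridge path in Steps 2-5 (added example,
not Panther's code).  Queue URLs, account IDs and the sample events are
constructed placeholders; the queue-name prefix panther-source- and the SQS
ARN format are taken from the page, the EventBridge pattern keys
(source / detail-type) from AWS's EventBridge event format."""
import json
from urllib.parse import urlparse

QUEUE_PREFIX = "panther-source-"


def sqs_arn_from_queue_url(queue_url: str) -> str:
    """Step 4: turn the SQS Queue URL shown on the Panther log source page into
    the subscription endpoint arn:aws:sqs:<region>:<account-id>:<queue-name>."""
    parsed = urlparse(queue_url)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not host.startswith("sqs.") or not host.endswith(".amazonaws.com"):
        raise ValueError(f"not an SQS queue URL: {queue_url}")
    region = host[len("sqs."):-len(".amazonaws.com")]
    account_id, queue_name = parsed.path.strip("/").split("/", 1)
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"bad account id in queue URL: {account_id}")
    if not queue_name.startswith(QUEUE_PREFIX):
        raise ValueError(f"queue name does not start with {QUEUE_PREFIX}: {queue_name}")
    return f"arn:aws:sqs:{region}:{account_id}:{queue_name}"


def guardduty_event_pattern() -> dict:
    """The pattern the EventBridge console builds for Step 5.7 (AWS service
    GuardDuty, event type GuardDuty Finding)."""
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def matches(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matching: every pattern key must be present in the
    event and its value must equal one of the listed alternatives (nested dict
    patterns recurse).  Enough to test a pattern against sample events."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(event[key], wanted):
                return False
        elif event[key] not in wanted:
            return False
    return True


def finding_from_sqs_body(body: str) -> dict:
    """Extract the EventBridge event from an SQS message body.  With raw message
    delivery enabled (Step 4.5) the body is the event itself; without it the
    body is an SNS envelope whose "Message" field holds the event as a string."""
    doc = json.loads(body)
    if doc.get("Type") == "Notification" and "Message" in doc:
        doc = json.loads(doc["Message"])
    return doc


# --- constructed sample data ---
SAMPLE_QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/panther-source-example-queue"
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "444455556666", "region": "us-east-1",
    "detail": {"schemaVersion": "2.0", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
}
SAMPLE_OTHER_EVENT = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2"}
RAW_BODY = json.dumps(SAMPLE_EVENT)
SNS_ENVELOPE = json.dumps({"Type": "Notification",
                           "TopicArn": "arn:aws:sns:us-east-1:444455556666:guardduty-topic",
                           "Message": RAW_BODY})

if __name__ == "__main__":
    print("endpoint:", sqs_arn_from_queue_url(SAMPLE_QUEUE_URL))
    print("pattern matches finding:", matches(SAMPLE_EVENT, guardduty_event_pattern()))
    print("pattern matches other event:", matches(SAMPLE_OTHER_EVENT, guardduty_event_pattern()))
    print("unwrapped finding type:", finding_from_sqs_body(SNS_ENVELOPE)["detail"]["type"])
```

The matcher only covers exact-value matching, which is all the console pattern above uses; it is meant for checking that a captured sample event would be routed, not as a replacement for EventBridge's own test-pattern feature.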

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in GuardDuty logs queries.

Supported AWS GuardDuty logs

AWS.GuardDuty

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see AWS's documentation on GuardDuty finding format.

schema: AWS.GuardDuty
parser:
  native:
    name: AWS.GuardDuty
description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts.
referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
fields:
  - name: schemaVersion
    required: true
    description: The schema format version of this record.
    type: string
  - name: accountId
    required: true
    description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
    type: string
  - name: region
    required: true
    description: The AWS region in which the finding was generated.
    type: string
  - name: partition
    required: true
    description: The AWS partition in which the finding was generated.
    type: string
  - name: id
    required: true
    description: A unique identifier for the finding.
    type: string
  - name: arn
    required: true
    description: A unique identifier formatted as an ARN for the finding.
    type: string
  - name: type
    required: true
    description: A concise yet readable description of the potential security issue.
    type: string
  - name: resource
    required: true
    description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
    type: json
  - name: severity
    required: true
    description: The value of the severity can fall anywhere within the 0.1 to 8.9 range.
    type: float
  - name: createdAt
    required: true
    description: The initial creation time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: updatedAt
    required: true
    description: The last update time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: title
    required: true
    description: A short description of the finding.
    type: string
  - name: description
    required: true
    description: A long description of the finding.
    type: string
  - name: service
    required: true
    description: Additional information about the affected service.
    type: object
    fields:
      - name: additionalInfo
        description: AdditionalInfo field
        type: json
      - name: action
        description: Action field
        type: json
      - name: serviceName
        required: true
        description: ServiceName field
        type: string
      - name: detectorId
        required: true
        description: DetectorID field
        type: string
      - name: resourceRole
        description: ResourceRole field
        type: string
      - name: eventFirstSeen
        description: EventFirstSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: eventLastSeen
        description: EventLastSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: archived
        description: Archived field
        type: boolean
      - name: count
        description: Count field
        type: bigint
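To show how the schema fields above are used in a detection, here is a Panther-style rule written as an added example; it is not one of the prewritten rules in panther-analysis. It follows Panther's Python rule conventions (module-level rule, title, severity, dedup and alert_context functions that receive the parsed event), reads only fields listed in the AWS.GuardDuty schema, and maps the numeric severity (0.1 to 8.9 per the schema) onto Panther alert levels. The sample finding at the bottom is constructed.

```python
"""Panther-style detection over the AWS.GuardDuty schema (added example; not
one of the rules in panther-analysis).  Uses Panther's rule/title/severity/
dedup/alert_context conventions and only the schema's fields.  The sample
finding below is constructed."""

# GuardDuty severity bands on the 0.1-8.9 scale stated in the schema:
# 7.0 and above is High, 4.0-6.9 Medium, 0.1-3.9 Low.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))


def _service(event) -> dict:
    return event.get("service") or {}


def rule(event) -> bool:
    """Alert on every finding except archived ones: an analyst already
    dismissed those in GuardDuty, and findings are re-exported when
    service.count grows, so archived ones would otherwise keep resurfacing."""
    if _service(event).get("archived") is True:
        return False
    return isinstance(event.get("severity"), (int, float)) and event["severity"] >= 0.1


def severity(event) -> str:
    """Map GuardDuty's numeric severity onto Panther's alert levels."""
    value = float(event.get("severity") or 0)
    for floor, level in SEVERITY_BANDS:
        if value >= floor:
            return level
    return "INFO"


def title(event) -> str:
    return (f"GuardDuty [{severity(event)}] {event.get('type')} in "
            f"{event.get('accountId')}/{event.get('region')}: {event.get('title')}")


def dedup(event) -> str:
    """One alert per GuardDuty finding: updates to a finding keep the same id
    (only updatedAt and service.count change), so group alerts on it."""
    return event.get("id") or event.get("arn") or "unknown"


def alert_context(event) -> dict:
    svc = _service(event)
    return {
        "finding_id": event.get("id"),
        "detector_id": svc.get("detectorId"),
        "first_seen": svc.get("eventFirstSeen"),
        "last_seen": svc.get("eventLastSeen"),
        "count": svc.get("count"),
        "resource_role": svc.get("resourceRole"),
        "resource": event.get("resource"),
    }


# Constructed sample finding using only fields from the AWS.GuardDuty schema.
SAMPLE_FINDING = {
    "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
    "partition": "aws", "id": "00example0finding0id",
    "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/exampledetector/finding/00example0finding0id",
    "type": "Recon:EC2/Portscan", "severity": 5.0,
    "createdAt": "2024-01-01T00:00:00Z", "updatedAt": "2024-01-01T00:05:00Z",
    "title": "EC2 instance is performing outbound port scans.",
    "description": "EC2 instance i-00000000000000000 is performing outbound port scans against remote hosts.",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-00000000000000000"}},
    "service": {"serviceName": "guardduty", "detectorId": "exampledetector", "resourceRole": "ACTOR",
                "eventFirstSeen": "2024-01-01T00:00:00Z", "eventLastSeen": "2024-01-01T00:05:00Z",
                "archived": False, "count": 3},
}

if __name__ == "__main__":
    if rule(SAMPLE_FINDING):
        print(severity(SAMPLE_FINDING), title(SAMPLE_FINDING))
        print("dedup key:", dedup(SAMPLE_FINDING))
        print("context:", alert_context(SAMPLE_FINDING))
```

In Panther the event argument is the parsed log record, so the same functions work there; for a local test the plain dict above is enough. Raise the 0.1 floor in rule() or drop the LOW band if low-severity findings are better handled by a scheduled query than by alerts.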
