Send AWS GuardDuty findings to Panther via EventBridge

Data that you currently send to Amazon EventBridge may also be routed to Panther for advanced monitoring and detection.

Overview

Amazon EventBridge is a serverless event bus that lets you receive, filter, transform, route, and deliver events. This guide is aimed at helping you quickly configure the necessary AWS resources to be used within EventBridge to allow you to perform advanced monitoring on your AWS GuardDuty data.
Within your environment, you may already be using AWS EventBridge, as it supports receiving data from AWS services, custom applications, SaaS applications, and microservices.

Supported targets

In addition to GuardDuty, AWS EventBridge supports many targets Panther may plug into, including SNS Topics, SQS queues, Firehose delivery streams, S3, and more. This enables many possible workflows. For example:
  • Okta -> AWS EventBridge -> AWS SNS -> Panther SQS
  • Custom Application -> AWS EventBridge -> Firehose delivery stream -> S3 -> Panther

How to send AWS GuardDuty findings to Panther

These steps demonstrate how you can send AWS GuardDuty Findings to Panther through AWS EventBridge. There is also an option to generate sample GuardDuty findings or write a rule to alert when someone assumes a role from TOR.

Data Pipeline

AWS GuardDuty -> AWS EventBridge -> AWS SNS Topic -> Panther SQS

Step 1: Create a Topic in Amazon SNS

  1. Log in to your AWS Console and navigate to Amazon SNS > Topics. Click Create Topic.
     • If you already have an SNS topic created, skip to Step 2.
  2. Fill out the Details:
     • Type: Select Standard.
     • Name: panther-eventbridge-guard-duty
  3. Click Create topic.
  4. Copy the ARN value and store it in a secure location, as you will need it in the next steps.
     • Example ARN: arn:aws:sns:region:accountid:topic

Step 2: Create the SQS source in Panther

Step 3: Create a rule in AWS EventBridge

  1. Navigate to AWS GuardDuty to ensure it is enabled.
  2. Navigate to AWS EventBridge, then go to Events > Rules.
  3. Click Create rule.
  4. Fill in the rule detail section:
     • Name: Enter a descriptive name.
     • Description: Enter a description (e.g., Filtering events from GuardDuty and sending them to Panther Managed SQS).
     • Event bus: Set the dropdown menu to default.
     • Enable the rule on the selected event bus: Click the toggle to enable this setting.
     • Rule type: Select Rule with an event pattern.
  5. Click Next.
  6. On the "Build the event pattern" page, fill in the following:
     • Event source: Select AWS events or EventBridge partner events.
     • Event pattern:
       • Event source: Select AWS services.
       • AWS Service: Select GuardDuty.
       • Event type: Select GuardDuty Finding.
  7. Click Next.
  8. On the "Select target(s)" page, fill in the form for Target 1:
     • Target types: Select AWS service.
     • Select a target: Select SNS topic from the dropdown menu.
     • Topic: Enter the topic you created in Step 1 (panther-eventbridge-guard-duty).
     • Under "Additional Settings":
       • Configure target input: Select Part of the matched event.
       • Specify the part of the matched event: Select $.detail
       • Retry policy: Leave the defaults for Retry options.
       • Dead-letter queue: Leave the default option.
     • Note that you can add additional targets here, or layer Panther in alongside existing ones.
  9. Click Next.
  10. Optionally configure tags.
  11. Click Next.
  12. On the "Review and Create" page, click Create rule.
Now, when GuardDuty raises a finding, the event is routed to Panther, where you can write a detection to alert on it.

Generate sample findings

Since GuardDuty allows you to generate sample findings, you may use those to test end-to-end.
  1. In GuardDuty, navigate to Settings > Sample Findings.
  2. Click Generate Sample Findings to test.
An example rule within Panther might look like the following if you wanted to know when someone accessed AWS via TOR:

    from panther_base_helpers import deep_get


    def rule(event):
        # Match the GuardDuty finding type for S3 discovery calls made from a Tor exit node.
        return deep_get(event, 'detail', 'type') == 'Discovery:S3/TorIPCaller'


    def title(event):
        # Alert title: EventBridge event type, GuardDuty finding type, and the calling principal.
        return (
            f"{event.get('detail-type')}: {deep_get(event, 'detail', 'type')} "
            f"from principal id: {deep_get(event, 'detail', 'resource', 'accessKeyDetails', 'principalId')}"
        )


    def alert_context(event):
        # Extra fields attached to the alert for triage.
        return {
            "account": event.get('account'),
            "principalId": deep_get(event, 'detail', 'resource', 'accessKeyDetails', 'principalId'),
            "guardduty-finding-arn": deep_get(event, 'detail', 'arn'),
        }
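As an added example (not code from the page or from Panther), the detection above evaluated locally against constructed sample findings. It uses a hypothetical local stand-in for panther_base_helpers.deep_get so it runs offline, handles both the full EventBridge envelope and the bare finding body that a "$.detail" target input (Step 3) delivers, and goes beyond the page's exact match by alerting on any GuardDuty finding type whose threat name is TorIPCaller.

```python
from typing import Any

# Offline stand-in for panther_base_helpers.deep_get (same call shape, hypothetical).
def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def finding(event: dict) -> dict:
    # Panther sees the whole EventBridge envelope if the target forwards the full
    # event, but only the finding body when the target input is "$.detail".
    return event["detail"] if isinstance(event.get("detail"), dict) else event

def rule(event: dict) -> bool:
    # Generalised from the page's exact match: any finding type whose threat name is
    # TorIPCaller (Discovery:S3/TorIPCaller, UnauthorizedAccess:IAMUser/TorIPCaller, ...).
    return str(finding(event).get("type", "")).endswith("/TorIPCaller")

def principal_id(event: dict) -> Any:
    return deep_get(finding(event), "resource", "accessKeyDetails", "principalId")

def title(event: dict) -> str:
    kind = event.get("detail-type", "GuardDuty Finding")
    return f"{kind}: {finding(event).get('type')} from principal id: {principal_id(event)}"

def alert_context(event: dict) -> dict:
    body = finding(event)
    return {
        "account": event.get("account", body.get("accountId")),
        "principalId": principal_id(event),
        "guardduty-finding-arn": body.get("arn"),
    }

# Constructed sample events, not real findings; account id, ARN and principal are placeholders.
FULL_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "type": "Discovery:S3/TorIPCaller", "accountId": "111122223333",
        "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE/finding/EXAMPLE",
        "resource": {"accessKeyDetails": {"principalId": "AIDAEXAMPLEPRINCIPAL"}},
    },
}
DETAIL_ONLY_EVENT = FULL_EVENT["detail"]  # what a "$.detail" target input delivers
BENIGN_EVENT = {"detail-type": "GuardDuty Finding",
                "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort"}}
```

Running rule() over both sample shapes before deploying shows whether the event your SQS source actually receives still carries the fields the detection reads.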