AWS GuardDuty

Overview

Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common Data Transport options: AWS S3 and AWS SQS.

You can also ingest GuardDuty logs using Amazon EventBridge.

AWS GuardDuty logs video walkthrough

How to onboard AWS GuardDuty logs to Panther

Prerequisite

• You have your Panther instance's AWS account ID. To locate this value, in the upper-right corner of your Panther Console, click the gear icon > General. In the footer of this page, note the AWS Account ID.

Step 1: Create an AWS GuardDuty source in Panther

To pull GuardDuty logs into Panther, you will first need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click Create New.

3. Search for "AWS GuardDuty" then click its tile.

4. In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option. Either leave this option selected, or select AWS SQS Queue.

5. Click Start Setup.

6. Follow Panther’s documentation for configuring S3 or SQS for Data Transport:

   The instructions for the remainder of this process, below, apply to using a SQS queue. For S3 instructions, see the video above.

   • AWS S3 bucket

   • AWS SQS Queue

     • On the Configure page, leave the Allowed AWS Principals and Allowed Source ARNs fields blank. You will return to this page in Step 3.

Step 2: Create an Amazon SNS topic

1. Log into the AWS Console.

2. Select the AWS region where your Panther instance is located, then navigate to the Simple Notification Service console.

3. In the navigation bar, click Topics.

4. Click Create Topic.

5. In the Details section, provide values for the following fields:

   • Type: Select Standard.

   • Name: Enter a descriptive name.

6. In the Encryption section, leave the Encryption toggle off.

   
7. In the Access policy section:

   1. Within Publishers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.

   2. Within Subscribers, select Only the specified AWS accounts. In the Enter AWS account IDs text box, enter your Panther AWS account ID.

   
8. Click Create topic.

9. Copy the ARN and store it in a secure location, as you will need it in the next step.

   

Step 3: Configure your GuardDuty log source with the SNS topic

1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1.

   • If you are still on the success screen you landed on at the end of Step 1, click View Log Source.

2. Click Configuration, then Edit.

3. On the Configure page, in the Allowed Source ARNs field, enter the SNS topic ARN you copied in the previous step.

4. Click Save.

Step 4: Create an SNS subscription

Create the subscription to the Panther GuardDuty SQS queue.

1. Return to the SNS console in AWS.

2. From the navigation bar, click Subscriptions.

3. Click Create subscription.

4. Enter values for the following fields:

   • Protocol: Select Amazon SQS.

   • Endpoint: Construct your endpoint using the following format: arn:aws:sqs:<Panther-region>:<account-id>:<Panther-notifications-queue-name>

     • Panther-region: The AWS region your Panther instance is deployed in

     • account-id: Your Panther instance's AWS account ID

     • Panther-notifications-queue-name: To find this value:

       1. In your Panther Console, navigate to the GuardDuty log source you created in Step 1. (You may still be on this page after Step 3).

       2. At the top of the page, locate the SQS Queue URL. The Panther-notifications-queue-name value is the portion of the URL beginning with panther-source-:

          
5. Click the Enable raw message delivery checkbox.

6. Click Create subscription.

Step 5: Configure GuardDuty to post announcements to the SNS topic

After enabling GuardDuty in your account, you will begin building EventBridge rules to send alerts to Panther.

1. If you have not already enabled GuardDuty in your AWS account, follow these instructions to do so.

2. In AWS, navigate to the Amazon EventBridge console.

3. In the navigation bar, click Rules, under the Buses section.

4. Click Create rule.

5. Provide values for the following fields:

   • Name: Enter a descriptive name.

   • Event bus: Select default.

   • Enable the rule on the selected event bus: Toggle ON.

   • Rule type: Select Rule with an event pattern.

6. Click Next.

7. On the Build event pattern page:

   1. In the Event source section, for Event source, select AWS events or EventBridge partner events.

   2. In the Sample event section:

      • For Sample event type, select AWS events.

      • For Sample events, select GuardDuty Finding.

   3. In the Event pattern section, make the following selections:

      • Event source: Select AWS services.

      • AWS service: Select GuardDuty.

      • Event type: Select GuardDuty Finding.

8. Click Next.

9. On the Select target(s) page, in the Target 1 section, enter values for the following fields:

   1. Target types: Select AWS service.

   2. Select a target: Select SNS topic.

   3. Topic: Select the name of the topic you created in Step 2.

   4. Within Additional settings, make adjustments as needed.

10. Click Next.

11. On the Configure tags page, click Next.

12. On the Review and create page, click Create rule.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in GuardDuty logs queries.

Supported AWS GuardDuty logs

AWS.GuardDuty

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see AWS's documentation on GuardDuty finding format.