AWS GuardDuty

Connecting AWS GuardDuty to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common Data Transport options: AWS S3 and AWS SQS.

You can also ingest GuardDuty logs using Amazon EventBridge.

How to onboard AWS GuardDuty logs to Panther

To pull GuardDuty logs into Panther, you will need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS GuardDuty.

  5. Select a transport method for your source to begin setup. Follow Panther’s documentation for configuring S3 or SQS for Data Transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in GuardDuty logs queries.

Supported AWS GuardDuty logs

AWS.GuardDuty

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see AWS's documentation on GuardDuty finding format.

schema: AWS.GuardDuty
parser:
  native:
    name: AWS.GuardDuty
description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts.
referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
fields:
  - name: schemaVersion
    required: true
    description: The schema format version of this record.
    type: string
  - name: accountId
    required: true
    description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
    type: string
  - name: region
    required: true
    description: The AWS region in which the finding was generated.
    type: string
  - name: partition
    required: true
    description: The AWS partition in which the finding was generated.
    type: string
  - name: id
    required: true
    description: A unique identifier for the finding.
    type: string
  - name: arn
    required: true
    description: A unique identifier formatted as an ARN for the finding.
    type: string
  - name: type
    required: true
    description: A concise yet readable description of the potential security issue.
    type: string
  - name: resource
    required: true
    description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
    type: json
  - name: severity
    required: true
    description: The value of the severity can fall anywhere within the 0.1 to 8.9 range.
    type: float
  - name: createdAt
    required: true
    description: The initial creation time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: updatedAt
    required: true
    description: The last update time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: title
    required: true
    description: A short description of the finding.
    type: string
  - name: description
    required: true
    description: A long description of the finding.
    type: string
  - name: service
    required: true
    description: Additional information about the affected service.
    type: object
    fields:
      - name: additionalInfo
        description: AdditionalInfo field
        type: json
      - name: action
        description: Action field
        type: json
      - name: serviceName
        required: true
        description: ServiceName field
        type: string
      - name: detectorId
        required: true
        description: DetectorID field
        type: string
      - name: resourceRole
        description: ResourceRole field
        type: string
      - name: eventFirstSeen
        description: EventFirstSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: eventLastSeen
        description: EventLastSeen field
        type: timestamp
        timeFormat: rfc3339
      - name: archived
        description: Archived field
        type: boolean
      - name: count
        description: Count field
        type: bigint
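To show how the AWS.GuardDuty schema fields above are used in practice, here is an added example of a Panther-style Python rule (written for this page, not one of Panther's prewritten rules): it skips findings GuardDuty has archived, alerts on findings at or above the Medium severity band, maps the 0.1 to 8.9 severity float to a Panther severity string, and deduplicates on the finding id so repeated updates of one finding group into one alert. The band cutoffs (4.0 and 7.0) and the sample finding are assumptions constructed for the example.

```python
# Added example: a Panther-style rule over an AWS.GuardDuty event.
# Panther passes the parsed log as a dict-like event; a plain dict stands in here.
# Severity cutoffs are an assumption for this example (GuardDuty's bands are
# commonly read as Low < 4.0, Medium 4.0-6.9, High >= 7.0).
MEDIUM_CUTOFF = 4.0
HIGH_CUTOFF = 7.0

# Constructed sample event using only fields from the AWS.GuardDuty schema.
# Every value below is made up for illustration; the finding type is a placeholder.
SAMPLE_FINDING = {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "EXAMPLE-FINDING-ID",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLE/finding/EXAMPLE-FINDING-ID",
    "type": "Example:Resource/ConstructedFindingType",
    "resource": {"resourceType": "AccessKey"},
    "severity": 8.0,
    "createdAt": "2024-01-01T00:00:00Z",
    "updatedAt": "2024-01-01T00:05:00Z",
    "title": "Constructed sample finding",
    "description": "Constructed sample finding used to exercise the rule below.",
    "service": {"serviceName": "guardduty", "detectorId": "EXAMPLE", "archived": False, "count": 3},
}


def severity(event):
    """Map GuardDuty's float severity onto a Panther severity label."""
    sev = float(event.get("severity") or 0.0)
    if sev >= HIGH_CUTOFF:
        return "HIGH"
    if sev >= MEDIUM_CUTOFF:
        return "MEDIUM"
    return "LOW"


def rule(event):
    """Alert on non-archived findings in the Medium band or above."""
    if (event.get("service") or {}).get("archived"):
        return False
    return float(event.get("severity") or 0.0) >= MEDIUM_CUTOFF


def title(event):
    """Alert title built from the finding type, account and region."""
    return (f"GuardDuty {severity(event)} finding [{event.get('type')}] "
            f"in account {event.get('accountId')} ({event.get('region')})")


def dedup(event):
    """GuardDuty re-emits the same finding id as count/updatedAt change; group on it."""
    return event.get("id") or "unknown-finding"
```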
