Integrating Amazon GuardDuty Findings with CloudGuard
Amazon GuardDuty is an AWS threat-detection service that continuously analyzes account activity and logs for signs of malicious activity, compromised hosts, and unauthorized behavior in your AWS account. To streamline your security operations, you can integrate Amazon GuardDuty with CloudGuard. Your security team then sees all AWS findings in a single dashboard, which makes alerts easier to manage and prioritize, and CloudGuard can add further measures, such as threat-intelligence enrichment and automated incident response, to help mitigate detected threats.
Benefits
- A single security view of your AWS environment for threats and security events.
- Enrichment of findings.
- Improved workflow: manage events (Acknowledge, Comment, Archive) in the same way as your other CloudGuard findings, see Action Menu.
Prerequisites
- Onboard your AWS account to CloudGuard, see Onboarding AWS Environments.
- In your AWS account, configure GuardDuty to export its findings to an S3 bucket.
- Grant the permissions that the export needs on the S3 bucket and on the AWS Key Management Service (KMS) key that encrypts the exported findings, see the AWS GuardDuty User Guide.
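Before onboarding, it is worth confirming that the bucket policy and the KMS key policy actually grant what the export needs, since a missing statement silently stops findings from reaching the bucket and therefore CloudGuard. The following is an added example (not CloudGuard or AWS code) that checks two policy documents for the grants the AWS GuardDuty User Guide requires: `s3:PutObject` and `s3:GetBucketLocation` on the bucket, and `kms:GenerateDataKey` on the key, all for the `guardduty.amazonaws.com` service principal, and flags grants that are not pinned to your account with an `aws:SourceAccount` condition. The sample policies, account ID and bucket name are constructed placeholders.

```python
import json

GUARDDUTY_SERVICE = "guardduty.amazonaws.com"
REQUIRED_BUCKET_ACTIONS = {"s3:PutObject", "s3:GetBucketLocation"}
REQUIRED_KEY_ACTIONS = {"kms:GenerateDataKey"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_for_service(stmt, service):
    """True if this statement is an Allow whose principal includes the service."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True  # overly broad, but it does include the service
    if isinstance(principal, dict):
        return service in _as_list(principal.get("Service"))
    return False


def _scoped_to_account(stmt, account):
    """True if the grant is pinned to our account via aws:SourceAccount."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return account in _as_list(cond.get("aws:SourceAccount"))


def _check_policy(policy, required_actions, account, label):
    """Collect problems for one policy document. Actions are matched literally:
    a wildcard such as s3:* is not expanded, so the check is conservative."""
    problems = []
    granted = set()
    unscoped = False
    for stmt in policy.get("Statement", []):
        if not _allow_for_service(stmt, GUARDDUTY_SERVICE):
            continue
        granted |= set(_as_list(stmt.get("Action")))
        if not _scoped_to_account(stmt, account):
            unscoped = True
    for action in sorted(required_actions - granted):
        problems.append(f"{label}: no Allow of {action} for {GUARDDUTY_SERVICE}")
    if granted and unscoped:
        problems.append(f"{label}: grant to {GUARDDUTY_SERVICE} lacks an "
                        "aws:SourceAccount condition (confused-deputy risk)")
    return problems


def check_export_prerequisites(bucket_policy, key_policy, account):
    """Return a list of problems; an empty list means both policies allow
    GuardDuty in `account` to write KMS-encrypted findings to the bucket."""
    return (_check_policy(bucket_policy, REQUIRED_BUCKET_ACTIONS, account, "bucket policy")
            + _check_policy(key_policy, REQUIRED_KEY_ACTIONS, account, "KMS key policy"))


# Constructed sample policies (account, bucket and key are placeholders).
ACCOUNT = "111122223333"
GOOD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPutObject", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_SERVICE}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-guardduty-findings/*",
         "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
        {"Sid": "AllowGetBucketLocation", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_SERVICE}, "Action": "s3:GetBucketLocation",
         "Resource": "arn:aws:s3:::example-guardduty-findings",
         "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
    ],
}
GOOD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowGuardDutyKey", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_SERVICE}, "Action": "kms:GenerateDataKey",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
    ],
}
# The same bucket policy with GetBucketLocation dropped and the condition removed.
BAD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{k: v for k, v in GOOD_BUCKET_POLICY["Statement"][0].items()
                   if k != "Condition"}],
}

if __name__ == "__main__":
    print("good:", check_export_prerequisites(GOOD_BUCKET_POLICY, GOOD_KEY_POLICY, ACCOUNT))
    print("bad:", json.dumps(check_export_prerequisites(BAD_BUCKET_POLICY, GOOD_KEY_POLICY, ACCOUNT), indent=2))
```

In practice you would feed the script the output of `aws s3api get-bucket-policy` and `aws kms get-key-policy` for the bucket and key you configured in the GuardDuty console. The `aws:SourceAccount` check is deliberately strict: without it, GuardDuty acting for any other account could write into your bucket.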
How it Works
When GuardDuty generates a finding, it exports the finding to a region-specific S3 bucket. The bucket publishes an event notification to the SNS topic created by CloudGuard's CFT (CloudFormation template), which forwards it to an SQS queue; CloudGuard reads the queue and shows the finding in CloudGuard Events.
Based on your network configuration and security requirements, you can configure an S3 bucket for each AWS account or configure one centralized S3 bucket to manage multiple AWS accounts.
S3 bucket for each account:

| Item | Description |
|---|---|
| 1 | Use a CFT to onboard your AWS account to CloudGuard. |
| 2 | Create an S3 bucket to which GuardDuty exports its findings. |
| 3 | Configure an SNS topic to forward event notifications from the S3 bucket to an SQS (Simple Queue Service) queue that CloudGuard reads. |
Centralized S3 bucket:

| Item | Description |
|---|---|
| 1 | Use a CFT to onboard your AWS account to CloudGuard. |
| 2 | Configure GuardDuty in each member account to send its findings to a centralized GuardDuty (administrator) account. |
| 3 | Create an S3 bucket in the centralized account to which GuardDuty exports the findings. |
| 4 | Configure an SNS topic to forward event notifications from the S3 bucket to an SQS queue that CloudGuard reads. |
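To make the delivery chain concrete, here is an added example (not CloudGuard code) that walks one message through it: the SQS body is an SNS notification whose `Message` is an S3 event, the S3 event names the exported object, and that object is read and turned into flat records with GuardDuty's severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). The S3 key layout `AWSLogs/<account>/GuardDuty/<region>/<yyyy>/<mm>/<dd>/<file>` and the gzip-compressed JSON Lines object format are how GuardDuty writes exported findings; the account, bucket, topic and the finding itself are constructed sample data. The same code applies whether each account has its own bucket or one centralized bucket receives several accounts, since the account is recovered from the key and from the finding.

```python
import gzip
import json
from urllib.parse import unquote_plus


def unwrap_sqs_message(sqs_body: str) -> list:
    """SQS body -> SNS envelope -> S3 event -> [(bucket, key), ...].
    Only ObjectCreated events matter; S3 URL-encodes keys in notifications."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification")
    s3_event = json.loads(envelope["Message"])
    objects = []
    for record in s3_event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        objects.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return objects


def parse_export_key(key: str) -> dict:
    """Key layout: AWSLogs/<account>/GuardDuty/<region>/<yyyy>/<mm>/<dd>/<file>"""
    parts = key.split("/")
    if len(parts) < 8 or parts[0] != "AWSLogs" or parts[2] != "GuardDuty":
        raise ValueError(f"unexpected GuardDuty export key: {key}")
    return {"account": parts[1], "region": parts[3], "date": "-".join(parts[4:7])}


def severity_label(score: float) -> str:
    """GuardDuty severity bands; scores below 1.0 are not used by GuardDuty."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 1.0:
        return "Low"
    return "Unclassified"


def parse_findings(raw: bytes) -> list:
    """Decode one exported object (gzip-compressed JSON Lines, one finding per
    line; plain JSON Lines is accepted too) into flat records."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    records = []
    for line in raw.decode("utf-8").splitlines():
        if not line.strip():
            continue
        f = json.loads(line)
        records.append({
            "id": f["Id"], "type": f["Type"], "title": f.get("Title", ""),
            "severity": f["Severity"], "severity_label": severity_label(f["Severity"]),
            "account": f["AccountId"], "region": f["Region"],
            "resource_type": f.get("Resource", {}).get("ResourceType"),
            "updated_at": f.get("UpdatedAt"),
        })
    return records


# Constructed sample data: the SQS message CloudGuard's queue would receive and
# the object it points at. Account, bucket, topic and IDs are placeholders.
SAMPLE_KEY = "AWSLogs/111122223333/GuardDuty/us-east-1/2024/05/01/0a1b2c3d.jsonl.gz"
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-guardduty-topic",
    "Message": json.dumps({"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "example-guardduty-findings"},
               "object": {"key": SAMPLE_KEY}}}]}),
})
SAMPLE_FINDING = {
    "Id": "0123456789abcdef0123456789abcdef",
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Title": "API GetCallerIdentity was invoked from a known malicious IP address.",
    "Severity": 8.0, "AccountId": "111122223333", "Region": "us-east-1",
    "Resource": {"ResourceType": "AccessKey"},
    "UpdatedAt": "2024-05-01T10:15:00.000Z",
}
SAMPLE_OBJECT = gzip.compress((json.dumps(SAMPLE_FINDING) + "\n").encode("utf-8"))


def process(sqs_body: str, fetch) -> list:
    """Full chain for one SQS message. `fetch(bucket, key)` returns object bytes
    (in production: s3.get_object(Bucket=bucket, Key=key)["Body"].read())."""
    out = []
    for bucket, key in unwrap_sqs_message(sqs_body):
        meta = parse_export_key(key)
        for rec in parse_findings(fetch(bucket, key)):
            rec["export_region"] = meta["region"]
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in process(SAMPLE_SQS_BODY, lambda bucket, key: SAMPLE_OBJECT):
        print(f'{rec["severity_label"]:<8} {rec["type"]}  ({rec["account"]}/{rec["region"]})')
```

Two details matter when debugging a pipeline that shows nothing in CloudGuard: the S3 notification must be configured for object-created events (other event types are ignored above), and the object key is URL-encoded in the notification, so it must be decoded before the object is fetched.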
Onboarding GuardDuty to CloudGuard
To onboard GuardDuty to CloudGuard Intelligence:
- In the CloudGuard portal, navigate to Assets > Environments.
- In the GuardDuty column of the table, select Enable GuardDuty for the account. Or, select the environment in the table and, in the environment page that opens, select Add GuardDuty.
- Follow the instructions in the onboarding wizard.
- Click Next.
- When the message "Onboarding is completed successfully" shows, click Finish.
To verify that GuardDuty is onboarded, in CloudGuard go to Assets > Environments and make sure that a checkmark shows in the GuardDuty column for the applicable account name.
To see GuardDuty findings, filter the Threat & Security Events table:
- In the CloudGuard portal, navigate to Events > Threat & Security Events.
- In the filter bar, click Add Filter and select Source.
- Click Source and select Amazon GuardDuty.
The event view then shows only events whose source is GuardDuty. The first events appear approximately one hour after onboarding.
To remove Amazon GuardDuty:
- In the CloudGuard portal, navigate to Assets > Environments.
- From the menu bar, select Remove GuardDuty.
- In the window that opens, click Remove.