
Configuring an Amazon GuardDuty Log Source by using the Amazon Web Services Protocol

 

If you want to collect Amazon GuardDuty logs in JSA, you need to configure a log source on the JSA Console for Amazon AWS CloudTrail to communicate with JSA by using the Amazon Web Services protocol.

  1. If automatic updates are not enabled, download and install the most recent version of each of the following RPMs on your JSA console:

    • Protocol Common RPM

    • Amazon Web Services Protocol RPM

    • DSMCommon RPM

    • Amazon GuardDuty DSM RPM

  2. Create an IAM role for the Lambda function, create and configure a Lambda function and then create a CloudWatch events rule to retrieve Amazon GuardDuty events into JSA by completing the following steps:

    1. Create an IAM role for the Lambda function.

    2. Create a Lambda function.

    3. Create a CloudWatch events rule.

    4. Configure the Lambda function.

  3. Create a log group and log stream to retrieve Amazon GuardDuty events for JSA.

  4. Create an Identity and Access Management (IAM) user in the Amazon AWS user interface when using the Amazon Web Services protocol.

  5. Add a log source for Amazon GuardDuty on the JSA Console. The following table describes the Amazon Web Services protocol parameters that require specific values for Amazon GuardDuty log collection:

    Table 1: Amazon GuardDuty Web Services Protocol Parameters (each parameter is followed by its description)

    Log Source Type
      Amazon GuardDuty

    Protocol Configuration
      Amazon Web Services

    Authentication Method
      • Access Key ID / Secret Key - Standard authentication that can be used from anywhere.
      • EC2 Instance IAM Role - If your JSA managed host is running in an AWS EC2 instance, choosing this option uses the IAM role from the metadata that is assigned to the instance for authentication; no keys are required.
        Note: This method works only for managed hosts that are running within an AWS EC2 container.

    Access Key ID
      If you selected Access Key ID / Secret Key, the Access Key ID parameter displays. The Access Key ID was generated when you configured the security credentials for your AWS user account.

    Secret Access Key
      If you selected Access Key ID / Secret Key, the Secret Access Key parameter displays. The Secret Key was generated when you configured the security credentials for your AWS user account.

    Regions
      Select the check box for each region that is associated with the Amazon Web Service that you want to collect logs from.

    Other Regions
      Type the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from. To collect from multiple regions, use a comma-separated list, as shown in the following example: region1,region2

    AWS Service
      The name of the Amazon Web Service. From the AWS Service list, select CloudWatch Logs.

    Log Group
      The name of the log group in Amazon CloudWatch where you want to collect logs from.
      Note: A single log source collects CloudWatch logs from 1 log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.

    Log Stream (Optional)
      The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.

    Filter Pattern (Optional)
      Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specified are collected from CloudWatch Logs. If you enter ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected. The following example shows an event that the ACCEPT value matches:
      {LogStreamName: LogStreamTest,Timestamp: 0, Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

    Extract Original Event
      CloudWatch logs wrap the events that they receive with extra metadata. If you want only the original event that was added to the CloudWatch logs to be forwarded to JSA, select this option. The original event is the value of the Message key that is extracted from the CloudWatch Logs event.
      The following CloudWatch Logs event example shows the wrapper; the original event that is extracted is the value of the Message key:
      {LogStreamName: guardDutyLogStream,Timestamp: 1519849569827,Message: {"version": "0", "id": "00-00", "detail-type": "GuardDuty Finding", "account": "1234567890", "region": "us-west-2", "resources": [], "detail": {"schemaVersion": "2.0", "accountId": "1234567890", "region": "us-west-2", "partition": "aws", "type": "Behavior:IAMUser/InstanceLaunchUnusual", "severity": 5.0, "createdAt": "2018-02-28T20:22:26.344Z", "updatedAt": "2018-02-28T20:22:26.344Z"}},IngestionTime: 1519849569862,EventId: 0000}

    Use As A Gateway Log Source
      Do not select this check box.

    Use Proxy
      If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy.
      If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate(s)
      Select Yes for JSA to automatically download the server certificate and begin trusting the target server.
      This function can be used to initialize a newly created log source and obtain certificates initially, or to replace expired certificates.

    EPS Throttle
      The upper limit for the maximum number of events per second (EPS). The default is 5000. If the Use As A Gateway Log Source option is selected, this value is optional. If EPS Throttle is left blank, no limit is imposed by JSA.
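The Filter Pattern and Extract Original Event parameters above decide what JSA actually sees from each CloudWatch Logs event. The following Python is an added example, not code from the JSA product or from this page: it models the plain-substring filter and the message extraction on constructed CloudWatch Logs events, and shows why a regex-looking pattern matches nothing. The key names (logStreamName, timestamp, message, ingestionTime, eventId) follow the CloudWatch Logs FilterLogEvents API rather than the page's abbreviated rendering, and the finding summary fields chosen are my own selection.

```python
"""Model JSA's Filter Pattern (literal substring) and Extract Original Event
(message value) behaviour on CloudWatch Logs events before they reach the DSM."""
import json

# Constructed GuardDuty finding, shaped like the page's example event. Inside
# CloudWatch Logs it travels as the *message* string; the other keys are the
# wrapper metadata that CloudWatch adds.
GUARDDUTY_FINDING = {
    "version": "0", "id": "00-00", "detail-type": "GuardDuty Finding",
    "account": "1234567890", "region": "us-west-2", "resources": [],
    "detail": {"schemaVersion": "2.0", "accountId": "1234567890",
               "region": "us-west-2", "partition": "aws",
               "type": "Behavior:IAMUser/InstanceLaunchUnusual", "severity": 5.0,
               "createdAt": "2018-02-28T20:22:26.344Z",
               "updatedAt": "2018-02-28T20:22:26.344Z"},
}

# Constructed sample events as the CloudWatch Logs API would return them.
SAMPLE_EVENTS = [
    {"logStreamName": "guardDutyLogStream", "timestamp": 1519849569827,
     "message": json.dumps(GUARDDUTY_FINDING),
     "ingestionTime": 1519849569862, "eventId": "0000"},
    {"logStreamName": "LogStreamTest", "timestamp": 0, "message": "ACCEPT OK",
     "ingestionTime": 0, "eventId": "0"},
    {"logStreamName": "LogStreamTest", "timestamp": 0, "message": "REJECT OK",
     "ingestionTime": 0, "eventId": "1"},
]


def filter_events(events, pattern):
    """Filter Pattern semantics: a literal substring test on the message, not a
    regex. An empty pattern keeps every event."""
    if not pattern:
        return list(events)
    return [e for e in events if pattern in e["message"]]


def forwarded_payload(event, extract_original):
    """What is forwarded for one event: the bare message when Extract Original
    Event is selected, otherwise the whole CloudWatch wrapper serialised as JSON."""
    if extract_original:
        return event["message"]
    return json.dumps(event, sort_keys=True)


def collect(events, pattern="", extract_original=True):
    """Apply the filter, then the extraction, in the order the log source does."""
    return [forwarded_payload(e, extract_original) for e in filter_events(events, pattern)]


def finding_summary(payload):
    """Parse a forwarded payload and pull out the fields an analyst triages on.
    Returns None for anything that is not a GuardDuty finding (for example the
    plain-text 'ACCEPT OK' event)."""
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    # With Extract Original Event off, the finding sits one level down in "message".
    if isinstance(data.get("message"), str):
        try:
            data = json.loads(data["message"])
        except ValueError:
            return None
    if data.get("detail-type") != "GuardDuty Finding":
        return None
    detail = data.get("detail", {})
    return {"type": detail.get("type"), "severity": detail.get("severity"),
            "account": detail.get("accountId"), "region": detail.get("region")}


if __name__ == "__main__":
    for payload in collect(SAMPLE_EVENTS, pattern="GuardDuty Finding"):
        print(finding_summary(payload))
```

Running the module with the filter set to GuardDuty Finding yields one summary; a pattern such as ACC.PT returns nothing, because the dot is a literal character here rather than a regex wildcard.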

Creating an IAM Role for the Lambda Function

You need to create and configure a CloudWatch Events rule to get GuardDuty events and forward the events to the CloudWatch Logs. To do that you need to create an IAM role for the Lambda function.

  1. Go to your IAM console (https://console.aws.amazon.com/iam/).
  2. Select Roles from the navigation pane.
  3. If you have an existing role or roles, select the role name that you want to associate with the Lambda function and complete the following steps:
    1. Expand the Policy name and then click Edit policy.

    2. Click the JSON tab and then verify that the JSON entry matches the following JSON entry:

  4. If you don't have an existing role, click Create role.
  5. From the list of service or services that use the role, select Lambda.
  6. Click Next: Permissions, and then select an appropriate policy.
  7. Click Next: Review, and then type a role name in the Role name field. If you want, you can type a description in the Role description field.
  8. Click Create role, and then select the new role that you created.
  9. If you want to add an existing policy, complete the following steps:
    1. Click Attach policies.

    2. Expand the Policy name and then click Edit policy.

    3. Click the JSON tab and then verify that the JSON entry matches the following JSON entry:

  10. Click Attach policy.
  11. If you want to add a new policy, complete the following steps:
    1. Click Add inline policy.

    2. Click the JSON tab, and then copy and paste the following JSON entry:

  12. Click Review Policy, and then type a name for the policy.
  13. Click Create policy.
  14. Verify that the role has the trust relationship. Click the Trust relationships tab.
  15. Click Edit trust relationship and verify the following trust relationship:
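The page's own JSON policy and trust relationship entries are not reproduced on this page. What follows is an added example, not the page's entries: a least-privilege trust policy and permissions policy of the kind a forwarding Lambda role needs (the three logs: actions are my assumption about what the function's put_log_events call requires, and the account id and log group name in the ARN are placeholders), together with a small lint that flags the over-broad grants a reviewer would reject when verifying the role in step 9 or 11.

```python
"""Least-privilege role documents for the GuardDuty-forwarding Lambda function,
plus a lint that flags wildcard grants and missing permissions."""
import fnmatch

# Placeholder ARN: scope the grant to the one log group that JSA will poll.
LOG_GROUP_ARN = "arn:aws:logs:us-west-2:123456789012:log-group:guardDutyLogGroup:*"
TRUSTED_SERVICE = "lambda.amazonaws.com"
# Assumed minimum for writing events to an existing log group.
REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")

# Trust relationship: only the Lambda service may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": TRUSTED_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions: only the CloudWatch Logs calls the function makes, on one log group.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": LOG_GROUP_ARN,
    }],
}

# Deliberately over-broad policy, constructed to show what the lint rejects.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def lint_role(trust, permissions, resource_prefix="arn:aws:logs:"):
    """Return a list of findings; an empty list means the role is acceptable.
    Checks: trust limited to the Lambda service, no wildcard actions or
    resources, only CloudWatch Logs actions, and the required actions present."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "AWS" in principal):
            findings.append("trust policy allows a non-service principal: %r" % (principal,))
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if set(services) != {TRUSTED_SERVICE}:
            findings.append("trust policy principal is not only %s: %r" % (TRUSTED_SERVICE, services))

    granted = []
    for st in permissions.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", "*"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append("wildcard action: %s" % action)
            elif not action.startswith("logs:"):
                findings.append("action outside CloudWatch Logs: %s" % action)
        for resource in resources:
            if resource == "*" or not resource.startswith(resource_prefix):
                findings.append("resource not scoped to a CloudWatch Logs ARN: %s" % resource)
        granted.extend(actions)

    # Wildcards such as logs:* do satisfy the requirement; they are reported above.
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a, g) for g in granted)]
    if missing:
        findings.append("missing required actions: %s" % ", ".join(missing))
    return findings


if __name__ == "__main__":
    print("least-privilege role:", lint_role(TRUST_POLICY, PERMISSIONS_POLICY))
    print("broad role:", lint_role(TRUST_POLICY, BROAD_POLICY))
```

Paste the two dictionaries as JSON into the console's JSON tab when creating the role; the lint is meant to be run against the documents exported from an existing role before you attach it to the function.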

Create a Lambda function.

Creating a Lambda Function

You need to create and configure a CloudWatch Events rule to get GuardDuty events and forward the events to the CloudWatch Logs. To do that you need to create an AWS Lambda Function that triggers the processing from CloudWatch Events to CloudWatch Logs.

  1. Go to your AWS Lambda console.
  2. Click Create function.
  3. In the Author from scratch pane, complete the following fields:

    Table 2: Lambda Function (each field is followed by its entry)

    Name
      You can use GuardDutyToCloudWatch or something more appropriate.

    Runtime
      Python 3.6

    Role
      Choose an existing role

    Existing Role
      Select the role that you created.

  4. Click Create function.

Create a CloudWatch events rule.

Creating a CloudWatch Events Rule

You need to configure a CloudWatch Events rule to get GuardDuty events and forward the events to the CloudWatch Logs.

Ensure that you have created an IAM role for the Lambda function and an AWS Lambda Function that triggers the processing from CloudWatch Events to CloudWatch Logs.

  1. Log in to your CloudWatch console (https://console.aws.amazon.com/cloudwatch/).
  2. Click Events > Rules in the navigation pane.
  3. Click Create rule.
  4. In the Create Rule pane, in Event Source, select the following field values:

    Table 3: CloudWatch Events Rule (each field is followed by its value)

    Service Name
      GuardDuty

    Event Type
      All Events

  5. In the Targets pane, click Add targets.
  6. Select Lambda function.
  7. In the Function field, select the function that you created when you completed the Creating a Lambda function procedure.
  8. Click Configure details to open the Configure rule details pane.
  9. In the Configure rule details pane, type a name, such as GuardDutyToJSA.
  10. Click Create rule.

Configure the Lambda function.

Configuring the Lambda Function

Configure the AWS Lambda function that you created so that it triggers the processing from CloudWatch Events to CloudWatch Logs.

Ensure that you have completed the following tasks:

    • Creating an IAM role for the Lambda function

    • Creating a Lambda function

    • Creating a CloudWatch events rule

  1. Go to your AWS Lambda console.
  2. Open the configuration section of your Lambda function. Click Create function.
  3. If CloudWatch Events is not automatically added as a trigger source, then add it. The Designer tab appears.
  4. On the Function code pane, replace the default code in lambda_function.py with the following Python code:
  5. Click Save.
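The page's own lambda_function.py is not reproduced on this page. The following handler is an added example of my own, not the page's code: it writes each GuardDuty finding that the CloudWatch Events rule delivers into the log group and log stream that JSA polls, stamping the event with the finding's updatedAt time and honouring the upload sequence token that the CloudWatch Logs API of that period required. The log group and stream names are assumptions read from environment variables, and FakeLogsClient is a constructed stand-in for the three boto3 CloudWatch Logs calls so the module can be exercised offline.

```python
"""Lambda handler: forward a GuardDuty finding from CloudWatch Events into the
CloudWatch Logs stream that JSA polls. boto3 is imported lazily so the module
also loads where boto3 is not installed (offline testing with FakeLogsClient)."""
import calendar
import json
import os
import time
from datetime import datetime

LOG_GROUP = os.environ.get("GUARDDUTY_LOG_GROUP", "guardDutyLogGroup")     # assumed name
LOG_STREAM = os.environ.get("GUARDDUTY_LOG_STREAM", "guardDutyLogStream")  # assumed name
MAX_MESSAGE_BYTES = 256 * 1024 - 26  # CloudWatch Logs per-event limit (message + 26 bytes)

# Constructed finding, shaped like the page's example event.
SAMPLE_FINDING = {
    "version": "0", "id": "00-00", "detail-type": "GuardDuty Finding",
    "account": "1234567890", "region": "us-west-2", "resources": [],
    "detail": {"schemaVersion": "2.0", "accountId": "1234567890",
               "region": "us-west-2", "partition": "aws",
               "type": "Behavior:IAMUser/InstanceLaunchUnusual", "severity": 5.0,
               "createdAt": "2018-02-28T20:22:26.344Z",
               "updatedAt": "2018-02-28T20:22:26.344Z"},
}


def finding_timestamp_ms(event, default_ms=None):
    """Use the finding's updatedAt as the log event timestamp so JSA sees the
    finding time, not the forwarding time; fall back to now (or default_ms)."""
    updated = event.get("detail", {}).get("updatedAt")
    if updated:
        dt = datetime.strptime(updated, "%Y-%m-%dT%H:%M:%S.%fZ")  # UTC
        return calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000
    return default_ms if default_ms is not None else int(time.time() * 1000)


def build_log_event(event):
    """One CloudWatch Logs event whose message is the whole finding, so JSA's
    Extract Original Event option recovers it intact."""
    message = json.dumps(event, sort_keys=True, separators=(",", ":"))
    if len(message.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("finding exceeds the CloudWatch Logs message size limit")
    return {"timestamp": finding_timestamp_ms(event), "message": message}


def forward_finding(event, logs_client, log_group=LOG_GROUP, log_stream=LOG_STREAM):
    """Write the finding; create the stream on first use and pass the upload
    sequence token when the stream already has events."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("unexpected event type: %r" % (event.get("detail-type"),))
    streams = logs_client.describe_log_streams(
        logGroupName=log_group, logStreamNamePrefix=log_stream, limit=1)["logStreams"]
    match = [s for s in streams if s["logStreamName"] == log_stream]
    if not match:
        logs_client.create_log_stream(logGroupName=log_group, logStreamName=log_stream)
    kwargs = {"logGroupName": log_group, "logStreamName": log_stream,
              "logEvents": [build_log_event(event)]}
    if match and match[0].get("uploadSequenceToken"):
        kwargs["sequenceToken"] = match[0]["uploadSequenceToken"]
    return logs_client.put_log_events(**kwargs)


def lambda_handler(event, context):
    """Entry point wired to the CloudWatch Events rule."""
    import boto3
    return forward_finding(event, boto3.client("logs"))


class FakeLogsClient:
    """Constructed in-memory stand-in for the boto3 calls used above, including
    the sequence-token check that the real service enforced."""
    def __init__(self):
        self.streams = {}  # (group, stream) -> list of stored log events

    def describe_log_streams(self, logGroupName, logStreamNamePrefix, limit=50):
        key = (logGroupName, logStreamNamePrefix)
        if key not in self.streams:
            return {"logStreams": []}
        entry = {"logStreamName": logStreamNamePrefix}
        if self.streams[key]:
            entry["uploadSequenceToken"] = str(len(self.streams[key]))
        return {"logStreams": [entry]}

    def create_log_stream(self, logGroupName, logStreamName):
        self.streams.setdefault((logGroupName, logStreamName), [])
        return {}

    def put_log_events(self, logGroupName, logStreamName, logEvents, sequenceToken=None):
        stored = self.streams[(logGroupName, logStreamName)]
        expected = str(len(stored)) if stored else None
        if sequenceToken != expected:
            raise RuntimeError("InvalidSequenceTokenException")
        stored.extend(logEvents)
        return {"nextSequenceToken": str(len(stored))}


if __name__ == "__main__":
    client = FakeLogsClient()
    print(forward_finding(SAMPLE_FINDING, client))
    print(client.streams[(LOG_GROUP, LOG_STREAM)][0]["timestamp"])
```

Deployed as lambda_function.py with lambda_handler as the handler name, the function needs only the log group to exist beforehand (step 3 of the overview creates it); the role's permissions should be limited to the logs: actions this code calls.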

The GuardDuty events are now forwarded automatically to your Amazon CloudWatch logs. Create a log group and log stream inside the log group in Amazon CloudWatch Logs to make the GuardDuty events available for JSA polling.