AWS GuardDuty

You can integrate InsightIDR with AWS GuardDuty in order to receive third-party alerts. AWS GuardDuty produces data in the form of CloudWatch events, which are then sent to InsightIDR via an SQS Queue.

To set up this event source:

  1. Set up AWS GuardDuty to send data to InsightIDR.
  2. Configure the AWS GuardDuty event source in InsightIDR.

Before You Begin

Before InsightIDR can start ingesting data from AWS GuardDuty, you must enable AWS GuardDuty and ensure CloudWatch events are set up. To learn more about CloudWatch events, see https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html.

Set up AWS GuardDuty to send data to InsightIDR

To ensure InsightIDR can retrieve data from AWS GuardDuty, there are a few components that must be set up within the AWS Management Console.

Before configuring the event source in InsightIDR you must:

  1. Enable AWS GuardDuty.
  2. Generate an AWS Key for the SQS queue.
  3. Set up an SQS queue for data moving between GuardDuty and InsightIDR.
  4. Create an IAM Policy and User for HTTP requests from Rapid7.
  5. Set up encrypted SQS queue user permissions.
  6. Create a CloudWatch event rule for data transfer to the SQS queue.

Task 1: Enable AWS GuardDuty

In order to integrate AWS Guardduty with InsightIDR one of the vital components is the SQS queue key. This queue is where InsightIDR gets its AWS GuardDuty data from.

From the AWS Management Console, go to GuardDuty > enable GuardDuty. For detailed instructions, see https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html.

Task 2: Generate the AWS Key

Go to Key Management Service > Create a key. For detailed instructions, see https://docs.aws.amazon.com/kms/.

Task 3: Set up the SQS queue

This SQS queue will be used by AWS GuardDuty to communicate with InsightIDR. The SQS queue allows AWS GuardDuty to send data to and from InsightIDR, which will read and remove messages once they are processed, as it polls periodically.

  1. Go to Simple Queue Service > Create queue. Create a new SQS queue with the pre-generated AWK Key and ensure this queue is dedicated for use by InsightIDR.
  2. Store the queue URL in a secure place for later use when configuring the AWS GuardDuty event source in InsightIDR.

Task 4: Create the IAM Policy and IAM User

  1. Go to IAM > Policies > Create policy. This will be used in making HTTP requests to an SQS queue.
  2. Add this to the JSON of the policy:
New IAM Policy
1
{
2
    "Version": "2012-10-17",
3
    "Statement": [
4
        {
5
            "Effect": "Allow",
6
            "Action": [
7
                "sqs:ReceiveMessage",
8
                "sqs:DeleteMessage"
9
            ],
10
            "Resource": [
11
                "arn:aws:sqs:*:YourAccountId:GuardDutySqsQueueNameGoesHere"
12
            ]
13
        }
14
    ]
15
}
  1. Go to Users, to create an IAM User. This user should have permissions to make receiveMessage and deleteMessage calls from the above SQS queue. Learn more information about IAM here https://docs.aws.amazon.com/iam/.

Limit User Access

Because this IAM User will have access to your data, it is recommended to limit access.

  1. Create an access key for the user.
  2. Store the users' access and secret key in a secure place for later use when configuring the AWS GuardDuty event source in InsightIDR.
  3. Attach the created IAM User to the IAM policy created in step 1.

Task 5: Set up encrypted SQS queue user permissions

Users need to have the relevant permissions that will allow them to access the queue created in Task 3: Set up the SQS queue.

If the SQS queue is encrypted, you must add this JSON to the key policy created earlier. For more information on adding policy keys, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to-console-policy-view.

Key Policy
1
{
2
  "Sid": "Allow use of the key",
3
  "Effect": "Allow",
4
  "Principal": 
5
    {"AWS": "arn:aws:iam::AWS ACCOUNT NUMBER:user/IAM USER NAME"}
6


7
,
8
 "Action": [
9
    "kms:Decrypt",
10
    "kms:GenerateDataKey"
11
  ],
12
  "Resource": "*"
13
 },
14
 {
15
"Sid": "Allow CWE to use the key",
16
  "Effect": "Allow",
17
"Principal": 
18
    {"Service": "events.amazonaws.com"}
19
 
20
,
21
"Action": [
22
  "kms:Decrypt",
23
    "kms:GenerateDataKey"
24
  ],
25
  "Resource": "*"
26
}

Task 6: Create a CloudWatch Event rule

Cloudwatch takes events from AWS GuardDuty and moves them into the SQS queue that InsightIDR uses for its request calls.

  1. Go to CloudWatch > Events > Rules to create a new rule with the event pattern. For more instructions see detailed documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html
New Rule with Event Pattern
1
{
2
  "source": [
3
    "aws.guardduty"
4
  ]
5
}
  1. Under Targets, enter the SQS queue you previously created.

For troubleshooting information, see the AWS CloudWatch information here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_Troubleshooting.html#SQSEncrypted.

Before Configuring This Event Source

Rapid7 highly recommends manually deleting these sample messages off of the queue, because they will generate false alarms in the InsightIDR platform.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for AWS GuardDuty in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the AWS GuardDuty event source tile.
  4. Select your collector.
  5. Select an event source type.
  6. Name your event source.
  7. Select if you want to send unparsed data.
  8. Select an AWS Authentication option.
  9. Select your AWS GuardDuty credentials, or optionally create a new credential.The credentials you enter will be the access key and secret key that corresponds to an AWS IAM User that has permissions to make receiveMessage and deleteMessage calls from the above SQS queue.
    • Access Key: the username you created with IAM permissions
    • Secret Key: the password you created that corresponds with the username with IAM permissions
  10. Enter the SQS Queue URL. This is visible when you select the queue in the AWS console. This will look similar to https://sqs.us-east-1.amazonaws.com/your-queue-name
  11. You can instead choose to use EC2 IAM Roles.
  12. Click Save.

Verify Your Configuration

After you set up the configuration, when GuardDuty produces an alert, the alert will go to the SQS queue through CloudWatch.

To verify this, go to AWS Management Console > GuardDuty > Settings > Generate Sample Findings.