AWS GuardDuty

Rapid7 allows you to integrate InsightIDR with AWS GuardDuty in order to receive third-party alerts.

Before You Begin

Before InsightIDR can start ingesting data from GuardDuty, you must enable GuardDuty and ensure CloudWatch Events is set up. GuardDuty produces its findings as CloudWatch events, which are then delivered to InsightIDR through an SQS queue. Learn more about CloudWatch Events in the AWS documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html

Set up GuardDuty to send data to InsightIDR

To ensure InsightIDR can retrieve data from GuardDuty, a few components must be set up first. All of these components are configured in the AWS Management Console.

Before configuring the event source in InsightIDR you must:

  1. Enable AWS GuardDuty.
  2. Generate an AWS KMS key for the SQS queue.
  3. Set up an SQS queue for data moving between GuardDuty and InsightIDR.
  4. Create an IAM Policy and User for HTTP requests from Rapid7.
  5. Ensure both the IAM User and the CloudWatch Events service have the permissions needed to decrypt the data.
  6. Create a CloudWatch event rule for data transfer to the SQS queue.

To enable GuardDuty:

One of the vital components of the GuardDuty integration with InsightIDR is the SQS queue and its key. That queue is where InsightIDR reads its GuardDuty data from.

  1. From the AWS Management Console, go to GuardDuty and enable GuardDuty. For more information, see the detailed documentation here: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html.

To generate the AWS Key:

  1. Go to Key Management Service > Create a key. For more information see detailed documentation here: https://docs.aws.amazon.com/kms/.

To set up the SQS queue:

This SQS queue is how AWS GuardDuty communicates with InsightIDR. GuardDuty findings are delivered into the queue, and InsightIDR polls it periodically, reading the messages and removing them once they have been processed.

  1. Go to Simple Queue Service > Create queue. Create a new SQS queue encrypted with the AWS KMS key you generated earlier, and ensure this queue is dedicated for use by InsightIDR.
    • Store the queue URL in a secure place for later use when configuring the GuardDuty event source in InsightIDR.

To create the IAM Policy and IAM User:

  1. Go to IAM > Policies > Create policy. This policy will be used when making HTTP requests to the SQS queue.
  2. Add this to the JSON of the policy:
New IAM Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sqs:ReceiveMessage",
                    "sqs:DeleteMessage"
                ],
                "Resource": [
                    "arn:aws:sqs:*:YourAccountId:GuardDutySqsQueueNameGoesHere"
                ]
            }
        ]
    }

  3. Go to Users to create an IAM User. This user needs permission to make ReceiveMessage and DeleteMessage calls on the SQS queue above. Learn more about IAM here: https://docs.aws.amazon.com/iam/.

Limit User Access

Because this IAM User will have access to your data, Rapid7 recommends limiting its access to what the integration needs.

  1. Create an access key for the user.
    • Store the user's access key and secret key in a secure place for later use when configuring the GuardDuty event source in InsightIDR.
  2. Attach the IAM policy created in step 1 to this IAM User.

To set up encrypted SQS queue user permissions:

If you are using an encrypted SQS queue, the IAM User and CloudWatch Events need the permissions that allow them to use the key protecting the queue created earlier. This queue is how AWS GuardDuty communicates with InsightIDR.

  1. If the SQS queue is encrypted, you must add the following two statements to the policy of the KMS key created earlier. For more information on modifying key policies, see the detailed documentation here: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to-console-policy-view
Key Policy

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::AWS ACCOUNT NUMBER:user/IAM USER NAME"},
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "*"
    },
    {
        "Sid": "Allow CWE to use the key",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "*"
    }
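A scope check for the IAM policy and the two key policy statements above, added here as an example (it is not Rapid7's or AWS's code). It fills the page's placeholders with constructed values (account 123456789012, queue insightidr-guardduty) and reports any grant wider than the page intends.

```python
"""Scope checks for the IAM policy and KMS key policy shown above (added example,
not Rapid7's or AWS's code). It flags anything wider than the page intends: extra
SQS actions, a queue resource of "*", or KMS principals other than the IAM user
and CloudWatch Events (events.amazonaws.com)."""
import json

# The IAM policy from this page, with constructed values for its placeholders.
IAM_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
  "Resource": ["arn:aws:sqs:*:123456789012:insightidr-guardduty"]}]}""")
SQS_ACTIONS = {"sqs:ReceiveMessage", "sqs:DeleteMessage"}
KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

def as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_iam_policy(policy, queue_name):
    """Return problems found; an empty list means the SQS grant is scoped as intended."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(as_list(stmt.get("Action", []))) - SQS_ACTIONS
        if extra:
            problems.append("extra actions: " + ", ".join(sorted(extra)))
        for res in as_list(stmt.get("Resource", [])):
            # The queue name is the last ARN component; "*" or another name is too wide.
            if res == "*" or res.rsplit(":", 1)[-1] != queue_name:
                problems.append("resource not limited to the InsightIDR queue: " + res)
    return problems

def check_key_policy(statements, user_arn):
    """Check the key statements: only the IAM user and events.amazonaws.com, only KMS_ACTIONS."""
    problems, seen = [], set()
    for stmt in statements:
        principal = stmt.get("Principal", {})
        who = principal if isinstance(principal, str) else principal.get("AWS", principal.get("Service"))
        seen.update(as_list(who))
        if set(as_list(stmt.get("Action", []))) != KMS_ACTIONS:
            problems.append(f"{who}: actions differ from {sorted(KMS_ACTIONS)}")
    for unexpected in sorted(seen - {user_arn, "events.amazonaws.com"}, key=str):
        problems.append("unexpected key principal: " + str(unexpected))
    return problems
```

Run both checks again after any later edit to the policies; an empty result from each means the user can still only read and delete from the one queue and decrypt with the one key.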

To set up the CloudWatch Events rule:

CloudWatch Events takes findings from GuardDuty and moves them into the SQS queue that InsightIDR polls.

  1. Go to CloudWatch > Events > Rules to create a new rule with the event pattern below. For more instructions, see the detailed documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html
New Rule with Event Pattern

    {
        "source": [
            "aws.guardduty"
        ]
    }

  2. Under Targets, enter the SQS queue you previously created.

For troubleshooting information, see the AWS CloudWatch information here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_Troubleshooting.html#SQSEncrypted.

Before Configuring This Event Source

If you generated sample findings in GuardDuty while testing the pipeline, Rapid7 highly recommends manually deleting those sample messages from the queue before configuring the event source, because they will generate false alarms in the InsightIDR platform.
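One way to remove only the sample findings before the event source is configured, added here as an example and not Rapid7's code. It assumes the CloudWatch event envelope the rule above matches (source "aws.guardduty") and the "service.additionalInfo.sample": true flag that GuardDuty sets on findings produced by Generate Sample Findings (that flag comes from the GuardDuty finding format, not from this page); the queue access is injected as callables so the logic runs offline against constructed messages.

```python
"""Purge GuardDuty sample findings from the InsightIDR SQS queue (added example, not
Rapid7's code). Assumes the CloudWatch event envelope this page's rule matches
(source "aws.guardduty") and the "service.additionalInfo.sample": true flag that
GuardDuty sets on sample findings (from the GuardDuty finding format, not this page)."""
import json
def is_sample_finding(body):
    """True only for well-formed GuardDuty events whose finding is a sample."""
    try:
        event = json.loads(body)
    except ValueError:
        return False  # not JSON: keep it so the collector can report it
    info = event.get("detail", {}).get("service", {}).get("additionalInfo", {})
    return event.get("source") == "aws.guardduty" and info.get("sample") is True

def purge_sample_findings(receive, delete):
    """Drain the queue via injected callables and delete only sample findings.
    receive() -> list of (receipt_handle, body), [] when empty; delete(handle)
    removes one message (with boto3: sqs.receive_message / sqs.delete_message).
    Returns (deleted, kept) so the operator can confirm no real finding was lost."""
    deleted = kept = 0
    while True:
        batch = receive()
        if not batch:
            return deleted, kept
        for handle, body in batch:
            if is_sample_finding(body):
                delete(handle)
                deleted += 1
            else:
                kept += 1

def make_event(finding_type, sample):
    # Constructed CloudWatch event carrying a GuardDuty finding (not captured data).
    return json.dumps({"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                       "detail": {"type": finding_type,
                                  "service": {"additionalInfo": {"sample": sample}}}})

# Constructed queue contents: a sample finding, a real finding, and an unrelated event.
QUEUE = [("h1", make_event("Recon:EC2/PortProbeUnprotectedPort", True)),
         ("h2", make_event("UnauthorizedAccess:EC2/SSHBruteForce", False)),
         ("h3", '{"source": "aws.ec2", "detail": {}}')]

def run_demo():
    """Purge QUEUE in memory; returns (deleted, kept, handles deleted)."""
    pending, removed = list(QUEUE), []
    def receive():  # received messages go invisible, as SQS does after a receive
        batch, pending[:] = pending[:10], pending[10:]
        return batch
    deleted, kept = purge_sample_findings(receive, removed.append)
    return deleted, kept, removed
```

Against a real queue, keep the message count returned as "kept" in mind: anything left behind is a real finding that InsightIDR will pick up once the event source is saved.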

How to Configure This Event Source

  1. From the left menu, select Data Collection > Setup Event Source > Add Event Source > Third Party Alerts section.
  2. Click AWS GuardDuty. The “Add Event Source” panel appears.
  3. Select your collector.
  4. Select an event source type.
  5. Name your event source.
  6. Select if you want to send unparsed data.
  7. Select an AWS Authentication option.
  8. Select your AWS GuardDuty credentials, or optionally create a new credential. The credentials you enter will be the access key and secret key that correspond to an AWS IAM User that has permissions to make ReceiveMessage and DeleteMessage calls on the SQS queue above.
    • Access Key: the username you created with IAM permissions
    • Secret Key: the password you created that corresponds with the username with IAM permissions
  9. Enter the SQS Queue URL. This is visible when you select the queue in the AWS console. This will look similar to https://sqs.us-east-1.amazonaws.com/your-queue-name
  10. You can instead choose to use EC2 IAM Roles.
  11. Click Save.

AWS GuardDuty Event Source Configuration

Verify Your Configuration

After you have finished the configuration, when GuardDuty produces an alert, the alert will go to the SQS queue through CloudWatch.

To verify this, go to AWS Management Console > GuardDuty > Settings > Generate Sample Findings.