Integrate Amazon GuardDuty Findings into Alert Logic Incidents

Amazon GuardDuty is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes VPC Flow Logs and AWS CloudTrail event logs, and uses security logic and AWS usage statistics to identify unexpected and potentially unauthorized and malicious activity, such as privilege escalation, use of exposed credentials, or communication with malicious IPs, URLs, or domains.

Alert Logic provides a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into the Alert Logic console for display as threats on the Incidents page.

Before you begin

Before you perform the procedures required to integrate GuardDuty findings into the Incidents page, ensure you have the proper permissions to do so and the correct command line interfaces to generate access keys.

Verify administrative permissions

To perform the procedures necessary to integrate GuardDuty findings into the Incidents page, your Alert Logic user account and your AWS account must have administrative permissions.

To verify your Alert Logic permissions:

  1. Log in to the Alert Logic console.
  2. Click the menu icon to see the navigation menu.
  3. Click the Manage menu item, and then select Users.
  4. At the top of the list of users, select your user name.
  5. In the Account Details panel, verify the selected user role is Administrator.

To verify your AWS permissions:

  1. Log in to the AWS console.
  2. Click IAM, under Security, Identity & Compliance.
  3. Ensure "AdministratorAccess" appears as one of the policies in the list of policy names.

Ensure access to a command line interface (CLI)

GuardDuty integration with Alert Logic requires that you use a command line interface (CLI) appropriate to your operating system to generate the access keys and secret keys that allow Alert Logic to issue API calls on your behalf. You need the following CLI, depending on your operating system:

Enable Amazon GuardDuty

Before you can integrate GuardDuty findings into the Incidents page, you must log in to AWS and enable GuardDuty. For more information, see Setting Up Amazon GuardDuty.

Create an Alert Logic access key and secret key

To support GuardDuty integration, Alert Logic uses your customer identification, in the form of access keys and secret keys, to issue API calls on your behalf. You need these keys to launch a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into the Alert Logic system for display as threats on the Incidents page.

You can create an access key through the Alert Logic console, or by using a Unix or Linux bash command line. For more information about access key creation in the Alert Logic console, see Create and Manage Alert Logic Access Keys.

Deploy the CloudWatch Events collector from the CloudFormation template

This CloudFormation template deploys the Alert Logic CloudWatch Events collector and Lambda function to a single AWS region for GuardDuty integration. The CloudWatch Events collector collects CloudWatch Events associated with GuardDuty findings, and the Lambda function forwards those events to the Alert Logic console to display as incidents.

If you want to collect events from multiple AWS regions, you must either install the CloudWatch Events collector in each region from which you want to collect events or set up a GuardDuty Master Account. For more information, see Managing AWS Accounts in Amazon GuardDuty.

Use the AWS console to deploy

To deploy the CloudWatch Events collector from the CloudFormation template:

  1. Log in to the AWS Console with an AWS account that has AWS administrator privileges.
  2. Click the region in which you want to deploy the CloudFormation template.
  3. Click Services, and then click CloudFormation.
  4. Click Create Stack.
  5. In the Choose a template section, select Specify an Amazon S3 template URL, and then enter the following URL: https://s3.amazonaws.com/alertlogic-collectors-us-east-1/cfn/guardduty.template
  6. Click Next.
  7. In the Specify Details window, provide the following required parameters:
  8. Click Next.
  9. On the Options panel, click Next.
  10. In the Review panel, perform a predeployment check.
  11. Select I acknowledge that AWS CloudFormation might create IAM resources, and then click Create.
  12. On the CloudFormation Stacks panel, filter results based on the stack name you created, and then select your stack.

A successful deployment returns a status of CREATE_COMPLETE.

You must repeat the collector installation procedure for each region in which you want to install the CloudWatch Events collector.
You may install only one collector in each AWS region. If you try to deploy the template multiple times in the same region, you will receive an error.

Use the AWS CLI to deploy

To use the command line to deploy the Alert Logic custom template, see the instructions in the Alert Logic GitHub readme.

Verify the CloudFormation template launched successfully

If the CloudFormation template launched successfully, the Incident List will include recent GuardDuty findings that also appear in the GuardDuty console.

  1. Log in to the Alert Logic console with an account that has administrator permissions.
  2. Click the navigation menu icon, click Respond, and then click Incidents.
  3. Verify that GuardDuty findings appear as incidents in the Incident List.

Troubleshooting installation issues

AWS console troubleshooting

If installation through the AWS console is not successful, you can see the detailed error messages in the AWS CloudWatch Log Stream.

To access the error messages:

  1. Click CloudFormation, and then click Stacks.
  2. Click Stack Detail, and then select your stack name from the list.
  3. Click Logs, and then filter by /aws/lambda/my-new-stack (where my-new-stack is the name you gave your stack).

AWS CLI troubleshooting

If installation through the AWS CLI is not successful, issue the following command for more information:

aws cloudformation describe-stack-events --stack-name my-new-stack

Lambda function troubleshooting

If GetEndpointsLambdaFunction fails, an issue could exist with the access_key_id or the secret_key you provided. Be sure the access_key_id is correct, your secret_key is valid, and your user account has administrative permissions for the Alert Logic console.
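To find which resource actually failed in the describe-stack-events output, the following added example (not part of Alert Logic's documentation or template) filters the events down to the earliest real failure and drops the cancellations that follow it. The sample events, the ExampleRule resource name, the failure reason text, and the script name stack_failures.py are constructed for illustration.

```python
# Usage (stack_failures.py is a hypothetical file name):
#   aws cloudformation describe-stack-events --stack-name my-new-stack \
#       --output json | python3 stack_failures.py
import json
import sys

# Once one resource fails, CloudFormation fails the resources still in
# progress with this reason. Those events are noise, not the cause.
CASCADE_REASON = "Resource creation cancelled"

# Constructed sample in the shape describe-stack-events returns (newest first).
SAMPLE = {"StackEvents": [
    {"Timestamp": "2024-01-01T10:02:10Z", "LogicalResourceId": "my-new-stack",
     "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: "
                             "[GetEndpointsLambdaFunction, ExampleRule]."},
    {"Timestamp": "2024-01-01T10:02:09Z", "LogicalResourceId": "ExampleRule",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": "2024-01-01T10:02:08Z",
     "LogicalResourceId": "GetEndpointsLambdaFunction",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "constructed: function reported failure"},
    {"Timestamp": "2024-01-01T10:00:00Z", "LogicalResourceId": "my-new-stack",
     "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated"},
]}

def failed_events(doc):
    """Return *_FAILED events oldest first, with cascade events removed."""
    events = [e for e in doc.get("StackEvents", [])
              if e.get("ResourceStatus", "").endswith("_FAILED")
              and CASCADE_REASON not in e.get("ResourceStatusReason", "")]
    # Timestamps in one format and zone sort correctly as strings.
    return sorted(events, key=lambda e: e["Timestamp"])

def root_cause(doc):
    """Return (logical id, reason) of the earliest real failure, or None."""
    events = failed_events(doc)
    if not events:
        return None
    return events[0]["LogicalResourceId"], events[0].get("ResourceStatusReason", "")

if __name__ == "__main__":
    # Read CLI output from a pipe; fall back to the sample when run by hand.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    cause = root_cause(doc)
    print("no failed resources" if cause is None else "%s: %s" % cause)
```

If the reported resource is GetEndpointsLambdaFunction, check the access_key_id and secret_key as described above before redeploying.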