Integrate Amazon GuardDuty Findings into Cloud Insight Essentials Incidents

Amazon GuardDuty is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes and processes VPC Flow Logs and AWS CloudTrail event logs, and applies threat-detection logic and AWS usage statistics to identify unexpected and potentially unauthorized or malicious activity, such as privilege escalation, use of exposed credentials, or communication with malicious IPs, URLs, or domains.

Alert Logic provides a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into Alert Logic for display as threats on the Incidents page.

Before you begin

Before you perform the procedures required to integrate GuardDuty findings into the Incidents page, ensure you have the proper permissions to do so, and a command line interface with which to generate access keys.

Verify administrative permissions

To perform the procedures necessary to integrate GuardDuty findings into the Incidents page, your Alert Logic user account and your AWS account must have administrative permissions.

To verify your Alert Logic permissions:

  1. Log into the Alert Logic console.
  2. In the top right corner, click the Settings icon, and then click Users.
  3. At the top of the list of users, select your user name.
  4. In the Edit User panel, verify the selected user role is Administrator.

To verify your AWS permissions:

  1. Log into the AWS console.
  2. Click IAM, located under Security, Identity & Compliance.
  3. Ensure "AdministratorAccess" appears as one of the policies in the list of policy names.

Ensure access to a command line interface (CLI)

GuardDuty integration with Alert Logic requires that you use a command line interface (CLI) appropriate to your operating system to generate the access keys and secret keys that allow Alert Logic to issue API calls on your behalf. You need the following CLI, depending on your operating system:

Enable Amazon GuardDuty

Before you can integrate GuardDuty findings into the Incidents page, you must log into AWS and enable GuardDuty. For more information, see Setting Up Amazon GuardDuty.

Create an Alert Logic access key and secret key

To support GuardDuty integration, Alert Logic uses your customer identification, in the form of access keys and secret keys, to issue API calls on your behalf. You need these keys to launch a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into the Alert Logic system for display as threats on the Incidents page.

Deploy the CloudWatch Events collector from the CloudFormation template

This CloudFormation template deploys the Alert Logic CloudWatch Events collector and Lambda function to a single AWS region for GuardDuty integration. The CloudWatch Events collector collects CloudWatch Events associated with GuardDuty findings, and the Lambda function forwards those events to the Alert Logic console to display as incidents.

If you want to collect events from multiple AWS regions, you must either install the CloudWatch Events collector in each region from which you want to collect events, or set up a GuardDuty Master Account. For more information, see Managing AWS Accounts in Amazon GuardDuty.
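To make the collector's data flow concrete, the following is an added example (not the Alert Logic Lambda's own code) of how a Lambda handler receiving a GuardDuty finding from a CloudWatch Events rule can validate the event and normalize it into an incident record before forwarding. The incident field names and the sample event are constructed; the GuardDuty event fields themselves (`source`, `detail-type`, `detail.severity`, `detail.type`, `detail.service`) follow the shape CloudWatch Events delivers.

```python
# Added example: normalizing a GuardDuty finding delivered by a CloudWatch
# Events rule. It is not the Alert Logic Lambda; the output field names
# (finding_id, severity label, etc.) are assumptions for illustration.

# GuardDuty severity is numeric (0.1-8.9); map it to the labels analysts use.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

def severity_label(score):
    """Map GuardDuty's numeric severity to Low/Medium/High."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Unknown"

def finding_to_incident(event):
    """Validate the event and pull out the fields an incident record needs.
    Returns None for anything that is not a GuardDuty finding, so a rule with
    a broader event pattern does not turn into spurious incidents."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return None
    d = event["detail"]
    svc = d.get("service", {})
    return {
        "finding_id": d["id"],
        "account_id": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "title": d.get("title", d["type"]),
        "severity": severity_label(float(d["severity"])),
        "resource_type": d.get("resource", {}).get("resourceType"),
        "first_seen": svc.get("eventFirstSeen"),
        "last_seen": svc.get("eventLastSeen"),
        "count": svc.get("count", 1),
    }

# Constructed sample in the shape CloudWatch Events delivers GuardDuty findings.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {
        "id": "example-finding-id", "accountId": "123456789012",
        "region": "us-east-1", "severity": 5,
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "title": "API call from a known malicious IP address",
        "resource": {"resourceType": "AccessKey"},
        "service": {"eventFirstSeen": "2020-01-01T00:00:00Z",
                    "eventLastSeen": "2020-01-01T00:05:00Z", "count": 3},
    },
}
```

A Lambda entry point would call `finding_to_incident(event)` and forward the non-None result; the source/detail-type check is what keeps a collector rule from turning unrelated CloudWatch events into incidents.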

To deploy the CloudWatch Events collector:

  1. Log in to the AWS Console with an AWS account that has AWS administrator privileges.
  2. Click the region in which you want to deploy the CloudFormation template:
  3. Click Next.
  4. In the Specify Details window, provide the following required parameters:
  5. Click Next.
  6. On the Options panel, click Next.
  7. In the Review panel, perform a predeployment check.
  8. Select I acknowledge that AWS CloudFormation might create IAM resources, and then click Create.
  9. On the CloudFormation Stacks panel, filter results based on the stack name you created, and then select your stack.

A successful deployment returns a status of CREATE_COMPLETE.

You must repeat the collector installation procedure for each region in which you want to install the CloudWatch Events collector. You may install only one collector in each AWS region; if you try to install a second collector in a region, the second installation will not complete.

Verify the CloudFormation template launched successfully

If the CloudFormation template launched successfully, the Incident List should include recent GuardDuty findings that also appear in the GuardDuty console.

  1. Log into the Alert Logic console with an account that has administrator permissions.
  2. Click Incidents, and then click List.
  3. Verify GuardDuty findings appear as incidents on the Incident List.