Amazon GuardDuty Monitoring

Updated Jan 26, 2024

Configure Amazon GuardDuty for Arctic Wolf monitoring

You can configure Amazon GuardDuty® to send the necessary logs to Arctic Wolf® for security monitoring.

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and resources for unexpected and potentially malicious activity in your AWS environment. To integrate this service with Arctic Wolf Cloud Detection and Response, configure Amazon GuardDuty to forward its findings to Arctic Wolf. Your Concierge Security® Team (CST) analyzes these findings, eliminates false positives, and provides guidance within the context of your security posture.

Note: GuardDuty is a chargeable service, based on the traffic and usage of your Amazon Web Services (AWS)® account. See GuardDuty pricing documentation before enabling the service.

Requirements

Before you begin

Steps

For each region that you want to forward GuardDuty findings from, complete these steps:

  1. Enable GuardDuty monitoring.
  2. Enable S3 protection.
  3. Enable EKS protection.
  4. Configure GuardDuty to write logs.
  5. Configure GuardDuty to export logs.
  6. Verify the GuardDuty configuration.

Step 1: Enable GuardDuty monitoring

Based on your AWS account type, complete one of these actions:

Step 2: Enable S3 protection

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings > S3 Protection.
  3. Select the S3 Protection is enabled on this account checkbox.

Step 3: Enable EKS protection

For each of the Amazon GuardDuty accounts that you want Arctic Wolf to monitor, based on the account type, complete one of these actions:

Tips:

Step 4: Configure GuardDuty to write logs

Note: If you have already configured GuardDuty to export logs to an S3 bucket, contact your CST for instructions.

  1. Determine if you previously configured CloudTrail event monitoring with the same account you assigned as your delegated GuardDuty administrator:
    1. Sign in to the Arctic Wolf Unified Portal.
    2. Click Telemetry Management > Connected Accounts.
    3. Compare the Account ID value to the 12-digit Account ID value in the GuardDuty console.
    4. If the Account ID values:

Write GuardDuty logs to the same account

For each region that has GuardDuty monitoring enabled, complete these steps:

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings.
  3. In the Findings export options section, in the S3 Bucket section, click Configure now.
  4. Click Existing bucket in your account.
  5. In the Choose a bucket section, select the bucket with a name similar to awn-logs-bucket-<account-id>-<region>, where <account-id> is the 12-digit ID number of your current AWS account and <region> is the region of the S3 bucket.
  6. Keep the Log file prefix field empty.
  7. In the KMS Encryption section, click Choose a key from your account.
  8. In the Key Alias section, select AWNKMSKey.
  9. Click Save.

Write GuardDuty logs to a different account

Complete one of these actions:

Add the bucket policy for AWS Control Tower

For most environments, the base stack adds the permissions needed for the newly created log bucket. However, AWS Control Tower guardrails prevent the addition of the necessary policy. To configure the necessary permissions, complete these steps:

  1. Sign in to the AWS Management Console.

  2. In the Amazon S3 Console, select the awn-logs-bucket-<account-id>-<region> bucket, where <account-id> is your 12-digit AWS account number and <region> is the region of the bucket.

  3. On the Permissions tab, in the Bucket policy section, click Edit.

  4. Copy this policy, and then paste it into the Policy field:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GuardDutyPutObject",
                "Effect": "Allow",
                "Principal": {
                    "Service": "guardduty.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::<bucket-name>/*"
            },
            {
                "Sid": "GuardDutyGetBucketLocation",
                "Effect": "Allow",
                "Principal": {
                    "Service": "guardduty.amazonaws.com"
                },
                "Action": "s3:GetBucketLocation",
                "Resource": "arn:aws:s3:::<bucket-name>"
            }
        ]
    }

    Where:

    • <bucket-name> is the name of your bucket.
  5. Click Save changes.
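The policy above must grant the GuardDuty service principal exactly two things: s3:PutObject on the bucket's objects and s3:GetBucketLocation on the bucket itself. The following added check (example code, not part of this page or of Arctic Wolf's stack) parses a bucket policy document and reports whether each grant is present for a given bucket name; the bucket name and account ID in the sample are constructed values.

```python
"""Verify that an S3 bucket policy grants guardduty.amazonaws.com the two
permissions GuardDuty needs to export findings. Added example, not Arctic Wolf
code. Sample bucket name below is constructed."""
import json

GUARDDUTY_SERVICE = "guardduty.amazonaws.com"
SAMPLE_BUCKET = "awn-logs-bucket-111122223333-us-east-1"  # constructed value

# The policy from the procedure above, with <bucket-name> filled in.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GuardDutyPutObject", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_SERVICE},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*"},
        {"Sid": "GuardDutyGetBucketLocation", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_SERVICE},
         "Action": "s3:GetBucketLocation",
         "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}"},
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(principal):
    """Service principals named by a statement; a bare '*' is not one."""
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def check_guardduty_bucket_policy(policy_json, bucket_name):
    """Map each required action to True if an Allow statement grants it to
    the GuardDuty service principal on the expected resource ARN."""
    policy = json.loads(policy_json)
    required = {
        "s3:PutObject": f"arn:aws:s3:::{bucket_name}/*",
        "s3:GetBucketLocation": f"arn:aws:s3:::{bucket_name}",
    }
    found = {action: False for action in required}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if GUARDDUTY_SERVICE not in _service_principals(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action, resource in required.items():
            if action in actions and resource in resources:
                found[action] = True
    return found
```

Run it against the policy you pasted into the console (for example, the output of an S3 get-bucket-policy call) to confirm both grants survived the Control Tower guardrails.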

Write GuardDuty logs to an AWS account that Arctic Wolf already monitors

For each region that you want to forward GuardDuty findings from, complete these steps:

  1. In the AWS Management Console, sign in to the AWS account that Arctic Wolf already monitors.

  2. Click Services > Key Management Service.

  3. In the KMS console navigation menu, click Customer managed keys.

  4. Copy the Key ID value for the AWNKMSKey key, and save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

  5. In the Services menu, click S3.

  6. In the Buckets list, select the account bucket name, similar to awn-logs-bucket-<account-id>-<region>, where <account-id> is the 12-digit ID of the AWS account that Arctic Wolf already monitors and <region> is the region of the S3 bucket.

    Tip: This bucket was created in Configuring AWS CloudTrail Event Monitoring.

  7. On the Properties tab, copy the Amazon Resource Name (ARN) value, and save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

  8. In the Services menu, click GuardDuty.

  9. In the GuardDuty console, in the navigation menu, click Settings.

  10. In the Findings export options section, in the S3 Bucket setting, click Configure now.

  11. Click Existing bucket in another account.

  12. In the Bucket ARN field, enter the bucket ARN.

  13. In the Key ARN field, enter the AWNKMSKey Key ID value.

  14. Click Save.

Step 5: Configure GuardDuty to export logs

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings.
  3. In the Findings export options section, select Frequency for updated findings, and then select Update CWE and S3 every 15 minutes.
  4. Click Save.

Step 6: Verify the GuardDuty configuration

  1. Sign in to the GuardDuty console.

  2. In the navigation menu, click Settings.

  3. On the Settings page, in the Sample findings section, click Generate sample findings.

  4. In the navigation menu, click Findings.

    The sample findings are displayed on the Current findings page with a "SAMPLE" prefix.

  5. Contact your CST to verify that Arctic Wolf received these sample findings.

    Tip: If you have access to Raw Log Search in the Arctic Wolf Unified Portal, you can check for these sample findings.

Next steps