Configure Amazon GuardDuty for Arctic Wolf monitoring
You can configure Amazon GuardDuty® to send the necessary logs to Arctic Wolf® for security monitoring.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and resources for unexpected and potentially malicious activity in your AWS environment. To integrate this service with Arctic Wolf Cloud Detection and Response (CDR), configure Amazon GuardDuty to forward its findings to Arctic Wolf.
Note:
- By default, GuardDuty is integrated with AWS Security Hub. If you have Security Hub enabled or plan to enable Security Hub, see Configure AWS Security Hub for Arctic Wolf monitoring instead of this document.
- GuardDuty is a chargeable service, based on the traffic and usage of your Amazon Web Services (AWS)® account. See GuardDuty pricing documentation before enabling this service.
- Make sure to complete these steps for each region that you want to forward GuardDuty findings from.
These resources are required:
- An AWS user or Identity and Access Management (IAM) role with AdministratorAccess or an equivalent IAM policy
- Access to the AWS Management Console
These actions are required:
- Contact your Concierge Security® Team (CST) to verify that Arctic Wolf is receiving your CloudTrail events.
For more information, see Configure AWS CloudTrail events for Arctic Wolf monitoring.
Determine your AWS account configuration
Configure your Amazon GuardDuty monitoring based on your account configuration. If you have:
- A single account — Complete the steps in Configure GuardDuty with a single account.
- Multiple accounts — Proceed to Determine if you have a delegated GuardDuty administrator account.
Determine if you have a delegated GuardDuty administrator account
Note: Delegated GuardDuty administrator accounts are region-specific.
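Because both the forwarding setup and the delegated administrator are region-specific, the practical first step for a multi-account environment is to inventory each region: does it have a GuardDuty detector at all, and which account (if any) is its enabled delegated administrator? The following Python script is an added example and is not code from the Arctic Wolf documentation or from AWS. It uses the two real boto3 GuardDuty calls `list_detectors` and `list_organization_admin_accounts`; the region list, the `FakeGuardDuty` client and all account, detector and error values are constructed so the script runs offline, and the assumption that a non-management account gets an exception from the admin lookup is labelled in the code. Swap `sample_report()` for `inventory(DEFAULT_REGIONS, boto3_factory)` to run it against a real account.

```python
"""Per-region GuardDuty inventory: is a detector enabled, and is there a
delegated administrator? Added example, not from the Arctic Wolf docs.
"""
from typing import Callable, Dict, List, Optional

# Assumed starting region list; replace with every region you forward findings from.
DEFAULT_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def check_region(client) -> Dict[str, object]:
    """Inspect one region through a GuardDuty client.

    The client needs the two boto3 GuardDuty methods used here:
      list_detectors()                   -> {"DetectorIds": [...]}
      list_organization_admin_accounts() -> {"AdminAccounts": [{"AdminAccountId", "AdminStatus"}]}
    """
    detector_ids: List[str] = list(client.list_detectors().get("DetectorIds", []))
    delegated_admin: Optional[str] = None
    admin_error: Optional[str] = None
    try:
        resp = client.list_organization_admin_accounts()
        for acct in resp.get("AdminAccounts", []):
            # Only an ENABLED entry counts; DISABLE_IN_PROGRESS is being removed.
            if acct.get("AdminStatus") == "ENABLED":
                delegated_admin = acct.get("AdminAccountId")
                break
    except Exception as exc:
        # Assumption: calling this from an account that is not the Organizations
        # management account fails with an API exception; record it rather than abort.
        admin_error = str(exc)
    return {
        "detector_ids": detector_ids,
        "guardduty_enabled": bool(detector_ids),
        "delegated_admin": delegated_admin,
        "admin_lookup_error": admin_error,
    }


def inventory(regions: List[str], client_factory: Callable[[str], object]) -> Dict[str, Dict[str, object]]:
    """Run check_region for every region, keyed by region name."""
    return {region: check_region(client_factory(region)) for region in regions}


def regions_missing_detector(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Regions with no detector: GuardDuty is not enabled there, so nothing can be forwarded yet."""
    return sorted(r for r, info in report.items() if not info["guardduty_enabled"])


def boto3_factory(region: str):
    """Real client factory; boto3 is imported lazily so the module loads without it."""
    import boto3
    return boto3.client("guardduty", region_name=region)


class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client, used for offline runs."""

    def __init__(self, detector_ids, admin_accounts, raise_on_admin=None):
        self._detectors = detector_ids
        self._admins = admin_accounts
        self._raise = raise_on_admin

    def list_detectors(self):
        return {"DetectorIds": list(self._detectors)}

    def list_organization_admin_accounts(self):
        if self._raise:
            raise RuntimeError(self._raise)
        return {"AdminAccounts": list(self._admins)}


# Constructed sample (not real AWS data): delegated admin set in us-east-1 only,
# no delegated admin in us-west-2, and GuardDuty not enabled at all in eu-west-1.
SAMPLE_CLIENTS = {
    "us-east-1": FakeGuardDuty(["detector-id-constructed-1"],
                               [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]),
    "us-west-2": FakeGuardDuty(["detector-id-constructed-2"], []),
    "eu-west-1": FakeGuardDuty([], [], raise_on_admin="BadRequestException (constructed)"),
}


def sample_report() -> Dict[str, Dict[str, object]]:
    """Inventory over the constructed sample clients."""
    return inventory(list(SAMPLE_CLIENTS), lambda region: SAMPLE_CLIENTS[region])


if __name__ == "__main__":
    report = sample_report()
    for region, info in report.items():
        print(region, info)
    print("regions without a detector:", regions_missing_detector(report))
```

Run the real inventory from the Organizations management account (or the delegated administrator) so the admin lookup succeeds; a region that shows a detector but no delegated administrator follows the single-account path, while a region without a detector needs GuardDuty enabled before any findings can be forwarded.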