Configure GuardDuty with multiple accounts with AWS Organizations

You can configure GuardDuty for multiple accounts with AWS Organizations if you have a delegated GuardDuty administrator account and exporting to S3 is not configured.

These resources are required:

Optional: Complete additional AWS configurations. For more information, see Configure AWS for Arctic Wolf monitoring.

Create the base stack

Note: If the AWS CloudTrail stack exists on this account already, you do not need to create the base stack.
  1. Complete Configure CloudTrail monitoring with no existing trails.
  2. When the stack has a status of CREATE_COMPLETE, navigate to CloudTrail.
  3. Select the newly created trail, and then delete it.
    The trail was required to deploy GuardDuty configurations, and it is no longer needed.

Create a dedicated S3 bucket for GuardDuty findings

  1. Sign in to the AWS Management Console with the delegated GuardDuty administrator account.
  2. In the navigation menu, click the current AWS region, and then change the region to where you want to create a bucket.
  3. In the navigation menu, click Buckets.
  4. Click Create bucket.
    The Create bucket page opens.
  5. In the Bucket name field, enter a name similar to awn-guardduty-logs-bucket-account_id-region, where account_id is the 12-digit ID number of your current AWS account and region is the region of the S3 bucket.
    Note: Do not change the other default settings.
  6. Click Create bucket.

Configure the delegated GuardDuty administrator account to export logs

  1. Sign in to the AWS Management Console with the delegated GuardDuty administrator account.
  2. Navigate to the GuardDuty console.
  3. In the navigation menu, click Settings.
  4. In the Findings export options section, in the Frequency section, click Edit, and then select 15 minutes.
  5. Click Save changes.
  6. In the Findings export options section, in the S3 Bucket section, click Configure now.
  7. In the S3 bucket ARN field, enter the ARN of the bucket that you created in Create a dedicated S3 bucket for GuardDuty findings.
  8. In the KMS key ARN field, enter the ARN of the AWNKMSKey.
  9. Click Save.
    Note: If you receive an error about the policy, follow the steps and apply the policy according to the instructions in the error message.

Attach policies to the S3 bucket and KMS key

  1. Sign in to the AWS Management Console with the delegated GuardDuty administrator account.
  2. Navigate to the GuardDuty console.
  3. In the navigation menu, click Settings.
  4. In the Attach Policy section, copy the required policy and attach it to the selected S3 bucket that you specified in the previous step.
  5. Copy the required policy and attach it to the selected KMS Key that you specified in the previous step.

Enable S3 protection

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings > S3 Protection.
  3. Select the S3 Protection is enabled on this account checkbox.

Enable EKS protection for multiple accounts

Complete these steps for each of the Amazon GuardDuty accounts that you want Arctic Wolf to monitor.

Note:
  • Only delegated GuardDuty administrator accounts can configure EKS protection in multi-account environments.
  • If you use AWS Organizations, this procedure automatically enables EKS protection for all new and existing accounts.
Tip:
  1. Sign in to the GuardDuty console with administrator permissions.
  2. In the navigation menu, click Settings > Kubernetes protection.
  3. Click Enable all to enable automatic EKS protection for new and existing member accounts.
  4. Click Update Settings.
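The console steps above (15-minute export frequency, S3 destination encrypted with the AWNKMSKey, S3 Protection, and organization-wide EKS protection) can be verified afterwards from the delegated administrator account. The following check is an added example, not Arctic Wolf's or AWS's own code: the response dicts are constructed samples that mirror the shapes of the GuardDuty API calls get_detector, describe_publishing_destination and describe_organization_configuration, the function name audit_guardduty_export is hypothetical, and the account ID, region and KMS key ID are placeholders.

```python
import re

# Bucket naming convention from this procedure: awn-guardduty-logs-bucket-<12-digit account>-<region>.
BUCKET_NAME_RE = re.compile(r"^awn-guardduty-logs-bucket-(\d{12})-([a-z]{2}(?:-gov)?-[a-z]+-\d)$")

# Constructed sample responses (placeholder account, region and key ID, not real data).
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "FindingPublishingFrequency": "FIFTEEN_MINUTES",
    "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
                 {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}],
}
SAMPLE_DESTINATION = {
    "DestinationType": "S3",
    "Status": "PUBLISHING",
    "DestinationProperties": {
        "DestinationArn": "arn:aws:s3:::awn-guardduty-logs-bucket-123456789012-us-east-1",
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    },
}
SAMPLE_ORG_CONFIG = {
    "AutoEnableOrganizationMembers": "ALL",
    "Features": [{"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"}],
}


def feature_value(features, name, key):
    """Return `key` of the feature entry called `name`, or None if it is absent."""
    return next((f.get(key) for f in features if f.get("Name") == name), None)


def audit_guardduty_export(detector, destination, org_config, expected_kms_arn):
    """Return a list of problems with the export setup; an empty list means compliant."""
    problems = []
    if detector.get("FindingPublishingFrequency") != "FIFTEEN_MINUTES":
        problems.append("finding export frequency is not 15 minutes")
    if feature_value(detector.get("Features", []), "S3_DATA_EVENTS", "Status") != "ENABLED":
        problems.append("S3 Protection is not enabled on the administrator account")
    props = destination.get("DestinationProperties", {})
    bucket = props.get("DestinationArn", "").removeprefix("arn:aws:s3:::")
    if not BUCKET_NAME_RE.match(bucket):
        problems.append(f"bucket does not follow the awn-guardduty-logs-bucket naming convention: {bucket!r}")
    if props.get("KmsKeyArn") != expected_kms_arn:
        problems.append("export destination is not encrypted with the expected KMS key (AWNKMSKey)")
    if destination.get("Status") != "PUBLISHING":
        # Anything other than PUBLISHING usually means the bucket or KMS key policy was not attached.
        problems.append(f"publishing destination status is {destination.get('Status')!r}")
    if feature_value(org_config.get("Features", []), "EKS_AUDIT_LOGS", "AutoEnable") != "ALL":
        problems.append("EKS protection is not auto-enabled for all member accounts")
    return problems
```

In a live check, fetch the three responses with boto3 from the delegated administrator account and pass them to audit_guardduty_export together with the AWNKMSKey ARN.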

Launch the S3 CloudFormation stack

  1. Sign in to the AWS Management Console with the log archive account.
  2. Navigate to CloudFormation.
  3. On the CloudFormation page, click Create stack > With new resources (standard).
  4. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  5. In a new browser tab, go to the Arctic Wolf Unified Portal, copy the Simple Storage Service (S3) logs link, and then paste it into the Amazon S3 URL field.
  6. Click Next.
  7. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.
    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.
  8. In the Parameters section, in the bucketName field, enter the name of the S3 bucket used to save logs.
  9. Keep the prefixPath field empty when using a dedicated bucket.
    Note: When entering the prefixPath value, do not include a trailing slash, /.
  10. If the logs use encryption that is different from the AWNKMSKey, enter the ARN of the KMS key in the kmsKey field.
    Note: If the KMS key is located in a different account from the account you are deploying the CloudFormation stack in, contact your Concierge Security® Team (CST) for configuration guidance.
  11. Click Next.
    You are redirected to the Configure stack options page. Do not make changes on this page.
  12. Click Next.
  13. On the Review page, read the Capabilities section.
  14. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  15. Click Submit.
    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.
  16. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  17. Contact your CST® to verify that Arctic Wolf is processing logs from your S3 bucket.

Generate sample findings

Generate a sample finding for each finding type to make sure that Arctic Wolf is receiving data.

  1. Sign in to the GuardDuty console with the same account that you used to set up Arctic Wolf configurations.
  2. In the navigation menu, click Settings.
  3. On the Settings page, in the Sample findings section, click Generate sample findings.
  4. In the navigation menu, click Findings.
    Sample findings are displayed with the prefix [SAMPLE].