Integrate Amazon GuardDuty Findings into Cloud Insight Essentials Incidents
Amazon GuardDuty is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes and processes VPC Flow Logs and AWS CloudTrail event logs. GuardDuty uses security logic and AWS usage statistics techniques to identify unexpected and potentially unauthorized and malicious activity, like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains.
Alert Logic provides a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into Cloud Insight Essentials for display as threats on the Incidents page.
Before you begin
Before you perform the procedures required to integrate GuardDuty findings into Cloud Insight Essentials Incidents, ensure you have the proper permissions to do so, and the correct command line interfaces to generate access keys.
Verify administrative permissions
To perform the procedures necessary to integrate GuardDuty findings into Cloud Insight Essentials Incidents, your Cloud Insight Essentials account and your AWS account must have administrative permissions.
To verify your Cloud Insight Essentials permissions:
- Log into Cloud Insight Essentials.
- In the top right corner, click the user name tile > Users.
- At the top of the list of users, select your user name.
- In the Edit User panel, verify the selected user role is Administrator.
To verify your AWS permissions:
- Log into the AWS console.
- Click IAM, located under Security, Identity & Compliance.
- Ensure "AdministratorAccess" appears as one of the policies in the list of policy names.
Ensure access to a command line interface (CLI)
GuardDuty integration with Cloud Insight Essentials requires that you use a command line interface (CLI) appropriate to your operating system to generate the access keys and secret keys that allow Alert Logic to issue API calls on your behalf. You need the following CLI, depending on your operating system:
- Microsoft Windows requires PowerShell 3.0 or later.
- Unix and Linux require cURL and jq.
Enable Amazon GuardDuty
Before you can integrate GuardDuty findings into Cloud Insight Essentials, you must log into AWS and enable GuardDuty. For more information, see Setting Up Amazon GuardDuty.
Create an Alert Logic access key and secret key
To support GuardDuty integration, Alert Logic uses your customer identification, in the form of access keys and secret keys, to issue API calls on your behalf. You need these keys to launch a CloudFormation template that deploys a CloudWatch Events collector and a Lambda function that integrates GuardDuty findings into Cloud Insight Essentials for display as threats on the Incidents page.
1. From the bash command line, type the following command, where <email address> is your Cloud Insight Essentials user name.
export AL_USERNAME='<email address>'
2. Copy the following commands, and then paste them into the command line:
# Authenticate with Basic auth (curl prompts for the password) and keep the JSON response
auth=$(curl -X POST -s -u "$AL_USERNAME" https://api.global-services.global.alertlogic.com/aims/v1/authenticate)
export AL_ERROR=$(echo "$auth" | jq -r '.error // ""')
export AL_ACCOUNT_ID=$(echo "$auth" | jq -r '.authentication.account.id')
export AL_USER_ID=$(echo "$auth" | jq -r '.authentication.user.id')
export AL_TOKEN=$(echo "$auth" | jq -r '.authentication.token')
if [ -n "$AL_ERROR" ] || [ -z "$AL_TOKEN" ]; then
  echo "Authentication failure - $AL_ERROR"
else
  # The user must hold the Administrator role before a key is created
  roles=$(curl -s -X GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/roles | jq -r '.roles[].name')
  if [ "$roles" != "Administrator" ]; then
    echo "The $AL_USERNAME doesn't have Administrator role. Assigned role is '$roles'"
  else
    # Create the access key and secret key and print them
    curl -s -X POST -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq .
  fi
fi
# AL_TOKEN and the other AL_* variables stay exported in this shell session; unset them when you are done
unset AL_USERNAME
3. When prompted, enter your Cloud Insight Essentials password. The command prints the new key pair, for example:
{
"access_key_id": "712c0b413eef41f6",
"secret_key": "1234567890b3eea8880d292fb31aa96902242a076d3d0e320cc036eb51bf25ad"
}
Note the access_key_id and secret_key values, which you need to deploy the CloudFormation template to your AWS account.
1. In the Windows PowerShell console, type the following commands:
# Use TLS 1.2 for the API calls
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Prompt for the Cloud Insight Essentials credentials, build the Basic auth header,
# then discard the plain-text copy of the credentials
$creds = Get-Credential -Message "Please enter your Alert Logic Cloud Insight email address and password"
$unsecureCreds = $creds.GetNetworkCredential()
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $unsecureCreds.UserName,$unsecureCreds.Password)))
Remove-Variable unsecureCreds
# Authenticate and keep the account id, user id and session token from the response
$AUTH = Invoke-RestMethod -Method Post -Headers @{"Authorization"=("Basic {0}" -f $base64AuthInfo)} -Uri https://api.global-services.global.alertlogic.com/aims/v1/authenticate
Remove-Variable base64AuthInfo
$AL_ACCOUNT_ID = $AUTH.authentication.account.id
$AL_USER_ID = $AUTH.authentication.user.id
$AL_TOKEN = $AUTH.authentication.token
if (!$AL_TOKEN) {
    Write-Host "Authentication failure"
} else {
    # The user must hold the Administrator role before a key is created
    $ROLES_RESP = Invoke-RestMethod -Method Get -Headers @{"x-aims-auth-token"=$AL_TOKEN} -Uri https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/roles
    $ROLES = $ROLES_RESP.roles.name
    if ($ROLES -ne "Administrator") {
        Write-Host "Your user doesn't have Administrator role. Assigned role is '$ROLES'"
    } else {
        # Create the access key and secret key and print them
        $ACCESS_KEY = Invoke-RestMethod -Method Post -Headers @{"x-aims-auth-token"=$AL_TOKEN} -Uri https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys
        Write-Host $ACCESS_KEY
    }
}
2. When prompted, enter your Cloud Insight Essentials user name and password. The commands print the new key pair, for example:
@{access_key_id=712c0b413eef41f6; secret_key=1234567890b3eea8880d292fb31aa96902242a076d3d0e320cc036eb51bf25ad}
Note the access_key_id and secret_key values, which you need to deploy the CloudFormation template to your AWS account.
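As an added example (not Alert Logic's code), the same AIMS exchange that the bash and PowerShell commands above perform, written in Python with the HTTP transport injectable so that the three calls and the checks between them can be read and tested step by step. It assumes only the endpoints and response fields shown on this page; the function names, the `transport` parameter and its default `http_json` are this example's own. The role check tests membership, so a user who holds Administrator alongside another role still passes.

```python
"""Added example, not Alert Logic's code: the AIMS exchange behind the
commands above (authenticate -> check roles -> create access key), as
plain Python with an injectable transport.  Only the endpoints and JSON
fields shown on this page are assumed."""
import base64
import getpass
import json
import urllib.request

AIMS_BASE = "https://api.global-services.global.alertlogic.com/aims/v1"


def http_json(method, url, headers=None, body=None):
    """Default transport: one HTTPS request, decoded JSON body returned."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def create_access_key(username, password, transport=http_json):
    """Return (access_key_id, secret_key) for `username`, or raise RuntimeError
    with the same failure reasons the page's commands report."""
    # Step 1: Basic auth against /authenticate yields a session token plus the
    # account and user ids that the later URLs need.
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    auth = transport("POST", f"{AIMS_BASE}/authenticate",
                     headers={"Authorization": f"Basic {basic}"})
    token = auth.get("authentication", {}).get("token")
    if auth.get("error") or not token:
        raise RuntimeError(f"Authentication failure - {auth.get('error', '')}")
    account_id = auth["authentication"]["account"]["id"]
    user_id = auth["authentication"]["user"]["id"]
    session = {"x-aims-auth-token": token}

    # Step 2: the user must hold the Administrator role; membership is tested
    # so a user holding Administrator alongside another role still passes.
    roles_url = f"{AIMS_BASE}/{account_id}/users/{user_id}/roles"
    roles = [r["name"] for r in transport("GET", roles_url, headers=session)["roles"]]
    if "Administrator" not in roles:
        raise RuntimeError(f"{username} doesn't have Administrator role. Assigned roles: {roles}")

    # Step 3: POST to /access_keys mints the key pair the CloudFormation template needs.
    key = transport("POST", f"{AIMS_BASE}/{account_id}/users/{user_id}/access_keys",
                    headers=session)
    return key["access_key_id"], key["secret_key"]


if __name__ == "__main__":
    # Interactive use: prompts like the page's commands do, never echoes the password.
    user = input("Cloud Insight Essentials user name (email): ")
    key_id, secret = create_access_key(user, getpass.getpass("Password: "))
    print(json.dumps({"access_key_id": key_id, "secret_key": secret}, indent=2))
```

The token and the key pair live only in local variables here, so nothing is left behind in the shell environment once the script exits; the printed secret_key is the only copy, and it goes straight into the CloudFormation parameters described below.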
Deploy the CloudWatch Events collector from the CloudFormation template
This CloudFormation template deploys the Alert Logic CloudWatch Events collector and Lambda function to a single AWS region for GuardDuty integration. The CloudWatch Events collector collects CloudWatch Events associated with GuardDuty findings, and the Lambda function forwards those events to Cloud Insight Essentials to display as incidents.
If you want to collect events from multiple AWS regions, you must either install the CloudWatch Events collector in each region from which you want to collect events, or set up a GuardDuty Master Account. For more information, see Managing AWS Accounts in Amazon GuardDuty.
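As an added example (not Alert Logic's collector or Lambda, whose code is not on this page), the event-side logic an integration like this has to get right: the CloudWatch Events rule pattern that selects GuardDuty findings, the severity score to label mapping, and the handling of events that are not findings, findings with missing fields, and repeated deliveries of the same finding. The rule pattern and the finding field names follow the CloudWatch Events and GuardDuty schemas; the sample events, the incident record layout and the `lambda_handler` wrapper are constructed for this example.

```python
"""Added example, not Alert Logic's collector or Lambda: the event-side
logic such an integration has to get right.  The rule pattern and the
finding fields follow the CloudWatch Events / GuardDuty schema; the sample
events and the incident record layout are constructed here."""

# Rule pattern that selects GuardDuty findings and nothing else.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def matches_pattern(event, pattern=GUARDDUTY_EVENT_PATTERN):
    """Minimal CloudWatch Events pattern match: each key in the pattern must be
    present in the event with one of the listed values."""
    return all(event.get(key) in values for key, values in pattern.items())


def severity_label(score):
    """GuardDuty severity score to label: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def finding_to_incident(event):
    """Flatten one finding event into an incident record, or return None when the
    event is not a GuardDuty finding or lacks a required field."""
    if not matches_pattern(event):
        return None
    detail = event.get("detail", {})
    try:
        return {
            "finding_id": detail["id"],
            # GuardDuty re-emits a finding with the same id and a higher
            # service.count each time it recurs; keep the count for dedup.
            "occurrence": int(detail.get("service", {}).get("count", 1)),
            "finding_type": detail["type"],
            "severity": severity_label(float(detail["severity"])),
            "title": detail["title"],
            "account_id": detail["accountId"],
            "region": detail["region"],
            "resource_type": detail.get("resource", {}).get("resourceType", "Unknown"),
            "observed_at": event.get("time"),
        }
    except (KeyError, TypeError, ValueError):
        return None


def process_events(events, seen=None):
    """Turn a batch of raw events into incident records, dropping non-findings,
    malformed findings and repeats of a (finding_id, occurrence) already seen."""
    seen = set() if seen is None else seen
    incidents = []
    for event in events:
        record = finding_to_incident(event)
        if record is None:
            continue
        key = (record["finding_id"], record["occurrence"])
        if key in seen:
            continue
        seen.add(key)
        incidents.append(record)
    return incidents


def lambda_handler(event, context=None):
    """Hypothetical Lambda-style entry point: CloudWatch Events invokes it with one
    event; forwarding the records to the incident API is out of scope here."""
    return process_events([event])


def sample_finding_event(finding_id, count, severity):
    """Constructed sample in the shape CloudWatch Events delivers a finding."""
    return {
        "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "region": "us-east-1", "time": "2024-01-01T00:00:00Z",
        "detail": {
            "id": finding_id, "accountId": "123456789012", "region": "us-east-1",
            "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": severity,
            "title": "API call from a known malicious IP address",
            "resource": {"resourceType": "AccessKey"},
            "service": {"count": count},
        },
    }


if __name__ == "__main__":
    for record in process_events([sample_finding_event("f-1", 1, 5.0),
                                  sample_finding_event("f-1", 1, 5.0)]):
        print(record)
```

Because each Lambda invocation receives one event, the `seen` set in a real deployment would have to live outside the handler (a small table keyed on finding id and count, for instance); the batch form above shows the rule, and the handler shows where it sits. When collecting from several regions, the `region` field in the record comes from the finding itself, so records from every collector, or from a GuardDuty master account, carry the region they were raised in.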
To deploy the CloudWatch Events collector:
- Log in to the AWS Console with an AWS account that has AWS administrator privileges.
- Click the region in which you want to deploy the CloudFormation template:
- Click Next.
- In the Specify Details window, provide the following required parameters:
- Stack name—Accept the default, or use any preferred name
- AccessKeyId—access_key_id you created in Create an Alert Logic access key and secret key
- AlApiEndpoint—Accept the default (api.global-services.global.alertlogic.com)
- AlDataResidency—Accept the default in most cases
- SecretKey—secret_key you created in Create an Alert Logic access key and secret key
- Click Next.
- On the Options panel, click Next.
- In the Review panel, perform a predeployment check.
- Select I acknowledge that AWS CloudFormation might create IAM resources, and then click Create.
- On the CloudFormation Stacks panel, filter results based on the stack name you created, and then select your stack.
A successful deployment returns a status of CREATE_COMPLETE.
Verify the CloudFormation template launched successfully
If the CloudFormation template launched successfully, the Cloud Insight Essentials Incident List should include recent GuardDuty findings that also appear in the GuardDuty console.
- Log into the Alert Logic console with an account that has administrator permissions.
- Click Incidents, and then click List.
- Verify GuardDuty findings appear as incidents on the Incident List.