This quick start guide will help Symantec™ Managed Security Services (MSS) customers configure Amazon Web Service (AWS) GuardDuty to allow log collection from the Log Collection Platform (LCP). 

The document includes the following topics:

Supported Versions

A list of supported versions is available in the MSS Supported Products List document (Symantec_MSS_Supported_Products_List_CUSTOMER.xlsx), which can be found at: https://mss.symantec.com/PortalNextGen/Reports/Documents

Port Requirements         

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

LCP

AWS GuardDuty

443 (TCP)

 Default port

Configuring AWS GuardDuty

  1. Log in to the AWS console.

  2. Type GuardDuty in the Search bar.

  3. Enable the GuardDuty feature follow the below mentioned steps to forward events to Cloud watch.

  4. LCP GuardDuty collector configuration using the CloudWatch requires the following AWS permissions along with the IAM User and the IAM user role require the below pre-requisites.  

  • CloudWatchLogsReadOnlyAccess

Configuring AWS CloudWatch Rule

  1. Log in to the AWS console using the AWS role with the appropriate permissions mentioned above. 

  2. From services, select the Lambda

           

  1. Click the Create function button 

  2. Enter a name for the Lambda function using your organizations standards

  3. Select Python 2.7 as the runtime

  4. If you do not have a role to run Lambda functions already created, then select Create Custom Role under Role.  A new tab/window will open for you to create a new role.  If you have an existing role, select it using the Choose an existing role option under Role and proceed to step 9.

  5. To configure your AWS Lambda role, in the tab spawned from step 7, Create Custom Rule, Lambda basic execution should already be selected as well as Create a new role policy under Policy Name.  

Note: Following readonly permissions are required to fetch logs. 

{
"Version": "2012-10-17",
"Statement": [
{ "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "logs:Describe*", "logs:Get*", "logs:List*","logs:FilterLogEvents" ], "Resource": "arn:aws:logs:*:142776275967:log-group:/aws/lambda/guardduty-logger-prod-lambda_handler:log-stream:*" }]
}

  1. Click done to confirm new role.   

  2. Back in the Lambda function tab/window, the Role should have Choose an existing role selected and the Existing role should have either the new or existing lambda role to be selected. 

  1. Click Create Function.

  2. Click the Function name under the Designer view and enter the function code in the function window. Please get the function code from the file -lambda function GuardDuty which is attached with this guide.

  3. Kindly ensure that the Handler name and Python function names match.ing, collection

 

  1. Click the Save button at the top.

  2. Navigate to the CloudWatch service

  3. Select Rules from the navigation pane on the left

  4. Click the Create rule button

  5. Ensure Event Pattern radio button is selected

  6. Under Service Name select GuardDuty

  7. Under Event Type select GuardDuty Finding.

  8. Click the Add Target Button in the Targets Pane.

 
 

  1. Under the Function, select the lambda function you created in the steps above. 

  2. Click the Configure Details button

  3. Enter the rule name using your organizations naming convention.  

Note: This name will appear in the CloudWatch log trails as /aws/lambda/<rule name>.

Testing CloudWatch Rule and Lambda function

It is important to test the CloudWatch rule and lambda function prior to enabling and configuring the collector.  This test will walk you through generating sample GuardDuty findings, if you can generate your own finding you can use those as triggers as well. 

  1. If you can generate your own GuardDuty findings then, please proceed to step 3, otherwise select the GuardDuty Service.

  1. Click General from the left hand side navigation pane then click the Generate sample findings button.  

  2. Navigate to the CloudWatch service

  3. Click Logs using the left hand side navigation link

  4. CloudWatch rules fire for every 5 minutes and it will run the lambda function against those findings if the new ones are exist. 

  5. Please wait for 5 minutes and you should see a new Log Group appear using the format /aws/lambda/<CloudWatch Rule Name>.

  

  1. Click the Log Group name to see the Log Trails

  1. You should see an entry where one of the messages has the tag [INFO]

  1. Expand that line, and you should see a GuardDuty finding in a single line JSON format.

  2. If this finding was shown, you have successfully tested the GuardDuty rule and Lambda function.

Creating New Request for Monitoring

Once the device is configured as outlined in the steps above and all network pre-requisites have been made, you are now ready to onboard it for MSS monitoring. To complete this process, submit a New Request via the MSS Portal at https://mss.symantec.com/. This new request should contain the following information:

  1. Reporting LCP Hostname/IPAddress:
  2. AWS Region: 
  3. AWS Secret Access ID: 
  4. AWS Secret Access Key: 
  5. Cloud Watch Log Group: 

Note: If you have any questions about this process, please contact the Symantec MSS onboarding team.

LCP Configuration parameters

                                                                       Table 1-2: The AWS GuardDuty event collector properties to be configured by MSS are shown in the table.

Property

 Default Value

 Description

AWS Region

 Custom Value

AWS Region mentioned in the Pre-Installation Questionnaire (PIQ).

Note: Regions such as us-east-1, us-west-1, us-west-2, eu-west-1, ap-northeast-1, ap-southeast-2, ap-southeast-1, sa-east-1.

US East (Northern Virginia), US West (Oregon and Northern California), EU (Ireland), EU (Frankfurt), AP Northeast (Tokyo),

AP Southeast (Singapore),AP Southeast (Sydney), and SA East (Sao Paulo) regions.

For reference : https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

AWS Secret Access ID

 Custom Value

AWS Secret Access ID mentioned in the Pre-Installation Questionnaire (PIQ).

Note: Based on the Account ID. The IAM user must be part of the appropriate role that has required permissions to access/read the AWS.

For reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

AWS Secret Access Key

 Custom Value

AWS Secret Access Key mentioned in the PIQ. 

Note: Based on the Account ID, refer to the following URL to get information about AWS Secret Access Key: AWS Guide

Cloud Watch Log Groups

 Custom Value

Name of Destination Log group.

Note: Rule name will appear in the CloudWatch log trails as /aws/lambda/<rule name>. Rule name is the one which you have

given while creating the Cloud Watch rule.

 

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The software and services described in this manual are furnished under a license agreement and may be used only in accordance with the terms of the agreement.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
 

lambda function GuardDuty

lambda function GuardDuty

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.