This quick start guide will help Symantec™ Managed Security Services (MSS) customers configure Amazon Web Service (AWS) GuardDuty to allow log collection from the Log Collection Platform (LCP).
The document includes the following topics:
A list of supported versions is available in the MSS Supported Products List document (Symantec_MSS_Supported_Products_List_CUSTOMER.xlsx), which can be found at: https://mss.symantec.com/PortalNextGen/Reports/Documents
| Source | Destination | Port | Description |
|---|---|---|---|
| LCP | AWS GuardDuty | 443 (TCP) | Default port |
1. Log in to the AWS console.
2. Type GuardDuty in the Search bar.
3. Enable the GuardDuty feature, then follow the steps below to forward events to CloudWatch.
Configuring the LCP GuardDuty collector through CloudWatch requires the following AWS permissions, in addition to the IAM user role set up as part of the collector prerequisites:

- AWSLambdaFullAccess
- CloudWatchFullAccess
- CloudWatchLogsFullAccess
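The three managed policies above grant far more than the Lambda function or the collector actually exercises. The following added example (written for this page, not part of the Symantec guide or any AWS library) shows what a scoped-down execution policy for the Lambda function and a read-only policy for the collector's IAM user look like, together with a small check that flags policy statements granting wildcard actions or resources. The region, account ID and rule name are placeholders, and whether the scoped policies cover everything your collector needs is an assumption to verify in your own account before replacing the managed policies.

```python
"""Least-privilege alternatives to the *FullAccess managed policies, plus a
wildcard-grant checker.  Added example; the ARNs use placeholder values."""
import json

REGION = "us-east-1"            # placeholder: use the region from your PIQ
ACCOUNT = "123456789012"        # placeholder: your AWS account ID
RULE_NAME = "RULE_NAME_PLACEHOLDER"  # the CloudWatch rule name you chose

# The guide states the log group is created as /aws/lambda/<rule name>
LOG_GROUP_ARN = "arn:aws:logs:%s:%s:log-group:/aws/lambda/%s" % (REGION, ACCOUNT, RULE_NAME)

# Execution role for the Lambda function: it only needs to write its own log group.
LAMBDA_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
         "Resource": "arn:aws:logs:%s:%s:*" % (REGION, ACCOUNT)},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_GROUP_ARN + ":*"},
    ],
}

# IAM user whose access key / secret go into the collector: read-only on that log group
# (assumption: these four actions are sufficient for a CloudWatch Logs reader).
COLLECTOR_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"],
         "Resource": "arn:aws:logs:%s:%s:log-group:*" % (REGION, ACCOUNT)},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": [LOG_GROUP_ARN, LOG_GROUP_ARN + ":*"]},
    ],
}

# Constructed for comparison: the shape of a broad "*FullAccess"-style grant.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "cloudwatch:*", "logs:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Return (statement_index, reason) pairs for every Allow statement that
    grants a wildcard action ('*' or 'service:*') or a wildcard resource ('*')."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "wildcard action %s" % action))
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append((index, "wildcard resource"))
    return findings


def policy_json(policy):
    """Serialise a policy document as you would paste it into the IAM console."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, policy in [("lambda execution", LAMBDA_EXECUTION_POLICY),
                         ("collector read", COLLECTOR_READ_POLICY),
                         ("broad", BROAD_POLICY)]:
        print("%s policy: %d wildcard grant(s)" % (name, len(wildcard_grants(policy))))
    print(policy_json(LAMBDA_EXECUTION_POLICY))
```

Run the script to print the two scoped policy documents and a wildcard count for each; the broad policy reports four wildcard grants, the scoped ones none.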
1. Log in to the AWS console using the AWS role with the appropriate permissions mentioned above.
2. From Services, select Lambda.
3. Click the Create function button.
4. Enter a name for the Lambda function using your organization's standards.
5. Select Python 2.7 as the runtime.
6. If you do not already have a role to run Lambda functions, select Create Custom Role under Role. A new tab/window will open for you to create a new role. If you have an existing role, select it using the Choose an existing role option under Role and proceed to step 9.
7. To configure your AWS Lambda role, in the Create Custom Role tab opened in the previous step, Lambda basic execution should already be selected, as should Create a new role policy under Policy Name.
8. Click Done to confirm the new role.
9. Back in the Lambda function tab/window, Role should have Choose an existing role selected, and Existing role should have either the new or the existing Lambda role selected.
10. Click Create Function.
11. Click the function name under the Designer view and enter the function code in the function window. Take the function code from the file "lambda function GuardDuty" attached to this guide.
12. Ensure that the Handler name and the Python function name match.
13. Click the Save button at the top.
14. Navigate to the CloudWatch service.
15. Select Rules from the navigation pane on the left.
16. Click the Create rule button.
17. Ensure the Event Pattern radio button is selected.
18. Under Service Name, select GuardDuty.
19. Under Event Type, select GuardDuty Finding.
20. Click the Add Target button in the Targets pane.
21. Under Function, select the Lambda function you created in the steps above.
22. Click the Configure Details button.
23. Enter the rule name using your organization's naming convention.

Note: This name will appear in the CloudWatch log trails as /aws/lambda/<rule name>.
Testing CloudWatch Rule and Lambda function
It is important to test the CloudWatch rule and Lambda function before enabling and configuring the collector. This test walks you through generating sample GuardDuty findings; if you can generate your own findings, you can use those as triggers as well.

1. Click General from the left-hand navigation pane, then click the Generate sample findings button.
2. Click Logs using the left-hand navigation link.
3. CloudWatch rules fire every 5 minutes and run the Lambda function against any new findings.
4. Wait 5 minutes and you should see a new Log Group appear, named using the format /aws/lambda/<CloudWatch Rule Name>.
5. Expand that line, and you should see a GuardDuty finding in single-line JSON format.
6. If this finding is shown, you have successfully tested the GuardDuty rule and Lambda function.
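The guide's own Lambda code is in the attached "lambda function GuardDuty" file and is not reproduced on this page. As an added example written for this page (not the attached file, and not AWS code), the handler below shows the shape such a function takes: it checks that the incoming event is what the CloudWatch rule should deliver (source aws.guardduty, detail-type "GuardDuty Finding", which is what the Service Name and Event Type selections in the rule wizard translate to), then prints the finding as single-line JSON, which is the line you expect to see in the /aws/lambda/<rule name> log group during the test above. The matcher is a simplified top-level version of the rule's pattern matching, the handler name lambda_handler and the sample event values are assumptions, and the code avoids Python 3-only syntax so it runs under the Python 2.7 runtime the guide selects as well as Python 3.

```python
"""Added example of a GuardDuty-to-CloudWatch-Logs Lambda handler.
Runs on Python 2.7 and Python 3; not the guide's attached function."""
from __future__ import print_function
import json

# Pattern equivalent to choosing Service Name "GuardDuty" and
# Event Type "GuardDuty Finding" in the CloudWatch rule wizard.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Simplified top-level check: every key in the pattern must be present in
    the event with one of the listed values (CloudWatch's real matcher also
    handles nested keys; this is enough for the two keys used here)."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def summarize_finding(detail):
    """Pick out the fields an analyst looks at first from the finding's 'detail' block."""
    return {
        "id": detail.get("id"),
        "type": detail.get("type"),
        "severity": detail.get("severity"),
        "accountId": detail.get("accountId"),
        "region": detail.get("region"),
        "title": detail.get("title"),
    }


def finding_log_line(detail):
    """Render the finding as one line of JSON (no newlines, no extra spaces) so it
    lands in the log group as a single event the collector can parse."""
    return json.dumps(detail, separators=(",", ":"), sort_keys=True)


def lambda_handler(event, context):
    """Lambda entry point.  With this name, the Handler setting must read
    '<module name>.lambda_handler', as step 12 of the guide requires."""
    if not matches_pattern(event):
        # A mis-scoped rule or a manual test event that is not a finding.
        return {"status": "ignored", "reason": "not a GuardDuty finding event"}
    detail = event.get("detail", {})
    print(finding_log_line(detail))  # this print is what appears in CloudWatch Logs
    return {"status": "forwarded", "finding": summarize_finding(detail)}


# Constructed sample event in the envelope CloudWatch Events uses; IDs and
# account number are placeholders, the finding type is a real GuardDuty type.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2020-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "sample-finding-id",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance is being probed.",
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Running the file locally prints the single-line finding followed by the handler's return value; the same single line is what to look for when you expand the log stream in step 5 above. Pasting a non-GuardDuty event into the Lambda test console should produce the "ignored" result rather than a log line.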
Once the device is configured as outlined in the steps above and all network prerequisites have been met, you are ready to onboard it for MSS monitoring. To complete this process, submit a New Request via the MSS Portal at https://mss.symantec.com/. This new request should contain the following information:
Note: If you have any questions about this process, please contact the Symantec MSS onboarding team.
Table 1-2: The AWS GuardDuty event collector properties to be configured by MSS are shown in the table.

| Property | Default Value | Description |
|---|---|---|
| AWS Region | Custom Value | AWS Region mentioned in the Pre-Installation Questionnaire (PIQ). Note: regions such as us-east-1, us-west-1, us-west-2, eu-west-1, ap-northeast-1, ap-southeast-2, ap-southeast-1 and sa-east-1, that is, US East (Northern Virginia), US West (Oregon and Northern California), EU (Ireland), EU (Frankfurt), AP Northeast (Tokyo), AP Southeast (Singapore), AP Southeast (Sydney), and SA East (Sao Paulo). For reference: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html |
| AWS Secret Access ID | Custom Value | AWS Secret Access ID mentioned in the Pre-Installation Questionnaire (PIQ). Note: based on the Account ID. The IAM user must be part of the appropriate role that has the permissions required to access/read from AWS. For reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html |
| AWS Secret Access Key | Custom Value | AWS Secret Access Key mentioned in the PIQ. Note: based on the Account ID; refer to the AWS Guide for information about the AWS Secret Access Key. |
| Cloud Watch Log Groups | Custom Value | Name of the destination log group. Note: the rule name will appear in the CloudWatch log trails as /aws/lambda/<rule name>, where <rule name> is the name you gave when creating the CloudWatch rule. |
Attachment: lambda function GuardDuty