AWS - GuardDuty Event Collector
This Integration is part of the AWS - GuardDuty Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
Amazon Web Services Guard Duty Service Event Collector integration for Cortex XSIAM.
Configure AWS - GuardDuty Event Collector on Cortex XSOAR#
Navigate to Settings > Configurations > Data Collection > Automation and Feed Integrations.
Search for AWS - GuardDuty Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required AWS Default Region The AWS Region for this instance of the integration. For example, us-west-2 True Role ARN The Amazon Resource Name (ARN) role used for EC2 instance authentication. If this is used, an access key and secret key are not required. False Role Session Name A descriptive name for the assumed role session. For example, xsiam-IAM.integration-Role_SESSION False Role Session Duration The maximum length of each session in seconds. Default: 900 seconds. The Cortex XSOAR integration will have the permissions assigned only when the session is initiated and for the defined duration. False Access Key The access key ID used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required. False Secret Key The secret key used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required. False Timeout The time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout preceded by a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used. False Retries The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. False First fetch time First fetch query <number> <time unit>, e.g.,7 days. Default3 days.False Number of events to fetch per fetch. Default is 10. False Guard Duty Severity level The severity level or higher of findings to be fetched: Low, Medium, or High. For example, if you set the severity level to Medium, only findings with severity level Medium or High will be fetched. True Trust any certificate (not secure) False Use system proxy settings False
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
aws-gd-get-events#
Manual command to fetch events and display them.
Base Command#
aws-gd-get-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| should_push_events | Set this argument to True to create events, otherwise the command will only display them. Possible values are: true, false. Default is false. | Required |
| severity | The minimum severity of the events to fetch (inclusive). Possible values are: Low, Medium, High. Default is Low. | Required |
| collect_from | The date to start collecting the events from. | Optional |
| limit | The maximum amount of events to return. | Optional |
Context Output#
There is no context output for this command.
Command example#
!aws-gd-get-events severity=Low should_push_events=false limit=1 collect_from="60 days ago"
Human Readable Output#
AWSGuardDuty Logs#
| Account Id | Arn | Created At | Description | Id | Partition | Region | Resource | Schema Version | Service | Severity | Title | Type | Updated At |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SomeAccountId | SomeArn | 2022-08-16T07:22:39.877Z | A container with a sensitive host path mounted inside was launched on EKS Cluster SomeFindingEKSClusterName. If this behavior is not expected, it may indicate that your credentials are compromised. | <some_id> | aws | <some_region> | EksClusterDetails: {"Name": "SomeFindingEKSClusterName", "Arn": "SomeFindingEKSClusterArn", "VpcId": "SomeFindingEKSClusterVpcId", "Status": "ACTIVE", "Tags": [{"Key": "SomeFindingEKSClusterTag1", "Value": "SomeFindingEKSClusterTagValue1"}, {"Key": "SomeFindingEKSClusterTag2", "Value": "SomeFindingEKSClusterTagValue2"}, {"Key": "SomeFindingEKSClusterTag3", "Value": "SomeFindingEKSClusterTagValue3"}], "CreatedAt": "2021-11-11T10:15:55.218000"} KubernetesDetails: {"KubernetesUserDetails": {"Username": "SomeFindingUserName", "Uid": "SomeFindingUID", "Groups": ["SomeFindingUserGroup"]}, "KubernetesWorkloadDetails": {"Name": "SomeFindingKubernetesWorkloadName", "Type": "SomeFindingKubernetesWorkloadType", "Uid": "SomeFindingKubernetesWorkloadUID", "Namespace": "SomeFindingKubernetesWorkloadNamespace", "Containers": [{"Name": "SomeFindingContainerName", "Image": "SomeFindingContainerImage", "ImagePrefix": "SomeFindingContainerImagePrefix", "VolumeMounts": [{"Name": "SomeFindingVolumeName", "MountPath": "SomeFindingVolumeMountPath"}]}], "Volumes": [{"Name": "SomeFindingVolumeName", "HostPath": {"Path": "SomeFindingHostPath"}}]}} ResourceType: EKSCluster | 2.0 | Action: {"ActionType": "KUBERNETES_API_CALL", "KubernetesApiCallAction": {"RequestUri": "SomeFindingRequestURI", "Verb": "create", "UserAgent": "", "RemoteIpDetails": {"City": {"CityName": "SomeFindingCityName"}, "Country": {"CountryName": "SomeFindingCountryName"}, "GeoLocation": {"Lat": 0, "Lon": 0}, "IpAddressV4": "1.1.1.1", "Organization": {"Asn": "0", "AsnOrg": "SomeFindingASNOrg", "Isp": "SomeFindingISP", "Org": "SomeFindingORG"}}, "StatusCode": 201}} Archived: true Count: 1 DetectorId: detectorid EventFirstSeen: 2022-08-16T07:22:39.000Z EventLastSeen: 2022-08-16T07:22:39.000Z ResourceRole: TARGET ServiceName: guardduty AdditionalInfo: {"Value": "{\"sample\":true}", "Type": "default"} | 5 | Container launched with a sensitive host path mounted inside. | Persistence:Kubernetes/ContainerWithSensitiveMount | 2022-08-16T07:22:39.877Z |