Skip to main content

AWS - GuardDuty Event Collector

This Integration is part of the AWS - GuardDuty Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Amazon Web Services Guard Duty Service Event Collector integration for Cortex XSIAM.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure AWS - GuardDuty Event Collector on Cortex XSOAR#

  1. Navigate to Settings > Configurations > Data Collection > Automation and Feed Integrations.

  2. Search for AWS - GuardDuty Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    AWS Default RegionThe AWS Region for this instance of the integration. For example, us-west-2True
    Role ARNThe Amazon Resource Name (ARN) role used for EC2 instance authentication. If this is used, an access key and secret key are not required.False
    Role Session NameA descriptive name for the assumed role session. For example, xsiam-IAM.integration-Role_SESSIONFalse
    Role Session DurationThe maximum length of each session in seconds. Default: 900 seconds. The Cortex XSOAR integration will have the permissions assigned only when the session is initiated and for the defined duration.False
    Access KeyThe access key ID used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required.False
    Secret KeyThe secret key used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required.False
    TimeoutThe time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout preceded by a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used.False
    RetriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.False
    First fetch timeFirst fetch query <number> <time unit>, e.g., 7 days. Default 3 days.False
    Number of events to fetch per fetch.Default is 10.False
    Guard Duty Severity levelThe severity level or higher of findings to be fetched: Low, Medium, or High. For example, if you set the severity level to Medium, only findings with severity level Medium or High will be fetched.True
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-gd-get-events#


Manual command to fetch events and display them.

Base Command#

aws-gd-get-events

Input#

Argument NameDescriptionRequired
should_push_eventsSet this argument to True to create events, otherwise the command will only display them. Possible values are: true, false. Default is false.Required
severityThe minimum severity of the events to fetch (inclusive). Possible values are: Low, Medium, High. Default is Low.Required
collect_fromThe date to start collecting the events from.Optional
limitThe maximum amount of events to return.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-gd-get-events severity=Low should_push_events=false limit=1 collect_from="60 days ago"

Human Readable Output#

AWSGuardDuty Logs#
Account IdArnCreated AtDescriptionIdPartitionRegionResourceSchema VersionServiceSeverityTitleTypeUpdated At
SomeAccountIdSomeArn2022-08-16T07:22:39.877ZA container with a sensitive host path mounted inside was launched on EKS Cluster SomeFindingEKSClusterName. If this behavior is not expected, it may indicate that your credentials are compromised.<some_id>aws<some_region>EksClusterDetails: {"Name": "SomeFindingEKSClusterName", "Arn": "SomeFindingEKSClusterArn", "VpcId": "SomeFindingEKSClusterVpcId", "Status": "ACTIVE", "Tags": [{"Key": "SomeFindingEKSClusterTag1", "Value": "SomeFindingEKSClusterTagValue1"}, {"Key": "SomeFindingEKSClusterTag2", "Value": "SomeFindingEKSClusterTagValue2"}, {"Key": "SomeFindingEKSClusterTag3", "Value": "SomeFindingEKSClusterTagValue3"}], "CreatedAt": "2021-11-11T10:15:55.218000"}
KubernetesDetails: {"KubernetesUserDetails": {"Username": "SomeFindingUserName", "Uid": "SomeFindingUID", "Groups": ["SomeFindingUserGroup"]}, "KubernetesWorkloadDetails": {"Name": "SomeFindingKubernetesWorkloadName", "Type": "SomeFindingKubernetesWorkloadType", "Uid": "SomeFindingKubernetesWorkloadUID", "Namespace": "SomeFindingKubernetesWorkloadNamespace", "Containers": [{"Name": "SomeFindingContainerName", "Image": "SomeFindingContainerImage", "ImagePrefix": "SomeFindingContainerImagePrefix", "VolumeMounts": [{"Name": "SomeFindingVolumeName", "MountPath": "SomeFindingVolumeMountPath"}]}], "Volumes": [{"Name": "SomeFindingVolumeName", "HostPath": {"Path": "SomeFindingHostPath"}}]}}
ResourceType: EKSCluster
2.0Action: {"ActionType": "KUBERNETES_API_CALL", "KubernetesApiCallAction": {"RequestUri": "SomeFindingRequestURI", "Verb": "create", "UserAgent": "", "RemoteIpDetails": {"City": {"CityName": "SomeFindingCityName"}, "Country": {"CountryName": "SomeFindingCountryName"}, "GeoLocation": {"Lat": 0, "Lon": 0}, "IpAddressV4": "1.1.1.1", "Organization": {"Asn": "0", "AsnOrg": "SomeFindingASNOrg", "Isp": "SomeFindingISP", "Org": "SomeFindingORG"}}, "StatusCode": 201}}
Archived: true
Count: 1
DetectorId: detectorid
EventFirstSeen: 2022-08-16T07:22:39.000Z
EventLastSeen: 2022-08-16T07:22:39.000Z
ResourceRole: TARGET
ServiceName: guardduty
AdditionalInfo: {"Value": "{\"sample\":true}", "Type": "default"}
5Container launched with a sensitive host path mounted inside.Persistence:Kubernetes/ContainerWithSensitiveMount2022-08-16T07:22:39.877Z