Guard Duty is a basic, easy-to-use intrusion detection system provided by Amazon Web services. The main benefit of Guard Duty is that is extremely easy to setup (one click). Over time, the user can customize the detection and prevention rules to make the AWS findings more useful.
One big draw back of Guard Duty is that it provides very little forensic and correlation capabilities. As with most intrusion detection systems, the user can only look at single events in isolation without the ability of investigating why they where generated within a more general security context. Without this deeper understanding, single events are not very useful and, more importantly, by themselves may fail to reveal more important security insights.
MetaFlows now supports the analysis and correlation of AWS Guard Duty events thus providing a more advanced forensic capability through the MetaFlows Security System (which includes full packet logging, pcap generation and a number of advanced forensic tools) .
Setup
Guard Duty only works within each availability zone; therefore you will need a MetaFlows sensor running in the same availability zone where you want to run Guard Duty.
Below are the steps necessary to forward guard duty events to a MetaFlows sensor.
- Enable Guard Duty.
- Find out your Guard Duty MetaFlows port for the sensor to which you want to export Guard Duty events. Please contact MetaFlows’ support on how to find this value
- Go to the Amazon SNS service and create a topic called guardduty Note: The Amazon SNS topic must be in the same Region as your AWS Guard Duty service.
- Open the CloudWatch console.
- In the navigation pane, choose Rules, and then choose Create rule.
- From the Service Name menu, choose GuardDuty.
- From the Event Type menu, choose GuardDuty Finding.
- In Targets, choose Add target.
- In Select Target, choose SNS topic.
- In Select Topic, choose your SNS topic guardduty
- Click configure details and enter a mnemonic name like Guarddutytometaflows
- Go back to the SNS console and select the topic guardduty
- Click on Create subscription
- Select HTTPS protocol
- Under endpoint enter https://sensor.metaflows.net:<port> where <port> is the port number that you obtained in step 2 and click on Create subscription
- Click on Subscriptions and verify the new subscription status is Confirmed
After the subscription is confirmed, you will start receiving Guard Duty Events in the MetaFlows system such as the ones below:
As any other event type, Guard Duty events are aggregated by IP addresses, ports and classes so you can easily explore the event types hierarchically and correlate them with other MetaFlows events that share the same IP addresses. Importantly (as shown here) you can also run several forensic tools on the events including inspecting the payloads associated with the network activity that triggered the events. You can also easily start blocking the servers or the clients with our IPS system as well as initiate vulnerability scanning.
If you are interested in exploring how MetaFlows can augment AWS Guard Duty or other AWS security products, do not hesitate contacting us.
Thanks and Happy Hunting!