
Onboard AWS Guardduty Alerts to CFTR

Abstract


Category: Analytics and SIEM, Network Security

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

Third-Party Integrations:

  • AWS Guardduty: Amazon Guardduty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. The alerts triggered on AWS Guardduty are forwarded to Elastic SIEM.

  • Elastic SIEM: SIEM solution to retrieve and log AWS Guardduty alerts.

Problem Statement

Security teams continuously monitor AWS accounts, instances, container workloads, users, and storage for potential threats and rely on intelligent detection to surface them in the network. Detection alone is not enough, however: each threat still has to be processed further so that its detailed findings can be reviewed and remediation and prevention measures applied.

Solution

Security teams need a solution that automatically retrieves all the alerts and their details from AWS Guardduty and onboards them to the Cyware Fusion and Threat Response (CFTR) application for further investigation and action. This ensures that all alert-related information is readily available to an analyst in a single location and supports thorough analysis and remediation of the threat.

[Diagram: Onboard AWS Guardduty Alerts to CFTR]

How do we solve this problem?

  1. Retrieve Detections: The playbook starts by retrieving the latest AWS Guardduty detection alerts from Elastic SIEM. The alert contains important information such as alert context, metadata, and impacted resource details. You can also use Splunk SIEM to collect AWS Guardduty alerts.

  2. Create CFTR Incident: The playbook creates a new incident in CFTR and updates the alert details along with the alert ID. If an incident already exists for the alert, then the details are updated to the existing CFTR incident.

  3. Update the Elasticsearch Alert: The playbook updates the status of the Elasticsearch alert to Closed and records the created CFTR incident on it. This lets users know that the alert has already been forwarded to CFTR for analyst investigation and action.
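The three steps above, written out as an added example of the playbook's control flow; this is not Cyware's or the Orchestrate playbook's own code. It assumes a simplified document layout for GuardDuty findings indexed in Elasticsearch (field names such as alert_status, updatedAt and cftr_incident_id are assumptions about the index mapping), stands in for the CFTR incident API with an in-memory store keyed on the GuardDuty finding id (so a re-ingested alert updates the existing incident instead of creating a duplicate), and maps GuardDuty's numeric severity to Low/Medium/High bands. The sample hits are constructed.

```python
"""Playbook logic: GuardDuty findings from Elastic SIEM -> CFTR incidents -> close the alert.

Added example, not the project's own code. The CFTR API is represented by an in-memory
stand-in (IncidentStore); Elasticsearch request bodies are built but not sent, so the
example runs offline.
"""
import json
from datetime import datetime, timezone

# Constructed sample hits, shaped like GuardDuty findings indexed in Elasticsearch.
# The "_source" layout is an assumption; real shipper output differs. The third hit
# re-ingests the first finding with a higher severity, to exercise the update path.
SAMPLE_HITS = [
    {"_index": "guardduty-alerts", "_id": "doc-1", "_source": {
        "id": "a1b2c3d4e5f6", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 7.0, "accountId": "123456789012", "region": "us-east-1",
        "title": "API call from a known malicious IP address",
        "resource": {"resourceType": "AccessKey"}, "alert_status": "Open"}},
    {"_index": "guardduty-alerts", "_id": "doc-2", "_source": {
        "id": "0f9e8d7c6b5a", "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5.0, "accountId": "123456789012", "region": "us-east-1",
        "title": "Unprotected port on EC2 instance is being probed",
        "resource": {"resourceType": "Instance"}, "alert_status": "Open"}},
    {"_index": "guardduty-alerts", "_id": "doc-3", "_source": {
        "id": "a1b2c3d4e5f6", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 8.0, "accountId": "123456789012", "region": "us-east-1",
        "title": "API call from a known malicious IP address",
        "resource": {"resourceType": "AccessKey"}, "alert_status": "Open"}},
]

# GuardDuty severity bands (assumed mapping): 7.0+ High, 4.0-6.9 Medium, below 4.0 Low.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def build_search_body(since_iso):
    """Step 1: Elasticsearch query DSL body for open GuardDuty alerts updated since a timestamp."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"alert_status": "Open"}},
            {"range": {"updatedAt": {"gte": since_iso}}},
        ]}},
        "sort": [{"updatedAt": "asc"}],
        "size": 100,
    }


def guardduty_severity_label(score):
    """Map GuardDuty's numeric severity to the band label used on the incident."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def finding_to_incident(source):
    """Extract the alert context, metadata and impacted-resource details for the incident."""
    return {
        "alert_id": source["id"],
        "title": f'{source["type"]}: {source.get("title", "")}',
        "severity": guardduty_severity_label(float(source["severity"])),
        "account_id": source["accountId"],
        "region": source["region"],
        "resource_type": source["resource"]["resourceType"],
        "raw": json.dumps(source, sort_keys=True),  # full finding kept for the analyst
    }


class IncidentStore:
    """Step 2 stand-in for CFTR's incident API (hypothetical; CFTR's real API is not on this page).

    Incidents are keyed on the GuardDuty finding id, so an alert seen again updates the
    existing incident rather than opening a duplicate.
    """

    def __init__(self):
        self.incidents = {}
        self._next = 1

    def create_or_update(self, details):
        alert_id = details["alert_id"]
        if alert_id in self.incidents:
            self.incidents[alert_id].update(details)
            return self.incidents[alert_id]["incident_id"], False
        incident_id = f"INC-{self._next:04d}"
        self._next += 1
        self.incidents[alert_id] = {"incident_id": incident_id, **details}
        return incident_id, True


def build_close_update(incident_id):
    """Step 3: partial-document body for the Elasticsearch _update API marking the alert Closed."""
    return {"doc": {"alert_status": "Closed", "cftr_incident_id": incident_id,
                    "closed_at": datetime.now(timezone.utc).isoformat()}}


def run_playbook(hits, store):
    """Run steps 2 and 3 over the hits returned by the step-1 search."""
    results = []
    for hit in hits:
        details = finding_to_incident(hit["_source"])
        incident_id, created = store.create_or_update(details)
        results.append({"doc_id": hit["_id"], "incident_id": incident_id,
                        "created": created, "update_body": build_close_update(incident_id)})
    return results


if __name__ == "__main__":
    print(json.dumps(build_search_body("2024-01-01T00:00:00Z"), indent=2))
    for r in run_playbook(SAMPLE_HITS, IncidentStore()):
        print(r["doc_id"], "->", r["incident_id"], "(created)" if r["created"] else "(updated)")
```

Keying the incident store on the finding id is what makes the playbook idempotent: if the search window overlaps a previous run, or a finding is re-emitted with a new severity, the analyst still sees one incident with the latest details instead of duplicates.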

Benefits

Improved Security Teams Visibility

Security teams gain insight into compromised credentials, unusual data access in Amazon S3, and API calls from known malicious IP addresses, and the solution makes the alert context available to analysts for investigation and action.

Respond Quickly and Accurately

The solution automatically collates all the relevant information in one place for easier and faster access and helps users prioritize incidents, thereby assisting security teams in assessing and responding faster to similar incidents.

Automate Manual Tasks

By automating manual tasks, security teams can allow their analysts to focus on high-value investigations.