Amazon GuardDuty Threat List Integration


Amazon GuardDuty gives users threat detection without the heavy lifting of deploying and maintaining additional security software or infrastructure. Seclytics uses GuardDuty internally alongside our own VPC Flow Log processing and has found it very useful, especially since it has visibility into DNS queries, which are not accessible via existing AWS APIs.

Our integration with GuardDuty takes a two-step approach. First, we improve detections by adding our Predicted IPs as a threat list. Second, we enrich GuardDuty findings with our aggregate threat intelligence to provide global and local context around each incident. We will cover the second step in a later post.

GuardDuty allows you to add your own threat intelligence through threat lists. A threat list is simply a list of IPs that you have determined to be malicious; GuardDuty automatically generates findings whenever it sees traffic involving an IP on one of these lists.

To add our predictive intelligence as a threat list to your GuardDuty instance follow these steps:

  1. Firstly, authorize your AWS account from our dashboard.
  2. Then go to the "Lists" section of the GuardDuty console.
  3. Click 'Add a Threat List' and fill out the form as follows, then click 'Add List':
     Name: Seclytics Predictions
     Location: s3://seclytics-guard-duty/seclytics-predictions.txt
     Format: Plaintext
     (Screenshot: the GuardDuty 'Add a Threat List' form)
  4. Tick the checkbox next to the list entry and, after a few moments, you should see a message stating that the list has been added.
     (Screenshot: activating the threat list in GuardDuty)
  5. That's it! GuardDuty will now generate findings using Seclytics Predictive Intelligence.
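The same registration can be scripted for accounts that manage GuardDuty through the API rather than the console. The following is an added example written for this post, not Seclytics' or AWS's own code: it validates a plaintext list (one IP address or CIDR block per line) before upload and then issues the CreateThreatIntelSet call that corresponds to the form above. The `RecordingClient` is an offline stand-in for `boto3.client("guardduty")` so the snippet runs without AWS credentials; the sample list contents and the placeholder detector and set ids are constructed.

```python
import ipaddress
from typing import List

# Constructed sample in GuardDuty's plaintext format: one IP address or CIDR
# block per line. This is NOT the content of the Seclytics list.
SAMPLE_LIST = """203.0.113.7
198.51.100.0/24
2001:db8::17
"""


def parse_threat_list(text: str) -> List[str]:
    """Validate a plaintext threat list before it is uploaded to S3.

    GuardDuty expects one IPv4/IPv6 address or CIDR block per line. Blank
    lines are skipped; anything else raises ValueError with the offending
    line number so the file can be fixed before GuardDuty rejects it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(
                f"line {lineno}: {line!r} is not an IP address or CIDR block"
            ) from exc
        entries.append(line)
    return entries


class RecordingClient:
    """Offline stand-in for boto3.client("guardduty") that records the calls
    it receives. Swap in a real boto3 client to apply the change for real."""

    def __init__(self):
        self.calls = []

    def list_detectors(self):
        # Placeholder id; a real client returns the region's detector id(s).
        return {"DetectorIds": ["detector-id-placeholder"]}

    def create_threat_intel_set(self, **kwargs):
        self.calls.append(kwargs)
        return {"ThreatIntelSetId": "threat-intel-set-id-placeholder"}


def register_threat_list(client, name: str, location: str, activate: bool = True) -> str:
    """API equivalent of the console's 'Add a Threat List' form.

    Looks up the detector in the client's region and calls
    CreateThreatIntelSet with Format="TXT", the API name for the console's
    'Plaintext' option. Activate=True matches ticking the checkbox in the
    console. Returns the new ThreatIntelSetId.
    """
    detector_ids = client.list_detectors()["DetectorIds"]
    if len(detector_ids) != 1:
        raise RuntimeError(
            f"expected exactly one GuardDuty detector, found {len(detector_ids)}"
        )
    response = client.create_threat_intel_set(
        DetectorId=detector_ids[0],
        Name=name,
        Format="TXT",
        Location=location,
        Activate=activate,
    )
    return response["ThreatIntelSetId"]


if __name__ == "__main__":
    print(parse_threat_list(SAMPLE_LIST))
    client = RecordingClient()  # replace with boto3.client("guardduty")
    set_id = register_threat_list(
        client,
        name="Seclytics Predictions",
        location="s3://seclytics-guard-duty/seclytics-predictions.txt",
    )
    print(set_id, client.calls[0])
```

The validator deliberately rejects anything that is not an address or CIDR block rather than silently dropping it, since a malformed line means the whole list fails to load and no findings are produced from it.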

When GuardDuty creates a finding from this intelligence it will show up in your findings as 'UnauthorizedAccess:EC2/MaliciousIPCaller.Custom'.
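That finding type is the hook for automation: anything consuming GuardDuty findings can pick out the ones raised by a custom list and pull the remote IP and list name from them. The following is an added example for this post, not Seclytics' or AWS's code. It runs a small triage routine over constructed findings; the key names follow the camelCase layout GuardDuty uses when it delivers findings as EventBridge events (the event's "detail" object), which is an assumption about the delivery path, and the severity bands are GuardDuty's published ones. The instance id, IP and severity values are made up.

```python
import json
from typing import Dict, List, Optional

# Finding type GuardDuty assigns when the remote IP is on a customer threat list.
CUSTOM_LIST_FINDING_TYPE = "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"

# Constructed sample findings, abridged to the fields used below. Key names
# follow the camelCase layout of GuardDuty findings delivered via EventBridge;
# all values are made up.
SAMPLE_FINDINGS = json.loads("""[
  {
    "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
    "severity": 5,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0000000000example"}},
    "service": {
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {"ipAddressV4": "203.0.113.45"},
          "remotePortDetails": {"port": 443}
        }
      },
      "additionalInfo": {"threatListName": "Seclytics Predictions"}
    }
  },
  {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "severity": 2,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0000000000example"}},
    "service": {
      "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": false}},
      "additionalInfo": {}
    }
  }
]""")


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity onto its published bands."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def is_custom_threat_list_finding(finding: Dict) -> bool:
    """True when the finding was raised by a customer-supplied threat list."""
    return finding.get("type") == CUSTOM_LIST_FINDING_TYPE


def remote_ip(finding: Dict) -> Optional[str]:
    """Remote IPv4 address for network-connection findings, else None."""
    action = finding["service"]["action"]
    if action.get("actionType") == "NETWORK_CONNECTION":
        return action["networkConnectionAction"]["remoteIpDetails"].get("ipAddressV4")
    return None


def summarize(finding: Dict) -> Dict:
    """Flatten the fields an analyst needs first: who, where, which list."""
    action = finding["service"]["action"]
    conn = action.get("networkConnectionAction", {})
    return {
        "type": finding["type"],
        "severity": severity_label(finding["severity"]),
        "instance_id": finding["resource"]["instanceDetails"]["instanceId"],
        "direction": conn.get("connectionDirection"),
        "remote_ip": remote_ip(finding),
        "threat_list": finding["service"].get("additionalInfo", {}).get("threatListName"),
    }


def triage(findings: List[Dict]) -> List[Dict]:
    """Return a summary for each finding that came from a custom threat list."""
    return [summarize(f) for f in findings if is_custom_threat_list_finding(f)]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

Keying on the finding type rather than on the list name keeps the filter stable if the list is renamed, while `threat_list` in the summary still tells the analyst which list matched.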

(Screenshot: GuardDuty findings generated from the Seclytics threat list)

Now that we have shown how GuardDuty threat lists improve detections, our next post will describe how we use our aggregate threat intelligence to add context to each finding.