Amazon GuardDuty Threat List Integration
Amazon GuardDuty gives users threat detection without the heavy lifting of additional security software or infrastructure to deploy and maintain. Seclytics uses GuardDuty internally along with our own VPC Flow Log processing and have found GuardDuty to be very useful especially since it has visibility around DNS queries, which is not accessible via existing AWS APIs.
In our integration with GuardDuty we take a two step approach. Firstly, we improve detections by adding our Predicted IPs as a threat list. Secondly, we enhance GuardDuty findings with our aggregate threat intelligence to provide global and local context around each incident. We will talk about that in a later post.
GuardDuty allows adding your own threat intelligence through threat lists. Which is simply a list of IPs that you determine to be malicious and GuardDuty will automatically generate findings based on these lists.
To add our predictive intelligence as a threat list to your GuardDuty instance follow these steps:
- Firstly, you need to authorize your AWS account from our dashboard.
- Then, go to the "Lists" section on the GuardDuty console.
- Click 'Add a Threat List' and fill out the form as follows, once finished click 'Add List'Name:Seclytics PredictionsLocation:s3://seclytics-guard-duty/seclytics-predictions.txtFormat:Plaintext
4. Click the checkbox next to the list info and after a few moments, you should get a message stating that the list has been added.
5. That's it! GuardDuty now will generate findings using Seclytics Predictive Intelligence.
When GuardDuty creates a finding from this intelligence it will show up in your findings as 'UnauthorizedAccess:EC2/MaliciousIPCaller.Custom'.
Now that we demonstrated how we can improve detections with GuardDuty lists in our next post we will describe how we use our aggregate threat intelligence to give more context to each finding.
Find Out How We Help Secure Your Perimeter
Augur, the industry’s only PDR platform, raises the bar by predicting attacks, attributing attacks, and adjusting your security posture to block threats before they get to your network. But you don’t have to take our word for it.
Take the Augur Challenge:
Step 1: We’ll collect, aggregate, and correlate your logs
Step 2: Within 72 hours, we will send you:
- A list of compromised hosts in your network
- A list of threat actors targeting your organization
- A checklist of IP ranges associated with these threat actors for you to block
Step 3: After 30 days, we’ll send you a full breakdown of how our predictions stacked up
Seeing is believing. After taking our challenge, we’re convinced that you’ll want to put the power of Augur’s predictive threat intelligence to work full time.