Closed 0xdabbad00 closed 6 years ago
We'll ship this in Q1 :)
I'll take this on. I'll submit a PR within two weeks.
Great, thanks @0xdabbad00!
Sorry for the delays. Finally started looking at this. GuardDuty sends events to CloudWatch Events and they are in the same format as the existing events (https://github.com/airbnb/streamalert/blob/0bb9ae2b75f0ce9791180eb15b73fd20bf4157e3/conf/logs.json#L1096). Because StreamAlert already watches CloudWatch Events by default and the schema already matches, there isn't much to do other than create rules. I'll have a PR for a sample rule shortly. This will just be:
@rule(logs=['cloudwatch:events'], matchers=[], outputs=['slack:sample-channel'])
def guardduty(rec):
    # GuardDuty writes findings to CloudWatch Events; the envelope's
    # 'detail-type' is what distinguishes them from other events.
    if rec['detail-type'] == 'GuardDuty Finding':
        return True
    return False
We could turn on GuardDuty, similar to how we turn on CloudTrail. GuardDuty is a little more expensive ($4/mo + potentially some extra fees) and it would require adding some privileges to StreamAlert. That work should fall under a separate ticket if people are interested. From the UI, "integrating" GuardDuty with StreamAlert is just turning GuardDuty on, because it flows directly into StreamAlert's existing data flows.
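Building on the sample rule above, the following is an added example (not code from the issue or from StreamAlert) of a severity-aware matcher that a `cloudwatch:events` rule body could call. It assumes the standard CloudWatch Events envelope (`detail-type`, `source`, `detail`) and takes the low/medium/high severity boundaries from GuardDuty's documented bands; the sample records are constructed with placeholder values.

```python
"""Severity-aware GuardDuty matcher for StreamAlert 'cloudwatch:events' records.

Added example, not from the issue thread or StreamAlert. Assumes the
CloudWatch Events envelope ('detail-type', 'source', 'detail') and GuardDuty's
documented severity bands; the boundaries below are an assumption.
"""

GUARDDUTY_DETAIL_TYPE = 'GuardDuty Finding'
GUARDDUTY_SOURCE = 'aws.guardduty'
# Assumed band boundaries (upper bounds, exclusive): low < 4.0, medium < 7.0.
SEVERITY_BANDS = (('low', 4.0), ('medium', 7.0), ('high', float('inf')))


def is_guardduty_finding(rec):
    """True when the record is a GuardDuty finding.

    Checks source as well as detail-type so that another service reusing the
    detail-type string is not matched by accident.
    """
    return (rec.get('detail-type') == GUARDDUTY_DETAIL_TYPE
            and rec.get('source') == GUARDDUTY_SOURCE)


def severity_band(rec):
    """Map the finding's numeric severity to 'low', 'medium' or 'high'.

    Returns None for non-GuardDuty records or findings without a usable
    severity, so a rule falls through to 'no match' instead of raising.
    """
    if not is_guardduty_finding(rec):
        return None
    try:
        score = float(rec['detail']['severity'])
    except (KeyError, TypeError, ValueError):
        return None
    for name, upper in SEVERITY_BANDS:
        if score < upper:
            return name
    return None


def guardduty_high_severity(rec):
    """Rule body: alert only on high-severity GuardDuty findings."""
    return severity_band(rec) == 'high'


# Constructed sample records with placeholder values, not real findings.
SAMPLE_HIGH = {'detail-type': 'GuardDuty Finding', 'source': 'aws.guardduty',
               'account': '111111111111', 'region': 'us-east-1',
               'detail': {'severity': 8.0, 'type': 'PLACEHOLDER:Type/High'}}
SAMPLE_LOW = {'detail-type': 'GuardDuty Finding', 'source': 'aws.guardduty',
              'detail': {'severity': 2.0, 'type': 'PLACEHOLDER:Type/Low'}}
SAMPLE_OTHER = {'detail-type': 'AWS API Call via CloudTrail',
                'source': 'aws.s3', 'detail': {}}
```

Inside a StreamAlert rule, `return guardduty_high_severity(rec)` replaces the bare detail-type check so that low-severity findings do not page the channel.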
Amazon just announced a new security service named GuardDuty this week. https://aws.amazon.com/guardduty/
It has some useful rules that would be difficult to implement in StreamAlert, such as detecting logins from new ASNs, which requires correlation with past events. When GuardDuty detects something, it writes to CloudWatch Events. My request is:
From the User Guide (p 44, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-ug.pdf), the format of the CloudWatch events is: