matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0
1.42k stars 98 forks

Feature Request: GuardDuty managed log source #191

Open britton-from-notion opened 3 weeks ago

britton-from-notion commented 3 weeks ago

TL;DR

Managed AWS GuardDuty log source support

Feature Request

Hey there! Love the project, thanks for all your work on it.

The Matano documentation lists a few Supported managed AWS log sources, however it doesn't appear that GuardDuty is currently supported. Totally understandable considering GuardDuty isn't the most consistent data structure in the world. However, I think Matano has a real opportunity to make a difference in the detection engineering experience for malicious AWS activity by implementing support for GuardDuty findings as a managed AWS log source, offering the same transformation into Elastic Common Schema and real-time detection benefits Matano offers for its other managed sources.

As a user, this is roughly the experience that I'd hope to have with this managed log source.

1. Create a log source in the matano directory with the following contents

        # matano/log_sources/aws_guardduty/log_source.yml
        name: "aws_guardduty"
        managed:
          type: "AWS_GUARDDUTY"

2. Execute `matano deploy` and matano sets up the GuardDuty [Findings Export](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html) infrastructure as well as required tables as seen in the other managed log sources
3. Navigate to Athena and have the ability to query GuardDuty events that are transformed into Elastic Common Schema as well as the ability to develop real-time detections on these GuardDuty events (same as the other managed sources).

See [here for reference of what a GuardDuty event would look like transformed into ECS](https://www.elastic.co/docs/current/integrations/aws/guardduty#logs).
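As an added illustration of what step 3 asks for (this is example code written for this page, not Matano's own transformation and not the issue author's), the block below maps one GuardDuty finding into an ECS-style nested record and runs a toy real-time detection over the result. The input field names (`accountId`, `region`, `type`, `severity`, `resource.accessKeyDetails`, `service.action.awsApiCallAction.remoteIpDetails`, and so on) follow GuardDuty's documented finding format; the ECS field choices (`event.kind`, `event.severity`, `rule.name`, `cloud.*`, `source.*`, `user.*`) and the `aws.guardduty.*` extension fields are my assumptions guided by ECS conventions rather than the exact mapping of the Elastic integration linked above. The sample finding and the batch string are constructed, and `detect_remote_iam_abuse` is a hypothetical rule.

```python
"""Illustrative GuardDuty finding -> ECS-style record transformation (added example, not Matano's code)."""
import json

# Constructed sample finding: shape follows GuardDuty's finding format, every value is invented.
SAMPLE_FINDING = {
    "accountId": "123456789012",
    "region": "us-east-1",
    "id": "9ab1234567890abcdef1234567890abcd",
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "severity": 5,
    "createdAt": "2024-01-10T12:00:00.000Z",
    "updatedAt": "2024-01-10T12:05:00.000Z",
    "title": "API ListBuckets was invoked from an IP address on a custom threat list.",
    "description": "Constructed description text.",
    "resource": {
        "resourceType": "AccessKey",
        "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "principalId": "AIDAEXAMPLEPRINCIPAL",
                             "userType": "IAMUser", "userName": "alice"},
    },
    "service": {
        "serviceName": "guardduty",
        "count": 3,
        "action": {
            "actionType": "AWS_API_CALL",
            "awsApiCallAction": {
                "api": "ListBuckets", "serviceName": "s3.amazonaws.com", "callerType": "Remote IP",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23",
                                    "country": {"countryName": "Nowhere"},
                                    "organization": {"asn": "64496", "asnOrg": "EXAMPLE-AS"}},
            },
        },
    },
}
# Constructed newline-delimited batch, the way a file of exported findings might be fed in (assumption).
SAMPLE_BATCH = json.dumps(SAMPLE_FINDING) + "\n\n"


def severity_label(score: float) -> str:
    # GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def remote_ip_details(finding: dict) -> dict:
    """remoteIpDetails sits under a per-actionType sub-object; check the common ones."""
    action = finding.get("service", {}).get("action", {})
    for key in ("awsApiCallAction", "networkConnectionAction"):
        sub = action.get(key) or {}
        if "remoteIpDetails" in sub:
            return sub["remoteIpDetails"]
    return {}


def to_ecs(finding: dict) -> dict:
    """Map one GuardDuty finding to an ECS-style nested record (field choices are assumptions)."""
    sev = float(finding["severity"])
    ecs = {
        "@timestamp": finding["updatedAt"],
        "event": {"kind": "alert", "category": ["intrusion_detection"], "type": ["info"],
                  "id": finding["id"], "created": finding["createdAt"],
                  "severity": int(round(sev)),  # ECS event.severity is an integer
                  "provider": "guardduty", "module": "aws", "dataset": "aws.guardduty",
                  "original": json.dumps(finding, separators=(",", ":"))},  # keep the raw finding
        "message": finding.get("title"),
        "rule": {"name": finding["type"], "description": finding.get("description")},
        "cloud": {"provider": "aws", "account": {"id": finding["accountId"]}, "region": finding["region"]},
        "aws": {"guardduty": {"severity_label": severity_label(sev),
                              "resource_type": finding.get("resource", {}).get("resourceType"),
                              "count": finding.get("service", {}).get("count")}},
    }
    key_details = finding.get("resource", {}).get("accessKeyDetails")
    if key_details:  # only AccessKey-type resources carry an IAM identity
        ecs["user"] = {"name": key_details.get("userName"), "id": key_details.get("principalId")}
    rip = remote_ip_details(finding)
    if rip.get("ipAddressV4"):
        src = {"ip": rip["ipAddressV4"]}
        org = rip.get("organization", {})
        if org.get("asn"):
            src["as"] = {"number": int(org["asn"]), "organization": {"name": org.get("asnOrg")}}
        if rip.get("country", {}).get("countryName"):
            src["geo"] = {"country_name": rip["country"]["countryName"]}
        ecs["source"] = src
    return ecs


def ecs_records(jsonl: str) -> list:
    """Transform a newline-delimited batch of findings; blank lines are skipped."""
    return [to_ecs(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


def detect_remote_iam_abuse(record: dict) -> bool:
    """Hypothetical real-time rule over the ECS record: any High finding, or an
    UnauthorizedAccess:IAMUser finding that carries a remote source IP."""
    if record["event"]["severity"] >= 7:
        return True
    return record["rule"]["name"].startswith("UnauthorizedAccess:IAMUser") and "source" in record


if __name__ == "__main__":
    rec = to_ecs(SAMPLE_FINDING)
    print(json.dumps(rec, indent=2))
    print("alert:", detect_remote_iam_abuse(rec))
```

Keeping the raw finding in `event.original` is deliberate: GuardDuty adds new `actionType` sub-objects over time, so a lossy mapping would silently drop whatever the transform does not yet know about, while the original JSON stays queryable in Athena.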