InsightIDR

AWS GuardDuty

Rapid7 allows you to integrate InsightIDR with AWS GuardDuty in order to receive third party alerts.

Before You Begin

GuardDuty produces data in the form of CloudWatch events, which must be sent to InsightIDR via an SQS Queue. Learn more about CloudWatch events in the AWS Documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html

To integrate GuardDuty with InsightIDR, complete the following:

  1. Turn on GuardDuty.
  2. Create a new SQS queue. GuardDuty findings will be sent to this queue; InsightIDR polls it periodically, reads the messages, and removes them once they are processed. Make sure this queue is dedicated for use by InsightIDR.
    • If your SQS queue is encrypted, prepare your decryption key for use in later steps.
  3. Based on the example below, create a new IAM Policy for Rapid7 to use in order to make HTTP requests to an SQS queue:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage"
            ],
            "Resource": [
                "arn:aws:sqs:*:YourAccountId:GuardDutySqsQueueNameGoesHere"
            ]
        }
    ]
}
  4. Create a new IAM User with only the IAM policy created in step 3 attached. This user should have permission to make receiveMessage and deleteMessage calls on the SQS queue above.
  5. If you encrypted your SQS queue, go to IAM > Encryption Keys and select the decryption key that the SQS queue uses. Under IAM > Key Users, add the user you created in step 4.

Because this IAM User will have access to your data, it is recommended to limit access.
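The policy above is already scoped to the two SQS calls the collector makes, but it is easy to leave the YourAccountId placeholder in place or to widen it to sqs:* or Resource "*" while troubleshooting. The following check is an added example written for this page, not Rapid7 or AWS code; it assumes the policy is available as parsed JSON (for instance from `aws iam get-policy-version` or a Terraform plan) and reports anything broader than the two named actions on one concrete queue ARN. The account id and queue name in the embedded copy are constructed.

```python
import json
import re

# Constructed copy of the IAM policy shown above, with the two placeholders
# replaced by an obviously fake account id and queue name.
EXAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": ["arn:aws:sqs:*:123456789012:guardduty-insightidr-queue"]
        }
    ]
}
""")

# The only two actions the InsightIDR collector needs on the queue.
NEEDED_ACTIONS = {"sqs:ReceiveMessage", "sqs:DeleteMessage"}

# A concrete SQS queue ARN: a region (the page's example uses "*"), a 12-digit
# account id and a single queue name. A placeholder such as YourAccountId or a
# wildcard queue name does not match.
SQS_QUEUE_ARN = re.compile(
    r"^arn:aws:sqs:(?P<region>\*|[a-z0-9-]+):(?P<account>\d{12}):(?P<queue>[A-Za-z0-9_-]{1,80})$"
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of problems; an empty list means the policy grants only
    the two SQS calls on one named queue, which is all the integration needs."""
    problems = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("policy has no Statement")
    for idx, stmt in enumerate(statements):
        where = f"statement {idx}"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not a concern here
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"{where}: NotAction/NotResource grants everything except the listed items")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                problems.append(f"{where}: wildcard action {action}")
            elif action not in NEEDED_ACTIONS:
                problems.append(f"{where}: unneeded action {action}")
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            problems.append(f"{where}: no Resource (defaults to everything)")
        for resource in resources:
            if resource == "*":
                problems.append(f"{where}: Resource * grants access to every queue in the account")
            elif not SQS_QUEUE_ARN.match(resource):
                problems.append(f"{where}: not a concrete SQS queue ARN (placeholder left in?): {resource}")
    return problems


if __name__ == "__main__":
    print(check_policy(EXAMPLE_POLICY) or "policy is scoped to the two needed calls on one queue")
```

Run it against the policy you actually attached to the IAM user; a non-empty result means the user can do more than read and delete messages on the GuardDuty queue.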

  6. When making the User, copy the secret key to a secure place for later use when configuring GuardDuty in InsightIDR.
  7. In AWS CloudWatch, create a new rule with event pattern:
{
  "source": [
    "aws.guardduty"
  ]
}
[Screenshot: Create rule]

[Screenshot: Configure rule with event pattern]

  8. Add the SQS queue created in step 2 to the targets for the CloudWatch rule created in step 7.
[Screenshot: Add a target]

  9. If the SQS queue is encrypted, you must add a statement to the key policy so that CloudWatch Events can use the key. To do so, go to your AWS console and navigate to Key Management Service > your SQS encryption key > Edit Policy.
  10. Add the following statement to the key policy:
{
  "Sid": "Allow CWE to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}

After you have finished configuration, when GuardDuty produces an alert, the alert will go to the SQS queue through CloudWatch.

  11. To verify this, go to GuardDuty > Settings > General > Generate Sample Findings.

For troubleshooting information, see the AWS CloudWatch information here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_Troubleshooting.html#SQSEncrypted.

At this point, you should now see several messages available on the queue.

Before Configuring This Event Source

Rapid7 highly recommends manually deleting these sample messages off of the queue, because they will generate false alarms in the InsightIDR platform.
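Deleting the sample findings by hand in the SQS console works, but a small script is less error-prone when the queue holds real findings alongside the samples. The example below is added for this page and is not Rapid7 or AWS code. It assumes the queue messages are the CloudWatch events produced by the rule above, that sample findings carry `detail.service.additionalInfo.sample: true` (check this against one of your own sample messages before relying on it), and that a boto3 SQS client is passed in for a real queue; the `FakeSqsClient` and the three message bodies are constructed so the code runs offline.

```python
import json

# Constructed SQS message bodies: each is a CloudWatch event wrapping a GuardDuty
# finding, trimmed to the fields this example reads. The first is a sample finding,
# the second is a real finding that must stay on the queue for InsightIDR, and the
# third is junk that should be left alone rather than silently deleted.
CONSTRUCTED_MESSAGES = [
    {"MessageId": "m-1", "ReceiptHandle": "rh-1", "Body": json.dumps({
        "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                   "service": {"additionalInfo": {"sample": True}}}})},
    {"MessageId": "m-2", "ReceiptHandle": "rh-2", "Body": json.dumps({
        "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5,
                   "service": {"additionalInfo": {}}}})},
    {"MessageId": "m-3", "ReceiptHandle": "rh-3", "Body": "not json"},
]


def parse_event(body):
    """Parse an SQS message body as a GuardDuty CloudWatch event; None if it is not one."""
    try:
        event = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict) or event.get("source") != "aws.guardduty":
        return None
    return event


def is_sample_finding(event):
    """Assumption: GuardDuty marks generated sample findings with additionalInfo.sample = true."""
    info = event.get("detail", {}).get("service", {}).get("additionalInfo", {})
    return info.get("sample") is True


class FakeSqsClient:
    """Offline stand-in for boto3.client("sqs"): same method names, arguments and return shapes."""

    def __init__(self, messages):
        self._pending = list(messages)
        self.deleted = []

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0, **_):
        batch = self._pending[:MaxNumberOfMessages]
        self._pending = self._pending[MaxNumberOfMessages:]
        return {"Messages": batch} if batch else {}  # boto3 omits "Messages" when empty

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.deleted.append(ReceiptHandle)
        return {}


def drain_sample_findings(sqs, queue_url, max_batches=20):
    """Delete GuardDuty sample findings from the queue and leave everything else.
    Returns (deleted, kept). Messages that are received but not deleted become
    visible again after the queue's visibility timeout, so real findings are not lost."""
    deleted = kept = 0
    for _ in range(max_batches):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=2)
        messages = resp.get("Messages", [])
        if not messages:
            break
        for msg in messages:
            event = parse_event(msg.get("Body", ""))
            if event is not None and is_sample_finding(event):
                sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
                deleted += 1
            else:
                kept += 1
    return deleted, kept


def run_demo():
    """Offline run over the constructed messages; returns the counts and what was deleted."""
    client = FakeSqsClient(CONSTRUCTED_MESSAGES)
    counts = drain_sample_findings(client, "https://sqs.example.invalid/guardduty-insightidr-queue")
    return counts, client.deleted


if __name__ == "__main__":
    # For a real queue: drain_sample_findings(boto3.client("sqs"), "<your queue URL>")
    print(run_demo())
```

Run it with the same IAM user credentials the collector will use, before the event source is configured in InsightIDR, so that the two never compete for the same messages.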

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.

  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.

  3. From the “Third Party Alerts” section, click the AWS Guard Duty icon. The “Add Event Source” panel appears.

  4. Choose your collector and event source. You can also name your event source if you want.

  5. Select your credentials, or create a new credential. The credential you enter will be the access key and secret key that corresponds to an AWS IAM User that has permissions to make receiveMessage and deleteMessage calls from the above SQS queue.
    • Access Key: the username you created with IAM permissions
    • Secret Key: the password you created that corresponds with the username with IAM permissions
    • URL: the URL of the SQS queue. This is visible when you select the queue in the AWS console. This will look similar to https://sqs.us-east-1.amazonaws.com/your-queue-name

  6. You can instead choose to use EC2 IAM Roles.

  7. Select Save.
