This article leads you through the process of integrating Amazon GuardDuty with Red Canary. Follow the procedure from beginning to end.

Prerequisites

Before you connect AWS GuardDuty to Red Canary, make sure that both AWS and GuardDuty are deployed in your security environment.

Step 1: AWS–Identity and Access Management (IAM)

Use your AWS Identity and Access Management (IAM) dashboard to create a new AWS user profile and security policy. This will grant Red Canary API access to pull GuardDuty alerts. 

Create a security policy

1. From your AWS IAM dashboard, click Policies, and then click Create Policy.
2. Click Service, and then click GuardDuty.
3. From the Access level dropdown, select ListDetectors and ListFindings.
4. From the Read dropdown, select GetFindings.
   
5. Click Next: Tags to add any additional tags you want associated with this security policy. 
6. Name your policy, and then click Create.

Create a user account

1. From your AWS IAM dashboard, click Users, and then click Add User.
2. Enter a name for the user account.
3. In the Select AWS access type section, select Access key - Programmatic access.
   
   
4. Click Next: Permissions.
5. From the Set permissions dropdown, click Attach existing policies directly.
6. Click the Filter policies dropdown, and then select Customer Managed.
7. Find and select the newly created security policy.
   
   
8. Optionally, click Next: Tags to add any additional tags you want associated with this user name. 
9. Click Next: Review to review your new user account.
10. Click Create user.
11.  Once the user is created, download and record your AWS Access Key ID and AWS Secret Access Key ID (.csv). 
12. With your access keys downloaded, log in to Red Canary.

Step 2: Red Canary–Connect your AWS access keys

Connect your AWS access keys to Red Canary in order to start receiving GuardDuty alerts.

1. From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
2. In the search bar, type and select GuardDuty.
   
   
3. To configure your new alert source, scroll down and click Amazon GuardDuty.
4. Click Edit Configuration.
5. Enter a name for your external alert source.  
6. Select a display category.
7. From the Ingest Format/Method dropdown, select Aws Guard Duty via API Poll. 
8. Enter the AWS Access Key ID, and then enter the AWS Secret Access Key ID.
9. Enter the AWS Region.
   
   
10. Click Save Configuration.
11. Click Edit Configuration, and then click Activate.

Confirm that the integration was successful

To confirm that your AWS GuardDuty integration was successful, generate a sample finding to create an AWS GuardDuty alert, which will then notify Red Canary.  

1. From your AWS IAM dashboard, click Settings, and then click Generate sample findings. 
   
   
2. After the sample findings are generated, log in to Red Canary.
3. From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources. After a few minutes, you will see the activity you just reported from the sample findings at the top of the Recent Alerts list.