This article leads you through the process of integrating Amazon GuardDuty with Red Canary. Follow the procedure from beginning to end.
Estimated Procedure Time: 10 Minutes
- Create a security policy for AWS
- Create a user profile for AWS
- Connect your AWS access keys to Red Canary
- Confirm that the integration was successful
Before you connect AWS GuardDuty to Red Canary, make sure that both AWS and GuardDuty are deployed in your security environment.
Step 1: AWS–Identity and Access Management (IAM)
Use your AWS Identity and Access Management (IAM) dashboard to create a new AWS user profile and security policy. This will grant Red Canary API access to pull GuardDuty alerts.
Create a security policy
- From your AWS IAM dashboard, click Policies, and then click Create Policy.
- Click Service, and then click GuardDuty.
- From the Access level dropdown, select ListDetectors and ListFindings.
- From the Read dropdown, select GetFindings.
- Click Next: Tags to add any additional tags you want associated with this security policy.
- Name your policy, and then click Create.
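The console wizard above produces a JSON policy document granting exactly three GuardDuty actions. The following is an added example (not code from Red Canary or AWS): it builds that document and lints an arbitrary policy for anything beyond those three actions, which is the check to run before handing the access keys to a third party. The `Sid` value and the sample "broad" policies are constructed for illustration.

```python
"""Build and lint the least-privilege IAM policy for the GuardDuty pull."""
import fnmatch
import json

# The three GuardDuty actions the procedure grants. Anything else is excess
# for a read-only alert pull.
REQUIRED_ACTIONS = frozenset({
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetFindings",
})


def minimal_policy() -> dict:
    """Return the policy document equivalent to the wizard selections above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RedCanaryGuardDutyReadOnly",  # label chosen for this example
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            # GuardDuty list/get calls are detector-scoped; the wizard emits "*".
            "Resource": "*",
        }],
    }


def policy_json() -> str:
    """Serialised form, suitable for pasting into the JSON tab of the console."""
    return json.dumps(minimal_policy(), indent=2)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action patterns: '*' matches any run, '?' one char, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def excess_permissions(policy: dict) -> dict:
    """Report what an IAM policy allows beyond the three required actions.

    missing   - required actions no Allow statement covers
    wildcards - Allow action patterns containing '*' or '?' (admit unknown actions)
    extra     - literal Allow actions outside the required set
    not_action - number of Allow statements using NotAction (inverted grants;
                 always wider than intended for this use case)
    """
    allowed, not_action = [], 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            not_action += 1
            continue
        allowed.extend(_as_list(stmt.get("Action")))
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_matches(p, a) for p in allowed))
    wildcards = sorted({p for p in allowed if "*" in p or "?" in p})
    extra = sorted({p for p in allowed
                    if p.lower() not in required_lower and p not in wildcards})
    return {"missing": missing, "wildcards": wildcards,
            "extra": extra, "not_action": not_action}


if __name__ == "__main__":
    print(policy_json())
    print(excess_permissions(minimal_policy()))
```

Run `excess_permissions` against the policy actually attached to the Red Canary user; an empty report means the keys you are about to export can read findings and nothing else.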
Create a user account
- From your AWS IAM dashboard, click Users, and then click Add User.
- Enter a name for the user account.
- In the Select AWS access type section, select Access key - Programmatic access.
- Click Next: Permissions.
- From the Set permissions dropdown, click Attach existing policies directly.
- Click the Filter policies dropdown, and then select Customer Managed.
- Find and select the newly created security policy.
- Optionally, click Next: Tags to add any additional tags you want associated with this user name.
- Click Next: Review to review your new user account.
- Click Create user.
- Once the user is created, download the credentials file (.csv) and record your AWS Access Key ID and AWS Secret Access Key ID.
- With your access keys downloaded, log in to Red Canary.
Step 2: Red Canary–Connect your AWS access keys
Connect your AWS access keys to Red Canary in order to start receiving GuardDuty alerts.
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- In the search bar, type and select GuardDuty.
- To configure your new alert source, scroll down and click Amazon GuardDuty.
- Click Edit Configuration.
- Enter a name for your external alert source.
- Select a display category.
- From the Ingest Format/Method dropdown, select Aws Guard Duty via API Poll.
- Enter the AWS Access Key ID, and then enter the AWS Secret Access Key ID.
- Enter the AWS Region.
- Click Save Configuration.
- Click Edit Configuration, and then click Activate.
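The "API Poll" ingest method works by calling ListDetectors, then ListFindings (paginated), then GetFindings in batches, which is why the policy in Step 1 needs exactly those three actions. The following added example (not Red Canary's or AWS's code) walks that flow against an in-memory stand-in for the boto3 GuardDuty client, so it runs offline; the detector IDs, finding IDs, finding contents and the `_updated_ms` field are constructed for the example, and the stand-in uses a numeric `NextToken` where the real service returns an opaque string. The 50-ID ceiling on GetFindings and the `updatedAt` criterion are the real API's.

```python
"""ListDetectors -> ListFindings -> GetFindings, as an API poll would run it."""

GET_FINDINGS_BATCH = 50  # GetFindings accepts at most 50 FindingIds per call


class FakeGuardDuty:
    """Constructed stand-in for boto3's guardduty client: same method names and
    response keys, backed by an inline dict {detector_id: {finding_id: finding}}."""

    def __init__(self, detectors: dict, page_size: int = 2):
        self._detectors = detectors
        self._page_size = page_size   # small pages to exercise NextToken handling
        self.calls = []               # (api, kwargs) log used for the permission audit

    def list_detectors(self, **kw):
        self.calls.append(("ListDetectors", kw))
        return {"DetectorIds": list(self._detectors)}

    def list_findings(self, DetectorId, FindingCriteria=None, NextToken="", MaxResults=50):
        self.calls.append(("ListFindings", {"DetectorId": DetectorId}))
        gte = ((FindingCriteria or {}).get("Criterion", {})
               .get("updatedAt", {}).get("GreaterThanOrEqual", 0))
        ids = sorted(fid for fid, f in self._detectors[DetectorId].items()
                     if f["_updated_ms"] >= gte)
        start = int(NextToken or 0)
        resp = {"FindingIds": ids[start:start + self._page_size]}
        if start + self._page_size < len(ids):
            resp["NextToken"] = str(start + self._page_size)  # opaque in the real API
        return resp

    def get_findings(self, DetectorId, FindingIds):
        self.calls.append(("GetFindings", {"DetectorId": DetectorId, "Count": len(FindingIds)}))
        if len(FindingIds) > GET_FINDINGS_BATCH:
            raise ValueError("GetFindings: more than 50 FindingIds in one call")
        store = self._detectors[DetectorId]
        return {"Findings": [store[fid] for fid in FindingIds]}


def poll_findings(client, since_ms: int) -> list:
    """Pull every finding updated at or after since_ms from all detectors in the
    region, using only the three actions the Step 1 policy allows."""
    criteria = {"Criterion": {"updatedAt": {"GreaterThanOrEqual": since_ms}}}
    findings = []
    for detector in client.list_detectors()["DetectorIds"]:
        ids, token = [], None
        while True:  # walk ListFindings pages until no NextToken comes back
            kwargs = {"DetectorId": detector, "FindingCriteria": criteria}
            if token:
                kwargs["NextToken"] = token
            resp = client.list_findings(**kwargs)
            ids.extend(resp["FindingIds"])
            token = resp.get("NextToken")
            if not token:
                break
        for i in range(0, len(ids), GET_FINDINGS_BATCH):  # respect the 50-ID limit
            batch = client.get_findings(DetectorId=detector,
                                        FindingIds=ids[i:i + GET_FINDINGS_BATCH])
            findings.extend(batch["Findings"])
    return findings


def actions_used(client) -> set:
    """IAM action names the poll actually exercised, for comparison with the policy."""
    return {"guardduty:" + api for api, _ in client.calls}


def sample_client() -> FakeGuardDuty:
    """Constructed data: two detectors, six findings, two update timestamps.
    _updated_ms is a fake-only field; the real API returns UpdatedAt as a string."""
    def finding(fid, updated_ms, ftype):
        return {"Id": fid, "Type": ftype, "Severity": 5.0, "_updated_ms": updated_ms}
    det1 = {f"f-{n}": finding(f"f-{n}", 1000 if n <= 3 else 2000,
                              "Recon:EC2/PortProbeUnprotectedPort") for n in range(1, 6)}
    det2 = {"f-9": finding("f-9", 2000, "Recon:IAMUser/MaliciousIPCaller")}
    return FakeGuardDuty({"det-constructed-1": det1, "det-constructed-2": det2})


if __name__ == "__main__":
    client = sample_client()
    print(len(poll_findings(client, since_ms=0)), "findings")
    print(sorted(actions_used(client)))
```

Swapping `sample_client()` for `boto3.client("guardduty", region_name=...)` with the keys from Step 1 runs the same loop against the real service; if that call fails with an AccessDenied on any of the three actions, the policy from Step 1 is the place to look.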
Confirm that the integration was successful
To confirm that your AWS GuardDuty integration was successful, generate a sample finding to create an AWS GuardDuty alert, which will then notify Red Canary.
- From your AWS IAM dashboard, click Settings, and then click Generate sample findings.
- After the sample findings are generated, log in to Red Canary.
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources. After a few minutes, the alerts produced by the sample findings you just generated appear at the top of the Recent Alerts list.