AlienVault® USM Anywhere™

Amazon GuardDuty

When you configure Amazon GuardDuty to send log data to USM Anywhere, you can use the Amazon GuardDuty plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Amazon
Device Type: IDS
Connection Type: CloudWatch

Integrating Amazon GuardDuty

Before you configure the Amazon GuardDuty integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Amazon GuardDuty to send event logs to USM Anywhere

Until integration through the AlienVault AWS app is ready, you need to set up an AWS Lambda function to transform the records, a Kinesis Data Firehose delivery stream to store the logs in S3 (Amazon Simple Storage Service), and a CloudWatch rule that sends GuardDuty events to the Firehose stream.

  1. Open the Lambda console in AWS.
  2. Click Create Function.
  3. Select Author from scratch.
  4. In the Author from scratch section:
    • Specify a name for the new Lambda function. Make a note of the name as you will need to reference that name later on in the integration procedure.
    • Specify the Runtime version as Python 2.7.

      In the Role field, select the Create new role from template option; in the Policy template section, select Basic Edge Lambda Permissions as shown in the following sample display.

  5. Enter the following code for the function (using Edit Code Inline):

    from __future__ import print_function
    import base64

    def lambda_handler(event, context):
        output = []
        try:
            for record in event['records']:
                newrec = {}
                newrec['recordId'] = record['recordId']
                # Firehose delivers each record base64-encoded: decode it, prepend a
                # newline so findings are newline-delimited in S3, then re-encode it.
                newrec['data'] = base64.b64encode('\n' + str(base64.b64decode(record['data'])))
                newrec['result'] = 'Ok'
                output.append(newrec)
            return {'records': output}
        except Exception as e:
            print('Error processing event %s: %s' % (event, e))

    The following display shows the definition of the new lambda function:

  6. In Basic settings, set the timeout to 1 minute.

  7. Open the Kinesis Console in AWS and create a new Firehose delivery stream:

  8. Set the source as Direct PUT or other sources:

  9. Enable the transform of records with AWS Lambda and select the lambda function you created previously.

  10. Set the S3 destination. You can also create an S3 bucket in this step, if you haven't already created one.

  11. Disable compression and encryption, and select an IAM role to access specified resources. You can also create a new IAM role in this step.

  12. Click Next and complete the firehose delivery stream setup.
  13. Now open the CloudWatch console.
  14. Create a new CloudWatch rule with GuardDuty events as the source and the Firehose delivery stream you just created as the target.

Amazon GuardDuty should now use the firehose stream to direct logged events to the S3 location you specified.
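The following is an added example, not code from this page or from AlienVault: a Python 3 rendering of the same Firehose transformation that handles errors per record. A record whose data is not base64-wrapped JSON is returned as ProcessingFailed with its original data, so one bad record does not make the whole batch fail and be retried. The sample finding and Firehose event are constructed inline; the finding carries only a few of the fields a real GuardDuty event contains.

```python
import base64
import binascii
import json

# Constructed sample: a minimal GuardDuty finding as a CloudWatch Events rule
# would deliver it. Real findings carry many more fields under "detail".
SAMPLE_FINDING_BYTES = json.dumps({
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
}).encode("utf-8")

def encode_data(raw):
    """Base64-encode bytes the way Firehose presents record data."""
    return base64.b64encode(raw).decode("ascii")

def decode_data(text):
    """Strictly decode Firehose record data; raises binascii.Error on junk."""
    return base64.b64decode(text, validate=True)

# Constructed Firehose event: one good finding, one payload that is not JSON.
SAMPLE_EVENT = {"records": [
    {"recordId": "rec-1", "data": encode_data(SAMPLE_FINDING_BYTES)},
    {"recordId": "rec-2", "data": encode_data(b"this is not a finding")},
]}

def transform_record(record):
    """Transform one record; never raises, so a bad record only fails itself."""
    try:
        raw = decode_data(record["data"])
        json.loads(raw)  # findings must be JSON documents
        # Prepend a newline so consecutive findings in one S3 object stay
        # newline-delimited for the S3 collection job.
        return {"recordId": record["recordId"], "result": "Ok",
                "data": encode_data(b"\n" + raw)}
    except (KeyError, binascii.Error, ValueError):
        # Firehose expects the original data back for ProcessingFailed records.
        return {"recordId": record.get("recordId"), "result": "ProcessingFailed",
                "data": record.get("data")}

def lambda_handler(event, context):
    return {"records": [transform_record(r) for r in event["records"]]}
```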

Plugin Enablement

To enable the plugin, you need to set up an S3 collection job to collect the logs and point it to the S3 used as the firehose destination. For more information, see Creating a New AWS S3 Access Collection Job.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • asset_status
  • base_event_count
  • customfield_0
  • customheader_0
  • destination_address
  • destination_asn
  • destination_instance_id
  • destination_port
  • destination_service_name
  • destination_zone
  • device_direction
  • dns_rrname
  • event_action
  • event_description
  • event_name
  • event_severity
  • malware_family
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_version
  • source_address
  • source_asn
  • source_instance_id
  • source_port
  • source_userid
  • source_username
  • source_user_privileges
  • time_end
  • time_start
  • transport_protocol
  • user_resource

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.