Does anyone use AWS GuardDuty?

JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,447, Admin
I'm looking for opinions from first-hand experience with AWS GuardDuty.


Comments

  • scasc, Posts: 200, Member
    An excellent tool, used where I'm currently doing some consultancy work. Used to facilitate threat intel from your VPC flow logs, DNS logs and CloudWatch: anything you were particularly keen on finding out.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSNA, GSTRT, CEH, CHFI, TOGAF, CISMP
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,447, Admin
    Right now I'm interested in all the log sources that GD ingests. I assume it does CloudTrail logs as well? Does it also support logs from some non-AWS software?
  • scasc, Posts: 200, Member
    Sources at the moment are CloudTrail logs, DNS and flow logs (interface, subnet or instance). It does not at the moment, as far as I know, support other sources, though you could, through its API, send logs to a SIEM, for example, if you needed multiple log sources.
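Added example, not code from either participant in this thread: a Lambda-style handler that takes a GuardDuty finding as EventBridge delivers it (the finding sits under `detail`) and flattens it into the src/dst IP, port, protocol and domain fields a SIEM expects, which is the usual way findings are pushed on to a SIEM rather than GuardDuty ingesting the SIEM's other sources. Field names follow the GuardDuty finding schema and the severity bands use GuardDuty's documented Low (1.0–3.9), Medium (4.0–6.9) and High (7.0–8.9) ranges; the two sample findings (an SSH brute-force and a DNS-exfiltration finding, the same cases mentioned later in the thread) are constructed for a local run, and the actual delivery to the SIEM is left as a returned JSON line.

```python
"""Flatten GuardDuty findings (EventBridge 'detail' payload) into SIEM records."""
import json

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW"))


def severity_label(score):
    """Map the numeric severity to a band name a SIEM rule can key on."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "UNKNOWN"  # below 1.0 is not a documented band


def _instance_ip(finding):
    """Public IP of the affected instance, falling back to its private IP."""
    nics = finding.get("resource", {}).get("instanceDetails", {}).get("networkInterfaces") or []
    if not nics:
        return None
    return nics[0].get("publicIp") or nics[0].get("privateIpAddress")


def normalize_finding(finding):
    """Flatten one finding into identity, severity and network fields."""
    service = finding.get("service", {})
    action = service.get("action", {})
    rec = {
        "finding_id": finding["id"], "account": finding["accountId"],
        "region": finding["region"], "type": finding["type"],
        "severity": severity_label(float(finding["severity"])),
        "count": service.get("count", 1),
        "first_seen": service.get("eventFirstSeen"), "last_seen": service.get("eventLastSeen"),
        "resource_id": finding.get("resource", {}).get("instanceDetails", {}).get("instanceId"),
        "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None,
        "protocol": None, "domain": None,
    }
    local_ip = _instance_ip(finding)
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        nca = action["networkConnectionAction"]
        remote_ip = nca.get("remoteIpDetails", {}).get("ipAddressV4")
        remote_port = nca.get("remotePortDetails", {}).get("port")
        local_port = nca.get("localPortDetails", {}).get("port")
        rec["protocol"] = nca.get("protocol")
        # Direction decides which side is the source: INBOUND means the remote host initiated.
        if nca.get("connectionDirection") == "INBOUND":
            rec.update(src_ip=remote_ip, src_port=remote_port, dst_ip=local_ip, dst_port=local_port)
        else:
            rec.update(src_ip=local_ip, src_port=local_port, dst_ip=remote_ip, dst_port=remote_port)
    elif kind == "DNS_REQUEST":
        dra = action["dnsRequestAction"]
        rec.update(src_ip=local_ip, domain=dra.get("domain"), protocol=dra.get("protocol"))
    # Other action types (AWS_API_CALL, PORT_PROBE, ...) keep only the identity fields.
    return rec


def handler(event, context=None):
    """Lambda-style entry point; EventBridge wraps the finding under 'detail'."""
    rec = normalize_finding(event["detail"])
    # A real deployment would ship this line to the SIEM (HTTP collector, Kinesis, ...).
    return json.dumps(rec, sort_keys=True)


# Constructed sample findings (not real GuardDuty output) for a local run.
SSH_BRUTE_FORCE = {
    "id": "f1", "accountId": "111122223333", "region": "eu-west-1",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0,
    "resource": {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0",
        "networkInterfaces": [{"privateIpAddress": "10.0.1.15", "publicIp": "203.0.113.10"}]}},
    "service": {"count": 37, "eventFirstSeen": "2019-09-30T08:00:00Z",
                "eventLastSeen": "2019-09-30T08:20:00Z",
                "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
                    "connectionDirection": "INBOUND", "protocol": "TCP", "blocked": False,
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                    "remotePortDetails": {"port": 51244}, "localPortDetails": {"port": 22}}}},
}
DNS_EXFIL = {
    "id": "f2", "accountId": "111122223333", "region": "eu-west-1",
    "type": "Trojan:EC2/DNSDataExfiltration", "severity": 8.0,
    "resource": {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0",
        "networkInterfaces": [{"privateIpAddress": "10.0.1.15"}]}},
    "service": {"count": 1, "action": {"actionType": "DNS_REQUEST", "dnsRequestAction": {
        "domain": "x.exfil.example", "protocol": "UDP", "blocked": False}}},
}

if __name__ == "__main__":
    for finding in (SSH_BRUTE_FORCE, DNS_EXFIL):
        print(handler({"detail": finding}))
```

The direction check matters more than it looks: an OUTBOUND finding (the instance reaching out to a mining pool, say) has the instance as source, while an INBOUND brute force has the remote host as source, and a SIEM correlation rule keyed on `src_ip` only works if that is handled here rather than downstream.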
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,447, Admin
    I'm hoping GD can be (one day) customized to use its rules engine to read custom application logs. I can see GD supporting a Lambda-like feature that would use customer-supplied regexes to read custom log files for standard data (src/dst IP, src/dst port, protocol, etc.) and free-form information (DNS TXT record) and process it using GD's rules. I guess I'm looking for a simpler and cheaper alternative to Splunk inside of AWS. :)
  • scasc, Posts: 200, Member
    edited September 30
    haha - if only! At the moment it's limited, as the objective is to do continuous monitoring against unauthorised use of your AWS platform (e.g. bit-mining, SSH brute forcing, DNS exfiltration etc.). The only place I have seen supplied regexes is Athena, but that is from an S3 bucket where you query the logs fed there (via SQL) for things like IP addresses, time etc.

    You could also use Config to stipulate a policy that will then connect to Lambda to run your serverless rules if there is non-compliance with that policy.
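Added example, not from either poster: the SSH brute-force aggregation that GuardDuty does over VPC flow logs, written out by hand on the default flow-log record format so the logic is visible. It groups TCP flows to port 22 per source/destination pair and applies a sliding time window, which is what a plain `COUNT(*)` over a fixed time range in Athena misses when a burst straddles the query's bounds. The flow-log lines are constructed; the Athena query in the docstring assumes a table named `vpc_flow_logs` with the column names shown (`starttime` rather than `start`, since `start` and `end` are reserved words and would need quoting).

```python
"""Flag SSH brute-force candidates in VPC flow log records (default v2 format).

Equivalent Athena query, assuming a table named vpc_flow_logs whose columns
mirror the field names below (starttime in place of start):

    SELECT srcaddr, dstaddr, COUNT(*) AS attempts
    FROM vpc_flow_logs
    WHERE dstport = 22 AND protocol = 6 AND log_status = 'OK'
      AND starttime BETWEEN 1569830400 AND 1569831000
    GROUP BY srcaddr, dstaddr
    HAVING COUNT(*) >= 10;

The Python below does the same grouping, but with a sliding window so a
burst that straddles the query's time bounds is still caught.
"""
from collections import defaultdict

# Field order of the default VPC flow log record (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
TCP = "6"  # IANA protocol number, as it appears in the log


def parse_flow_log(line):
    """Split one space-separated flow log record into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def ssh_bruteforce_candidates(lines, threshold=10, window=600):
    """Return {(srcaddr, dstaddr): attempts} for pairs with at least `threshold`
    TCP flows to port 22 inside any `window`-second span. ACCEPT and REJECT
    both count: a brute force that eventually succeeds ends with an ACCEPT."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_flow_log(line)
        # NODATA/SKIPDATA records carry '-' in the traffic fields; skip them.
        if rec["log_status"] != "OK":
            continue
        if rec["protocol"] != TCP or rec["dstport"] != "22":
            continue
        attempts[(rec["srcaddr"], rec["dstaddr"])].append(int(rec["start"]))
    hits = {}
    for pair, times in attempts.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


def _line(src, dst, sport, dport, start, action):
    """Build one constructed v2 flow log record for the sample below."""
    return (f"2 111122223333 eni-0a1b2c3d4e5f67890 {src} {dst} {sport} {dport} "
            f"{TCP} 4 240 {start} {start + 60} {action} OK")


T0 = 1569830400  # 2019-09-30T08:00:00Z, arbitrary base time for the constructed sample
SAMPLE_LINES = (
    # 11 rejected SSH attempts 20 s apart, then one that gets in
    [_line("198.51.100.23", "10.0.1.15", 51000 + i, 22, T0 + 20 * i, "REJECT") for i in range(11)]
    + [_line("198.51.100.23", "10.0.1.15", 51011, 22, T0 + 220, "ACCEPT")]
    # an admin's legitimate logins, one per hour: never enough inside one window
    + [_line("10.0.2.7", "10.0.1.15", 40000 + i, 22, T0 + 3600 * i, "ACCEPT") for i in range(5)]
    # an unrelated HTTPS flow and a record that carried no traffic
    + [_line("203.0.113.9", "10.0.1.15", 44444, 443, T0, "ACCEPT"),
       f"2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - {T0} {T0 + 60} - NODATA"]
)

if __name__ == "__main__":
    for (src, dst), n in ssh_bruteforce_candidates(SAMPLE_LINES).items():
        print(f"{src} -> {dst}:22  {n} attempts within 600 s")
```

Counting ACCEPT flows alongside REJECT is deliberate: a security group that allows port 22 from anywhere yields ACCEPT records for every attempt, and the credential guessing happens inside the accepted TCP session where flow logs cannot see it, so the volume of distinct connections is the only signal left at this layer.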
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,447, Admin
    Hey, thanks for the pointer to AWS Athena, Config, and Glue. I'll ponder those for my needs. :)
  • scasc, Posts: 200, Member
    No worries, best of luck.