Amazon GuardDuty Integration Guide

Secureworks® Taegis™ XDR integrates with Amazon GuardDuty only through the Amazon GuardDuty API. Integration via CloudWatch Events and/or S3 is not currently supported. Additionally, only one AWS account may be linked for the integration. If you use the Amazon GuardDuty master account architecture (documented by AWS at: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html), use the Account ID of the Amazon GuardDuty master account in the following steps. If you are using AWS Organizations, note that the Amazon GuardDuty master account may differ from the AWS Organizations master account.

To integrate your Amazon GuardDuty data with Secureworks® Taegis™ XDR, you must manually create an AWS Identity and Access Management (IAM) role that grants read-only access to Secureworks® Taegis™ XDR and enter this role and your AWS account ID in Secureworks® Taegis™ XDR.

Data Provided from Integration

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
Amazon GuardDuty                       V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Set Up Amazon GuardDuty

Note

If you do not have login access to Secureworks® Taegis™ XDR, have someone who does help you complete any steps that require access. You can also contact your Secureworks® representative for help.

To get started, follow these steps:

  1. From the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Choose Set Up AWS Integrations and then select Setup under Amazon GuardDuty.

Set up GuardDuty Integration

  1. Enter your AWS Account ID and then select Next. You will need the External ID unique to your organization that displays during Step 2 to create an AWS IAM role.
  2. In the IAM Console, ensure that you are logged in to the account you want to configure the integration for, select Roles from the sidebar, and then click Create role.

  3. Select Another AWS account as the type of trusted entity.

Create IAM Role

  1. Enter the following Secureworks Account ID: 927866642148.
  2. Enable the option to Require external ID and enter the External ID displayed in Step 2 on the Integration page in Secureworks® Taegis™ XDR.
  3. Leave the option to Require MFA disabled and click Next: Permissions.

Enter Account ID and External ID

  1. From the Attach permissions policies section, select Create policy. A new browser tab opens and displays the Create policy form.

Tip

As you work, it’s helpful to keep separate browser tabs open in AWS Console—one with the policy, so you can find the policy you’ve created, and another for the role(s) you create.

  1. Select the JSON tab, and copy and paste the following policy into the form:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "guardduty:ListDetectors",
        "guardduty:GetDetector",
        "guardduty:ListFindings",
        "guardduty:GetFindings",
        "guardduty:GetMasterAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

We recommend that you create an AWS role with these exact permissions and then test that your Secureworks® Taegis™ XDR AWS GuardDuty integration still works.

This policy grants read-only access to Secureworks® Taegis™ XDR for your Amazon GuardDuty data. For more information on read-only IAM roles, see the Managing Access to Amazon GuardDuty User Guide.
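The following is an added example, not Secureworks' or AWS's own code: an offline check of the two IAM documents the steps above produce (the role's trust policy with the Secureworks account and External ID condition, and the permissions policy with the five read-only GuardDuty actions), as you would retrieve them with `aws iam get-role` and `aws iam get-policy-version`. The External ID value and the sample documents are constructed placeholders.

```python
# Added example: verify the IAM role created for the Taegis XDR GuardDuty integration.
SECUREWORKS_ACCOUNT_ID = "927866642148"          # trusted account given on the page
READ_ONLY_ACTIONS = {"guardduty:ListDetectors", "guardduty:GetDetector",
                     "guardduty:ListFindings", "guardduty:GetFindings",
                     "guardduty:GetMasterAccount"}   # the page's permissions policy

def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_trust_policy(doc, external_id):
    """Findings (empty list = OK): only Secureworks may assume the role, and every
    sts:AssumeRole grant must carry the External ID condition (confused-deputy guard)."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws:
            if SECUREWORKS_ACCOUNT_ID not in str(p):   # also catches "*" and other accounts
                problems.append(f"unexpected principal may assume the role: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:AssumeRole is not conditioned on the expected External ID")
    return problems

def check_permissions_policy(doc):
    """Findings: exactly the documented read-only GuardDuty actions, no wildcards."""
    problems, granted = [], set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                problems.append(f"wildcard grants more than read-only access: {action}")
            elif action not in READ_ONLY_ACTIONS:
                problems.append(f"action outside the documented set: {action}")
            granted.add(action)
    problems += [f"missing required action: {a}" for a in sorted(READ_ONLY_ACTIONS - granted)]
    return problems

# Constructed sample documents; the External ID is a placeholder for the value Taegis XDR shows.
EXAMPLE_EXTERNAL_ID = "EXTERNAL-ID-FROM-TAEGIS"   # placeholder, not a real value
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{SECUREWORKS_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}}}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": sorted(READ_ONLY_ACTIONS)}]}
```

Run both checks after creating the role and again whenever the role is edited; a non-empty list means the role trusts more than the Secureworks account or grants more than the read-only set.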

  1. Select Review policy.

Paste the Policy then Review

  1. Enter a descriptive name for the policy, such as SecureworksAWSGuardDutyIntegrationPolicy, and an optional description. Select Create policy.

Note

Remember the policy name so you can select it later.

  1. Return to the previous Create role tab and refresh the list of policies so that the new policy displays. Select the new policy and choose Next: Tags.

Select the New Policy

  1. Add any optional tags desired and choose Next: Review.
  2. Enter a descriptive name for the role, such as SecureworksAWSGuardDutyIntegrationRole, and an optional description. Choose Create role.
  3. Return to the Integration page in Secureworks® Taegis™ XDR and enter the IAM Role Name created in the preceding steps.
  4. Select Save to complete the integration.

Enter IAM Role

  1. View the integration status on the Cloud APIs page.

View Integration Status and Details