AWS GuardDuty
Integration version: 4.0
Prerequisites
If you require read-only access to the integration, such as running the
connector, use the AmazonGuardDutyReadOnlyAccess policy.
To get full access to all integration features, use the
AmazonGuardDutyFullAccess policy.
For more details about using policies, see AWS managed policies on the AWS documentation website.
Configure AWS GuardDuty integration in Google Security Operations SOAR
For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| AWS Access Key ID | String | N/A | Yes | AWS Access Key ID to use in integration. |
| AWS Secret Key | Password | N/A | Yes | AWS Secret Key to use in integration. |
| AWS Default Region | String | N/A | Yes | AWS default region to use in integration, for example us-west-1. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Use cases
- Detect and manage threats in the AWS system using playbooks or manual actions.
- Ingest AWS GuardDuty findings. Findings that are fetched are moved to the GuardDuty archive.
Actions
Ping
Description
Test connectivity to AWS GuardDuty with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
This action doesn't run on entities, nor has mandatory input parameters.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | If successful: "Successfully connected to the AWS GuardDuty server with the provided connection parameters!" Else: "Failed to connect to the AWS if successful: "Successfully connected to the AWS GuardDuty server with the provided connection parameters!" Else: "Failed to connect to the AWS GuardDuty server! Error: {0}".format(exception.stacktrace)GuardDuty server! Error: {0}".format(exception.stacktrace) |
General |
Create a Detector
Description
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. You can have only one detector per account per Region.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Enable | Checkbox | Unchecked | Yes | Specifies whether the detector is to be enabled. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: Is successful: "The detector <new detector ID> has been created." If the detector is not created (is_success=false): "Action wasn't able to create a detector. Reason: a detector already exists for the current account. If "ErrorCode" is reported (is_success=false): "Action wasn't able to create a detector. Error: {}".format (ErrorMessage)" The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Create a Detector". Reason: {0}''.format(error.Stacktrace) |
General |
Delete a Detector
Description
Delete an Amazon GuardDuty detector that is specified by the detector ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector that you want to delete. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the detector is not deleted (is_success=false): "Action wasn't able to delete <detector_ID> detector. Error: {}".format(ErrorMessage)" If the detector is successfully deleted (is_success=true): "The detector <detector ID> has been deleted." The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Delete a Detector". Reason: {0}''.format(error.Stacktrace) |
General |
Update a Detector
Description
Update the Amazon GuardDuty detector specified by the detector ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector that you want to update. |
| Enable | Checkbox | Unchecked | No | Specifies whether the detector should be enabled. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to create a detector. Error: {}".format(ErrorMessage)" If the detector is successfully updated (is_success=true): "The detector <detector ID> has been updated." The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Update a Detector". Reason: {0}''.format(error.Stacktrace) |
General |
Get Detector Details
Description
Retrieve an Amazon GuardDuty detector specified by the detector ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector that you want to retrieve. Comma-separated values. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{
"DetectorId": detector_id,
"CreatedAt": response['CreatedAt'],
"ServiceRole": response['ServiceRole'],
"Status": response['Status'],
"UpdatedAt": response['UpdatedAt'],
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully retrieved information about <Indicator ID> indicator." Note: If some detector IDs found, and some not - display both messages based on the relevant detector ID. The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get a Detector Details". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV Table | Table Title: Detectors Details Table Columns:
|
General |
List Detectors
Description
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Max Detectors To Return | Integer | 50 | No | Specify the number of detectors to return. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{"detectorIds": [id1,id2,etc]}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully listed available detectors in AWS GuardDuty. Indicator ID:<value>" If other status code is reported (is_success=false): "Action wasn't able to list available detectors" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Detectors". Reason: {0}''.format(error.Stacktrace) |
General |
List Findings for a Detector
Description
Lists all Amazon GuardDuty findings for the specified detector ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector that you want to retrieve. |
| Max Findings To Return | Integer | 50 | No | Specify the number of detectors to return. |
| Sort By | String | N/A | No | Represents the finding attribute (for example, accountId) to sort findings by. |
| Order By | DDL | ASC Possible values:
|
No | The order by which the sorted findings are to be displayed. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{"FindingIds": ["10ba96ae50733ae38b9cae95431b7558"]}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail and stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to get findings for <detector ID> detector. Error: {}".format(ErrorMessage)" If successful: "Successfully retrieved available findings IDs for detector {detector ID}" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "List Findings for a Detector". Reason: {0}''.format(error.Stacktrace) |
General |
Archive Findings
Description
Archive GuardDuty findings that are specified by finding IDs.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Finding IDs | String | N/A | Yes | The IDs of the findings that you want to retrieve. Comma-separated IDs. |
| Detector ID | String | N/A | Yes | The unique ID of the detector |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
AWS IAM Policy Permission:
- Effect: Allow
- Action: guardduty:ArchiveFindings
Only the master account can archive findings. Member accounts don't have permission to archive findings from their accounts.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to archive Findings. Error: {}".format(ErrorMessage). Please check if all Finding IDs are correct." If successful: "Findings were successfully archived" → Changed to: "The following findings were successfully archived: <ids> In case of one/all invalid finding IDs, the action should not fail, but is_success should be set to false: "Could not archive the following findings: <ids>" Note: The error code cannot be for one of the IDs. In case of wrong finding ID, an exception is thrown with the following error: "When calling the ArchiveFindings operation (reached max retries: 4): Internal server error." Same here:Check first if finding is valid. Successfully archived the following findings: 88bac20f959084244a2b91778d12e883 Failed to archived the following findings: 1abac689941ae6f3e3e24d02ac4cf612 The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Archive Findings". Reason: {0}''.format(error.Stacktrace" |
General |
Unarchive Findings
Description
Unarchive GuardDuty findings that are specified by finding IDs.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Finding IDs | String | N/A | Yes | The IDs of the findings that you want to retrieve. Comma-separated values. |
| Detector ID | String | N/A | Yes | The unique ID of the detector. |
AWS IAM Policy Permission:
- Effect: Allow
- Action: guardduty:UnarchiveFindings
Only the master account can archive findings. Member accounts don't have permission to archive findings from their accounts.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "The following findings were successfully archived: <ids>" In case of one/all invalid finding IDs, the action should not fail, but is_success should set to false: "Could not unarchive the following findings: <ids> The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Unarchive Findings". Reason: {0}''.format(error.Stacktrace)" Note: The error code cannot be for one of the IDs. In case of wrong finding ID, an exception is thrown with the following error: "When calling the ArchiveFindings operation (reached max retries: 4): Internal server error." Same here: Check first if finding is valid. Successfully archived the following findings: 88bac20f959084244a2b91778d12e883 Failed to archived the following findings: 1abac689941ae6f3e3e24d02ac4cf612 |
General |
Create Sample Findings
Description
Generates example findings of types specified by the list of findings.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector to create sample findings for. |
| Finding Types | String | N/A | No | The types of sample findings to generate. Comma-separated values. Types can be found in the UI in the Findings section under the Finding Type column. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to create sample findings. Error: {}".format(ErrorMessage)" If successful: "Successfully created sample findings" If one of the inputs (Findings Types) is invalid, catch the following exception: "The request is rejected because an invalid or out-of-range value is specified as an input parameter." set, is_sucess=false: "Action wasn't able to create sample findings because an invalid value was found as Finding Types parameter. Updated: In case of invalid finding type, the action should fail, with this msg: "Action wasn't able to create sample findings because an invalid value was found as Finding Types parameter. Error: <traceback>
The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Create Sample Findings". Reason: {0}''.format(error.Stacktrace) |
General |
Update Findings Feedback
Description
Mark the specified Amazon GuardDuty findings as useful or not useful.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | The unique ID of the detector associated with the findings to update feedback for. |
| Useful? | Checkbox | Unchecked | Yes | The feedback for the finding. |
| Findings IDs | String | N/A | Yes | The IDs of the findings that you want to mark as useful or not useful. Comma-separated values. |
| Comment | String | N/A | No | Additional feedback about the GuardDuty findings. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to update findings feedback. Error: {}".format(ErrorMessage) If successful: "Findings feedback was updated." If an error/not found for one of the finding IDs, the response object still returns an empty response, although one of the IDs does not exist. If findings are not found:"Cannot update feedback. <finding id> is not valid." The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Update Findings Feedback". Reason: {0}''.format(error.Stacktrace)" |
General |
Delete a Trusted IP List
Description
Delete the IPSet specified by the ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to delete an IP set. This parameter can be found in the Settings tab. |
| Trusted IP List IDs | String | N/A | Yes | Specify the comma-separated list of IDs of IP sets. Example: id_1,id_2 |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful (is_success=true): "Successfully deleted the following Trusted IP lists: <ids>" If not successful for some of the IDs (is_success=true): "Action wasn't able to delete the following Trusted IP Lists from AWS GuardDuty:\n{0}.".format(list_of_ids)" The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Delete a Trusted IP List". Reason: {0}''.format(error.Stacktrace" |
General |
Get Finding Details
Description
Return detailed information about a finding in AWS Guard Duty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Finding IDs | String | N/A | Yes | The IDs of the findings that you want to retrieve. Comma-separated IDs. |
| Detector ID | String | N/A | Yes | The unique ID of the detector that you want to retrieve. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{
"Findings": [{
"AccountId": "582302349248",
"Arn": "arn:aws:guardduty:us-east-1:582302349248:detector/26b8d318c596f5eb942b4c146870944f/finding/02ba7e2d000521f35033ed64488b8e1b",
"CreatedAt": "2020-10-06T05:19:50.794Z",
"Description": "213.108.133.9 is performing RDP brute force attacks against i-053d1520f53584149. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password.", "Id": "02ba7e2d000521f35033ed64488b8e1b",
"Partition": "aws",
"Region": "us-east-1",
"Resource": {
"InstanceDetails": {
"AvailabilityZone": "us-east-1e",
"ImageId": "ami-01b670d1a5b2c1da7",
"InstanceId": "i-053d1520f53584149",
"InstanceState": "running",
"InstanceType": "t2.micro",
"LaunchTime": "2020-05-27T08:54:03Z", "NetworkInterfaces": [{
"Ipv6Addresses": [],
"NetworkInterfaceId": "eni-012d9b8a1a3b4e40a",
"PrivateDnsName": "ip-1.1.1.1.ec2.internal",
"PrivateIpAddress": "1.1.1.1",
"PrivateIpAddresses": [{
"PrivateDnsName": "ip-1.1.1.1.ec2.internal",
"PrivateIpAddress": "1.1.1.1"
}],
"PublicDnsName": "ec2-54-234-69-236.compute-1.amazonaws.com",
"PublicIp": "54.234.69.236",
"SecurityGroups": [{
"GroupId": "sg-0fa42e04e9cd15407",
"GroupName": "Windows Server 2016"
}],
"SubnetId": "subnet-2edddf10",
"VpcId": "vpc-48a7ac32"
}],
"Platform": "windows",
"ProductCodes": [],
"Tags": [{
"Key": "Name",
"Value": "CiscoAMP-win2012"
}]},
"ResourceType": "Instance"
},
"SchemaVersion": "2.0",
"Service": {
"Action": {
"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
"Blocked": false,
"ConnectionDirection": "INBOUND",
"LocalPortDetails": {
"Port": 3389, "PortName": "RDP"
},
"Protocol": "TCP",
"LocalIpDetails": {
"IpAddressV4": "1.1.1.1"
},
"RemoteIpDetails": {
"City": {
"CityName": "Moscow"
},
"Country": {
"CountryName": "Russia"
},
"GeoLocation": {
"Lat": 55.7522, "Lon": 37.6156
},
"IpAddressV4": "213.108.133.9",
"Organization": {
"Asn": "24875",
"AsnOrg": "NovoServe B.V.",
"Isp": "NovoServe B.V.",
"Org": "NovoServe B.V."
}},
"RemotePortDetails": {
"Port": 1549,
"PortName": "Unknown"
}}},
"Archived": false,
"Count": 5,
"DetectorId": "26b8d318c596f5eb942b4c146870944f",
"EventFirstSeen": "2020-10-06T05:10:58Z",
"EventLastSeen": "2020-10-06T05:46:59Z",
"ResourceRole": "TARGET",
"ServiceName": "guardduty"
},
"Severity": 2,
"Title": "213.108.133.9 is performing RDP brute force attacks against i-053d1520f53584149.",
"Type": "UnauthorizedAccess:EC2/RDPBruteForce",
"UpdatedAt": "2020-10-06T06:01:46.380Z"
}]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" is reported (is_success=false): "Action wasn't able to get Findings details. Error: {}".format(ErrorMessage)" If successful: "Successfully retrieved information for the following findings <finding ids that retrieved>" If an error for one of the IDs is reported, the response object has results only for the good IDs. Check if the response object didn't have some of the IDs and print out a proper message.
The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get Findings". Reason: {0}''.format(error.Stacktrace" |
General |
| Case Wall Table | Note: if exists. Table Columns:
|
General |
Get all Trusted IP lists
Description
Get all trusted IP lists (IPSets) of the GuardDuty service specified by the detector ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to list IP sets. This parameter can be found in the Settings tab. |
| Max Trusted IP Lists To Return | Integer | 50 | No | Specify the number of Trusted IP lists to return. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{"IpSetIds": ['', '' , '']}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully listed available sets (is_success=true): "Successfully retrieved available Trusted IP lists." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get all Trusted IP Lists". Reason: {0}''.format(error.Stacktrace) |
General |
Get a Trusted IP list
Description
Get details about a trusted IP list in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to get an IP set. This parameter can be found in the Settings tab. |
| Trusted IP List IDs | CSV | N/A | Yes | Specify the comma-separated list of IDs of IP sets. Example: id_1,id_2 |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{
ip_set_id: {
"Format": response['Format'],
"Location": response['Location'],
"Name": response['Name'],
"Status": response['Status']}
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully returned details (is_success=true):"Successfully retrieved details about the following Trusted IP Lists from AWS GuardDuty:\n{0}.".format(list_of_ids)" If not successful for some of the IDs (is_success=true): "Action wasn't able to retrieve details about the following Trusted IP Lists from AWS GuardDuty:\n{0}.".format(list_of_ids) If no IDs are used (is_success=false): "No details were retrieved about the provided Trusted IP Lists".format(list_of_ids)" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Trusted IP Lists". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: Trusted IP Lists Details Table Columns:
|
General |
Update a Trusted IP list
Description
Update a trusted IP list in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to update a Trusted IP List. This parameter can be found in the Settings tab. |
| Trusted IP List ID | String | N/A | Yes | Specify the ID of the Trusted IP List that should be updated. |
| Name | String | N/A | No | Specify the new name of the Trusted IP List. |
| File Location | String | https://s3.amazonaws.com/{bucket-name}/file.txt |
No | Specify a new URI location, where the file is located. |
| Activate | Checkbox | Checked | Yes | If enabled, the Trusted IP List will be activated. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully updated one set (is_success=true): "Successfully updated the trusted IP list '{0}' in AWS GuardDuty.".format(Threat ID) If unsuccessful to update one set (is_success=false): "Action wasn't able to update the trusted IP list '{0}' in AWS GuardDuty.".format(Threat ID)" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Trusted IP list". Reason: {0}''.format(error.Stacktrace) |
General |
Create a Trusted IP list
Description
Creates a new list of trusted IP addresses (IPSet) that were whitelisted for secure communication with the AWS infrastructure and applications.
GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the master account can use this operation.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to create a Trusted IP List. This parameter can be found in the Settings tab. |
| Name | String | N/A | Yes | Specify the name of the Trusted IP List. |
| File Format | DDL | Plaintext | Yes | Select the format of the file that should be used to create a Trusted IP List. Possible values:
|
| File Location | String | https://s3.amazonaws.com/{bucket-name}/file.txt |
Yes | Specify the URI location, where the file is located |
| Activate | Checkbox | Checked | Yes | If enabled, the newly created Trusted IP List is activated. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{'TrustedIPID: <ID>}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully created a set (is_success=true): "Successfully created new Trusted IP List '{0}' in AWS GuardDuty.".format(Name)" If unsuccessful to create a set (is_success=false): "Action wasn't able to create new Trusted IP List '{0}' in AWS GuardDuty.".format(name)" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Create Trusted IP List". Reason: {0}''.format(error.Stacktrace)" |
General |
List Threat Intelligence Sets
Description
List available threat intelligence sets in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to list threat intelligence sets. This parameter can be found in the Settings tab. |
| Max Threat Intelligence Sets To Return | Integer | 50 | No | Specify the number of threat intelligence sets to return. |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
"ThreatIntelSetIds": ['14ba8b942b76c1be6d985715eb7443eb',
'32ba8b92e553fe04d06dab543ed57a70',
'8aba8b93ba6e08e8fd5349b2c2b57709']}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully listed available sets (is_success=true): "Successfully listed available Threat Intelligence Sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Threat Intelligence Sets". Reason: {0}''.format(error.Stacktrace) |
General |
Get Threat Intelligence Set Details
Description
Get details about a threat intelligence set in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to get threat intelligence sets details. This parameter can be found in the Settings tab. |
| Threat Intelligence Set IDs | String | 50 | Yes | Specify the comma-separated list of IDs of threat intelligence sets. Example: id_1,id_2 |
| AWS Region | String | N/A | No | Optionally specify the AWS Region to be used in the action that can be different from the default region specified in the integration configuration page. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{
"Format": "TXT",
"Location": "https: //testsiemplify.s3.amazonaws.com/test.txt",
"Name": "API Test",
"ResponseMetadata": {
"HTTPHeaders": {
"connection": "keep-alive",
"content-length": "149",
"content-type": "application/json",
"date": "Mon,19 Oct 2020 06: 23: 22 GMT",
"x-amz-apigw-id": "UpSSIGNgIAMFpsg=",
"x-amzn-requestid": "b8328bb2-756d-4099-a091-79b72e52b34c",
"x-amzn-trace-id": "Root=1-5f8d30d9-0346b3d03530be7a1ae4c426;Sampled=0"
},
"HTTPStatusCode": 200,
"RequestId": "b8328bb2-756d-4099-a091-79b72e52b34c",
"RetryAttempts": 0
},
"Status": "ERROR",
"Tags": {}
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully returned details about at list one set (is_success=true): "Successfully retrieved details about the following Threat Intelligence Sets from AWS GuardDuty:\n{0}.".format(list_of_ids)" If unsuccessful for some of the IDs (is_success=true): "Action wasn't able to retrieve details about the following Threat Intelligence Sets from AWS GuardDuty:\n{0}.".format(list_of_ids)" If no IDs are used: "No details were retrieved about the provided Threat Intelligence Sets.".format(list_of_ids) The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Threat Intelligence Sets". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: Threat Intelligence Set Details Table Column:
|
Create Threat Intelligence Set
Description
Create a threat intelligence set in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to create a Threat Intelligence Set. This parameter can be found in the Settings tab. |
| Name | String | N/A | Yes | Specify the name of the Threat Intelligence Set. |
| File Format | DDL | Plaintext Possible values:
|
Yes | Select the format of the file that is used to create a threat intelligence set. |
| File Location | String | https://s3.amazonaws.com/{bucket-name}/file.txt |
Yes | Specify the URI location, where the file is located. |
| Active | Checkbox | Checked | Yes | If enabled, the newly created Threat Intelligence Set is activated. |
| Tags | CSV | N/A | No | Specify additional tags that should be added to the Threat Intelligence Set. Format: key_1:value_1,key_2:value_1 |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
{"ThreatIntelSetId": 'b6f0c884a54449cc8e29eed3094e9c31'
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully created a set (is_success=true): "Successfully created the Threat Intelligence Set '{0}' in AWS GuardDuty.".format(Name) If unsuccessful to create a set (is_success=false):"Action wasn't able to create the Threat Intelligence Set '{0}' in AWS GuardDuty.".format(name) The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Create Threat Intelligence Set". Reason: {0}''.format(error.Stacktrace) |
General |
Update Threat Intelligence Set
Description
Update a threat intelligence set in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Detector ID | String | N/A | Yes | Specify the detector ID that should be used to update a Threat Intelligence Set. This parameter can be found in the Settings tab. |
| ID | String | N/A | Yes | Specify the ID of the Threat Intelligence set that should be updated. |
| Name | String | N/A | No | Specify the new name of the Threat Intelligence Set. |
| File Location | String | https://s3.amazonaws.com/{bucket-name}/file.txt |
No | Specify a new URI location, where the file is located. |
| Active | Checkbox | Checked | Yes | If enabled, the Threat Intelligence Set is activated. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully updated one set (is_success=true): "Successfully updated the Threat Intelligence Set '{0}' in AWS GuardDuty.".format(Threat ID) If unsuccessful to update a set (is_success=false): "Action wasn't able to update the Threat Intelligence Set '{0}' in AWS GuardDuty.".format(Threat ID) The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Threat Intelligence Set". Reason: {0}''.format(error.Stacktrace) |
General |
Delete Threat Intelligence Set
Description
Delete a threat intelligence set in AWS GuardDuty.
Parameters
| Parameter name | Type | Default value | Watermark | Is mandatory | Description |
|---|---|---|---|---|---|
| Detector ID | String | N/A | N/A | Yes | Specify the detector ID that should be used to get threat intelligence sets details. This parameter can be found in the Settings tab. |
| Threat Intelligence Set IDs | CSV | N/A | N/A | Yes | Specify the comma-separated list of IDs of threat intelligence sets. Example: id_1,id_2 |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success=False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successfully returned details about at list one set (is_success=true): "Successfully deleted the following Threat Intelligence Sets in AWS GuardDuty:\n{0}.".format(list_of_ids) If unsuccessful for some of the IDs (is_success=true): "Action wasn't able to delete the following Threat Intelligence Sets in AWS GuardDuty:\n{0}.".format(list_of_ids) If no IDs are used: "No Threat Intelligence Sets were deleted.".format(list_of_ids) The action should fail and stop a playbook execution: Invalid detector ID should raise an exception as well, stop the playbook and set is_success to false. If a fatal error, SDK error, like wrong credentials, no connection to the server, other: "Error executing action "Delete Threat Intelligence Sets". Reason: {0}''.format(error.Stacktrace) |
General |
Connector
AWS GuardDuty - Findings Connector
Description
Pull findings from AWS GuardDuty.
Configure AWS GuardDuty - Findings Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | Type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| AWS Access Key ID | String | N/A | Yes | AWS Access Key ID to use in integration. |
| AWS Secret Key | Password | N/A | Yes | AWS Secret Key to use in integration. |
| AWS Default Region | String | N/A | Yes | AWS default region to use in integration. Example: us-west-2 |
| Detector ID | String | N/A | Yes | ID of the detector. It can be found in the Settings tab. |
| Lowest Severity To Fetch | Integer | 1 | Yes | The lowest severity that is used to fetch findings. Possible values are in range from 1 to 8. Note: AWS GuardDuty maps the integer value in the following order:
|
| Fetch Max Hours Backwards | Integer | 1 | No | Number of hours from where to fetch findings. |
| Max Findings To Fetch | Integer | 50 | No | Number of findings to process per one connector iteration. Maximum: 50 This is a GuardDuty limitation. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist is used as a blacklist. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports Proxy.