AWS GuardDuty Plugin for Threat Exchange

This document explains how to configure the AWS GuardDuty integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. The plugin fetches URLs (IPv4 addresses and domains) and file hashes (SHA256) from AWS GuardDuty findings. It does not support pushing indicators to AWS GuardDuty.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Threat prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Access to your AWS Access Key ID (Public Key), AWS Secret Access Key (Private Key), AWS Session Token (Optional, only for temporary user), Region Name, and Detector ID (Unique Detector ID).
AWS GuardDuty Plugin Support

Fetched indicator types: URLs (IPv4 and Domain), SHA256
Shared indicator types: None
Mappings
Severity Mapping

Netskope Severity    AWS GuardDuty Severity
<1                   Unknown
1.0 – 3.9            Low
4.0 – 6.9            Medium
7.0 – 8.9            High
9.0 – 10.0           Critical
Mappings for Pull (Netskope field – AWS GuardDuty fields)

Each Netskope Cloud Exchange indicator field is filled from a different GuardDuty finding field depending on which section the finding carries: EbsVolumeScanDetails, NetworkConnectionAction, PortProbeAction, or DnsRequestAction.

value
  • EbsVolumeScanDetails: Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileName.Hash
  • NetworkConnectionAction: Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4
  • PortProbeAction: Service.Action.PortProbeAction.PortProbeDetails.RemoteIpDetails.IpAddressV4
  • DnsRequestAction: Service.Action.DnsRequestAction.Domain

type
  • EbsVolumeScanDetails: SHA256
  • NetworkConnectionAction: URL
  • PortProbeAction: URL
  • DnsRequestAction: URL

firstSeen
  • EbsVolumeScanDetails: Service.EventFirstSeen
  • NetworkConnectionAction: Service.Action.EventFirstSeen
  • PortProbeAction: Service.Action.EventFirstSeen
  • DnsRequestAction: Service.Action.EventFirstSeen

lastSeen
  • EbsVolumeScanDetails: Service.EventLastSeen
  • NetworkConnectionAction: Service.Action.EventLastSeen
  • PortProbeAction: Service.Action.EventLastSeen
  • DnsRequestAction: Service.Action.EventLastSeen

severity
  • EbsVolumeScanDetails: Service.EbsVolumeScanDetails.ScanDetections.HighestSeverityThreatDetails.Severity
  • NetworkConnectionAction: Severity
  • PortProbeAction: Severity
  • DnsRequestAction: Severity

tags
  • EbsVolumeScanDetails: Service.EbsVolumeScanDetails.Sources + GuardDuty-public if PublicIp is present in NetworkInterfaces + GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces
  • NetworkConnectionAction: Resource.InstanceDetails.Tags + NetworkConnectionAction.Blocked=<value> + GuardDuty-public if PublicIp is present in NetworkInterfaces + GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces
  • PortProbeAction: portProbeAction.Blocked=<value> + Resource.InstanceDetails.Tags + GuardDuty-public if PublicIp is present in NetworkInterfaces + GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces
  • DnsRequestAction: DnsRequestAction:Blocked: <value> + Resource.InstanceDetails.Tags + GuardDuty-public if PublicIp is present in NetworkInterfaces + GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces

comments
  • EbsVolumeScanDetails: Finding Arn: Arn, TriggerFindingId: Service.EbsVolumeScanDetails.TriggerFindingId, Name: Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileName.Hash.Filename, Filepath: Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FilePath, Description: Description
  • NetworkConnectionAction: Finding ARN: Arn, Finding Type: Type, Description: Description
  • PortProbeAction: Finding ARN: Arn, Finding Type: Type, Description: Description
  • DnsRequestAction: Finding ARN: Arn, Finding Type: Type, Description: Description
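As an added worked example (not the plugin's own code), the following Python applies the Severity Mapping and the pull mappings above to a constructed GuardDuty finding and returns the Cloud Exchange indicator fields. It reads the numeric ranges in the Severity Mapping as GuardDuty finding severities and the labels as the Netskope severities. The list shapes of NetworkInterfaces, Tags, PortProbeDetails, ThreatNames and FilePaths, the Key=Value rendering of instance tags, and the label form of the EBS HighestSeverityThreatDetails severity are assumptions about the finding JSON, not something the table states.

```python
"""Map AWS GuardDuty findings onto Netskope CE indicator fields.

Added worked example, not the plugin's own code. Dotted paths follow the mapping
table; the list shapes (NetworkInterfaces, Tags, PortProbeDetails, ThreatNames,
FilePaths) and the Key=Value rendering of instance tags are assumptions.
"""


def map_severity(value):
    """GuardDuty finding severity -> Netskope label, per the Severity Mapping table."""
    if isinstance(value, str):  # EBS HighestSeverityThreatDetails.Severity assumed to be a label
        label = value.capitalize()
        return label if label in ("Low", "Medium", "High", "Critical") else "Unknown"
    for upper, label in ((1.0, "Unknown"), (4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if value < upper:  # <1 Unknown, 1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High
            return label
    return "Critical"  # 9.0-10.0


def _instance(finding):
    return finding.get("Resource", {}).get("InstanceDetails", {})


def _visibility_tags(finding):
    """GuardDuty-public / GuardDuty-private from the instance's NetworkInterfaces."""
    ifaces = _instance(finding).get("NetworkInterfaces", [])
    tags = []
    if any(i.get("PublicIp") for i in ifaces):
        tags.append("GuardDuty-public")
    if any(i.get("PrivateIpAddress") for i in ifaces):
        tags.append("GuardDuty-private")
    return tags


def _instance_tags(finding):
    """Resource.InstanceDetails.Tags rendered as Key=Value (assumed rendering)."""
    return [f"{t['Key']}={t['Value']}" for t in _instance(finding).get("Tags", [])]


def _indicator(value, ioc_type, first, last, severity, tags, comments):
    return {"value": value, "type": ioc_type, "firstSeen": first, "lastSeen": last,
            "severity": map_severity(severity), "tags": tags, "comments": comments}


def finding_to_indicators(finding):
    """Return every CE indicator one finding yields; a finding may yield several."""
    svc = finding.get("Service", {})
    action = svc.get("Action", {})
    first, last = svc.get("EventFirstSeen"), svc.get("EventLastSeen")
    sev = finding.get("Severity", 0)
    comment = (f"Finding ARN: {finding.get('Arn')}, Finding Type: {finding.get('Type')}, "
               f"Description: {finding.get('Description')}")
    out = []
    if "NetworkConnectionAction" in action:
        a = action["NetworkConnectionAction"]
        tags = (_instance_tags(finding) + [f"NetworkConnectionAction.Blocked={a.get('Blocked')}"]
                + _visibility_tags(finding))
        ip = a.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            out.append(_indicator(ip, "URL", first, last, sev, tags, comment))
    if "PortProbeAction" in action:
        a = action["PortProbeAction"]
        tags = ([f"portProbeAction.Blocked={a.get('Blocked')}"] + _instance_tags(finding)
                + _visibility_tags(finding))
        for probe in a.get("PortProbeDetails", []):  # one indicator per probing source
            ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
            if ip:
                out.append(_indicator(ip, "URL", first, last, sev, tags, comment))
    if "DnsRequestAction" in action:
        a = action["DnsRequestAction"]
        tags = ([f"DnsRequestAction:Blocked: {a.get('Blocked')}"] + _instance_tags(finding)
                + _visibility_tags(finding))
        if a.get("Domain"):
            out.append(_indicator(a["Domain"], "URL", first, last, sev, tags, comment))
    ebs = svc.get("EbsVolumeScanDetails")
    if ebs:  # malware scan finding: one SHA256 indicator per detected file
        det = ebs.get("ScanDetections", {})
        ebs_sev = det.get("HighestSeverityThreatDetails", {}).get("Severity", 0)
        tags = list(ebs.get("Sources", [])) + _visibility_tags(finding)
        for threat in det.get("ThreatDetectedByName", {}).get("ThreatNames", []):
            for path in threat.get("FilePaths", []):
                ebs_comment = (f"Finding Arn: {finding.get('Arn')}, "
                               f"TriggerFindingId: {ebs.get('TriggerFindingId')}, "
                               f"Name: {path.get('FileName')}, Filepath: {path.get('FilePath')}, "
                               f"Description: {finding.get('Description')}")
                out.append(_indicator(path["Hash"], "SHA256", first, last, ebs_sev, tags, ebs_comment))
    return out


SAMPLE_NETWORK_FINDING = {  # constructed sample, not real GuardDuty output
    "Arn": "arn:aws:guardduty:REGION:ACCOUNT_ID:detector/DETECTOR_ID/finding/FINDING_ID",
    "Type": "Backdoor:EC2/C&CActivity.B", "Description": "Constructed sample.", "Severity": 8.0,
    "Resource": {"InstanceDetails": {
        "Tags": [{"Key": "env", "Value": "prod"}],
        "NetworkInterfaces": [{"PublicIp": "203.0.113.10", "PrivateIpAddress": "10.0.0.5"}]}},
    "Service": {"EventFirstSeen": "2024-01-01T00:00:00Z", "EventLastSeen": "2024-01-01T00:05:00Z",
                "Action": {"NetworkConnectionAction": {
                    "Blocked": False, "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
}
```

Running finding_to_indicators(SAMPLE_NETWORK_FINDING) yields one URL indicator for the remote IPv4 address with severity High and the tags env=prod, NetworkConnectionAction.Blocked=False, GuardDuty-public and GuardDuty-private, in the order the tags row lists them.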


Permissions

The IAM identity used by the plugin (the IAM user, or the role selected under Plugin Authentication Methods) needs the following GuardDuty permissions for the plugin workflow.

  • GetFindings
  • ListFindings
API Details
List of APIs Used

This plugin uses the AWS SDK for Python (Boto3 v1.34.44) to get findings from the AWS GuardDuty platform.
Library: The AWS SDK for Python (Boto3 v1.34.44)
Usage: The AWS SDK for Python (Boto3) is used to create, configure, and manage AWS services, such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3).

Creating a GuardDuty Client Object
import boto3
from botocore.config import Config

# Credentials come from the plugin configuration. The proxy and user agent are
# passed to the client through botocore's Config; boto3.Session() itself does
# not accept a config= argument, so it goes on .client().
guardduty_client = boto3.Session(
    aws_access_key_id=self.aws_public_key,
    aws_secret_access_key=self.aws_private_key,
    region_name=self.configuration["region_name"].strip(),
).client("guardduty", config=Config(proxies=self.proxy, user_agent=self.useragent))
List Findings
# Fetch a single finding ID, oldest update first.
findings = guardduty_client.list_findings(
    DetectorId=detection_id,
    MaxResults=1,
    SortCriteria={"AttributeName": "updatedAt", "OrderBy": "ASC"},
)
List Findings with Pagination
# Page through every finding updated at or after the stored checkpoint;
# the updatedAt criterion takes epoch milliseconds.
paginator = guardduty_client.get_paginator("list_findings")
page_iterator = paginator.paginate(
    DetectorId=self.configuration["aws_detector_id"].strip(),
    FindingCriteria={
        "Criterion": {
            "updatedAt": {
                "Gte": int(checkpoint.timestamp() * 1000),
            }
        }
    },
    SortCriteria={"AttributeName": "updatedAt", "OrderBy": "ASC"},
)
Get Findings
# Resolve a batch of finding IDs into full finding documents.
guardduty_client.get_findings(
    DetectorId=detection_id,
    FindingIds=finding_ids,
)
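The three calls above fit together into one checkpointed pull. The following is an added example, not the plugin's own code: it walks list_findings page by page from a checkpoint (updatedAt Gte in epoch milliseconds, sorted ascending), hydrates the IDs with get_findings in batches of at most 50 (the GetFindings limit on FindingIds), and advances the checkpoint to the newest UpdatedAt seen. It runs offline against StubGuardDuty, a constructed stand-in for the boto3 client that exposes the same two calls with boto3's request and response shapes; DETECTOR_ID is a placeholder. It loops on NextToken directly instead of using get_paginator so the stand-in stays small; a real boto3 "guardduty" client drops in unchanged.

```python
"""Checkpointed pull of GuardDuty findings with ListFindings + GetFindings.

Added example, not the plugin's code. Runs offline against StubGuardDuty, a
constructed stand-in exposing list_findings/get_findings with boto3's request
and response shapes; a real boto3 "guardduty" client drops in unchanged.
DETECTOR_ID is a placeholder.
"""
from datetime import datetime, timezone

GET_FINDINGS_BATCH = 50  # GetFindings accepts at most 50 FindingIds per call
DETECTOR_ID = "DETECTOR_ID_PLACEHOLDER"


def to_epoch_ms(dt):
    """The updatedAt criterion takes epoch milliseconds, as in the pagination snippet."""
    return int(dt.timestamp() * 1000)


def parse_ts(text):
    """GuardDuty timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def pull_since(client, detector_id, checkpoint, page_size=50):
    """Return (findings, new_checkpoint) for findings updated at or after checkpoint.

    Ascending order keeps the checkpoint honest if a run is interrupted. Because
    the filter is Gte, the finding sitting exactly on the checkpoint is returned
    again on the next run, so consumers should de-duplicate on finding Id.
    """
    criteria = {"Criterion": {"updatedAt": {"Gte": to_epoch_ms(checkpoint)}}}
    sort = {"AttributeName": "updatedAt", "OrderBy": "ASC"}
    ids, token = [], None
    while True:  # follow NextToken until the service stops returning one
        kwargs = dict(DetectorId=detector_id, FindingCriteria=criteria,
                      SortCriteria=sort, MaxResults=page_size)
        if token:
            kwargs["NextToken"] = token
        page = client.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        token = page.get("NextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(ids), GET_FINDINGS_BATCH):  # hydrate IDs in API-sized batches
        resp = client.get_findings(DetectorId=detector_id,
                                   FindingIds=ids[i:i + GET_FINDINGS_BATCH])
        findings.extend(resp.get("Findings", []))
    new_checkpoint = max((parse_ts(f["UpdatedAt"]) for f in findings), default=checkpoint)
    return findings, new_checkpoint


class StubGuardDuty:
    """Constructed stand-in for the boto3 guardduty client (only the two calls used)."""

    def __init__(self, findings, server_page=2):
        self._findings = sorted(findings, key=lambda f: f["UpdatedAt"])
        self._server_page = server_page  # tiny pages force the NextToken path

    def list_findings(self, DetectorId, FindingCriteria, SortCriteria, MaxResults, NextToken=None):
        gte = FindingCriteria["Criterion"]["updatedAt"]["Gte"]
        ids = [f["Id"] for f in self._findings if to_epoch_ms(parse_ts(f["UpdatedAt"])) >= gte]
        start = int(NextToken) if NextToken else 0
        page = ids[start:start + min(MaxResults, self._server_page)]
        out = {"FindingIds": page}
        if start + len(page) < len(ids):
            out["NextToken"] = str(start + len(page))
        return out

    def get_findings(self, DetectorId, FindingIds):
        if len(FindingIds) > GET_FINDINGS_BATCH:
            raise ValueError("too many FindingIds for one GetFindings call")
        return {"Findings": [f for f in self._findings if f["Id"] in FindingIds]}


# Constructed sample findings (not real GuardDuty output), one minute apart.
SAMPLE_FINDINGS = [{"Id": f"f{i}", "UpdatedAt": f"2024-01-01T00:0{i}:00.000Z"} for i in range(6)]
DEMO_CHECKPOINT = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)


def demo():
    """Pull from the sample checkpoint; returns the fetched Ids and the new checkpoint."""
    findings, new_cp = pull_since(StubGuardDuty(SAMPLE_FINDINGS), DETECTOR_ID, DEMO_CHECKPOINT)
    return [f["Id"] for f in findings], new_cp.isoformat()


if __name__ == "__main__":
    print(demo())
```

With the checkpoint at 00:02, demo() returns the four findings updated from 00:02 onward (fetched across two NextToken pages) and moves the checkpoint to 00:05, the newest UpdatedAt in the batch.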
Performance Matrix

This plugin was tested by fetching 288 findings from the AWS GuardDuty platform; fetching and storing the indicators from these findings in Netskope CE took around 15 seconds.

Stack details

Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from AWS GuardDuty

~ 1K per minute

Indicators shared to AWS GuardDuty

NA

User Agent
  • netskope-ce-5.0.0-cte-aws-guardduty-v1.1.0

Workflow

  1. Get your AWS GuardDuty credentials.
  2. Configure the AWS GuardDuty plugin.
  3. Configure sharing between Netskope and AWS GuardDuty.
  4. Validate the AWS GuardDuty Plugin.

Create a Policy for AWS GuardDuty

  1. Go to IAM Services in the AWS Console.
  2. Click Create policies.
  3. Select GuardDuty in Services.
  4. Select GetFindings and ListFindings.
  5. Click Next.
  6. Add a Policy Name.
  7. Click Create Policy.

Plugin Authentication Methods

IAM Role Anywhere Configuration

Prerequisites

The AWS Certificate Manager service must be enabled to authenticate the plugin using the AWS IAM Roles Anywhere authentication method.

Note: Make sure you create the Private Certificate Authority, Trust Anchor, and Profile in the same region in which your AWS S3 Source Bucket resides.

Create an IAM Policy

This Policy contains the required permissions for creating a Private CA Certificate (including Permissions for creating a Trust Anchor and Profile) and using IAM Roles Anywhere.

  1. Go to Policy Generator and click Add Statement to generate a policy.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Private Certificate Authority
    • Actions:
      • CreateCertificateAuthority
      • DescribeCertificateAuthority
      • GetCertificate
      • GetCertificateAuthorityCertificate
      • GetCertificateAuthorityCsr
      • ImportCertificateAuthorityCertificate
      • IssueCertificate
      • ListCertificateAuthorities
    • ARN: *
  2. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management (IAM)
    • Actions:
      • AttachRolePolicy
      • CreateAccessKey
      • CreateRole
      • DeleteRole
      • PassRole
    • ARN: *
  3. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Certificate Manager
    • Actions:
      • DescribeCertificate
      • ExportCertificate
      • GetCertificate
      • ListCertificates
      • ListTagsForCertificate
      • RequestCertificate
    • ARN: *
  4. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management Roles Anywhere
    • Actions:
      • CreateProfile
      • CreateTrustAnchor
      • GetProfile
      • GetTrustAnchor
      • ListProfiles
      • ListTrustAnchors
    • ARN: *
  5. Click Add Statement.
  6. Click Generate Policy.
  7. Copy the Policy as it is used in the next step for creating the policy required for creating the Private CA certificates.
  8. Go to the AWS Console and select IAM from All Services. Click Policies from the left panel, and click Create Policy.
  9. Copy the policy to the JSON tab, and then click on Next: Tags and Next: Review.
  10. Enter a name, like netskope-ce-rolesAnywhere-policy, and click Save Changes.
Create a Private Certificate Authority
  1. Log in to AWS Console.
  2. Search for Certificate Manager.
  3. Click AWS Private CA.
  4. Click Create a private CA.
  5. Select General-purpose for Mode Options.
  6. Select Root for CA type options.
  7. Enter the Organization (O).
  8. Select RSA 2048 for Key algorithm options.
  9. Add tags if any (optional).
  10. Enable the checkbox in the CA permissions options section.
  11. Enable the checkbox in the Pricing section.
  12. Click Create to create the CA certificate.
  13. From Actions, select Install.
  14. Click Confirm and Install.
Create a Trust Anchor
  1. Search for the IAM service, and go to Roles under Access management. Scroll down to Roles Anywhere and select Manage.
  2. Click Create a Trust anchor.
  3. Enter the Trust anchor name, like netskope-ce-trust-anchor.
  4. Select AWS Certificate Manager Private CA (created in the previous steps) as the Certificate authority (CA) source.
  5. Add tags if required.
  6. Click Create a trust anchor.
  7. Click on the created Trust Anchor and copy the Trust Anchor ARN.
Create an IAM Role
  1. Go to IAM services in the AWS Console.
  2. Click Role under Access management.
  3. Click Create Role.
  4. For the Trusted entity type, select Custom Trust Policy.
  5. Go to Policy Generator.
  6. Replace the Custom trust Policy with the below Trust Policy; this policy contains the permissions for using the roles anywhere service:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "rolesanywhere.amazonaws.com"
                    ]
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession",
                    "sts:SetSourceIdentity"
                ]
            }
        ]
    }
  7. Click Next.
  8. In the Permissions policies, select the previously created Bucket Policy.
  9. Click Next.
  10. Provide a Role name, like netskope-ce-roleAnywhere, and add a Description for the role. 
  11. Click Create role.
  12. Make a note of the Role ARN, as it is required for the plugin configuration parameter Role ARN when the authentication method is AWS IAM Roles Anywhere.
Create a Profile
  1. Select Roles under Access management.
  2. Scroll down to Roles Anywhere and click Manage.
  3. Expand the Setup steps.
  4. Click Step 2: Configure roles.
  5. Click Configure a profile.
  6. Enter a Profile name, like netskope-ce-profile.
  7. Select the role created in Create IAM Role section: netskope-ce-roleAnywhere.
  8. Remove the Inline Policy.
  9. Click Create profile.
  10. Click on the created Profile and copy the Profile ARN.
Request a Private Certificate
  1. Go to AWS Certificate Manager > Request certificate.
  2. Select Request a private certificate.
  3. Click Next.
  4. Select the Certificate authority created in the previous steps.
  5. Provide a domain name in the Fully qualified domain name field, like netskope-ce.com.
  6. Select RSA 2048 for the Key algorithm.
  7. Add tags if required.
  8. Acknowledge the Certificate renewal permissions.
  9. Click Request.
  10. Go to List certificates from the navigation pane of AWS Certificate Manager.
  11. Select the certificate created previously.
  12. Click Export.
  13. Enter the passphrase. Make a note of the passphrase as it will be required for the Configuration of the AWS S3 Plugin using the AWS IAM Roles Anywhere Authentication method.
  14. Click Generate PEM Encoding.
  15. Download all the certificates, because they won’t be visible again; for new certificates you will need to export again. For more information, see AWS IAM Roles Anywhere.

Deployed on AWS Configuration

Create a Role
  1. Go to IAM services in the AWS Console.
  2. Click Create role.
  3. Select the AWS Service.
  4. For Use case, select EC2.
  5. Click Next.
  6. Select the permission policy created in your Bucket Policy.
  7. Click Next.
  8. Enter a Role Name, like netskope-ce-instance-role, and add a Description. 
  9. Click Create Role. Note: For this configuration, both Netskope instance and S3 Bucket should be in the same region.
Assign a Role to an EC2 Instance
  1. Open your EC2 instance console.
  2. Click Instances under Instances.
  3. Go to Action > Security > Modify IAM Role.
  4. Select the Role that you created previously (like netskope-ce-instance-role).
  5. Click Update IAM Role.

Configure the AWS GuardDuty Plugin

  1. Log in to your CE instance and go to Settings > Plugins.
  2. Search for and select the AWS GuardDuty plugin box to configure the plugin.
  3. Enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter these values:
    • Authentication Method: Select the method to be used for authentication (Deployed on AWS/AWS IAM Roles Anywhere)
    • Private Key: Private Key for decrypting the AWS Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Certificate Body: Certificate Body for AWS Public/Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Password Phrase: Password Phrase for decrypting the CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Profile ARN: AWS Profile ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Role ARN: AWS Role ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Trust Anchor ARN: AWS Trust Anchor ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Region Name: Region in which GuardDuty service is running. Make sure that the region name matches the region in the Profile ARN and Trust Anchor ARN.
    • Detector ID: The Unique ID of the detector.
    • Initial Range (in days): Number of days to pull the data for the initial run.
  6. Click Save.

Add a Business Rule for AWS GuardDuty

To share indicators fetched from AWS GuardDuty to Netskope, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:

  1. Go to Threat Exchange > Business Rule and click Create New Rule.
  2. Add the filter according to your requirement in the rule.

Configure Sharing for Netskope and AWS GuardDuty

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select AWS GuardDuty.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional: data obtained from one plugin is shared with another plugin.
  4. Select a Target. Each plugin will have a different target or destination for the IoC.
  5. For Add a File Hash List, enter a List Name, List Size, and Default File Hash. The List Name needs to exist in your Netskope UI at Settings > Policies > Profiles. For information about creating a File Profile for hashes, refer to Adding a File Profile.
  6. Click Save.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.

Note

Plugins that do not have an API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the AWS GuardDuty Plugin

Validate the Pull

Pulled data will be listed on the Threat IoCs page. You can filter the IoCs pulled from the platform using the Filter: sources.source Like “<plugin name>”. You can filter the logs from CE as well with the plugin name.

On the AWS GuardDuty platform the Indicators are pulled from GuardDuty > Findings.

Validate the Push

To validate the push in Cloud Exchange, go to Threat Exchange > Logging and filter shared logs for Netskope.

To verify from the Netskope Tenant:

  1. Log in to your Netskope Tenant.
  2. Click Policies.
  3. Click File (for SHA256).
  4. Enter the File name that you used while configuring Sharing.
  5. For URLs (IPv4 and Domain):
  6. Click Web > URL Lists.
  7. Click the URL List that was used while configuring the sharing.

Troubleshooting

If you face issues while configuring the plugin with the Deployed on AWS authentication method:

Check the IAM Role attached to your EC2 machine.
