AWS GuardDuty Plugin for Threat Exchange

AWS GuardDuty Plugin for Threat Exchange

This document explains how to configure the AWS GuardDuty integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches URLs (IPv4 and Domain) and Hash (SHA256) from the AWS GuardDuty platform. This plugin does not support pushing indicators to AWS GuardDuty.


To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Threat prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Access to your AWS Access Key ID (Public Key), AWS Secret Access Key (Private Key), AWS Session Token (Optional, only for temporary user), Region Name, and Detector ID (Unique Detector ID).
AWS GuardDuty Plugin Support
Fetched indicator typesURLs (IPv4 and Domain), SHA256
Shared indicator typesNone
Severity Mapping
Netskope Severity AWS GuardDuty Severity
<1 Unknown
1.0 – 3.9 Low
4.0 – 6.9 Medium
7.0 – 8.9 High
9.0 – 10.0 Critical
Mappings for Pull (Netskope field – AWS GuardDuty fields)
Netskope Cloud Exchange indicator Field AWS GuardDuty Field

EbsVolumeScanDetails Mapping

NetworkConnectionAction Mapping


PortProbeAction Mapping


DnsRequestAction Mapping



EbsVolumeScanDetails Mapping

NetworkConnectionAction Mapping

PortProbeAction Mapping


DnsRequestAction Mapping



EbsVolumeScanDetails Mapping

NetworkConnectionAction Mapping


PortProbeAction Mapping


DnsRequestAction Mapping



EbsVolumeScanDetails Mapping

NetworkConnectionAction Mapping

PortProbeAction Mapping


DnsRequestAction Mapping



EbsVolumeScanDetails Mapping

NetworkConnectionAction Mapping


PortProbeAction Mapping


DnsRequestAction Mapping



EbsVolumeScanDetails Mapping
Service.EbsVolumeScanDetails.Sources }}+ {{GuardDuty-public if PublicIp is present in NetworkInterfaces +

GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces

NetworkConnectionAction Mapping
Resource.InstanceDetails.Tags +



GuardDuty-public if PublicIp is present in NetworkInterfaces +

GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces

PortProbeAction Mapping
portProbeAction.Blocked= <value> + Resource.InstanceDetails.Tags + GuardDuty-public if PublicIp is present in NetworkInterfaces + GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces

DnsRequestAction Mapping
DnsRequestAction:Blocked: <value> +Resource.InstanceDetails.Tags +GuardDuty-public if PublicIp is present in NetworkInterfaces +GuardDuty-private if PrivateIpAddress is present in NetworkInterfaces


EbsVolumeScanDetails Mapping
Finding Arn: Arn,TriggerFindingId:Service.EbsVolumeScanDetails.TriggerFindingId,Name:Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.FilePaths.FileName.Hash.Filename 


NetworkConnectionAction Mapping
Finding ARN: Arn, Finding Type: Type, Description: Description

PortProbeAction Mapping
Finding ARN: Arn, Finding Type: Type, Description: Description

DnsRequestAction Mapping
Finding ARN: Arn, Finding Type: Type, Description: Description,



Below are the permissions needed to be attached to the IAM user for the plugin workflow.

  • GetFindings
  • ListFindings
API Details
List of APIs Used

This plugin uses python (Boto3 v1.34.44) library to get findings from the AWS GuardDuty platform.
Library: The AWS SDK for python (Boto3 v1.34.44)
Usage: The AWS SDK for python (Boto3) to create, configure, and manage AWS services,
such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service

Creating a GuardDuty Client Object
guardduty_client = boto3.Session(
    config=Config(proxies=self.proxy, user_agent=self.useragent),
List Findings
findings = guardduty_client.list_findings(
     SortCriteria={"AttributeName": "updatedAt", "OrderBy": "ASC"},
List Findings with Pagination
paginator = guardduty_client.get_paginator("list_findings")
    page_iterator = paginator.paginate(
        "Criterion": {
          "updatedAt": {
            "Gte": int(checkpoint.timestamp() * 1000),
       SortCriteria={"AttributeName": "updatedAt", "OrderBy": "ASC"},
Get Findings
Performance Matrix

This plugin has been tested by fetching 288 findings from AWS GuardDuty Platform it takes around 15 seconds to fetch and store indicators from these findings in Netskope CE

Stack details

Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from AWS GuardDuty

~ 1K per minute

Indicators shared to AWS GuardDuty


User Agent
  • netskope-ce-5.0.0-cte-aws-guardduty-v1.1.0


  1. Get your AWS GuardDuty credentials.
  2. Configure the AWS GuardDuty plugin.
  3. Configure sharing between Netskope and AWS GuardDuty.
  4. Validate the AWS GuardDuty Plugin.

Click play to watch a video.


Create a Policy for AWS GuardDuty

  1. Go to IAM Services in the AWS Console.
  2. Click Create policies.
  3. Select GuardDuty in Services.
    A screenshot of a computer

Description automatically generated
  4. Select GetFindings and ListFindings.
  5. Click Next.
  6. Add a Policy Name.
    A screenshot of a computer

Description automatically generated
  7. Click Create Policy.
    A screenshot of a computer

Description automatically generated

Plugin Authentication Methods

IAM Role Anywhere Configuration


The AWS Certificate Manager service is required to be enabled to authenticate the plugin using the AWS IAM Roles Anywhere Authentication Method.

Note: Make sure you create the Private Certificate Authority, Trust Anchor, and Profile in the same region in which your AWS S3 Source Bucket resides.

Create an IAM Policy

This Policy contains the required permissions for creating a Private CA Certificate (including Permissions for creating a Trust Anchor and Profile) and using IAM Roles Anywhere.

  1. Go to Policy Generator and click Add Statement to generate a policy.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Private Certificate Authority
    • Actions:
      • CreateCertificateAuthority
      • DescribeCertificateAuthority
      • GetCertificate
      • GetCertificateAuthorityCertificate
      • GetCertificateAuthorityCsr
      • ImportCertificateAuthorityCertificate
      • IssueCertificate
      • ListCertificateAuthorities
    • ARN: *
  2. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management (IAM)
    • Actions:
      • AttachRolePolicy
      • CreateAccessKey
      • CreateRole
      • DeleteRole
      • PassRole
    • ARN: *
  3. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Certificate Manager
    • Actions:
      • DescribeCertificate
      • ExportCertificate
      • GetCertificate
      • ListCertificates
      • ListTagsForCertificate
      • RequestCertificate
    • ARN: *
  4. Click Add Statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management Roles Anywhere
    • Actions:
      • CreateProfile
      • CreateTrustAnchor
      • GetProfile
      • GetTrustAnchor
      • ListProfiles
      • ListTrustAnchors
    • ARN: *
  5. Click Add Statement.
  6. Click Generate Policy.
  7. Copy the Policy as it is used in the next step for creating the policy required for creating the Private CA certificates.
  8. Go to the AWS Console and select IAM from All Services. Click Policies from the left panel, and click Create Policy.
  9. Copy the policy to the JSON tab, and then click on Next: Tags and Next: Review.
  10. Enter a name, like netskope-ce-rolesAnywhere-policy, and click Save Changes.
Create a Private Certificate Authority
  1. Log in to AWS Console.
  2. Search for Certificate Manager.
  3. Click AWS Private CA.
  4. Click Create a private CA.
  5. Select General-purpose for Mode Options.
  6. Select Root for CA type options.
  7. Enter the Organization (O).
  8. Select RSA 2048 for Key algorithm options.
  9. Add tags if any (optional).
  10. Enable the checkbox in the CA permissions options section.
  11. Enable the checkbox in the Pricing section.
  12. Click Create to create the CA certificate.
  13. From Actions, select Install.
  14. Click Confirm and Install.
Create a Trust Anchor
  1. Search for the IAM service, and go to Roles under Access management. Scroll down to Roles Anywhere and select Manage.
  2. Click Create a Trust anchor.
  3. Enter the Trust anchor name, like netskope-ce-trust-anchor.
  4. Select AWS Certificate Manager Private CA (created in the previous steps) as a Certificate authority (CA) source
  5. Add tags if required.
  6. Click Create a trust anchor.
  7. Click on the created Trust Anchor and copy the Trust Anchor ARN.
Create an IAM Role
  1. Go to IAM services in the AWS Console.
  2. Click Role under Access management.
  3. Click Create Role.
  4. For the Trusted entity type, select Custom Trust Policy.
  5. Go to Policy Generator.
  6. Replace the Custom trust Policy with the below Trust Policy; this policy contains the permissions for using the roles anywhere service:
        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                "Action": [
  7. Click Next.
  8. In the Permissions policies, select the previously created Bucket Policy.
  9. Click Next.
  10. Provide a Role name, like netskope-ce-roleAnywhere, and add a Description for the role. 
  11. Click Create role.
  12. Make a note of the Role ARN as this will be required in the Plugin configuration parameter: Role ARN for the authentication method  AWS IAM Roles Anywhere.
Create a Profile
  1. Select Roles under Access management.
  2. Scroll down to Roles Anywhere and click Manage.
  3. Expand the Setup steps.
  4. Click Step 2: Configure roles.
  5. Click Configure a profile.
  6. Enter a Profile name, like netskope-ce-profile.
  7. Select the role created in Create IAM Role section: netskope-ce-roleAnywhere.
  8. Remove the Inline Policy.
  9. Click Create profile.
  10. Click on the created Profile and copy the Profile ARN.
Request a Private Certificate
  1. Go to AWS Certificate Manager > Request certificate.
  2. Select Request a private certificate.
  3. Click Next.
  4. Select the Certificate authority created in the previous steps.
  5. Provide a domain name in the Fully qualified domain name field, like
  6. Select RSA 2048 for the Key algorithm.
  7. Add tags if required.
  8. Acknowledge the Certificate renewal permissions.
  9. Click Request.
  10. Go to List certificates from the navigation pane of AWS Certificate Manager.
  11. Select the certificate created previously.
  12. Click Export.
  13. Enter the passphrase. Make a note of the passphrase as it will be required for the Configuration of the AWS S3 Plugin using the AWS IAM Roles Anywhere Authentication method.
  14. Click Generate PEM Encoding.
  15. Download all the Certificates because they won’t be visible again. For new certificates, you will need to Export it again. For More Info visit AWS IAM Role Anywhere

Deployed on AWS Configuration

Create a Role
  1. Go to IAM services in the AWS Console.
  2. Click Create role.
  3. Select the AWS Service.
  4. For Use case, select EC2.
  5. Click Next.
  6. Select the permission policy created in your Bucket Policy.
  7. Click Next.
  8. Enter a Role Name, like netskope-ce-instance-role, and add a Description. 
  9. Click Create Role. Note: For this configuration, both Netskope instance and S3 Bucket should be in the same region.
Assign a Role to an EC2 Instance
  1. Open your EC2 instance console.
  2. Click Instances under Instances.
  3. Go to Action > Security > Modify IAM Role.
  4. Select the Role that you created previously (like netskope-ce-instance-role).
  5. Click Update IAM Role.

Configure the AWS GuardDuty Plugin

  1. Log in to your CE instance and go to Settings > Plugins.
  2. Search for and select the AWS GuardDuty plugin box to configure the plugin.
  3. Enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter these values:
    • Authentication Method: Select the method to be used for authentication (Deployed on AWS/AWS IAM Roles Anywhere)
    • Private Key: Private Key for decrypting the AWS Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Certificate Body: Certificate Body for AWS Public/Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Password Phrase: Password Phrase for decrypting the CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Profile ARN: AWS Profile ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Role ARN: AWS Role ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Trust Anchor ARN: AWS Trust Anchor ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Region Name: Region in which GuardDuty service is running. Make sure that the region name matches the region in the Profile ARN and Trust Anchor ARN.
    • Detector ID: The Unique ID of the detector.
    • Initial Range (in days): Number of days to pull the data for the initial run.
  6. Click Save.

Add a Business Rule for AWS GuardDuty

To share indicators fetched from the AWS GuardDuty to the Netskope CE you will need to have a business rule that will filter out the indicators that you want to share. To configure a business rule follow the below steps:

  1. Go to Threat Exchange > Business Rule and click Create New Rule.
  2. Add the filter according to your requirement in the rule.

Configure Sharing for Netskope and AWS GuardDuty

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select AWS GuardDuty.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. data obtained from one plugin is shared with another plugin.
  4. Select a Target. Each plugin will have a different target or destination for the IoC.
  5. For Add a File Hash List, enter a List Name, List Size, and Default File Hash. The List Name needs to exist in your Netskope UI at Settings > Policies > Profiles. For information about creating a File Profile for hashes, refer to Adding a File Profile
  6. Click Save.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.


Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table will show the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoC, and the target applicable to that rule. Multiple Sharing configurations can be made to support mapping certain IoC to multiple targets even on the system destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the AWS Guardduty Plugin

Validate the Pull

Pulled data will be listed on the Threat IoCs page. You can filter the IoCs pulled from the platform using the Filter: sources.source Like “<plugin name>”. You can filter the logs from CE as well with the plugin name.

On the AWS GuardDuty platform the Indicators are pulled from GuardDuty > Findings.

Validate the Push

To validate the push in Cloud Exchange, go to Threat Exchange > Logging and filter shared logs for Netskope.

To verify from the Netskope Tenant:

  1. Log in to your Netskope Tenant.
  2. Click Policies.
  3. Click File (for Sha256).
  4. Enter the File name that you used while configuring Sharing.
  5. For URLs: (IPv4 and Domain).
  6. Click Web > URL Lists.
  7. Click on the URL List which was used while configuring the sharing


If you face issue while configuring the plugin with Deployed on AWS

Check the IAM Role attached to your EC2 Machine.

Share this Doc

AWS GuardDuty Plugin for Threat Exchange

Or copy link

In this topic ...