Validate the AWS GuardDuty Plugin
Validation from netskope CE platform
Open Threat Exchange Module.
Go to Threat IOCs.
 |
You’ll be able to see the page similar to what is shown below.
 |
Now create a filter for GuardDuty.
Select “Source”.
 |
Select “Is equal”.
 |
Enter “GuardDuty” as string in the text box.
 |
Click on the “Apply Filter” button.
 |
Now the only IOCs shown will be those sourced from GuardDuty.
 |
Click the down carrot (“v”) button to explore matching IOC.
 |
Now you’ll see all the mapped fields that apply to each IOC, including tags that match to categories from GuardDuty, including the original source (in this example, from BitDefender and from Private).
The comments field will include other data from GuardDuty associated with each filehash. Any or all of these can be used to create a filter for a business rule. For example, you could match on “Comments” contains “any in” “eicar” and NOT share those IOC use for testing.
 |
Validation from GuardDuty Console
Validate No of Findings
Open the GuardDuty Console. You’ll see a screen similar to that shown below.
 |
See the number of findings (“Showing 113 of 113”).
 |
These findings should be able to match with the number of findings CE is retrieving.
Note: It may vary depending on initial sync. For that you can use filter.