1. Expel Support Center
  2. Connect your technology
  3. Cloud integrations

AWS GuardDuty setup for Workbench

  • Updated

This article describes connecting AWS GuardDuty to Workbench.

In this article

Before you start

Note

You need an AWS account with permissions to create and change IAM roles.

  1. We have an onboarding wizard that uses Cloudformation templates to perform all of the following steps in Workbench.

  2. If you prefer not to use the wizard, click Connect Manually to access the manual form and follow the instructions below.

  3. If you are using an AWS GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only 1 device needs to be added to the Expel Workbench using the Delegated Admin account's primary region. If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add 1 device in Workbench per account.

About console permissions in your devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from 1 device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench.

Without minimum permissions to your devices, the SOC analysts are limited in their insight into your technology. This can mean they surface more benign alerts to your team for further investigation, resulting in increasing the workload for your team, and resulting in alert fatigue.

If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.

Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.

Step 1: Create an AWS IAM policy

In this step, we create a permissions policy to assign to the IAM Role.

  1. Log into the AWS console and navigate to the IAM service.

  2. Go to Policies and click Create Policy.

  3. Add the following permissions using the JSON tab.

    {
   "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetFindings",
                "guardduty:ListDetectors",
                "ec2:DescribeRegions",
                "guardduty:ListFindings",
                "guardduty:GetDetector"
            ],
             "Resource": "*"
        }      
    ]
}

  4. Review and name the policy.

Step 2: Create an IAM role

Create an IAM role to connect to your AWS GuardDuty Service.

  1. From within the IAM service, navigate to Roles and click Create Role.

  2. Select Another AWS account and fill out the required fields.

    • Account ID: 012205512454 (the ExpelAWS account ID).

    • External ID: Provided to you by Expel.

  3. Attach the IAM policy from Step 1 to the Role.

  4. Give the Role a name and click Create Role.

  5. Navigate to the role you just created and copy the following information for onboarding in Workbench.

    • Role ARN.

    • External ID Value on the Trust relationships tab.

Step 3: Onboard AWS GuardDuty in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.

  2. The Add Security Device page for AWS GuardDuty appears. Use the wizard or click Connect Manually to add your AWS GuardDuty installation to Workbench manually.

    mceclip1.png

  3. Complete the following information:

    • For Name type the host name of the AWS GuardDuty device.

    • For Location type the geographic location of the appliance.

    • Role ARN: type the Role ARN from Step 2.

    • Role session name: Use a unique name to identify the role.

    • External ID: type the External ID from Step 2 if it's not automatically populated for you.

    • Region: type region of Primary AWS GuardDuty account. For example us-east-1

  4. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 1 found this helpful

Related articles