This article describes connecting AWS GuardDuty to Workbench.

Note

You need an AWS account with permissions to create and change IAM roles.

  1. We have an onboarding wizard that uses CloudFormation templates to perform all of the following steps from Workbench.

  2. If you prefer not to use the wizard, click Connect Manually to access the manual form and follow the instructions below.

  3. If you are using an AWS GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only 1 device needs to be added to the Expel Workbench using the Delegated Admin account's primary region. If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add 1 device in Workbench per account.

Step 1: Create an AWS IAM policy

In this step, we create a permissions policy to assign to the IAM Role.

  1. Log into the AWS console and navigate to the IAM service.

  2. Go to Policies and click Create Policy.

  3. Add the following permissions using the JSON tab. All five actions are read-only (Get, List and Describe calls); the policy grants no ability to change GuardDuty or EC2 settings.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetFindings",
                    "guardduty:ListDetectors",
                    "ec2:DescribeRegions",
                    "guardduty:ListFindings",
                    "guardduty:GetDetector"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Review and name the policy.

Step 2: Create an IAM role

Create an IAM role to connect to your AWS GuardDuty Service.

  1. From within the IAM service, navigate to Roles and click Create Role.

  2. Select Another AWS account, tick Require external ID, and fill out the required fields.

    • Account ID: 012205512454 (Expel's AWS account ID).

    • External ID: the value provided to you by Expel. The external ID is what stops any other customer of the same Expel account from assuming your role (the confused-deputy problem), so do not leave it blank.

  3. Attach the IAM policy from Step 1 to the Role.

  4. Give the Role a name and click Create Role.

  5. Navigate to the role you just created and copy the following information for onboarding in Workbench.

    • Role ARN.

    • External ID value (shown on the Trust relationships tab).
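The two console procedures above produce two JSON documents: the permissions policy from Step 1 and the trust policy that the Another AWS account / Require external ID choices in Step 2 generate. The script below is an added example (not Expel's code or tooling) that builds both and audits them for the two mistakes a reviewer should reject: a trust policy that lacks the sts:ExternalId condition or trusts a principal other than Expel's account, and a permissions policy that contains anything beyond read calls. The account ID is the one given in Step 2; the external ID is a constructed placeholder that must be replaced with the value Expel provides.

```python
"""Build and audit the IAM documents from Steps 1 and 2.

Added example, not Expel's own code or tooling. The account ID is the one
the article gives; the external ID below is a constructed placeholder and
must be replaced with the value Expel provides.
"""
import json

EXPEL_ACCOUNT_ID = "012205512454"  # from Step 2 of the article
EXAMPLE_EXTERNAL_ID = "replace-with-the-external-id-expel-gave-you"  # placeholder

# The five read-only actions from Step 1.
GUARDDUTY_READ_ACTIONS = [
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "ec2:DescribeRegions",
    "guardduty:ListFindings",
    "guardduty:GetDetector",
]


def permissions_policy():
    """The Step 1 policy: read GuardDuty findings and detectors in every region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ExpelGuardDutyReadOnly",
            "Effect": "Allow",
            "Action": list(GUARDDUTY_READ_ACTIONS),
            "Resource": "*",
        }],
    }


def trust_policy(trusted_account, external_id):
    """What the Step 2 console choices produce: only the trusted account may
    call sts:AssumeRole, and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a single string wherever it allows a list; normalise."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy, trusted_account, external_id):
    """Return reviewer findings for a cross-account trust policy (empty = OK):
    a principal other than the expected account, or a missing or wrong
    sts:ExternalId condition (the confused-deputy protection)."""
    expected = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue  # not an AssumeRole grant
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*":
                problems.append("wildcard principal: any AWS account could attempt AssumeRole")
            elif p not in expected:
                problems.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            problems.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in _as_list(cond):
            problems.append("sts:ExternalId does not match the value Expel provided")
    return problems


def audit_permissions_policy(policy):
    """Return every allowed action that is not a Get/List/Describe call."""
    non_read = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _, _, name = action.partition(":")
            if not name.startswith(("Get", "List", "Describe")):
                non_read.append(action)
    return non_read


if __name__ == "__main__":
    trust = trust_policy(EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(trust, indent=2))
    print("trust findings:", audit_trust_policy(trust, EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
    print("non-read actions:", audit_permissions_policy(permissions_policy()))
```

Paste the trust policy shown on the role's Trust relationships tab into audit_trust_policy before handing the Role ARN to Workbench; a principal of "*" is flagged even when an external ID condition is present, because the external ID is a shared secret between you and Expel, not a substitute for restricting the principal.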

Step 3: Onboard AWS GuardDuty in Workbench

Note

Expel stores the login information our SOC analysts need for your devices in a password manager protected by MFA, and access to that information is governed by our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.

  2. The Add Security Device page for AWS GuardDuty appears. Use the wizard or click Connect Manually to add your AWS GuardDuty installation to Workbench manually.

  3. Complete the following information:

    • For Name, type a name for this AWS GuardDuty integration. GuardDuty is a managed service with no host of its own, so this is only the label Workbench shows for the device.

    • For Location, type the geographic location to associate with the device.

    • Role ARN: type the Role ARN from Step 2.

    • Role session name: Use a unique name to identify the role session. It appears in the assumed-role ARN in your CloudTrail logs, so choose something that identifies Expel Workbench.

    • External ID: type the External ID from Step 2 if it's not automatically populated for you.

    • Region: type the primary region of the AWS GuardDuty account (the Delegated Admin account's primary region if you are using one), for example us-east-1.
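Before submitting the form, you can confirm that the Role ARN, role session name, External ID and Region work together by assuming the role the same way Workbench will and reading the GuardDuty detector in that region. The script below is an added example, not Expel's tooling: the offline validation catches malformed values, and the live check needs boto3 plus AWS credentials for an identity that is permitted to assume the role. The role ARN, external ID and region in the usage block are constructed placeholders.

```python
"""Check the Step 3 inputs before submitting the form: validate them offline,
then assume the role as Workbench does (Role ARN + role session name +
External ID) and read the GuardDuty detectors in the chosen region.

Added example, not Expel's code. The live check needs boto3 and credentials
for an identity allowed to assume the role; the values used under
__main__ are constructed placeholders.
"""
import re
import sys

try:
    import boto3
except ImportError:  # only the live check needs boto3; validation runs without it
    boto3 = None

ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/([\w+=,.@/-]+)$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")  # e.g. us-east-1, us-gov-west-1


def parse_role_arn(role_arn):
    """Return (account_id, role_name), or raise ValueError for a malformed ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return match.group(1), match.group(2)


def validate_onboarding_fields(role_arn, session_name, external_id, region):
    """Offline checks on the four Workbench fields; returns a list of errors.
    Length and character rules are STS's own limits for AssumeRole."""
    errors = []
    try:
        parse_role_arn(role_arn)
    except ValueError as exc:
        errors.append(str(exc))
    if not re.fullmatch(r"[\w+=,.@-]{2,64}", session_name):
        errors.append("role session name must be 2-64 characters of [A-Za-z0-9_+=,.@-]")
    if not re.fullmatch(r"[\w+=,.@:/-]{2,1224}", external_id):
        errors.append("external ID must be 2-1224 characters of [A-Za-z0-9_+=,.@:/-]")
    if not REGION_RE.fullmatch(region):
        errors.append(f"region does not look like an AWS region code: {region}")
    return errors


def check_guardduty_access(role_arn, session_name, external_id, region):
    """Assume the role exactly as Workbench does, then read the detectors in
    the primary region. Returns {detector_id: status}; an empty dict means
    GuardDuty has no detector in that region."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live check: pip install boto3")
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, ExternalId=external_id,
    )["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    gd = session.client("guardduty", region_name=region)
    return {d: gd.get_detector(DetectorId=d)["Status"] for d in gd.list_detectors()["DetectorIds"]}


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_role.py ROLE_ARN SESSION_NAME EXTERNAL_ID REGION")
    # e.g. arn:aws:iam::123456789012:role/ExpelGuardDutyReader expel-workbench <external id> us-east-1
    args = sys.argv[1:5]
    problems = validate_onboarding_fields(*args)
    if problems:
        sys.exit("\n".join(problems))
    for detector_id, status in check_guardduty_access(*args).items():
        print(f"detector {detector_id}: {status}")
```

An AccessDenied from assume_role with otherwise correct values usually means the External ID in the trust policy does not match the one entered, or the caller is not in the account the trust policy names; an empty result from the live check means the role works but GuardDuty is not enabled in that region, which Workbench would report as a device with no findings.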

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!