This article describes connecting Amazon GuardDuty to Workbench using the manual setup process. If you would like to use our wizard to assist in the creation of your stack, you can do so in Step 3.
Before You Start
You need an AWS account with permissions to create and change IAM roles.
- We have an onboarding wizard that uses CloudFormation templates to perform all of the following steps in Workbench.
- If you prefer not to use the wizard, click Connect Manually to access the manual form, and follow the instructions below.
- If you are using an Amazon GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only one device needs to be added to the Expel Workbench using the Delegated Admin account's primary region.
- If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add one device in Workbench per account.
About Console Permissions in Your Devices
As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from one device technology to another, but we typically need at least Read access to your devices to pull any logs from those devices into Workbench.
Without minimum permissions to your devices, the SOC analysts are limited in their insight into your technology. This can mean they surface more benign alerts to your team for further investigation, which increases your team's workload and leads to alert fatigue.
If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.
Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.
Step 1: Create an AWS IAM Policy
In this step, we create a permissions policy to assign to the IAM Role.
- Log into the AWS console and navigate to the IAM service.
- Go to Policies and click Create Policy.
- Add the following permissions using the JSON tab.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "guardduty:GetFindings",
          "guardduty:ListDetectors",
          "ec2:DescribeRegions",
          "guardduty:ListFindings",
          "guardduty:GetDetector"
        ],
        "Resource": "*"
      }
    ]
  }

- Review and name the policy.
Step 2: Create an IAM Role
Create an IAM role to connect to your Amazon GuardDuty Service.
- From within the IAM service, navigate to Roles, and click Create Role.
- Select Another AWS account and fill out the required fields.
  - Account ID: 012205512454 (the Expel AWS account ID).
  - External ID: Provided to you by Expel.
- Attach the IAM policy from Step 1 to the Role.
- Give the Role a name and select Create Role.
- Navigate to the role you just created and copy the following information for onboarding in Workbench.
  - Role ARN.
  - External ID value on the Trust relationships tab.
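The two IAM documents behind Steps 1 and 2 are the permissions policy (what the role may call) and the trust relationship (who may assume the role, and only when presenting the External ID). The following script is an added example, not Expel's tooling or code from this article: it builds both documents from the values on this page (the Expel account ID 012205512454 and the five read-only actions) and checks an existing policy pair against them, flagging wildcard grants, a missing action, an unexpected principal, or a trust policy that does not require the External ID. The External ID string in it is a constructed placeholder; use the value Expel provides.

```python
"""Build and sanity-check the IAM permissions policy (Step 1) and the
cross-account trust relationship (Step 2) for the GuardDuty role.

Added example, not Expel's own tooling. The External ID below is a
constructed placeholder: replace it with the value Expel gives you.
"""
import json

EXPEL_ACCOUNT_ID = "012205512454"  # Expel AWS account ID from the article
EXTERNAL_ID_PLACEHOLDER = "replace-with-external-id-from-expel"  # constructed placeholder

# Read-only actions Workbench needs (Step 1 of the article).
REQUIRED_ACTIONS = {
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "guardduty:GetDetector",
    "guardduty:ListFindings",
    "ec2:DescribeRegions",
}


def permissions_policy() -> dict:
    """The Step 1 permissions policy as a Python dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def trust_policy(external_id: str, trusted_account: str = EXPEL_ACCOUNT_ID) -> dict:
    """Trust relationship the console creates for "Another AWS account" with an
    External ID: only the trusted account may call sts:AssumeRole, and only when
    it presents the agreed sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy: dict) -> list:
    """Return a list of problems: wildcard actions (over-grant) or required
    actions that are not explicitly allowed. Wildcards are flagged, not expanded."""
    problems = []
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                problems.append(f"wildcard action {action!r} grants more than Workbench needs")
            allowed.add(action)
    for action in sorted(REQUIRED_ACTIONS - allowed):
        problems.append(f"missing required action {action}")
    return problems


def check_trust_policy(policy: dict, expected_external_id: str,
                       trusted_account: str = EXPEL_ACCOUNT_ID) -> list:
    """Return a list of problems with the trust relationship: no AssumeRole
    statement, a principal other than the trusted account, or a statement that
    does not require the expected External ID."""
    problems = []
    found = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        found = True
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*" or trusted_account not in p:
                problems.append(f"unexpected principal {p!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != expected_external_id:
            problems.append("sts:AssumeRole is not restricted by the expected sts:ExternalId")
    if not found:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


if __name__ == "__main__":
    # Print both documents ready to paste into the IAM console.
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(trust_policy(EXTERNAL_ID_PLACEHOLDER), indent=2))
    print("permissions policy problems:", check_permissions_policy(permissions_policy()))
    print("trust policy problems:", check_trust_policy(trust_policy(EXTERNAL_ID_PLACEHOLDER), EXTERNAL_ID_PLACEHOLDER))
```

Run it to emit both documents, or feed an exported policy pair (for example, the output of `aws iam get-role` and `aws iam get-policy-version`) to the two check functions before you copy the Role ARN and External ID into Workbench; an empty problem list means the role grants exactly the listed read actions and cannot be assumed without the External ID.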
Step 3: Onboard Amazon GuardDuty in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.
- The Add Security Device page for Amazon GuardDuty appears. Do one of the following:
  - Select Connect Manually >> to add your Amazon GuardDuty installation to Workbench, then continue with these instructions.
  - Use the wizard to create your stack, and follow all instructions presented.
- Complete the following information:
  - Name - enter the host name of the Amazon GuardDuty device.
  - Location - enter the geographic location of the appliance.
  - Role ARN - enter the Role ARN from Step 2.
  - Role session name - enter a unique name to identify the role.
  - External ID - enter the External ID from Step 2 if it's not automatically populated for you.
  - Region - enter the region of the primary Amazon GuardDuty account. For example, us-east-1.
- Click Save.
You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.
To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Note
This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.