Configure AWS GuardDuty

Qualys Cloud Detection and Response now supports AWS GuardDuty findings.

CDR's GuardDuty support can push alerts related to key AWS services, such as:

  1. IAM Users
  2. EC2 Instances
  3. S3 Buckets
  4. Lambda Functions

Prerequisites

  1. Set up a TotalCloud AWS Connector for the resources whose GuardDuty threats you want to view in the TotalCloud Inventory. Click here to learn how to set up a TotalCloud AWS connector.
  2. Generate a Subscription Token to use when configuring the CFT stack.
  3. Enable GuardDuty in your AWS environment.

Generate a Subscription Token

A subscription token is required to authenticate yourself when running the CFT stack for the GuardDuty configuration. Follow the steps below to generate it.

Run the following command to generate the AuthToken

curl --location --request POST 'https://<API Gateway URL>/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'

Run the following command to generate the SubscriptionToken

curl --location --request POST 'https://<API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}'

Store the generated SubscriptionToken for later.
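The two calls above chained in a small script, added here as an example and not Qualys-provided code. It reads the Qualys credentials from environment variables instead of placing the password on the command line, and it assumes (the page does not show the responses) that the auth endpoint returns JSON with a `token` field and the subscription endpoint a `subscriptionToken` field; the `FakeGateway` transport is constructed so the flow can be exercised offline.

```python
"""Chain the Qualys CDR AuthToken and SubscriptionToken calls (example, not Qualys code)."""
import json
import os
import urllib.parse
import urllib.request


def _http_post(url, body, headers):
    """Default transport: POST raw bytes and return the decoded response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def get_auth_token(gateway_url, username, password, post=_http_post):
    """Step 1: form-encoded POST to /auth with token=true; 'token' response field is an assumption."""
    body = urllib.parse.urlencode({"username": username, "password": password, "token": "true"}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    reply = json.loads(post(f"{gateway_url.rstrip('/')}/auth", body, headers))
    return reply["token"]


def get_subscription_token(gateway_url, auth_token, expiry=500000, post=_http_post):
    """Step 2: JSON POST to /qas/subscription-token with the bearer AuthToken; 'subscriptionToken' is an assumption."""
    body = json.dumps({"expiry": expiry}).encode()
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {auth_token}"}
    reply = json.loads(post(f"{gateway_url.rstrip('/')}/qas/subscription-token", body, headers))
    return reply["subscriptionToken"]


def fetch_subscription_token(gateway_url, post=_http_post):
    """Run both steps; credentials come from QUALYS_USERNAME / QUALYS_PASSWORD, not argv."""
    auth = get_auth_token(gateway_url, os.environ["QUALYS_USERNAME"], os.environ["QUALYS_PASSWORD"], post)
    return get_subscription_token(gateway_url, auth, post=post)


class FakeGateway:
    """Constructed offline stand-in for the API Gateway; records every request it receives."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, body, headers):
        self.calls.append((url, body, headers))
        if url.endswith("/auth"):
            return json.dumps({"token": "AUTH-TOKEN-EXAMPLE"})
        return json.dumps({"subscriptionToken": "SUB-TOKEN-EXAMPLE"})


if __name__ == "__main__":
    os.environ.setdefault("QUALYS_USERNAME", "example-user")
    os.environ.setdefault("QUALYS_PASSWORD", "example-password")
    print(fetch_subscription_token("https://gateway.example.invalid", FakeGateway()))
```

Drop the `post=` argument to use the real transport against your POD's API Gateway URL.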

Configure the CloudFormation Stack

Let's begin with the GuardDuty setup for CDR.

  1. First, download the CFT template to deploy on AWS. Click here to download the template.
  2. Next, navigate to AWS CFT > Create Stack with new resources.
  3. Select Upload a template file and upload the YAML file you downloaded.
  4. Click Next.
  5. Now, provide the necessary inputs.
    1. Stack name.
    2. APIGatewayURL: the API Gateway URL for your Qualys POD, listed under Platform Identification.
    3. Select the required AWS regions from the dropdown to receive GuardDuty alerts in TotalCloud.
    4. Provide the subscription token created under Generate a Subscription Token.
    5. Click Next, proceed to Step 4, and click Launch stack.

View GuardDuty Events on the Inventory

Once your GuardDuty configuration is set up for CDR, you can view the findings on the TotalCloud Inventory.

  1. Navigate to TotalCloud > Inventory and open the required resource type (for example, IAM Users).
  2. Click the With Threats card at the top right. The QQL token filters the resources that have threats; click a resource.
  3. Click the Cloud Detection and Response tab in the left side panel.
  4. Here, you can view the CDR and GuardDuty findings along with the total count.
  5. Click the three dots on any finding to view more details, including the GuardDuty finding itself.