Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

---

Capabilities

• Automated Ingestion: Fetches GuardDuty findings directly from your AWS account.
• Incident Enrichment: Findings are enriched and mapped to Arcanna’s model.
• AI-Powered Triage: Leverage Arcanna’s AI to prioritize and respond to GuardDuty alerts.
• Custom Workflows: Integrate GuardDuty findings into your existing Arcanna playbooks.

---

Arcanna - Amazon GuardDuty integration

Integrating Amazon GuardDuty with Arcanna allows you to automatically ingest findings and alerts in real time, enabling advanced analysis, triage, and response workflows.

Steps to configure Amazon GuardDuty integration:

Prerequisites

• A valid Arcanna instance - for setup, follow this user guide.
• An active Amazon Web Services account with Amazon GuardDuty enabled. Sufficient IAM permissions to access GuardDuty findings.

How to connect

1. Create an Access Key

1. Log in to the AWS Management Console.

2. Go to your account on top right and select Security Credentials.

3. Scroll down to the Access keys section and click Create access key to generate an Access Key ID, Secret Access Key. Select the option that suits you:

   

---

2. Add the Integration in Arcanna

1. Log in to your Arcanna platform.
2. Navigate to Integrations > Amazon GuardDuty.
3. Click Add Integration.
4. Enter the following information:
   • Integration Name: (e.g., "AWS GuardDuty Production")
   • AWS Access Key ID
   • AWS Secret Access Key
   • AWS Region (e.g., us-east-1)
5. Click Confirm. Arcanna will test the connectivity and verify the credentials and permissions.
6. If the connection is successful, the integration will be saved.

---

3. Create the Arcanna Use Case

After adding the integration, you need to create a use case to start ingesting GuardDuty findings.

1. Go to Use Cases in the Arcanna platform.
2. Click Create Use Case.
3. Enter a name and description for your use case.
4. In the Input Integrations section, select your configured Amazon GuardDuty integration.
5. Configure the following parameters:
   • Time Range: Specify the start and end dates for the time window for which GuardDuty findings should be fetched.
   • Batch Size: Set the number of findings to fetch in each batch (e.g., 10, 20, 50). This controls how many alerts are ingested per API call and can help influence performance. The maximum is 50.
6. Click Confirm to save the input integration. The integration will perform a healthcheck and fetch sample events.
7. (Optional) Configure additional enrichments, extra processing (code blocks) or other actions as needed.
8. Click Save and run to activate the use case.

---

How it Works

Once configured, Arcanna will periodically connect to the GuardDuty API using the provided credentials and region. It will fetch new findings according to the specified time range and batch size, ingesting them as incidents in Arcanna, where they can be triaged, enriched, and acted upon using your configured workflows.

---

Troubleshooting

Issue	Solution
Connection failed	Double-check AWS credentials and region.
No findings ingested	Ensure GuardDuty is enabled and findings exist in the selected region.
Not all expected findings are ingested.	Check and adjust the GuardDuty parameters used in the use case (start time, date time, batch size).
Other	Contact Arcanna support for assistance.

---

Additional Resources

• Amazon GuardDuty Documentation
• Arcanna Integrations Overview
• AWS IAM Policies

---

Need help?
If you encounter any issues or have questions about the integration, please contact us.