Repository contents: docs, LICENSE, README.md, cloudformation.yaml, elk.json


aws-guarddutyvisualizer

CloudFormation template and Kibana dashboard as described in the blog post

Series

This repository is part of a series which aims to create security monitoring in an AWS account with AWS 'native' solutions.

Setup

The CloudFormation template in this repo deploys a CloudWatch Events rule, an SNS topic and subscription, a Kinesis Data Firehose delivery stream, an S3 bucket and two IAM roles with their policies. It does not create an Elasticsearch domain: I assume you are using a central one for monitoring and have already created it.

The structure (flow) of the application is still the same: [diagram: infra]

Dashboard

To get the visualizations and dashboard discussed in the blog post, import the saved-objects export in this repo (elk.json) under Management --> Saved Objects in the Kibana instance attached to your Elasticsearch domain.

I have changed the dashboard layout to better show the status: [screenshot: dashboard]

Post Import

Once you have imported the JSON file you need to create two scripted fields. Go to Management --> Index Patterns --> the GuardDuty index pattern and select the Scripted Fields tab.

[screenshot: scriptedfields]

sevLevel

Name: sevLevel
Language: painless
Type: String
Format: default
Popularity: default (0)
Script:

// GuardDuty severity ranges: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
// Comparing against 4.0 and 7.0 keeps 3.9 in Low and 6.9 in Medium.
if (doc['detail.severity'].size() == 0) {
    return "Unknown";   // finding without a severity field
}
double sev = doc['detail.severity'].value;
if (sev < 4.0) {
    return "Low";
}
if (sev < 7.0) {
    return "Medium";
}
return "High";

typeCategory

Name: typeCategory
Language: painless
Type: String
Format: default
Popularity: default (0)
Script:

// Finding types look like "Recon:EC2/PortProbeUnprotectedPort"; the text
// before the first colon (the threat purpose) is used as the category.
// Check size() first: doc[...].value throws on a missing field, so a
// null check alone does not protect against documents without a type.
if (doc['detail.type.keyword'].size() == 0) {
    return "";
}
String path = doc['detail.type.keyword'].value;
int firstColon = path.indexOf(":");
if (firstColon > 0) {
    return path.substring(0, firstColon);
}
return "";

Dev Tools

The coordinate map (heatmap) visualization only works if the geoLocation fields are mapped as geo_point; with dynamic mapping they would be indexed as plain objects with numeric lat and lon fields. Go to Dev Tools and run the index template below from the left text box. An index template only applies to indices created after it is stored, so any existing gdt* index has to be reindexed. Dynamic mapping also fixes the type of detail.severity on the first finding it sees: an integer severity yields a long field, and fractional severities such as 3.9 in later findings are then truncated, so consider mapping detail.severity as float in the same template. Note that Elasticsearch 6 and later expect index_patterns instead of template, and that the _default_ mapping type is gone in 7, where properties sit directly under mappings.

PUT _template/gdt
{
  "template": "gdt*",
  "settings": {},
  "mappings": {
    "_default_": {
      "properties": {
        "detail.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation": {
          "type": "geo_point"
        },
        "detail.service.action.networkConnectionAction.remoteIpDetails.geoLocation": {
          "type": "geo_point"
        }        
      }
    }
  }
}

[screenshot: mapping]
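As an added example (not code from this repository), the Python script below reproduces offline what the two scripted fields compute and extracts the values found at the two geoLocation paths the template maps as geo_point, so a finding can be checked before it is indexed. The event is a constructed sample in the shape CloudWatch Events hands to Firehose for a GuardDuty finding; its IDs, account, time and IP addresses are made up. The severity buckets follow GuardDuty's documented ranges (Low up to 3.9, Medium 4.0 to 6.9, High from 7.0), and reporting a missing severity as "Unknown" is an assumption of this example.

```python
"""Offline dry run of the GuardDuty -> Kibana field logic described in the README.

Added example, not part of the repository. It mirrors the sevLevel and
typeCategory scripted fields and walks the two geoLocation paths from the
index template, fanning out over lists the way Elasticsearch does.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of what CloudWatch Events delivers for one finding.
# All identifiers and addresses are made up.
SAMPLE_EVENT = json.loads("""
{
  "version": "0",
  "id": "00000000-0000-0000-0000-000000000000",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "2019-01-01T00:00:00Z",
  "region": "eu-west-1",
  "resources": [],
  "detail": {
    "severity": 3.9,
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "service": {
      "action": {
        "actionType": "PORT_PROBE",
        "portProbeAction": {
          "portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.7",
                                 "geoLocation": {"lat": 52.37, "lon": 4.9}}},
            {"remoteIpDetails": {"ipAddressV4": "203.0.113.9",
                                 "geoLocation": {"lat": 37.75, "lon": -122.42}}}
          ]
        }
      }
    }
  }
}
""")


def sev_level(detail: Dict[str, Any]) -> str:
    """Bucket the numeric severity like the sevLevel scripted field."""
    sev = detail.get("severity")
    if sev is None:
        return "Unknown"  # assumption: findings without a severity field
    if sev < 4.0:
        return "Low"
    if sev < 7.0:
        return "Medium"
    return "High"


def type_category(detail: Dict[str, Any]) -> str:
    """Text before the first ':' of the finding type, like typeCategory."""
    finding_type = detail.get("type") or ""
    first_colon = finding_type.find(":")
    return finding_type[:first_colon] if first_colon > 0 else ""


# Dotted paths exactly as mapped to geo_point in the index template.
GEO_PATHS = (
    "detail.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation",
    "detail.service.action.networkConnectionAction.remoteIpDetails.geoLocation",
)


def _walk(obj: Any, parts: List[str]) -> List[Any]:
    """Follow a dotted path; a list on the way yields one result per element."""
    if not parts:
        return [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in _walk(item, parts)]
    if isinstance(obj, dict) and parts[0] in obj:
        return _walk(obj[parts[0]], parts[1:])
    return []


def geo_points(event: Dict[str, Any]) -> List[Tuple[float, float]]:
    """Every (lat, lon) pair the geo_point fields would receive from this event."""
    points: List[Tuple[float, float]] = []
    for path in GEO_PATHS:
        for loc in _walk(event, path.split(".")):
            if isinstance(loc, dict) and "lat" in loc and "lon" in loc:
                points.append((float(loc["lat"]), float(loc["lon"])))
    return points


def summarize(event: Dict[str, Any]) -> Dict[str, Any]:
    """What the dashboard fields would show for one CloudWatch event."""
    detail = event.get("detail", {})
    return {
        "sevLevel": sev_level(detail),
        "typeCategory": type_category(detail),
        "geoPoints": geo_points(event),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENT), indent=2))
```

Feed it real findings by replacing SAMPLE_EVENT with an event captured from the Firehose S3 backup bucket; a port probe from several sources produces several points, which is why the heatmap needs the list-valued portProbeDetails path mapped as well.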