Connecting to a Amazon GuardDuty data source

Connect the Amazon GuardDuty data source to the platform to enable your applications and dashboards to collect and analyze Amazon GuardDuty security data. Universal Data Insights connectors enable federated search across your security products.

Before you begin

Collaborate with a SentinelOne administrator to obtain an API token and the hostname or IP address of the data source.

If you have a firewall between your cluster and the data source target, use the IBM® Security Edge Gateway to host the containers. The Edge Gateway must be V1.6 or later. For more information, see Edge Gateway.

About this task

Structured Threat Information eXpression (STIX) is a language and serialization format that organizations use to exchange cyberthreat intelligence. The connector uses STIX patterning to query Amazon GuardDuty data and returns results as STIX objects. For more information about how the Amazon GuardDuty data schema maps to STIX, see Amazon GuardDuty stix-shifter repository (https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/aws_guardduty).

Procedure

  1. Log in to IBM Security QRadar Suite Software.
  2. From the menu, click Connections > Data sources.
  3. On the Data Sources tab, click Connect a data source.
  4. Click Amazon GuardDuty, then click Next.
  5. Configure the connection to allow IBM Security QRadar Suite Software to connect to the data source.
    1. Configure the connection to the data source.
      Table 1. Connection parameters
      Parameter Description
      Data source name Enter a unique name to identify the data source connection. You can create multiple connections to a data source, so it is useful to clearly set them apart by name.

      Only alphanumeric characters and the following special characters are allowed: - . _
      Data source description Enter a description to indicate the purpose of the data source connection. You can create multiple connections to a data source, so it is useful to clearly indicate the purpose of each connection by description.

      Only alphanumeric characters and the following special characters are allowed: - . _
      Edge gateway If you have a firewall between your cluster and the data source target, use the Edge Gateway to host the containers. In the Edge gateway field, specify an Edge Gateway to host the connector.

      It can take up to five minutes for the status of newly deployed data source connections on the Edge Gateway to show as being connected.
      AWS Region Name Enter the Amazon GuardDuty region for the data source.
      Detector Ids (optional) Specify one or more detector ids of the Amazon GuardDuty separated by comma.
    2. Set the query parameters to control the behavior of the federated search query on the data source.
      Table 2. Query parameters
      Query parameter Description
      Concurrent search limit Enter the number of simultaneous connections that can be made to the data source. The default limit for the number of connections is 4. The value must not be less than 1 and must not be greater than 100.
      Query search timeout limit Enter the time limit in minutes for how long the query is run on the data source. The default time limit is 30. When the value is set to zero, no timeout occurs. The value must not be less than 1 and must not be greater than 120.
      Result size limit Enter the maximum number of entries or objects that are returned by search query. The default result size limit is 10,000. The value must not be less than 1 and must not be greater than 500,000.
      Query time range Enter the time range in minutes for the search, represented as the last X minutes. The default is 5 minutes. The value must not be less than 1 and must not be greater than 10,000.
      Custom mapping (Optional) If you need to customize the STIX attributes mapping, click Customize attribute mapping and edit the JSON blob to map new or existing properties to their associated target data source fields.
      Important: If you increase the Concurrent search limit and the Result size limit, a greater amount of data can be sent to the data source, which increases the strain on the data source. Increasing the query time range also increases the amount of data.
  6. Click Add a configuration.
    1. Click Edit access and choose which users can connect to the data source and the type of access.
    2. Configure identity and access.
      Table 3. Configuration parameters
      Parameter Description
      Configuration Name Enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
      Configuration Description Enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
      AWS Access key id Establish AWS authentication to enable access to the AWS search API.

      To establish an AWS key-based authentication, enter values for the AWS Access key id and AWS secret access key parameters.

      To establish an AWS role-based authentication, enter values for the AWS Access key id, AWS secret access key, and AWS IAM Role parameters.
      AWS secret access key
      AWS IAM Role

      For more information about AWS authentication, see Configuring AWS authentication.

    3. Click Add.
    4. To save your configuration and establish the connection, click Done.
  7. To edit your configurations, complete the following steps:
    1. On the Data Sources tab, select the data source connection that you want to edit.
    2. In the Configurations section, click Edit Configuration (Edit configuration icon).
    3. Edit the identity and access parameters and click Save.

Results

You can see the data source connection configuration that you added under Connections > Data Sources page.

Tip: After the data source is connected, it takes some time for the initial data retrieval based on the frequency that is specified in the Frequency parameter. During this time, the data source appears as unavailable. After the data retrieval is complete, the data source shows as connected. To maintain the connection status, a polling mechanism is initiated to verify the connection periodically.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.