Connecting to a Amazon GuardDuty data source

Connect the Amazon GuardDuty data source to the platform to enable your applications and dashboards to collect and analyze Amazon GuardDuty security data. Universal Data Insights connectors enable federated search across your security products.

Before you begin

Collaborate with a SentinelOne administrator to obtain an API token and the hostname or IP address of the data source.

If you have a firewall between your cluster and the data source target, use the IBM® Security Edge Gateway to host the containers. The Edge Gateway must be V1.6 or later. For more information, see Edge Gateway.

About this task

Structured Threat Information eXpression (STIX) is a language and serialization format that organizations use to exchange cyberthreat intelligence. The connector uses STIX patterning to query Amazon GuardDuty data and returns results as STIX objects. For more information about how the Amazon GuardDuty data schema maps to STIX, see Amazon GuardDuty stix-shifter repository (https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/aws_guardduty).

Procedure

  1. Log in to IBM Security QRadar Suite Software.
  2. In the navigation pane, click the Settings icon.
  3. From the menu, click Connections > Data sources.
  4. On the Data Sources tab, click Connect a data source.
  5. Click Amazon GuardDuty, then click Next.
  6. Configure the connection to allow IBM Security QRadar Suite Software to connect to the data source.
    1. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. Optional: In the Edge Gateway field, specify if the connection is to run on an Edge Gateway.
    4. In the Region field, set the Amazon GuardDuty region for the data source.
    5. Optional: In the Detector Ids field, specify one or more detector ids of the Amazon GuardDuty separated by comma.
  7. Set the query parameters to control the behavior of the search query on the data source.
    1. In the Concurrent search limit field, set the number of simultaneous connections that can be made between QRadar Suite Software and the data source. The default limit for the number of connections is 4. The value must not be less than 1 and must not be greater than 100.
    2. In the Query search timeout limit field, set the time limit in minutes for how long the query is run on the data source. The default time limit is 30. When the value is set to zero, there is no timeout. The value must not be less than 1 and must not be greater than 120.
    3. In the Result size limit field, set the maximum number of entries or objects that are returned by search query. The default result size limit is 10,000. The value must not be less than 1 and must not be greater than 500,000.
    4. In the Query time range field, set the time range in minutes for the search, represented as the last X minutes. The default is 5 minutes. The value must not be less than 1 and must not be greater than 10,000.
    Important: If you increase the concurrent search limit and the result size limit, a greater amount of data can be sent from QRadar Suite Software, which increases the strain on the data sources. Increasing the query time range also increases the amount of data.
  8. Click Add a Configuration.
  9. Configure identity and access.
    1. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. Establish an AWS authentication to enable QRadar Suite Software to access the Amazon GuardDuty API.

      • To establish an AWS key-based authentication, enter values for the AWS Access key id and AWS secret access key parameters.

      • To establish an AWS role-based authentication, enter values for the AWS Access key id, AWS secret access key, and AWS IAM Role parameters.

    4. Click Save
    5. Click Edit access and choose which users can connect to the data source and the type of access.
    6. To save your configuration and establish the connection, click Done.

Results

You can see the data source connection configuration that you added under Connections on the Data source settings page. A message on the card indicates connection with the data source.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.