
AWS

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.

Playbooks

Amazon GuardDuty Playbook

The Amazon GuardDuty Playbook enables the ingestion and processing of findings from Amazon GuardDuty into ThreatConnect TI Ops. The Playbook is triggered each time a new Finding is generated by a GuardDuty Detector. The Finding details and context are saved as a Case and the relevant Indicators are parsed and saved as Artifacts. The Amazon GuardDuty Service App is required to be installed and configured prior to activating this Playbook.

Using this App, analysts can manage Threat Intel Sets and Trusted IP Sets as their requirements dictate. Threat Intel Sets consist of known malicious IP addresses and CIDR ranges; GuardDuty generates findings based on Threat Intel Sets.

The following actions are supported:

  • Create Intel Set - Creates a new Intel Set (Threat Intel Set or Trusted IP Set).
  • Update Intel Set - Updates the Intel Set specified by its Intel Set ID.
  • Delete Intel Set - Deletes a Threat Intel Set.
  • List Findings - Lists Amazon GuardDuty findings for a detector ID.
  • Get Finding - Describes the Amazon GuardDuty findings specified by finding IDs.
  • Update Finding Feedback - Marks the specified GuardDuty findings as useful or not useful and optionally adds comments.
  • Archive Finding - Archives a finding by its Threat Intel Set ID.

This Playbook can be found in the ThreatConnect App Catalog under the name: Amazon GuardDuty (Playbook)


Built By ThreatConnect

Amazon Elastic Compute Cloud (EC2)

The EC2 Playbook App allows analysts to perform various investigation and incident response actions on EC2 infrastructure directly from the ThreatConnect TI Ops Platform. The following actions are available:

  • List Instances - List instances with filters or by instance ID to get details about the instances.
  • Describe Instance - Get details for an instance.
  • Create Tags - Create tags and attach the tags to AWS Resources.
  • Delete Tags - Delete tags and remove the tags from AWS Resources.
  • Monitor Instances - Activate monitoring for selected instances.
  • Unmonitor Instances - Deactivate monitoring for selected instances.
  • Describe Snapshots - List existing snapshots based on IDs or filters.
  • Create Snapshot - Create a disk snapshot based on an existing EBS Snapshot ID.

This app can be found in the ThreatConnect App Catalog under the name: Amazon Elastic Compute Cloud (EC2)


Built By ThreatConnect

Amazon Simple Storage Service (S3)

Amazon Simple Storage Service (S3) provides object storage through a web service interface. The S3 Playbook App for the TI Ops Platform allows analysts to take automated actions on Amazon S3 buckets and objects, so that they can more easily manage security policies and configurations. The following actions are available:

  • Create Bucket - Creates a new S3 bucket.
  • Tag Bucket - Sets the supplied tag-set to a bucket that already exists in S3.
  • List Objects - Returns some or all (up to 1,000) of the objects in a bucket.
  • Get Object - Retrieves objects from Amazon S3.
  • Create Object - Adds an object to a bucket.
  • Tag Object - Sets the supplied tag-set to an object that already exists in a bucket.

This Playbook App can be found in the ThreatConnect App Catalog under the name: Amazon Simple Storage Service (S3) (Playbook)


Built By ThreatConnect

Integrations

Amazon GuardDuty

ThreatConnect has several Apps that integrate seamlessly with Amazon GuardDuty. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts, workloads, and data stored in Amazon S3. With these Apps, analysts can easily set up monitoring and alerting for any known IP addresses (both good and bad). The integration consists of two Apps that perform different functions:

  • Service App - allows Findings from GuardDuty to be ingested on a schedule and triggers a Playbook for each Finding.
  • Job App - allows Indicators to be added to and removed from Threat Intel Sets on a schedule.

With the Job App, analysts can automatically deploy and delete Address and CIDR Indicators in bulk, on a schedule, to Amazon GuardDuty for blocking. On each run, the Job also deploys Indicators that have been modified since the last run and match the filter criteria, and deletes any Indicators that no longer match the criteria or have been removed from ThreatConnect.

These apps can be found in the ThreatConnect App Catalog under the names: Amazon GuardDuty (Organization) and Amazon GuardDuty Service (Custom Trigger)


Built By ThreatConnect

AWS DynamoDB with Polarity

The Polarity - AWS DynamoDB integration enables analysts to quickly search any information contained in their DynamoDB tables, and to take action quickly based on the information returned by those queries.

Examples

AWS DynamoDB Data Overview

  • Summary Tags: The summary tags are determined by the admin who set up the integration. To see which attributes are used as summary tags, open the integration's options and check the Summary Attribute section.
  • DynamoDB Details: The integration details are likewise determined by the admin who set up the integration. To see which attributes are shown as details, open the integration's options and check the Details Attribute section.

Built By Polarity

AWS EC2 with Polarity

The Polarity - AWS EC2 integration enables analysts to get quick insights into assets that are in their different EC2 environments. The integration searches a specified EC2 region for EC2 DNS names and IPs to let analysts know if an asset is in a certain region and what it is.

The integration searches the following fields:

Entity Type          | EC2 Search Field                                 | Example entity
---------------------|--------------------------------------------------|------------------------------------------
Private IPv4 Address | private-ip-address                               | 172.31.61.45
Public IPv4 Address  | ip-address                                       | 43.250.192.1
Public Domain        | dns-name                                         | ec2-52-200-209-38.compute-1.amazonaws.com
Private IP DNS Name  | private-dns-name                                 | ip-172-31-61-45.ec2.internal
Private IPv6         | network-interface.addresses.private-ip-address   | 2a05:d07c:2000:xxxx:xxxx:xxxx:xxxx
Public IPv6          | network-interface.ipv6-addresses.ipv6-address    | fd8e:a626:878f:6126:xxxx:xxxx:xxxx:xxxx

Examples

AWS EC2 Data Overview

  • Summary Tags: When looking up information in AWS EC2, analysts can quickly determine what the server is related to.
  • General Details: When clicking into the details of the AWS EC2 integration, analysts can get more information about the indicator. The general information shows the instance type, the platform, the name of the server and the instance ID.
  • Network Details: Analysts can also quickly see the network details, including the related public and private IPs and DNS names.
  • Security Groups: Analysts can also quickly see the security groups applied to the server, to understand the scope of how the server is managed.
  • Tags: Finally, analysts can see whether any tags have been applied to the server, which also helps to understand how it is managed.

Built By Polarity
