
AWS

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.

Playbooks

Amazon GuardDuty Playbook

The Amazon GuardDuty Playbook enables the ingestion and processing of findings from Amazon GuardDuty into ThreatConnect TI Ops. The Playbook is triggered each time a new Finding is generated by a GuardDuty Detector. The Finding details and context are saved as a Case and the relevant Indicators are parsed and saved as Artifacts. The Amazon GuardDuty Service App is required to be installed and configured prior to activating this Playbook.

Using this App, analysts can manipulate Threat Intel Sets and Trusted IP Sets to their requirements. Threat Intel Sets consist of known malicious IP/CIDR addresses. GuardDuty generates findings based on Threat Intel Sets.

The following actions are supported:

  • Create Intel Set - This action creates a new Intel Set (Threat Intel Set or Trusted IP Set).
  • Update Intel Set - Updates the Intel Set specified by its Intel Set ID.
  • Delete Intel Set - This action deletes a Threat Intel Set.
  • List Findings - List Amazon GuardDuty findings for a detector ID.
  • Get Finding - Describe Amazon GuardDuty findings specified by finding IDs.
  • Update Finding Feedback - Mark the specified GuardDuty findings as useful or not useful and optionally add comments.
  • Archive Finding - Archive a finding by its Threat Intel Set ID.

This Playbook can be found in the ThreatConnect App Catalog under the name: Amazon GuardDuty (Playbook)


Built By ThreatConnect

Amazon Elastic Compute Cloud (EC2)

The EC2 Playbook App allows analysts to perform various investigation and incident response actions on EC2 infrastructure directly from the ThreatConnect TI Ops Platform. The following actions are available:

  • List Instances - List instances with filters or by instance ID to get details about the instances.
  • Describe Instance - Get details for an instance.
  • Create Tags - Create tags and attach the tags to AWS Resources.
  • Delete Tags - Delete tags and remove the tags from AWS Resources.
  • Monitor Instances - Activate monitoring for selected instances.
  • Unmonitor Instances - Deactivate monitoring for selected instances.
  • Describe Snapshots - List existing snapshots based on IDs or filters.
  • Create Snapshot - Create a disk snapshot based on an existing EBS Snapshot ID.

This app can be found in the ThreatConnect App Catalog under the name: Amazon Elastic Compute Cloud (EC2)


Amazon Simple Storage Service (S3)

Amazon Simple Storage Service (S3) provides object storage through a web service interface. The S3 Playbook App for the TI Ops Platform allows analysts to take automated actions on Amazon S3 buckets and objects so that they can more easily manage security policies and configurations. The following actions are available:

  • Create Bucket - Creates a new S3 bucket.
  • Tag Bucket - Sets the supplied tag-set to a bucket that already exists in S3.
  • List Objects - Returns some or all (up to 1,000) of the objects in a bucket.
  • Get Object - Retrieves objects from Amazon S3.
  • Create Object - Adds an object to a bucket.
  • Tag Object - Sets the supplied tag-set to an object that already exists in a bucket.

This Playbook App can be found in the ThreatConnect App Catalog under the name: Amazon Simple Storage Service (S3) (Playbook)


Integrations

Amazon GuardDuty

ThreatConnect has several Apps to integrate seamlessly with Amazon GuardDuty. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts, workloads, and data stored in Amazon S3. With these apps, analysts can easily set up monitoring and alerting for any known IP addresses (both good and bad). This integration consists of two different apps performing different functions.

  • Service App - allows Findings from GuardDuty to be ingested on a schedule and trigger a Playbook for each Finding
  • Job App - allows Indicators to be added and removed on Threat Intel Sets on a schedule

With the Job App, analysts can automatically deploy and delete Address and CIDR Indicators in bulk, on a schedule, to Amazon GuardDuty for blocking. It also deploys Indicators that have been modified since the last time the job ran and match the filter criteria, and deletes any Indicators that no longer match the criteria or have been removed from ThreatConnect.

These apps can be found in the ThreatConnect App Catalog under the names: Amazon GuardDuty (Organization) and Amazon GuardDuty Service (Custom Trigger)
