Integrate Prisma Cloud with Amazon GuardDuty

Learn how to integrate Prisma™ Cloud with Amazon GuardDuty.
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes Virtual Private Cloud (VPC) Flow Logs and AWS CloudTrail event logs. GuardDuty uses security logic and AWS usage statistics techniques to identify unexpected and potentially unauthorized and malicious activity.
Prisma™ Cloud integrates with GuardDuty and extends its threat visualization capabilities. Prisma Cloud starts ingesting GuardDuty data, correlates it with the other information that Prisma Cloud already collects, and presents contextualized and actionable information through the Prisma Cloud app.
  1. Enable Amazon GuardDuty on your AWS instances (see Amazon Documentation).
  2. Enable read-access permissions to Amazon GuardDuty on the IAM Role policy.
    The Prisma Cloud IAM Role policy you use to onboard your AWS setup needs to include these permissions:
    guardduty:List*, guardduty:Get*
    If you used the CFT templates to onboard your AWS account, the Prisma Cloud IAM Role policy already has the permissions required for Amazon GuardDuty.
  3. After Prisma Cloud has access to the Amazon GuardDuty findings, use the following RQL queries for visibility into the information collected from Amazon GuardDuty.
    Config Query:
    config where hostfinding.type = 'AWS GuardDuty Host'
    Network Query:
    network where dest.resource IN ( resource where hostfinding.type = 'AWS GuardDuty Host' )
    Click on the resource to see the Audit Trail.
    (Screenshot: guardduty-audit-trail.png)
    Click Host Findings for information related to vulnerabilities. Select AWS GuardDuty Host or AWS GuardDuty IAM in the filter to view vulnerabilities detected by AWS GuardDuty.
    (Screenshot: guardduty-host-findings.png)
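The following Python check is an added example and not part of the Prisma Cloud documentation or its CFT templates: it parses an IAM policy document and confirms that the onboarding role covers the guardduty:List* and guardduty:Get* read permissions from step 2, while flagging Allow patterns that grant more than read access to GuardDuty. The sample policies are constructed, the probe action names are representative GuardDuty API actions chosen for illustration, and explicit Deny, Resource and Condition elements are not evaluated.

```python
import fnmatch
import json

# Representative GuardDuty read calls the integration relies on (assumption:
# chosen to stand in for the guardduty:List* and guardduty:Get* families).
REQUIRED_READ = ("guardduty:ListDetectors", "guardduty:GetFindings")
# A write action Prisma Cloud does not need; any Allow pattern covering it is over-broad.
WRITE_PROBE = "guardduty:CreateDetector"

# Constructed sample policies, not the policy generated by the Prisma Cloud CFT.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["guardduty:List*", "guardduty:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudtrail:LookupEvents", "Resource": "*"}]})
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"}})
MISSING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "guardduty:List*", "Resource": "*"}]})


def allowed_action_patterns(policy_json):
    """Collect every Action pattern from Allow statements (string or list forms).
    Explicit Deny, Resource and Condition elements are deliberately not evaluated."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def _covers(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_guardduty_access(policy_json):
    """Return (missing read actions, over-broad patterns).
    ([], []) means the policy is sufficient and stays read-only on GuardDuty."""
    patterns = allowed_action_patterns(policy_json)
    missing = [a for a in REQUIRED_READ if not any(_covers(p, a) for p in patterns)]
    broad = sorted(p for p in patterns if _covers(p, WRITE_PROBE))
    return missing, broad
```

Run check_guardduty_access against the policy document attached to the Prisma Cloud IAM role: an empty result on both sides means the role can read GuardDuty findings without being able to change GuardDuty settings.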