Amazon GuardDuty, announced at re:Invent 2017, is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes and processes Amazon VPC Flow Logs and Amazon CloudTrail event logs. It applies security logic and statistical analysis of AWS usage to identify unexpected, potentially unauthorized and malicious activity, including privilege escalation, use of exposed credentials, and communication with malicious IPs, URLs, or domains.
GuardDuty informs you of the status of your AWS infrastructure and applications by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch Events.
A short video that walks through pushing CloudWatch Events generated by GuardDuty to Splunk is available here. Note that these events are delivered to Splunk over the HTTP Event Collector (HEC).
The "TA" (technology add-on) is purely for storing knowledge objects (KOs) that make the specific dashboards work; it does not handle data collection. Since these are CloudWatch Events, either the AWS Lambda blueprints or the SQS-based modular input in Splunk_TA_aws is sufficient for ingestion.
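To make the collection path concrete, the following is an added example (not code from this TA, Splunk_TA_aws, or the AWS Lambda blueprints) of a Lambda-style handler that receives a GuardDuty finding as a CloudWatch Event and forwards it to Splunk HEC. The environment variable names, the HEC URL and token, the sourcetype name and the sample finding are all constructed for illustration; the severity bands follow GuardDuty's documented low/medium/high ranges so the finding carries a lowercase severity label usable by the Alerts datamodel.

```python
"""
Added example: forward a GuardDuty finding (delivered as a CloudWatch Event)
to Splunk's HTTP Event Collector.  Not part of the GuardDuty TA.
Assumptions: SPLUNK_HEC_URL / SPLUNK_HEC_TOKEN env vars, the sourcetype
name, and the constructed sample event below.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Assumed configuration, normally set as Lambda environment variables.
SPLUNK_HEC_URL = os.environ.get(
    "SPLUNK_HEC_URL", "https://splunk.example.com:8088/services/collector/event")
SPLUNK_HEC_TOKEN = os.environ.get(
    "SPLUNK_HEC_TOKEN", "00000000-0000-0000-0000-000000000000")
# Assumed sourcetype; align it with whatever props.conf stanza the TA expects.
DEFAULT_SOURCETYPE = "aws:cloudwatch:guardduty"

# Constructed sample: the envelope CloudWatch Events wraps around a finding
# (source "aws.guardduty", detail-type "GuardDuty Finding", detail = finding).
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-event-id",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2018-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "constructed-finding-id",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Constructed sample finding",
        "updatedAt": "2018-01-01T00:00:00Z",
        "service": {"count": 1},
    },
}


def severity_label(severity):
    """Map GuardDuty's numeric severity to the lowercase bands (low <4,
    medium 4-6.9, high >=7) that the Alerts datamodel's severity field uses."""
    if severity < 4:
        return "low"
    if severity < 7:
        return "medium"
    return "high"


def event_time_epoch(event):
    """HEC's 'time' field is epoch seconds; CloudWatch supplies ISO-8601 UTC."""
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc).timestamp()


def build_hec_payload(event, sourcetype=DEFAULT_SOURCETYPE, index=None):
    """Build one HEC JSON event from a CloudWatch Event carrying a finding.
    Rejects anything that is not a GuardDuty finding so unrelated events on
    the same rule cannot be mis-tagged with the GuardDuty sourcetype."""
    if event.get("source") != "aws.guardduty" \
            or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    payload = {
        "time": event_time_epoch(event),
        "host": event.get("account", "unknown"),
        "source": "aws.guardduty:" + event.get("region", "unknown"),
        "sourcetype": sourcetype,
        # Indexed field so searches can filter on band without parsing JSON.
        "fields": {"severity_label": severity_label(finding.get("severity", 0))},
        "event": finding,   # the raw finding is what the TA's props.conf parses
    }
    if index:
        payload["index"] = index
    return payload


def send_to_hec(payload, url=SPLUNK_HEC_URL, token=SPLUNK_HEC_TOKEN, timeout=5):
    """POST the payload to HEC and return (HTTP status, HEC reply)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def lambda_handler(event, context):
    """Lambda entry point: one CloudWatch Event in, one HEC event out."""
    status, reply = send_to_hec(build_hec_payload(event))
    return {"status": status, "hec_code": reply.get("code")}


if __name__ == "__main__":
    # Offline demonstration: show the payload without contacting a HEC endpoint.
    print(json.dumps(build_hec_payload(SAMPLE_EVENT), indent=2))
```

The handler validates the event envelope before tagging it, which keeps a shared CloudWatch Events rule from mislabelling non-GuardDuty events; the `time`, `host` and `source` fields are populated from the envelope so Splunk indexes the finding at the time GuardDuty emitted it rather than the time Lambda ran.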
Both simplexml dashboards (guard_duty.xml and guard_duty2.xml) are examples that can be integrated into the existing splunk_app_aws or extended for your own use.
Minor updates to props.conf to resolve dashboard issues resulting from field name collisions.
Minor fix to example dashboards.
Updates to props, tags and eventtypes to support the "Alerts" and "Intrusion Detection" datamodels.