A Serverless Security Orchestration, Automation and Response (SOAR) Framework for AWS GuardDuty. The GDPatrol Lambda function receives GuardDuty findings through a CloudWatch Event Rule and executes the appropriate actions to mitigate the threat according to the finding type and severity. The deployment script enables GuardDuty and deploys the GDPatrol Lambda function in all supported regions. The available actions are:
- blacklist_ip (at the VPC level, using a Network ACL)
- quarantine_instance (deny all traffic ingress and egress to the EC2 instance)
- disable_account (disable every action for a particular account)
- disable_sg_access (disable security group access)
- asg_detach_instance (detach the instance from its auto-scaling group)
The actions to be executed for each finding type are configured in the config.json file.
- Requires Python 3.6 (it should be compatible with 2.7 as well, but I didn’t test it)
git clone https://github.com/ansorren/GDPatrol.git
You can easily create your own playbooks by adding or removing actions and changing the reliability value in config.json for the desired finding type.
By default, all findings are assigned a reliability value of 5. The reliability is then added to the “severity” value found in the finding JSON, and the actions are only executed if the sum of the two values is higher than 10.
This ensures that, by default, only the playbooks for GuardDuty findings with a severity of 6 or higher are executed, while providing a simple yet effective way to change the behaviour by modifying the reliability value in the config file.
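The reliability-plus-severity gate described above, as an added illustration that is not GDPatrol's own code: the config layout (a `findings` map keyed by GuardDuty finding type, each with a `reliability` and an `actions` list) and the function names are assumptions, and the finding is read from `event["detail"]`, where a CloudWatch Events rule places it.

```python
# Constructed sample config in the shape the README describes. The real
# config.json of the project may be laid out differently (assumption).
CONFIG = {
    "default_reliability": 5,
    "findings": {
        "UnauthorizedAccess:EC2/SSHBruteForce": {
            "reliability": 5,
            "actions": ["blacklist_ip", "quarantine_instance"],
        },
        "Recon:EC2/PortProbeUnprotectedPort": {
            # Lowered reliability: needs severity 8+ before anything runs.
            "reliability": 3,
            "actions": ["disable_sg_access"],
        },
    },
}

THRESHOLD = 10  # actions run only when reliability + severity exceeds this


def select_actions(finding, config=CONFIG):
    """Return the playbook actions for a GuardDuty finding, or [] when
    reliability + severity does not exceed THRESHOLD (or no playbook exists)."""
    ftype = finding.get("type", "")
    severity = float(finding.get("severity", 0))
    entry = config["findings"].get(ftype)
    if entry is None:
        return []  # no playbook configured for this finding type
    reliability = entry.get("reliability", config["default_reliability"])
    # Strictly greater: default reliability 5 + severity 5 = 10 does not fire.
    if reliability + severity > THRESHOLD:
        return list(entry["actions"])
    return []


def lambda_handler(event, context=None):
    """Handler shape for a CloudWatch Events -> Lambda rule: the GuardDuty
    finding JSON sits under event['detail']. Returns the decision taken."""
    finding = event.get("detail", {})
    actions = select_actions(finding)
    return {"finding_type": finding.get("type"), "actions": actions}
```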
After any change to the config file locally, run deploy.py again and the script will recreate the Lambda function with the updated config.json. The GuardDuty finding types are documented here.
The deployment script makes the following API calls; make sure your account has the appropriate permissions:
Copyright (c) 2018 Antonio Sorrentino