Scenario
A financial services company wanted to enhance their security surveillance to detect and respond to potential security threats in real-time. They decided to leverage Amazon Guard Duty and OpenSearch to analyze and visualize their security findings.
Solution
The company used the following services to set up their real-time security surveillance system:
- Amazon Guard Duty: Amazon Guard Duty is a threat detection service that continuously monitors AWS accounts for malicious activity and unauthorized behavior. The company enabled Guard Duty in their AWS account to detect any suspicious activity.
- Amazon S3: The company created an S3 bucket to store Guard Duty findings. They configured Guard Duty to export findings to the S3 bucket every 15 minutes.
- AWS Lambda: The company created a Lambda function to extract Guard Duty findings from the S3 bucket and send them to OpenSearch. The Lambda function was triggered by S3 events and used CloudWatch Logs to monitor its execution results.
- Amazon OpenSearch: The company created an OpenSearch cluster to analyze and search their security findings. They configured OpenSearch to index and store the Guard Duty findings sent by the Lambda function.
- Amazon QuickSight: The company used QuickSight to visualize their security findings. They connected QuickSight to their OpenSearch cluster and created dashboards to monitor their security findings in real-time.
Summary
Step 1: Create an OpenSearch Cluster In AWS:
The company created an OpenSearch domain in AWS with version 2.3 and an instance of t3.small. They used the default settings for the domain and configured it to be publicly accessible.
Step 2: Collect Guard Duty findings and export them to an Amazon S3:
The company enabled Guard Duty in their AWS account and configured it to export findings to an S3 bucket every 15 minutes. They created an S3 bucket with the correct bucket policies to store the Guard Duty findings.
Step 3: Send the logs that are delivered to the S3 bucket to Amazon OS Using Lambda:
The company created a Lambda function using Python to extract Guard Duty findings from the S3 bucket and send them to OpenSearch. They gave the Lambda function an IAM execution role to access the S3 bucket data, OpenSearch, KMS Key, and CloudWatch Logs. The Lambda function was triggered by S3 input events and used CloudWatch Logs to monitor its execution results.
Step 4: Analyze, search, or aggregate your findings in Amazon OpenSearch:
The company created an index and index pattern for Guard Duty findings in OpenSearch. They configured the time filter and selected the event Last Seen as the Time Filter field. They added the index pattern and used keywords to query specific data.
Step 5: Visualize your data using Amazon QuickSight by integrating to OpenSearch:
The company connected QuickSight to their OpenSearch cluster and created dashboards to monitor their security findings in real-time. They used QuickSight’s visualization capabilities to analyze their security findings and take appropriate actions in response to any security threats.
Conclusion
The company was able to set up a real-time security surveillance system using Amazon Guard Duty and OpenSearch. They were able to detect and respond to potential security threats in real-time, which enhanced their security posture and reduced the risk of security breaches. The use of QuickSight to visualize their security findings allowed them to monitor their security posture in real-time and take appropriate actions in response to any security threats.