Cado Response Integration with Amazon GuardDuty using AWS Lambda

Related tags

DevOps Toolsguardduty-lambda-cado
Overview

Cado Response Integration with Amazon GuardDuty using AWS Lambda

This repository contains a simple example where:

  • An alert is triggered by GuardDuty
  • The alert is then picked up in EventBridge
  • EventBridge then calls an AWS Lambda function which...
  • Triggers Cado Response to perform a full capture and investigation of the compromised EC2 instance

Guard Duty and AWS Lambda

How to Deploy

If you want to try this yourself, you can deploy a free trial of Cado Response here.

In Guard Duty you can increase how often “repeat alarms” are sent - this is useful for testing (GuardDuty > Settings).

Screenshot

To trigger the Guard Duty alarms either click “Generate Sample Findings” (GuardDuty > Settings) or run our tool at https://github.com/cado-security/CloudAndContainerCompromiseSimulator

Screenshot

Create a Lambda function that is triggered by GuardDuty in EventBridge. It’s just a couple of clicks to hook it up - no need to mess around with SNS or WebHooks!

Screenshot

Now we need to create a Lambda function which will get the AWS Instance ID from the event and call the Cado Response API with it.

The code is in this repository (lambda_function.py) - if you run as Python3.7 in Lambda you can simple copy and paste this code. If you run with the latest Python3.9 - the requests library isn't built in anymore so you will need to download this repository as a zip then upload it to AWS Lambda. For ECS Fargate you’ll need the task name, more on that to come.

You will need to set environment variables such as the hostname of the Cado Response installation and API key:

Screenshot

You can test the Lambda function is working correctly by running the test event (test_event.json in this repository):

Screenshot

Which will result in output such as below. The EC2 import will fail as the instance will not exist in your environmet. You can also capture a real event from your own environment for testing:

Screenshot

In total this should take about 15 minutes to set up. And what you get from that is… about 10 minutes after the GuardDuty is triggered - Cado Response goes and collects a full copy of the system before it’s destroyed and hunts through it for logs, malware etc:

Screenshot

Screenshot

You can also enable exporting the GuardDuty logs and the Cado Response output into an S3 bucket. You can then import the Cado Response output into a SIEM such as Splunk or a Ticketing system such as Jira. You can push out thousands of events for a compromised system if you want them all.

Screenshot

What that means is you now get in your SIEM the original Guard Duty alert from AWS detections on the API & Network side of the house - sitting side by side with the on disk detections, logs, even full file strings contents of files if you want it. You can read more on this here.

Learn More

If you want to try this yourself, you can deploy a free trial of Cado Response here.

Owner
Cado Security
We're building a platform to push digital forensics forward into the cloud era.
Cado Security
GitHub Repository
Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Ning 1 Jan 01, 2022
A tool to convert AWS EC2 instances back and forth between On-Demand and Spot billing models.

ec2-spot-converter This tool converts existing AWS EC2 instances back and forth between On-Demand and 'persistent' Spot billing models while preservin

jcjorel 152 Dec 29, 2022
Automatically capture your Ookla Speedtest metrics and display them in a Grafana dashboard

Speedtest All-In-One Automatically capture your Ookla Speedtest metrics and display them in a Grafana dashboard. Getting Started About This Code This

Aaron Melton 2 Feb 22, 2022
Ingress patch example by Kustomize

Ingress patch example by Kustomize

Jinu 10 Nov 14, 2022
This Docker container is build to run on a server an provide an easy to use interface for every student to vote for their councilors

This Docker container is build to run on a server and provide an easy to use interface for every student to vote for their councilors.

Robin Adelwarth 7 Nov 23, 2022
Manage your azure VM easily!

Azure-manager Manage your VM in Azure using cookies.

Team 1injex 129 Dec 17, 2022
Micro Data Lake based on Docker Compose

Micro Data Lake based on Docker Compose This is the implementation of a Minimum Data Lake

Abel Coronado 15 Jan 07, 2023
Pulumi - Developer-First Infrastructure as Code. Your Cloud, Your Language, Your Way 🚀

Pulumi's Infrastructure as Code SDK is the easiest way to create and deploy cloud software that use containers, serverless functions, hosted services,

Pulumi 14.7k Jan 08, 2023
Tiny Git is a simplified version of Git with only the basic functionalities to gain better understanding of git internals.

Tiny Git is a simplified version of Git with only the basic functionalities to gain better understanding of git internals. Implemented Functi

Ahmed Ayman 2 Oct 15, 2021
A job launching library for docker, EC2, GCP, etc.

doodad A library for packaging dependencies and launching scripts (with a focus on python) on different platforms using Docker. Currently supported pl

Justin Fu 55 Aug 27, 2022
A Habitica Integration with Github Workflows.

Habitica-Workflow A Habitica Integration with Github Workflows. How To Use? Fork (and Star) this repository. Set environment variable in Settings - S

Priate 2 Dec 20, 2021
Ralph is the CMDB / Asset Management system for data center and back office hardware.

Ralph Ralph is full-featured Asset Management, DCIM and CMDB system for data centers and back offices. Features: keep track of assets purchases and th

Allegro Tech 1.9k Jan 01, 2023
Hatch plugin for Docker containers

hatch-containers CI/CD Package Meta This provides a plugin for Hatch that allows

Ofek Lev 11 Dec 30, 2022
A Kubernetes operator that creates UptimeRobot monitors for your ingresses

This operator automatically creates uptime monitors at UptimeRobot for your Kubernetes Ingress resources. This allows you to easily integrate uptime monitoring of your services into your Kubernetes d

Max 49 Dec 14, 2022
Chartreuse: Automated Alembic migrations within kubernetes

Chartreuse: Automated Alembic SQL schema migrations within kubernetes "How to automate management of Alembic database schema migration at scale using

Wiremind 8 Oct 25, 2022
Ansible for DevOps examples.

Ansible for DevOps Examples This repository contains Ansible examples developed to support different sections of Ansible for DevOps, a book on Ansible

Jeff Geerling 6.6k Jan 08, 2023
Dockerized iCloud drive

iCloud-drive-docker is a simple iCloud drive client in Docker environment. It uses pyiCloud python library to interact with iCloud

Mandar Patil 376 Jan 01, 2023
A repository containing a short tutorial for Docker (with Python).

Docker Tutorial for IFT 6758 Lab In this repository, we examine the advtanges of virtualization, what Docker is and how we can deploy simple programs

Arka Mukherjee 0 Dec 14, 2021
Asynchronous parallel SSH client library.

parallel-ssh Asynchronous parallel SSH client library. Run SSH commands over many - hundreds/hundreds of thousands - number of servers asynchronously

1.1k Dec 31, 2022
A basic instruction for Kubernetes setup and understanding.

A basic instruction for Kubernetes setup and understanding Module ID Module Guide - Install Kubernetes Cluster k8s-install 3 Docker Core Technology mo

648 Jan 02, 2023