Amazon GuardDuty Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
The Amazon GuardDuty integration provides threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized and malicious activity in your AWS environment. When you search for an observable in Amazon GuardDuty, the observable is also investigated in Amazon Detective.
The integration accepts IPv4 and IPv6 address observables and returns indicators and sightings for them.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Amazon GuardDuty integration.
- Click the plus sign (+) in the lower-right corner of the card. The Amazon GuardDuty integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Amazon GuardDuty integration in Cisco XDR.
You can perform the following tasks after you integrate Amazon GuardDuty with Cisco XDR:
- Investigations - Start a new investigation into any combination of IPv4 and IPv6 addresses; the results include any records of those addresses found in your Amazon GuardDuty account. To verify that the integration is working, and to see what kind of data it returns, investigate one or more observables that you know Amazon GuardDuty has recent findings for. For details, see Investigate.
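The verification step above needs observables that GuardDuty already has recent findings for. The following script is an added example (not Cisco's or AWS's code) that pulls the remote IPv4 and IPv6 addresses out of GuardDuty findings so they can be pasted into a Cisco XDR investigation. It assumes the JSON shape returned by `aws guardduty get-findings` (findings carry `Service.Action.<ActionType>.RemoteIpDetails.IpAddressV4` / `IpAddressV6`); the two findings embedded below are constructed samples, not real detections, and the finding IDs and addresses are placeholders.

```python
"""Extract IP observables from Amazon GuardDuty findings for a Cisco XDR
investigation.  Added example, not Cisco's or AWS's code.

To run it against a real account (assumption: AWS CLI v2, credentials with
guardduty:ListDetectors/ListFindings/GetFindings), save the output of
  aws guardduty list-detectors
  aws guardduty list-findings --detector-id <detector-id>
  aws guardduty get-findings  --detector-id <detector-id> --finding-ids <ids...>
to a file and pass its contents to extract_observables().  The sample
findings below are constructed and use documentation IP ranges only."""
import ipaddress
import json
from typing import Dict, Iterator, List

# Constructed sample in the shape of `aws guardduty get-findings` output.
SAMPLE_FINDINGS_JSON = r'''
{
  "Findings": [
    {
      "Id": "00000000000000000000000000000001",
      "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
      "UpdatedAt": "2024-05-01T10:15:00.000Z",
      "Severity": 5,
      "Service": {
        "Action": {
          "ActionType": "NETWORK_CONNECTION",
          "NetworkConnectionAction": {
            "ConnectionDirection": "INBOUND",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}
          }
        }
      }
    },
    {
      "Id": "00000000000000000000000000000002",
      "Type": "Recon:EC2/PortProbeUnprotectedPort",
      "UpdatedAt": "2024-05-02T08:00:00.000Z",
      "Severity": 2,
      "Service": {
        "Action": {
          "ActionType": "PORT_PROBE",
          "PortProbeAction": {
            "PortProbeDetails": [
              {"RemoteIpDetails": {"IpAddressV4": "203.0.113.7"}},
              {"RemoteIpDetails": {"IpAddressV6": "2001:db8::1"}},
              {"RemoteIpDetails": {"IpAddressV4": "not-an-ip"}}
            ]
          }
        }
      }
    }
  ]
}
'''


def _remote_ip_details(node) -> Iterator[dict]:
    """Yield every RemoteIpDetails dict anywhere inside a finding, whatever
    the ActionType (NetworkConnectionAction, AwsApiCallAction, PortProbeAction...)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "RemoteIpDetails" and isinstance(value, dict):
                yield value
            else:
                yield from _remote_ip_details(value)
    elif isinstance(node, list):
        for item in node:
            yield from _remote_ip_details(item)


def extract_observables(findings_json: str, min_severity: float = 0.0) -> Dict[str, List[str]]:
    """Return {"ipv4": [...], "ipv6": [...]}: unique remote addresses, in order of
    first appearance, from findings whose Severity is >= min_severity.
    Values that do not parse as an IP address are skipped rather than passed on."""
    doc = json.loads(findings_json)
    out: Dict[str, List[str]] = {"ipv4": [], "ipv6": []}
    for finding in doc.get("Findings", []):
        if float(finding.get("Severity", 0)) < min_severity:
            continue
        for details in _remote_ip_details(finding):
            for field in ("IpAddressV4", "IpAddressV6"):
                raw = details.get(field)
                if not raw:
                    continue
                try:
                    addr = ipaddress.ip_address(raw)
                except ValueError:
                    continue  # malformed value in the finding; do not forward it
                bucket = "ipv4" if addr.version == 4 else "ipv6"
                if str(addr) not in out[bucket]:
                    out[bucket].append(str(addr))
    return out


if __name__ == "__main__":
    # Prints the observables to paste into a Cisco XDR investigation.
    print(json.dumps(extract_observables(SAMPLE_FINDINGS_JSON), indent=2))
```

Raising `min_severity` (for example to 4) limits the list to findings that are at least medium severity, which keeps the first verification run small and makes it easier to match what Cisco XDR returns against the GuardDuty console.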