GuardDuty

The GuardDuty source requires that you have done the following:

  1. Created an S3 bucket that GuardDuty streams its logs to.
  2. Provided RunReveal with access to a role.
  3. Set up an event notification from the S3 bucket receiving GuardDuty logs that notifies RunReveal.

Initial Setup

Consult the docs on setting up a role and how to provide RunReveal with access to that role on the S3 Sources page.

Event Notifications

Ensure that your event notifications are being forwarded to this SNS topic in your region.

arn:aws:sns:<REGION>:253602268883:runreveal_guardduty
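One way to confirm this step is to check the bucket's notification configuration against the topic ARN above. This is an added example, not RunReveal's own code. The function name, the sample configurations and the us-east-2 region are constructed for illustration, and treating s3:ObjectCreated events as the ones to forward is an assumption, since this page does not name the event type.

```python
# Account ID and topic name are taken from the topic ARN given on this page.
RUNREVEAL_ACCOUNT = "253602268883"
RUNREVEAL_TOPIC = "runreveal_guardduty"


def check_notification(config, bucket_region):
    """Return a list of problems; an empty list means the bucket notifies the topic.

    config is the parsed JSON printed by:
      aws s3api get-bucket-notification-configuration --bucket <bucket>
    (the command prints nothing when no notifications exist; pass {} then).
    """
    expected = f"arn:aws:sns:{bucket_region}:{RUNREVEAL_ACCOUNT}:{RUNREVEAL_TOPIC}"
    suffix = f":{RUNREVEAL_ACCOUNT}:{RUNREVEAL_TOPIC}"
    topics = config.get("TopicConfigurations", [])
    matches = [t for t in topics if t.get("TopicArn") == expected]
    if not matches:
        # Separate "right topic, wrong region" from "topic missing entirely".
        wrong_region = [t["TopicArn"] for t in topics
                        if t.get("TopicArn", "").endswith(suffix)]
        if wrong_region:
            return [f"{wrong_region[0]} is not in the bucket's region ({bucket_region})"]
        return [f"no topic configuration targets {expected}"]
    # Assumption (not stated on this page): new-object events are the ones to forward.
    events = [e for t in matches for e in t.get("Events", [])]
    if not any(e.startswith("s3:ObjectCreated:") for e in events):
        return [f"{expected} is configured but gets no s3:ObjectCreated events: {events}"]
    return []


def _sample(region, events):
    # Constructed sample shaped like get-bucket-notification-configuration output.
    arn = f"arn:aws:sns:{region}:{RUNREVEAL_ACCOUNT}:{RUNREVEAL_TOPIC}"
    return {"TopicConfigurations": [{"Id": "guardduty-to-runreveal",
                                     "TopicArn": arn, "Events": events}]}


GOOD = _sample("us-east-2", ["s3:ObjectCreated:*"])
WRONG_REGION = _sample("us-west-2", ["s3:ObjectCreated:*"])
REMOVED_ONLY = _sample("us-east-2", ["s3:ObjectRemoved:*"])

if __name__ == "__main__":
    for name, cfg in [("good", GOOD), ("wrong region", WRONG_REGION),
                      ("removed only", REMOVED_ONLY), ("empty", {})]:
        print(name, "->", check_notification(cfg, "us-east-2") or "OK")
```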

Dashboard setup

Create a GuardDuty source in the dashboard, and provide RunReveal with your bucket-name, IAM role name, and IAM external ID.