You can leverage your Amazon GuardDuty service within the AWS Sensor to translate the raw log data into normalized events for analysis.

Amazon GuardDuty Setup Process

Amazon GuardDuty service is automatically detected when a new AWS Sensor is deployed. However, it still needs to be enabled for USM Anywhere to receive information from it.

To enable Amazon GuardDuty for your AWS Sensor

1. Go to Settings > Scheduler.
2. Search for GuardDuty in the Job Scheduler Filter By field.
3. In the row for the GuardDuty job, click the enable switch ( ).

Important: For users with AWS Sensors deployed prior to the 6.0.117 release, you must manually enable Amazon GuardDuty on your AWS Sensor in your USM Anywhere instance. Then, edit the Amazon GuardDuty Policy in your AWS Management Console to send information to your AWS Sensor.

To configure your GuardDuty policy

These instructions are for users who deployed their AWS Sensor prior to version 6.0.117.

1. Log in to your AWS Management Console and go to CloudFormation.
2. Select the AWS Sensor in your stack in the top frame of the page and click Resources in the details section below it.

3. In the Types column of the Resources tab there is an ID type labeled AWS::IAM::Role. Click on the Physical ID link to the left of the role to open that role's summary page.

   

4. In the role's summary page, expand the Policy Name dropdown and click Edit Policy .

5. Click JSON and enter the following two lines to the "Action" array

   "guardduty:Get*",
   "guardduty:List*",
6. Click Review Changes after the code is entered and click Save.