Populating Threat Feeds with GuardDuty
AWS GuardDuty is a managed threat detection service that monitors for malicious or unauthorized behavior and activity related to AWS resources. GuardDuty exposes what it detects as logs called "findings". Fortinet provides a Lambda script, "aws-lambda-guardduty", that translates AWS GuardDuty findings into a list of malicious IP addresses stored in an S3 location. A FortiGate configured to point to the list's URL can then consume it as an external threat feed. To use this feature, you must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
This feature is available with FortiOS 6.0.0+. See Setting up the FortiGate(s).
Installing and configuring GuardDuty requires knowledge of:
- AWS Lambda functions, DynamoDB, S3 buckets, and IAM
The Lambda script is available to download on GitHub.
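As an added illustration of the translation step described above (this is not Fortinet's aws-lambda-guardduty code), the following Python turns GuardDuty finding records into the one-address-per-line list that a FortiGate IP-address threat feed expects. The finding records are constructed samples, and the severity threshold, the internal-address exclusion list and the function names are assumptions of this example.

```python
import ipaddress
# Constructed sample findings (illustrative), trimmed to the fields read below; key paths follow the GuardDuty schema.
SAMPLE_FINDINGS = [
    {"severity": 5.0, "service": {"action": {"actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}},
    {"severity": 2.0, "service": {"action": {"actionType": "PORT_PROBE",
        "portProbeAction": {"portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}},
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},  # repeat of the first
            {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}}]}}}},  # internal source
    {"severity": 8.0, "service": {"action": {"actionType": "AWS_API_CALL",
        "awsApiCallAction": {"remoteIpDetails": {"ipAddressV4": "192.0.2.77"}}}}},
]
# Address space that must never land in a block list, whatever a finding reports (assumed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_remote_ips(finding):
    """Yield the remote IPv4 addresses referenced by one finding's action block."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "PORT_PROBE":  # one record per probed port, each with its own source address
        details = action.get("portProbeAction", {}).get("portProbeDetails", [])
    elif kind in ("NETWORK_CONNECTION", "AWS_API_CALL"):
        key = "networkConnectionAction" if kind == "NETWORK_CONNECTION" else "awsApiCallAction"
        details = [action.get(key, {})]
    else:  # e.g. DNS_REQUEST findings carry no remote address
        details = []
    for d in details:
        ip = d.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            yield ip

def build_feed(findings, min_severity=0.0):
    """Sorted, de-duplicated external IPs from findings at or above min_severity (GuardDuty 0-8.9 scale)."""
    addrs = set()
    for f in findings:
        if float(f.get("severity", 0)) < min_severity:
            continue
        for raw in extract_remote_ips(f):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # one malformed entry must not poison the whole feed
            if not any(ip in net for net in INTERNAL_NETS):
                addrs.add(ip)
    return [str(ip) for ip in sorted(addrs)]

def render_feed(ips):
    return "\n".join(ips) + "\n"  # FortiGate IP-address feeds: one IP or CIDR entry per line
```

In a deployment, `render_feed(build_feed(...))` is the text object written to S3 that the FortiGate polls; raising `min_severity` trades coverage for fewer false blocks.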