Last updated on May 27, 2023
Large-scale cyber attacks are becoming normal in this age of interconnectivity. As we rely more and more on cloud technologies, companies are looking to tap into digital innovations to improve their businesses. Cyber attacks cost companies millions of dollars in downtime, not to mention the possibility of lawsuits whenever an attack occurs. It is imperative that security teams have the means to prevent, detect, and take action so that the security of their workloads in AWS is airtight.
Amazon GuardDuty was released during the 2017 re:Invent conference. Amazon GuardDuty is an agentless threat detection service that continuously monitors your AWS account and workloads. GuardDuty ingests data across multiple AWS services such as VPC flow logs, CloudTrail, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential attacks.
In this article, we will be using SNS topics and CloudWatch Events to automatically notify you via email of GuardDuty findings depending on their severity.
Monitoring GuardDuty Findings with Amazon CloudWatch Events
1. To start, we need to go to the GuardDuty console and click “Enable GuardDuty”.
2. Your GuardDuty console will probably be empty, especially if you launch GuardDuty on a fresh account. We will populate it later by using sample findings.
3. We need to create an SNS topic that will allow us to send notifications.
- Head over to SNS.
- Create a topic and name your topic.
- Click “Create topic”.
4. Create an SNS subscription for your topic.
- Specify the SNS topic you just created.
- Under protocol, choose Email.
- Enter the email address where you want to receive the CloudWatch events.
- Click “Create subscription”.
5. Now we need to create a CloudWatch Events rule to send events to the SNS topic.
- Head over to CloudWatch
- Look for the “Rules” tab and click it
6. Create a CloudWatch Events Rule
- Click “Create Rule”
- Toggle “Event Pattern”
- For the service name, look for GuardDuty
- For the event type, select GuardDuty finding
- Click "Edit" to modify the Event Pattern Preview and paste this JSON code. The pattern only alerts you for findings of medium to high severity (the listed values, 4.0 through 8.9); each value is listed in both integer and decimal form so that either encoding of the severity matches.
{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}
7. Create Target
- On the “Targets” section, click “Add target” and specify the SNS topic you created.
- Under "Configure Input", click on "Input Transformer".
- Paste the following code for Input path and Input template then click “Configure Details”.
INPUT PATH
{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}
INPUT TEMPLATE
"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>."
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
8. Configure Rule Details
- Name your Rule definition.
- Tick the “Enabled” box under state.
- Create Rule.
9. Populating your GuardDuty
- Head over to settings
- Under “Sample Findings” click “Generate Sample Findings”
- GuardDuty sends a notification within 5 minutes of a finding, so in this case you should receive an email within about 5 minutes of generating the sample findings.
10. You will receive an email from AWS regarding the findings of GuardDuty.
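To check the rule logic before waiting on sample findings, here is an added Python example (not part of the original tutorial and not AWS code) that simulates how the event pattern from step 6 filters a GuardDuty finding event and how the input transformer from step 7 renders the email body. The finding event it feeds in is constructed; the finding id, description and region are placeholders, and the matcher implements only the subset of pattern semantics the tutorial's pattern uses.

```python
# Event pattern from the tutorial: an enumerated list of severities 4.0 through 8.9.
MEDIUM_AND_HIGH = [round(4 + i / 10, 1) for i in range(50)]
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": MEDIUM_AND_HIGH},
}
# Input path and template from step 7 (template joined into one string).
INPUT_PATH = {
    "severity": "$.detail.severity", "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type", "region": "$.region",
    "Finding_description": "$.detail.description",
}
INPUT_TEMPLATE = (
    "You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region. "
    "Finding Description: <Finding_description>. For more details open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
)

def pattern_matches(pattern, event):
    """Subset of CloudWatch Events semantics: a list means "value is one of these",
    a dict recurses into a nested object, and every key in the pattern must match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:   # 4 == 4.0 in Python, so both forms match
            return False
    return True

def resolve_path(event, json_path):
    """Resolve the '$.a.b' subset of JSONPath used by the input transformer."""
    assert json_path.startswith("$."), json_path
    node = event
    for part in json_path[2:].split("."):
        node = node[part]
    return node

def render_alert(event):
    """Return the email body the rule would send, or None when the rule would not fire."""
    if not pattern_matches(EVENT_PATTERN, event):
        return None
    body = INPUT_TEMPLATE
    for name, path in INPUT_PATH.items():
        body = body.replace(f"<{name}>", str(resolve_path(event, path)))
    return body

def sample_finding(severity, finding_type="Recon:EC2/PortProbeUnprotectedPort"):
    """Constructed finding event in the shape CloudWatch Events delivers (placeholder values)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "us-east-1",
            "detail": {"id": "EXAMPLE-FINDING-ID", "type": finding_type, "severity": severity,
                       "description": "Constructed sample description."}}

if __name__ == "__main__":
    for sev in (2.5, 4, 5.5, 8.9):
        print(sev, "->", "alert" if render_alert(sample_finding(sev)) else "no alert (low severity)")
```

Newer EventBridge rules also accept a numeric range filter, `"severity": [{"numeric": [">=", 4, "<", 9]}]`, which replaces the enumerated list; the simulator above does not implement that syntax.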
In this tutorial, you have enabled Amazon GuardDuty, created an SNS topic and subscription, and configured a CloudWatch Events rule that will send a message to the SNS topic depending on the results of GuardDuty. You can adjust the CloudWatch rule and the target SNS configuration depending on your requirements.
In the next tutorial, we will discuss how to manage Amazon GuardDuty security findings across multiple accounts.
Sources:
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-subscribe-endpoint-to-topic.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html