Monitoring GuardDuty Findings with Amazon CloudWatch Events

Large-scale cyber attacks are now becoming normal in this age of interconnectivity. As we rely more and more on cloud technologies, companies are looking to tap into digital innovations to improve their businesses. Cyber attacks are costing companies millions of dollars in downtime, not to mention the possibility of lawsuits whenever an attack occurs. It is imperative that security teams have the means to prevent, detect, and take action to ensure that the security of their workloads in AWS is airtight.

Amazon GuardDuty was released during the 2017 re:Invent conference. Amazon GuardDuty is an agentless threat detection service that continuously monitors your AWS account and workloads. GuardDuty ingests data across multiple AWS services such as VPC flow logs, CloudTrail, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential attacks.

In this article, we will be using SNS topics and CloudWatch Events to automatically notify you via email of GuardDuty findings depending on their severity. 

1. To start, we need to go to the GuardDuty console and click  “Enable GuardDuty”.

2. Your GuardDuty console will probably be empty, especially if you launch GuardDuty on a fresh account. We will populate it later by using sample findings.

3. We need to create an SNS topic that will allow us to send notifications.

    1. Head over to SNS. 
    2. Create a topic and name your topic. 
    3. Click “Create topic”.

4. Create an SNS subscription for your topic.

    1. Specify the SNS topic you just created.
    2. Under protocol, choose Email.
    3. Enter the email address where you want to receive the CloudWatch events.
    4. Click “Create subscription”.

5. Now we need to create a CloudWatch Events rule to send events to the SNS topic.

    1. Head over to CloudWatch.
    2. Look for the “Rules” tab and click it.

6. Create a CloudWatch Events Rule

    1. Click “Create Rule”
    2. Toggle “Event Pattern”
    3. For the service name, look for GuardDuty
    4. For the event type, select GuardDuty finding
    5. Click “Edit” to modify the Event Pattern Preview and paste this JSON code. The pattern only matches findings with Medium to High severity (4.0 to 8.9); Low-severity findings are filtered out. Both the integer and the decimal form of each whole number (4 and 4.0, 5 and 5.0, and so on) are listed because the pattern compares the severity value exactly as it appears in the event.

{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}

7. Create Target

    1. On the “Targets” section, click “Add target” and specify the SNS topic you created.
    2. Under “Configure Input”, click on “Input Transformer”.
    3. Paste the following code for Input path and Input template then click “Configure Details”.

INPUT PATH

{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}

INPUT TEMPLATE

"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
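Before deploying the rule, it helps to see exactly what the event pattern from step 6 lets through and what the Input Transformer from step 7 turns a finding into. The following Python script is an added example for this purpose, not code from the tutorial or from AWS: it re-implements the small subset of CloudWatch Events pattern matching and Input Transformer behaviour that the rule relies on, and runs it offline against two constructed sample finding events. The function names (matches_pattern, resolve_path, render_template, build_notification), the sample ids, account, region and descriptions are all assumptions made for the example.

```python
"""Local simulation of the CloudWatch Events rule built in this tutorial.

Added example, not the tutorial's or AWS's code. It re-implements the subset of
event-pattern matching and Input Transformer behaviour the rule relies on, so
the pattern and template can be exercised against sample findings offline.
Function names and the two sample events are constructed for this example.
"""
from typing import Any, Dict, List, Optional

# Event pattern from step 6. Every key in the pattern must be present in the
# event, and the event's value must equal one of the listed values. Listing
# 4.0 through 8.9 selects GuardDuty's Medium (4.0-6.9) and High (7.0-8.9)
# bands; Low findings (1.0-3.9) never reach the SNS topic.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [round(4 + i / 10, 1) for i in range(50)]},
}

# Input path and input template from step 7.
INPUT_PATHS: Dict[str, str] = {
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}
INPUT_TEMPLATE: List[str] = [
    "You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region.",
    "Finding Description:",
    "<Finding_description>. ",
    "For more details open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>",
]


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Return True when the event satisfies the pattern.

    A dict in the pattern descends one level; a list means "the event's value
    must equal one of these" (an array-valued event field matches if any of
    its elements does). Keys missing from the event fail the match; keys the
    pattern does not mention are unconstrained.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif isinstance(actual, list):
            if not any(item in expected for item in actual):
                return False
        elif actual not in expected:
            return False
    return True


def resolve_path(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a simple dotted JSONPath such as '$.detail.severity'."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported JSONPath: {path}")
    node: Any = event
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # a missing field renders as an empty placeholder
        node = node[part]
    return node


def render_template(event: Dict[str, Any], paths: Dict[str, str], template: List[str]) -> List[str]:
    """Substitute <name> placeholders with the values the input paths select."""
    values = {name: resolve_path(event, p) for name, p in paths.items()}
    rendered = []
    for line in template:
        for name, value in values.items():
            line = line.replace(f"<{name}>", "" if value is None else str(value))
        rendered.append(line)
    return rendered


def build_notification(event: Dict[str, Any]) -> Optional[List[str]]:
    """Return the SNS message lines for a finding the rule forwards, else None."""
    if not matches_pattern(event, EVENT_PATTERN):
        return None
    return render_template(event, INPUT_PATHS, INPUT_TEMPLATE)


# Two constructed sample events shaped like the GuardDuty finding events that
# CloudWatch Events delivers; ids, account, region, severities and descriptions
# are made up for this example.
SAMPLE_HIGH: Dict[str, Any] = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "constructed-finding-id-0001",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "description": "Constructed sample: EC2 instance is querying a domain associated with a known C&C server",
    },
}
SAMPLE_LOW: Dict[str, Any] = {
    **SAMPLE_HIGH,
    "detail": {**SAMPLE_HIGH["detail"], "id": "constructed-finding-id-0002",
               "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
}

if __name__ == "__main__":
    for label, sample in (("high", SAMPLE_HIGH), ("low", SAMPLE_LOW)):
        message = build_notification(sample)
        print(f"[{label}] " + ("filtered out by the event pattern" if message is None else "\n".join(message)))
```

Running the script prints the four rendered message lines for the severity-8 sample and reports the severity-2 sample as filtered out. Note that GuardDuty emits whole-number severities as plain integers (8, not 8.0), which is why the real event pattern lists both forms; Python's numeric equality hides that distinction, so the simulation is a check on the template and the chosen severity range, not a substitute for testing the deployed rule with the sample findings from step 9.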

8. Configure Rule Details

    1. Name your Rule definition.
    2. Tick the “Enabled” box under state. 
    3. Create Rule.

9. Populating your GuardDuty

    1. Head over to settings
    2. Under “Sample Findings” click “Generate Sample Findings”
    3. GuardDuty sends new findings to CloudWatch Events within 5 minutes, so in this case you should receive an email within about 5 minutes of generating the sample findings.

10. You will receive an email from AWS regarding the findings of GuardDuty.

In this tutorial, you have enabled Amazon GuardDuty, created an SNS topic and subscription, and configured a CloudWatch Events rule that will send a message to the SNS topic depending on the results of GuardDuty. You can adjust the CloudWatch rule and the target SNS configuration depending on your requirements. 

In the next tutorial, we will discuss how to manage Amazon GuardDuty security findings across multiple accounts.

Sources:
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-subscribe-endpoint-to-topic.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
