Monitoring GuardDuty Findings with Amazon CloudWatch Events

Large-scale cyber attacks are now becoming normal in this age of interconnectivity. As we rely more and more on cloud technologies, companies are looking to tap into digital innovations to improve their businesses. Cyber attacks are costing companies millions of dollars in downtime, not to mention the possibility of lawsuits whenever an attack occurs. It is imperative that security teams have the means to prevent, detect, and take action to ensure that the security of their workloads in AWS is airtight.

Amazon GuardDuty was released during the 2017 re:Invent conference. Amazon GuardDuty is an agentless threat detection service that continuously monitors your AWS account and workloads. GuardDuty ingests data across multiple AWS services such as VPC flow logs, CloudTrail, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential attacks.

In this article, we will be using SNS topics and CloudWatch Events to automatically notify you via email of GuardDuty findings depending on their severity. 

1. To start, we need to go to the GuardDuty console and click “Enable GuardDuty”.

2. Your GuardDuty console will probably be empty, especially if you launch GuardDuty on a fresh account. We will populate it later by using sample findings.

3. We need to create an SNS topic that will allow us to send notifications.

    1. Head over to SNS. 
    2. Create a topic and name your topic. 
    3. Click “Create topic”.

4. Create an SNS subscription for your topic.

    1. Specify the SNS topic you just created.
    2. Under protocol, choose Email.
    3. Enter the email address where you want to receive the CloudWatch events.
    4. Click “Create subscription”.

5. Now we need to create a CloudWatch Events rule to send events to the SNS topic.

    1. Head over to CloudWatch.
    2. Look for the “Rules” tab and click it.

6. Create a CloudWatch Events Rule

    1. Click “Create Rule”
    2. Toggle “Event Pattern”
    3. For the service name, look for GuardDuty
    4. For the event type, select GuardDuty finding
    5. Click “Edit” to modify the Event Pattern Preview and paste the JSON below. This pattern only alerts you for medium- and high-severity findings (severity values 4 through 8.9, as enumerated in the list); a finding whose severity value is not in the list is not forwarded.

{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}

7. Create Target

    1. On the “Targets” section, click “Add target” and specify the SNS topic you created.
    2. Under “Configure input”, select “Input Transformer”.
    3. Paste the following code for Input Path and Input Template, then click “Configure details”.

INPUT PATH

{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}

INPUT TEMPLATE

"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>."
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"

8. Configure Rule Details

    1. Name your rule definition.
    2. Tick the “Enabled” box under State.
    3. Click “Create rule”.
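Before creating anything in AWS, it helps to know exactly which findings the rule above will forward and what the resulting e-mail will say. The script below is an added example, not code from the original post or from AWS: it re-implements in plain Python the two CloudWatch Events behaviours the rule relies on, namely event-pattern matching (for the exact-value lists the tutorial uses, plus EventBridge "numeric" range matching as an alternative to enumerating every severity value, which goes beyond the tutorial's pattern) and the input transformer (the "$.a.b" input paths and <name> substitution). It then runs the tutorial's pattern and template over constructed sample findings; the finding ids, types, descriptions and severities are made up for the demo and are not real GuardDuty output.

```python
"""Local model of the tutorial's CloudWatch Events rule and input transformer.

Added example, not code from the original post or from AWS. It models, for
the constructed sample events below, the subset of EventBridge / CloudWatch
Events behaviour the rule depends on: exact-value list matching, "numeric"
range matching, and input-transformer substitution.
"""
import operator

# Event pattern from the tutorial: severities 4 through 8.9 (medium and high),
# listed both as integers and as one-decimal values, exactly as on the page.
SEVERITY_LIST = [v for n in range(4, 9)
                 for v in (n, *[round(n + d / 10, 1) for d in range(10)])]
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": SEVERITY_LIST},
}
# Equivalent pattern using EventBridge numeric matching instead of a value list
# (an alternative to the tutorial's list, not something the tutorial shows).
RANGE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4, "<", 9]}]},
}

# Input transformer from the tutorial.
INPUT_PATHS = {
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}
INPUT_TEMPLATE = (
    '"You have a severity <severity> GuardDuty finding type <Finding_Type> '
    'in the <region> region."\n'
    '"Finding Description:"\n'
    '"<Finding_description>."\n'
    '"For more details open the GuardDuty console at '
    'https://console.aws.amazon.com/guardduty/home?region=<region>'
    '#/findings?search=id%3D<Finding_ID>"'
)

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, ">=": operator.ge}


def _numeric_ok(value, spec):
    """'numeric' matcher: spec is a flat list such as [">=", 4, "<", 9]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2]))


def _value_ok(value, alternatives):
    """A pattern list matches when the value equals one literal or satisfies
    one numeric range; comparison is numeric, so 4 and 4.0 are the same."""
    return any(_numeric_ok(value, alt["numeric"]) if isinstance(alt, dict)
               else value == alt for alt in alternatives)


def matches(pattern, event):
    """Every field named in the pattern must exist in the event and match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _value_ok(event[key], expected):
            return False
    return True


def json_path(event, path):
    """Resolve the '$.a.b' subset of JSONPath used by the input-path map."""
    node = event
    for part in path.lstrip("$").strip(".").split("."):
        node = node[part]
    return node


def render(event):
    """Apply the input transformer: resolve each path, substitute <name>."""
    text = INPUT_TEMPLATE
    for name, path in INPUT_PATHS.items():
        text = text.replace(f"<{name}>", str(json_path(event, path)))
    return text


def sample_finding(severity, finding_id, finding_type, description, region="us-east-1"):
    """Constructed GuardDuty-style event carrying only the fields the rule reads."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "region": region,
            "detail": {"id": finding_id, "type": finding_type,
                       "severity": severity, "description": description}}


def route(events, pattern=EVENT_PATTERN):
    """Messages that would be published to the SNS topic for these events."""
    return [render(e) for e in events if matches(pattern, e)]


if __name__ == "__main__":
    samples = [  # constructed, not real findings
        sample_finding(2.0, "sample-1", "Constructed/LowType", "low, filtered out"),
        sample_finding(5.0, "sample-2", "Constructed/MediumType", "medium, forwarded"),
        sample_finding(8, "sample-3", "Constructed/HighType", "high, forwarded"),
        sample_finding(9.0, "sample-4", "Constructed/OutOfListType",
                       "not in the enumerated list, so not forwarded"),
    ]
    for msg in route(samples):
        print(msg, "\n")
    print("range pattern forwards:", len(route(samples, RANGE_PATTERN)))
```

The fourth sample is the caveat worth keeping in mind: list matching is exact, so any severity value that is not enumerated (9.0 in the demo) is dropped without any error, and the only place that shows up is a missing e-mail. A numeric range such as the one in RANGE_PATTERN expresses the same intent in one entry; whichever form you use, run a few generated sample findings through the real rule, as the tutorial does in the next step, and confirm the e-mails arrive.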

9. Populate GuardDuty with sample findings

    1. Head over to Settings.
    2. Under “Sample Findings”, click “Generate Sample Findings”.
    3. GuardDuty sends a finding to CloudWatch Events within 5 minutes, so in this case you should receive an email within about 5 minutes of generating the sample findings.

10. You will receive an email from AWS regarding the findings of GuardDuty.

In this tutorial, you have enabled Amazon GuardDuty, created an SNS topic and subscription, and configured a CloudWatch Events rule that sends a message to the SNS topic whenever GuardDuty produces a finding that matches the rule's event pattern. You can adjust the CloudWatch rule and the target SNS configuration depending on your requirements.

In the next tutorial, we will discuss how to manage Amazon GuardDuty security findings across multiple accounts.
