How to Set Up Email Notifications for GuardDuty Findings

Suresh Yadav
Published in Cypik
6 min read · May 9, 2024


Let's take the scenario where you have deployed your workloads in AWS and your IT security team suspects that malicious requests are reaching your application from different regions. The IT security team has asked you to investigate and find out which IP address, port, country, or source these requests are coming from.

Amazon GuardDuty is an agentless threat detection service that continuously monitors your AWS account and workloads.

GuardDuty ingests data across multiple AWS services, such as VPC flow logs, CloudTrail, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential attacks.

It also analyzes additional sources such as Kubernetes audit logs, RDS login activity, S3 logs, EBS volumes, runtime monitoring, and Lambda network activity logs.

In this article, we will use an SNS topic and a CloudWatch Events (EventBridge) rule to automatically notify you by email of GuardDuty findings, depending on their severity.

Create SNS Topic

Create an SNS topic to receive email notifications for AWS GuardDuty findings.

If you haven’t already created an Amazon SNS topic, follow the instructions for Getting started with Amazon SNS.

Create CloudWatch EventBridge Rule

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
  2. Select Rules from the navigation pane and then Create Rule.
  3. For Name, enter a name for your rule, for example: AWS-GuardDutyFindings-Rule
  4. If needed, enter a Description, for example: EventBridge Rule to send SNS notifications for GuardDuty findings in the Account
  5. From the Service Name menu, choose GuardDuty.
  6. From the Event Type menu, choose GuardDuty Finding.
  7. In the Event Pattern Preview, choose Edit.
  8. Paste the JSON below into Event Pattern Preview and choose Save.

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}

Note: The above pattern matches any medium- or high-severity finding (severity values 4.0 through 8.9); a finding whose severity is not one of the listed values does not match.

  9. In the Targets section, click Add Target.
  10. From the Select Targets menu, choose SNS Topic.
  11. For Select Topic, select the name of the SNS topic you created in Step 1.
  12. Expand additional settings. Then, for Configure target input, choose Input transformer.
  13. Choose Configure input transformer. Under Target input transformer, for the Input Path text box, copy and paste the following example path:

{
  "severity": "$.detail.severity",
  "Account_ID": "$.detail.accountId",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}

14. Copy the following code and paste it into the Input Template field to format the email.

"AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details, open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"

  15. Choose Confirm. Then, choose Next.
  16. Optionally, add a tag. Then, choose Next.
  17. Choose Create rule.
  18. After a matching finding event is emitted, you receive an SNS email notification with the custom fields.
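To check what the rule and the input transformer above actually do before deploying them, here is a small local model. It is an added example, not code from the article or from AWS: it re-implements the severity filter (both the enumerated list from the event pattern and an equivalent EventBridge numeric-matching form, `{"numeric": [">=", 4]}`, which the article does not use) and the `<placeholder>` substitution of the input transformer, then runs them over constructed finding events. The finding types are real GuardDuty type names, but the account number, ids, descriptions and severities are made up, and the four quoted template lines are modelled as one newline-separated string.

```python
"""Local model of the EventBridge rule and input transformer described above.

Added example, not code from the article or from AWS.  It applies the
article's severity filter (and an equivalent numeric-range form) to a few
constructed GuardDuty finding events and renders the email body the input
transformer would produce, so the rule's behaviour can be checked offline.
"""

# The 50 severity values enumerated in the article's event pattern: 4.0 .. 8.9.
# The plain integers 4..8 in that list are the same numbers as 4.0..8.0.
ENUMERATED_SEVERITIES = [round(4.0 + i / 10, 1) for i in range(50)]

# Range form of the same filter using EventBridge numeric matching, i.e. the
# pattern {"detail": {"severity": [{"numeric": [">=", 4]}]}}.  Kept open-ended
# to show that a range does not depend on listing every value.
NUMERIC_SEVERITY_RULE = [">=", 4]

# Input paths from the article's input transformer.
INPUT_PATHS = {
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}

# The article's input template, with its four quoted lines joined by newlines
# (an assumption about the rendered message; the substitution is what is modelled).
INPUT_TEMPLATE = (
    "AWS <Account_ID> has a severity <severity> GuardDuty finding type "
    "<Finding_Type> in the <region> region.\n"
    "Finding Description:\n"
    "<Finding_description>.\n"
    "For more details, open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>"
    "#/findings?search=id%3D<Finding_ID>"
)

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}


def numeric_match(value, rule):
    """Evaluate an EventBridge-style numeric rule such as [">=", 4, "<", 9]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False  # missing or non-numeric severity never matches
    pairs = zip(rule[0::2], rule[1::2])
    return all(_OPS[op](value, bound) for op, bound in pairs)


def is_guardduty_finding(event):
    """Top-level part of the pattern: source and detail-type must both match."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding")


def matches_enumerated(event):
    """The article's pattern: severity must equal one of the listed values."""
    severity = event.get("detail", {}).get("severity")
    return is_guardduty_finding(event) and severity in ENUMERATED_SEVERITIES


def matches_numeric(event):
    """Range form of the same filter."""
    severity = event.get("detail", {}).get("severity")
    return is_guardduty_finding(event) and numeric_match(severity, NUMERIC_SEVERITY_RULE)


def extract(event, json_path):
    """Resolve a simple input path such as "$.detail.severity" against the event."""
    node = event
    for key in json_path.lstrip("$").strip(".").split("."):
        node = node[key]
    return node


def render_email(event):
    """Substitute each <placeholder> in the template with its extracted value."""
    body = INPUT_TEMPLATE
    for name, path in INPUT_PATHS.items():
        body = body.replace(f"<{name}>", str(extract(event, path)))
    return body


def route(events, matcher=matches_enumerated):
    """Return the email bodies the rule would hand to SNS for the given events."""
    return [render_email(e) for e in events if matcher(e)]


def make_event(finding_id, severity, finding_type, description):
    """Constructed EventBridge envelope for a GuardDuty finding (placeholder ids)."""
    return {
        "version": "0",
        "id": "constructed-event-id",
        "detail-type": "GuardDuty Finding",
        "source": "aws.guardduty",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "accountId": "111122223333",
            "id": finding_id,
            "type": finding_type,
            "severity": severity,
            "description": description,
        },
    }


# Constructed sample findings (ids, descriptions and severities are made up).
SAMPLE_EVENTS = [
    make_event("finding-low", 2.0, "Recon:EC2/PortProbeUnprotectedPort",
               "EC2 instance has an unprotected port being probed"),   # low: dropped
    make_event("finding-medium", 5.0, "UnauthorizedAccess:IAMUser/TorIPCaller",
               "API call from a Tor exit node"),                       # medium: notified
    make_event("finding-high", 8.0, "Trojan:EC2/DNSDataExfiltration",
               "EC2 instance exfiltrating data through DNS queries"),  # high: notified
    make_event("finding-out-of-list", 9.5, "Constructed:Test/OutOfRange",
               "severity outside the enumerated list"),  # list misses it, numeric >= 4 catches it
]

if __name__ == "__main__":
    for body in route(SAMPLE_EVENTS):
        print(body, end="\n\n")
```

Running it prints the two email bodies for the medium and high findings. The low finding is dropped by both forms of the filter, while the constructed 9.5 finding is matched only by the numeric range: that is the practical difference between enumerating values and matching a range, since the list silently ignores any severity it does not contain.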

Enable GuardDuty and test the notification with sample findings.

Enable AWS GuardDuty in the Account

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
  2. Choose Get Started.
  3. Choose Enable GuardDuty.

Once enabled, you will be taken to the findings screen, which should be empty. It is where issues/abnormalities will appear when they occur. If findings are already highlighted here, it is recommended that you review and action each one individually.

A nice feature within the settings screen is an option to generate sample findings, which populates the findings screen and gives you insight into the types of alerts that you are likely to see.

  1. On the GuardDuty console, select Settings.
  2. Under “Sample findings,” click “Generate sample findings.”
  3. GuardDuty sends a notification within 5 minutes of a finding, so in this case you should receive an email about 5 minutes after you generate the sample findings.
  4. Select Findings on the left-hand side to show the generated sample findings.
  5. You will receive an email from AWS regarding the GuardDuty findings.

Summary:

In this article, we have learned how to set up an email notification for any medium- to high-severity GuardDuty finding using CloudWatch Events and SNS.

The following Terraform configuration creates the same email notification setup for GuardDuty findings:

resource "aws_guardduty_detector" "guardduty" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = false
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

resource "aws_sns_topic" "sns_topic" {
  name            = "sns-topic"
  delivery_policy = <<EOF
{
  "http": {
    "defaultHealthyRetryPolicy": {
      "minDelayTarget": 20,
      "maxDelayTarget": 20,
      "numRetries": 3,
      "numMaxDelayRetries": 0,
      "numNoDelayRetries": 0,
      "numMinDelayRetries": 0,
      "backoffFunction": "linear"
    },
    "disableSubscriptionOverrides": false,
    "defaultThrottlePolicy": {
      "maxReceivesPerSecond": 1
    }
  }
}
EOF
}

# Topic policy allowing EventBridge (events.amazonaws.com) to publish to the topic.
# The event target below is created without it, but its deliveries are denied.
data "aws_iam_policy_document" "sns_topic_policy" {
  statement {
    sid     = "AllowEventBridgePublish"
    effect  = "Allow"
    actions = ["sns:Publish"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [aws_sns_topic.sns_topic.arn]
  }
}

resource "aws_sns_topic_policy" "sns_topic_policy" {
  arn    = aws_sns_topic.sns_topic.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

# Create the email subscription for the SNS topic.
# The recipient must confirm the subscription email before notifications are delivered.
resource "aws_sns_topic_subscription" "email_subscription" {
  topic_arn = aws_sns_topic.sns_topic.arn
  protocol  = "email"
  endpoint  = "alerts@example.com" # Replace with your email address (the endpoint must be an address, not a domain)
}

# EventBridge rule that matches medium- and high-severity GuardDuty findings
resource "aws_cloudwatch_event_rule" "guardduty_event_rule" {
  name        = "ForwardGuardDutyFindings"
  description = "Forward GuardDuty findings to SNS Topic"

  event_pattern = <<PATTERN
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}
PATTERN
}

# Target: publish matching findings to the SNS topic, formatted by the input transformer
resource "aws_cloudwatch_event_target" "guardduty_event_target" {
  rule      = aws_cloudwatch_event_rule.guardduty_event_rule.name
  target_id = "sns_target"
  arn       = aws_sns_topic.sns_topic.arn

  input_transformer {
    input_paths = {
      severity            = "$.detail.severity"
      Account_ID          = "$.detail.accountId"
      Finding_ID          = "$.detail.id"
      Finding_Type        = "$.detail.type"
      region              = "$.region"
      Finding_description = "$.detail.description"
    }
    input_template = <<TEMPLATE
"AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details, open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
TEMPLATE
  }
}

# Optional: rule that forwards CloudTrail API-call events about this SNS topic to the same topic.
# It is not needed for the GuardDuty notifications above and can be omitted.
resource "aws_cloudwatch_event_rule" "sns_rule" {
  name        = "GuardDutySNSSubscription"
  description = "Subscribe SNS topic to CloudWatch Events"
  event_pattern = jsonencode({
    source        = ["aws.sns"]
    "detail-type" = ["AWS API Call via CloudTrail"] # the pattern key is "detail-type"; "detail_type" never matches
    resources     = [aws_sns_topic.sns_topic.arn]
  })
}

# Event target for the optional rule above
resource "aws_cloudwatch_event_target" "sns_target" {
  rule      = aws_cloudwatch_event_rule.sns_rule.name
  target_id = "sns_subscription"
  arn       = aws_sns_topic.sns_topic.arn
}

Enjoy it! 🍻 That’s It; we are done...

For seamless Cloud Management incorporating DevOps as the core of the methodology, reach out to us at info@cypik.com


About the author:

My name is Suresh Yadav, and I am an experienced Linux enthusiast and DevOps engineer. I’m passionate about automating and streamlining development processes, and currently, I work as a DevOps Engineer at Cypik. I specialize in cloud technologies, with a focus on the Google Cloud Platform (GCP).
