EventBridge and SNS Setup for GuardDuty Alerts


Amazon GuardDuty is a comprehensive threat detection service that continuously scans for malicious activities and unauthorized behaviors within your AWS environment. Leveraging machine learning (ML), anomaly detection, and malicious file identification, GuardDuty uses a combination of AWS data and leading third-party sources to safeguard your AWS accounts, workloads, and data. It efficiently processes billions of events from various AWS data sources, such as AWS CloudTrail logs, Amazon VPC Flow Logs, and DNS query logs. Additionally, GuardDuty monitors data events from Amazon S3, login events from Amazon Aurora, and runtime activities across Amazon EKS, Amazon EC2, and Amazon ECS, including serverless workloads on AWS Fargate.
However, detecting threats is only part of the equation. To respond effectively, you need timely and actionable alerts. This is where Amazon EventBridge and Amazon Simple Notification Service (SNS) come in. EventBridge is a serverless event bus that allows you to connect and route data from various sources, including AWS services like GuardDuty. By setting up EventBridge to capture GuardDuty findings, you can create rules that trigger specific actions or workflows based on those findings.
Amazon SNS, a fully managed messaging service, makes it easy to send notifications from the cloud. By integrating SNS with EventBridge, you can ensure that your security team receives immediate alerts via email, SMS, or other messaging channels. This integration is crucial for enabling swift and efficient incident response, helping you address potential security threats as soon as they're detected.
In this guide, I will walk you through the process of configuring EventBridge and SNS to enhance your GuardDuty alerts. By following these steps, you'll be able to set up a system that delivers timely and customized notifications, allowing you to stay ahead of potential security incidents and respond proactively.
Step 1: To begin, log in to your AWS Management Console using your credentials. Once logged in, type "SNS" into the search bar at the top of the console and select Amazon SNS from the results. Next, click the "Create topic" button to start setting up your SNS topic.


Step 2: Choose “Standard” as the topic type, then enter the required details for your SNS topic. Once you’ve filled in the necessary information, click the “Create topic” button at the bottom of the page.


Step 3: To receive email alerts for GuardDuty findings, you need to create a subscription for your SNS topic. Click on the topic you just created, then navigate to the "Subscriptions" tab. Click on “Create subscription” and choose “Email” as the protocol. Enter your email address in the "Endpoint" field and click “Create subscription.”






Step 4: SNS sends a confirmation email to the address you entered; open it and click the confirmation link. Once confirmed, the subscription status on the SNS console will change to "Confirmed".




Step 5: Now, navigate to Amazon EventBridge in the AWS Management Console and click on the "default" event bus under the "Event buses" section. Then, click on "Create rule" to set up a rule that forwards GuardDuty findings to your security team via the SNS email subscription.


Step 6: Fill in the required details and select "Rule with an event pattern" as the rule type.


Step 7: Now, let's build the event pattern for GuardDuty findings. This step ensures that the rule triggers only for specific GuardDuty events.
Event Source:
In the EventBridge rule creation page, under the "Event Source" section, select "AWS events or EventBridge partner events."
Creation Method:
Scroll down to the "Creation Method" section and select "Use pattern form."
Edit Pattern:
Click on the "Edit pattern" button. This will open a JSON editor where you can define the specific event pattern.




Please visit AWS Website Link to copy the JSON.


Note: The above pattern will alert for any Medium to High severity GuardDuty finding.
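To see what the Step 7 severity filter admits, here is an added Python simulation (not code from the original post or from AWS) of the event pattern run against constructed sample findings. Since the post links to the JSON rather than quoting it, the pattern below is written here from the EventBridge numeric-matching syntax and the GuardDuty severity bands, and the matcher implements only the pattern features this rule uses.

```python
import operator

# Event pattern from Step 7, as pasted into the "Edit pattern" JSON editor. GuardDuty
# severities run Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, so this keeps Medium and High.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4, "<", 9]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def _value_matches(value, alternatives):
    """A pattern field lists alternatives; any one of them matching is enough."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            # [">=", 4, "<", 9] -> (">=", 4), ("<", 9); every bound must hold
            pairs = zip(alt["numeric"][0::2], alt["numeric"][1::2])
            if isinstance(value, (int, float)) and all(_OPS[op](value, b) for op, b in pairs):
                return True
        elif alt == value:
            return True
    return False


def event_matches(pattern, event):
    """True if every field of the pattern is satisfied by the event (simulation)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):  # nested object such as "detail"
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True


def make_finding(severity):
    # Constructed GuardDuty finding envelope with only the fields the pattern inspects.
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"severity": severity, "type": "Recon:EC2/PortProbeUnprotectedPort"},
    }


if __name__ == "__main__":
    for sev in (2.0, 5.0, 8.0):
        print(f"severity {sev}: alert={event_matches(EVENT_PATTERN, make_finding(sev))}")
```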
Step 8: Next, choose your configured SNS topic as the target. This will enable email alerts for GuardDuty findings to be sent directly to your specified recipients.


Step 9: Next, click on "Additional settings" and select "Input transformer" under "Configure target input". Then, click on "Configure input transformer". This will allow you to customize the content of the notifications sent by the SNS topic.


Please visit AWS Website Link to copy the JSON and paste it into the "Input path" field of the target input transformer. This input path tells the EventBridge input transformer which fields of the finding to extract for the notification sent by the SNS topic.


Please visit AWS Website Link to copy the JSON for the input template. This template defines the custom message format for notifications sent via SNS. When the input transformer processes the event, it substitutes the placeholders with the values extracted from the event data to generate a readable and informative message.
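The Step 9 transformer, as an added Python example that is not the post's own JSON: the input path keys, the template wording and the sample finding are assumptions modelled on the AWS documentation, and the code simulates how EventBridge resolves each path and fills the `<name>` placeholders before handing the message to SNS, including the case where a path does not exist in the finding.

```python
import re

# Input path (Step 9): maps a name to the JSONPath it is read from. These keys
# are assumptions modelled on the AWS docs, not the post's own JSON.
INPUT_PATH = {
    "severity": "$.detail.severity",
    "Finding_Type": "$.detail.type",
    "Finding_ID": "$.detail.id",
    "region": "$.region",
    "instanceId": "$.detail.resource.instanceDetails.instanceId",
}

# Input template (Step 9): every <name> is replaced by the value extracted above.
INPUT_TEMPLATE = ("GuardDuty finding of severity <severity> and type <Finding_Type> "
                  "in <region>. Instance: <instanceId>. Finding ID: <Finding_ID>.")

SAMPLE_FINDING = {  # constructed event shaped like an EventBridge GuardDuty finding
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "00example-finding-id-0000",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def resolve_path(event, path):
    """Walk a simple '$.a.b.c' JSONPath through nested dicts; None if a step is missing."""
    node = event
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def transform(event, input_path, template):
    """Simulate the input transformer: extract by path, then fill the template."""
    values = {name: resolve_path(event, path) for name, path in input_path.items()}

    def fill(match):  # a path that does not resolve renders as 'n/a' (choice made here)
        value = values.get(match.group(1))
        return "n/a" if value is None else str(value)

    return re.sub(r"<(\w+)>", fill, template)


if __name__ == "__main__":
    print(transform(SAMPLE_FINDING, INPUT_PATH, INPUT_TEMPLATE))
```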


Step 10: In the next step, review the details of your rule to ensure everything is configured correctly. Once you’ve verified the settings, click on “Create rule” to finalize and activate it.




With this configuration, you will receive SNS email notifications for any medium to high GuardDuty findings. This ensures timely alerts, enabling you to take prompt action and eliminating the need for manual monitoring of GuardDuty alerts.
An example of such an alert is shown in the screenshot below for one of the GuardDuty findings.
Conclusion:
In this blog post, we've explored how to configure Amazon EventBridge to trigger SNS notifications based on GuardDuty findings. By setting up this integration, you ensure that you receive timely alerts for critical security issues, which enables you to act swiftly and mitigate potential threats. This automated approach significantly reduces the need for manual monitoring and enhances your overall security posture.
By leveraging EventBridge and SNS, you can streamline your alerting process, ensuring that high-priority findings are promptly addressed. Implementing these steps will not only improve your incident response times but also contribute to a more proactive and efficient security management strategy.
Disclaimer
This blog provides a general guide for configuring EventBridge and SNS to receive notifications for GuardDuty findings. It is important to note that each AWS environment and security requirement may vary. While this setup can streamline alerting and improve response times, it is essential to review and customize the configuration according to your specific needs and security policies.
Before deploying these settings in a production environment, thoroughly test them in a staging or development environment to ensure they meet your operational and security standards. The information provided should be used as a reference, and final implementations should align with your organization’s objectives and compliance requirements. Always perform due diligence and consider seeking professional advice if needed.
Happy securing!
Daily Ink Well
© 2024. All rights reserved.