
Send An Email If Any Finding Is Logged In AWS Guard Duty

Steps

  1. Create a topic and a subscription
  2. Create a rule in Cloudwatch
  3. Enable Guard Duty
  4. Create a role
  5. Create a new security group
  6. Launch an EC2 instance
  7. Assign role to the EC2 instance
  8. Download Tor Browser and open a site

Create A Topic And A Subscription

Picture showing the topic created in the AWS console


Create A Rule In Cloudwatch

Picture showing the Rules menu in AWS Cloudwatch

Picture showing the Go to Amazon EventBridge button in Cloudwatch

Picture showing the Rules screen in Cloudwatch

Picture showing the create rule screen in Cloudwatch

Event pattern for the rule (GuardDuty findings with severity 4 to 8.9):



{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4,
      4.0,
      4.1,
      4.2,
      4.3,
      4.4,
      4.5,
      4.6,
      4.7,
      4.8,
      4.9,
      5,
      5.0,
      5.1,
      5.2,
      5.3,
      5.4,
      5.5,
      5.6,
      5.7,
      5.8,
      5.9,
      6,
      6.0,
      6.1,
      6.2,
      6.3,
      6.4,
      6.5,
      6.6,
      6.7,
      6.8,
      6.9,
      7,
      7.0,
      7.1,
      7.2,
      7.3,
      7.4,
      7.5,
      7.6,
      7.7,
      7.8,
      7.9,
      8,
      8.0,
      8.1,
      8.2,
      8.3,
      8.4,
      8.5,
      8.6,
      8.7,
      8.8,
      8.9
    ]
  }
}


Picture showing adding the JSON for event pattern

Picture showing specifying the target as SNS topic

Picture showing the Configure target input button for specifying the input json

Input paths for the input transformer:



{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}


Picture showing pasting the input transformer json

Input template:



"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."


Picture showing pasting the template text

Picture showing the screen for adding Tags

Picture showing the review screen before the rule is created
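As an added example (not code from the original article), the following Python reproduces what the rule configured above does, under the simplified matching semantics noted in its comments: the event pattern is checked against a constructed GuardDuty finding event, and the input transformer's paths and template turn the match into the email text. The finding id and description in the sample event are made up.

```python
import json

# Constructed sample event in the shape EventBridge receives from GuardDuty
# ("GuardDuty Finding" detail-type); the finding id and text are made up.
SAMPLE_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "us-east-1",
    "detail": {"id": "example-finding-id-0001", "type": "UnauthorizedAccess:EC2/TorClient",
               "severity": 5, "description": "EC2 instance is talking to a Tor entry node."},
}

# The page's event pattern: ints 4..8 plus 4.0, 4.1, ..., 8.9 listed separately,
# because EventBridge compares numbers by their string form (4 and 4.0 differ).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [4, 5, 6, 7, 8] + [round(4 + i / 10, 1) for i in range(50)]},
}

# The page's input transformer: input paths and the message template.
INPUT_PATHS = {"severity": "$.detail.severity", "Finding_ID": "$.detail.id",
               "Finding_Type": "$.detail.type", "region": "$.region",
               "Finding_description": "$.detail.description"}
TEMPLATE = ("You have a severity <severity> GuardDuty finding type "
            "<Finding_Type> in the <region> region.")


def matches_pattern(event, pattern):
    # Subset of EventBridge matching this rule relies on: every pattern key must be
    # present, nested objects recurse, and a list is an OR of literal values.
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif json.dumps(event[key]) not in {json.dumps(v) for v in expected}:
            return False
    return True


def render_message(event, input_paths=INPUT_PATHS, template=TEMPLATE):
    # Apply the input transformer: resolve each simple JSONPath ($.a.b) and
    # substitute the value for its <name> placeholder in the template.
    message = template
    for name, path in input_paths.items():
        value = event
        for part in path.lstrip("$.").split("."):
            value = value[part]
        message = message.replace(f"<{name}>", str(value))
    return message
```

EventBridge also supports numeric range matching, so `"severity": [{"numeric": [">=", 4, "<", 9]}]` expresses the same filter without listing every value.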




Enable Guard Duty





Create A Role

Picture showing the role is created in IAM


Create A New Security Group

Picture showing the new security group created in AWS console


Launch An EC2 Instance





Assign Role To The EC2 Instance

Picture showing assigning the role to EC2 instance


Download Tor Browser And Open Site

Picture showing the findings logged in Guard Duty

Picture showing an email triggered when a finding is logged in Guard Duty


Posted By  -  Karan Gupta
 
Posted On  -  Thursday, June 16, 2022
