Articles → AWS → Send An Email If Any Finding Is Logged In AWS Guard Duty

Send An Email If Any Finding Is Logged In AWS Guard Duty

In this article, we will send an email if any finding is logged in AWS Guard Duty.

Steps

For this article, we will work on the following steps: -

Create a topic and a subscription
Create a rule in CloudWatch
Enable Guard Duty
Create a role
Create a new security group
Launch an EC2 instance
Assign role to the EC2 instance
Download tor browser and open the site

Let us get started.

Create A Topic And A Subscription

First, create a topic and a subscription.

Picture showing the topic created in aws console

Click to Enlarge

Create A Rule In CloudWatch

For creating the rule, go to the CloudWatch service. From the left-hand side menu, click on the Rules menu.

Picture showing the Rules menu in AWS cloudwatch

Click to Enlarge

The CloudWatch screen will appear. On the CloudWatch screen, click on the Go to Amazon EventBridge button.

Picture showing the Go to Amazon EventBridge button in Cloudwatch

Click to Enlarge

The rule screen will appear. Click on the Create rule button.

Picture showing the Rules screen in Cloudwatch

Click to Enlarge

In the create rule screen, enter the Name and click on the Next button.

Picture showing the create rule screen in Cloudwatch

Click to Enlarge

In the next screen, enter the following JSON in the Event Pattern section.

{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4,
      4.0,
      4.1,
      4.2,
      4.3,
      4.4,
      4.5,
      4.6,
      4.7,
      4.8,
      4.9,
      5,
      5.0,
      5.1,
      5.2,
      5.3,
      5.4,
      5.5,
      5.6,
      5.7,
      5.8,
      5.9,
      6,
      6.0,
      6.1,
      6.2,
      6.3,
      6.4,
      6.5,
      6.6,
      6.7,
      6.8,
      6.9,
      7,
      7.0,
      7.1,
      7.2,
      7.3,
      7.4,
      7.5,
      7.6,
      7.7,
      7.8,
      7.9,
      8,
      8.0,
      8.1,
      8.2,
      8.3,
      8.4,
      8.5,
      8.6,
      8.7,
      8.8,
      8.9
    ]
  }
}

Picture showing adding the JSON for event pattern

Click to Enlarge

Scroll down to the bottom and click on the Next screen. In the next screen, select Target as the SNS topic created in the previous section.

Picture showing specifying the target as SNS topic

Click to Enlarge

Expand the Additional settings section. In the Additional settings section, select the Configure target input as Input transformer. Then, click on the Configure input transformer button.

Picture showing the Configure target input button for specifying the input json

Click to Enlarge

A popup window will appear. In the Input path section, enter the following JSON.

{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}

Picture showing pasting the input transformer json

Click to Enlarge

Scroll down to the Template section and add the following XML.

"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."

Picture showing pasting the xml of template

Click to Enlarge

Click on the Confirm button to close the window. In the parent window, click on the Next button. In the next screen, you can add tags.