Articles → AWS → Send An Email If Any Finding Is Logged In AWS Guard Duty

Send An Email If Any Finding Is Logged In AWS Guard Duty






Steps




  1. Create a topic and a subscription
  2. Create a rule in CloudWatch
  3. Enable Guard Duty
  4. Create a role
  5. Create a new security group
  6. Launch an EC2 instance
  7. Assign role to the EC2 instance
  8. Download tor browser and open the site



Create A Topic And A Subscription




Picture showing the topic created in aws console
Click to Enlarge


Create A Rule In CloudWatch




Picture showing the Rules menu in AWS cloudwatch
Click to Enlarge



Picture showing the Go to Amazon EventBridge button in Cloudwatch
Click to Enlarge



Picture showing the Rules screen in Cloudwatch
Click to Enlarge



Picture showing the create rule screen in Cloudwatch
Click to Enlarge



{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4,
      4.0,
      4.1,
      4.2,
      4.3,
      4.4,
      4.5,
      4.6,
      4.7,
      4.8,
      4.9,
      5,
      5.0,
      5.1,
      5.2,
      5.3,
      5.4,
      5.5,
      5.6,
      5.7,
      5.8,
      5.9,
      6,
      6.0,
      6.1,
      6.2,
      6.3,
      6.4,
      6.5,
      6.6,
      6.7,
      6.8,
      6.9,
      7,
      7.0,
      7.1,
      7.2,
      7.3,
      7.4,
      7.5,
      7.6,
      7.7,
      7.8,
      7.9,
      8,
      8.0,
      8.1,
      8.2,
      8.3,
      8.4,
      8.5,
      8.6,
      8.7,
      8.8,
      8.9
    ]
  }
}


Picture showing adding the JSON for event pattern
Click to Enlarge



Picture showing specifying the target as SNS topic
Click to Enlarge



Picture showing the Configure target input button for specifying the input json
Click to Enlarge



{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}


Picture showing pasting the input transformer json
Click to Enlarge



"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."


Picture showing pasting the xml of template
Click to Enlarge



Picture showing the screen for adding Tags
Click to Enlarge



Picture showing the review screen before the rule is created
Click to Enlarge




Enable Guard Duty





Create A Role




Picture showing the role is created in IAM
Click to Enlarge


Create A New Security Group




Picture showing the new security group created in AWS console
Click to Enlarge


Launch An EC2 Instance





Assign Role To The EC2 Instance




Picture showing assigning the role to EC2 instance
Click to Enlarge


Download Tor Browser And Open The Site




Picture showing the findings logged in Guard Duty
Click to Enlarge



Picture showing an email triggered when a finding is logged in Guard Duty
Click to Enlarge


Posted By  -  Karan Gupta
 
Posted On  -  Thursday, June 16, 2022

Query/Feedback


Your Email Id  
 
Subject 
 
Query/FeedbackCharacters remaining 250