Defending AWS Assets through Email alerts.
2023-8-28 15:19:10 Author: infosecwriteups.com (view original) Views: 23

Ajay Magar

InfoSec Write-ups

Hello folks, I have come up with a new cloud security project to defend AWS assets. AWS has the GuardDuty service, which monitors AWS resources and API activity and detects potential security threats. To detect threats, GuardDuty uses CloudTrail logs, DNS logs and EKS logs. When GuardDuty detects an attack it creates a finding in the dashboard, and the finding contains the affected AWS resource, the malicious IP, the victim IAM user and the type of threat.

Up to here everything is good. But as a security engineer I need to check every day whether there is a new finding or not, and that is a time-consuming and boring task. That's why I came up with this automation: whenever GuardDuty detects an attack and creates a finding on the dashboard, it triggers an SNS topic (also an AWS service), which notifies the user about the finding via email.

Let's build.

Let's create the SNS topic first.

Go to the AWS dashboard, search for SNS -> Create a new topic.

After creating the topic, create a subscription with the Email protocol. AWS will send a confirmation mail to that email address; clicking the link in it accepts the subscription.

Now it's time to create the rule in Amazon EventBridge. Go to EventBridge -> Create a new rule ->

After this we need to define the event pattern. Copy this pattern and paste it into the event pattern field.

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}
```

After creating the event pattern we need to select the target (the SNS topic created above) ->

In Additional settings, select Input transformer and configure it.

Put the following into the input path and the template. The email will arrive in the template format shown below.

Input path:

```json
{
  "severity": "$.detail.severity",
  "Account_ID": "$.detail.accountId",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}
```

Template:

```text
"AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
```

After this, review and create. We are done with EventBridge.

And now the last step is GuardDuty ->

After enabling GuardDuty, go to Settings -> Finding export options.

This setting controls how often GuardDuty exports findings to EventBridge; here it is set to every 15 minutes. Now we need some findings in the dashboard. We can create findings by simulating an attack against a resource in real time, or use the sample findings option AWS provides, which is the easy way.

GuardDuty generated some sample findings in the dashboard. Let's see whether we got the email alert or not.

We got the alert through email. Now the security team or SOC team can take action on it.

Happy hacking ……!


Article source: https://infosecwriteups.com/defending-aws-assets-through-email-alerts-991b6fb3c8ce?source=rss----7b722bfd1b8d--bug_bounty