How can I configure a CloudWatch events rule for GuardDuty to send custom SNS notifications if specific AWS service event types trigger?

Last updated: 2019-05-22

I created an Amazon CloudWatch Events rule to trigger on service event types for Amazon GuardDuty, but the responses are in JSON format. How can I receive an email response with a custom notification?  

Short Description

Use a custom event pattern with the CloudWatch Events rule to match a specific finding type. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

This example uses the Amazon GuardDuty finding type UnauthorizedAccess:EC2/TorIPCaller.

Note: You can replace the service name and event type for your specific AWS service.

1.    If you haven't already created an Amazon SNS topic, follow the instructions for Getting Started with Amazon SNS.

Note: The Amazon SNS topic must be in the same Region as your AWS GuardDuty service.

2.    Open the CloudWatch console.

3.    In the navigation pane, choose Rules, and then choose Create rule.

4.    From the Service Name menu, choose GuardDuty.

5.    From the Event Type menu, choose GuardDuty Finding.

6.    In Event Pattern Preview, choose Edit.

7.    Copy the following code and paste it in Event Pattern Preview, and then choose Save.

{
  "source": [
    "aws.guardduty"
  ],
  "detail": {
    "type": [
      "UnauthorizedAccess:EC2/TorIPCaller"
    ]
  }
}

8.    In Targets, choose Add target.

9.    In Select Target, choose SNS topic.

10.   In Select Topic, choose your SNS topic.

11.   Expand Configure input, and then choose Input Transformer.

12.   Copy the following code. Then, paste it in Input Path.

{
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "instanceId": "$.detail.resource.instanceDetails.instanceId",
    "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
    "eventFirstSeen": "$.detail.service.eventFirstSeen",
    "eventLastSeen": "$.detail.service.eventLastSeen",
    "count": "$.detail.service.count",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description"
}

13.    Copy the following code. Then, paste it in Input Template.

"You have a severity <severity> GuardDuty finding type <Finding_Type> for the EC2 instance <instanceId> in the region <region> as the <Finding_description> on the port <port>. The first attempt was on <eventFirstSeen> and the most recent attempt on <eventLastSeen>. The total occurrence is <count>. For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"

14.    Choose Configure details.

15.    In Configure rule details, enter a Name and Description for the rule, and then choose Create rule.

16.    When GuardDuty generates a finding that matches the event pattern, you receive an SNS email notification with the custom fields from step 13 populated, similar to the following:

"You have a severity 5 GuardDuty finding type UnauthorizedAccess:EC2/TorIPCaller for the EC2 instance EXAMPLEID in the region EXAMPLEREGION as the IP address 192.0.2.0/2 on the Tor Anonymizing Proxy network is communicating with EC2 instance EXAMPLEID. on the port 80. The first attempt was on 2019-04-09T00:01:14.681Z and the most recent attempt on 2019-05-20T06:04:12.593Z. The total occurrence is 5. For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?EXAMPLEREGION"
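To check the event pattern and input transformer from the steps above before creating the rule, the following added example (not part of the original article or an AWS library) simulates locally how the pattern matches a finding and how the Input Path and Input Template produce the notification text. The sample event is constructed, the template is shortened, and the handling of a missing path is a local simplification.

```python
import re
# Event pattern and input path from the steps above (template shortened).
EVENT_PATTERN = {"source": ["aws.guardduty"],
                 "detail": {"type": ["UnauthorizedAccess:EC2/TorIPCaller"]}}
INPUT_PATH = {
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "instanceId": "$.detail.resource.instanceDetails.instanceId",
    "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
    "count": "$.detail.service.count",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
}
INPUT_TEMPLATE = ("You have a severity <severity> GuardDuty finding type <Finding_Type> "
                  "for the EC2 instance <instanceId> in the region <region> on the port "
                  "<port>. The total occurrence is <count>. Finding ID: <Finding_ID>")

# Constructed sample event (not a real finding) in the CloudWatch Events envelope.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID", "type": "UnauthorizedAccess:EC2/TorIPCaller",
        "severity": 5,
        "resource": {"instanceDetails": {"instanceId": "i-EXAMPLE"}},
        "service": {"count": 5, "action": {"networkConnectionAction":
                                           {"localPortDetails": {"port": 80}}}},
    },
}

def matches_pattern(event, pattern):
    """Rule semantics: every pattern key must exist in the event; a list enumerates
    the allowed values, a nested dict is matched recursively."""
    return all(key in event and (isinstance(event[key], dict) and matches_pattern(event[key], exp)
                                 if isinstance(exp, dict) else event[key] in exp)
               for key, exp in pattern.items())

def resolve_path(event, path):
    """Resolve a dotted JSONPath such as '$.detail.service.count'; returns None when
    a segment is missing (e.g. a finding that has no EC2 instance)."""
    node = event
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def render_notification(event, input_path=INPUT_PATH, template=INPUT_TEMPLATE):
    """Fill each <name> placeholder from the input path map. A missing value is
    rendered as '' here; that is a local choice, not the service's documented rule."""
    values = {name: resolve_path(event, p) for name, p in input_path.items()}
    fill = lambda m: "" if values.get(m.group(1)) is None else str(values[m.group(1)])
    return re.sub(r"<(\w+)>", fill, template)
```

Run render_notification(SAMPLE_EVENT) to see the message the SNS subscriber would receive for the sample; feeding a finding without an instanceId shows which placeholders your template depends on.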