AWS GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.
With GuardDuty’s Integration, Zenduty sends new GuardDuty alerts to the right team and notifies them based on on-call schedules via email, text messages(SMS), phone calls(Voice), Slack, Microsoft Teams and iOS & Android push notifications, and escalates alerts until the alert is acknowledged or closed. Zenduty provides your NOC, SRE and application engineers with detailed context around the GuardDuty alert along with playbooks and a complete incident command framework to triage, remediate and resolve incidents with speed.
You can also use Alert Rules to custom route specific GuardDuty alerts to specific users, teams or escalation policies, write suppression rules, auto add notes, responders and incident tasks.
- To add a new AWS GuardDuty integration, go to Teams on Zenduty and click on the team you want to add the integration to.
- Next, go to Services and click on the relevant Service.
- Go to Integrations and then Add New Integration. Give it a name and select the application GuardDuty from the dropdown menu.
- Go to Configure under your integrations and copy the Webhook URL generated.
Login to your AWS account. Go to your SNS dashboard. On the left panel, click on Topics. Click on Create topic. For topic and display names, enter Zenduty.
- Go back to the SNS dashboard and click on Create Subscription.
- In the Topic ARN, choose the topic created in Step 1. Select the protocol as HTTPS. In the endpoint field, paste the URL you copied earlier.
- Keep the Enable raw message delivery as unchecked.
- Click on Create subscription to find a list of your subscriptions. Refresh this page to confirm.
- Go to the AWS EventBridge dashboard. On the left panel, click on Rules. Click on Create rule. For name enter Zenduty and description you can give as per your prefrence.
- In the Build event pattern step AWS events or EventBridge partner events as Event source. In the Event pattern select AWS services as Event source and then select GuardDuty in AWS service. Set All Events in Event type.
- In Select targets, choose AWS service as Target types, choose SNS Topic target from the Target menu and select Topic that you have created earlier steps.
- Zenduty will create an incident for each finding.
Looking for a better way to get real-time alerts from AWS GuardDuty Integration, setup a solid incident escalation and incident response pipeline and minimize response and resolution times for AWS GuardDuty Integration incidents?