AWS GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.
With GuardDuty’s Integration, Zenduty sends new GuardDuty alerts to the right team and notifies them based on on-call schedules via email, text messages (SMS), phone calls(Voice), Slack, Microsoft Teams and iOS & Android push notifications, and escalates alerts until the alert is acknowledged or closed. Zenduty provides your NOC, SRE and application engineers with detailed context around the GuardDuty alert along with playbooks and a complete incident command framework to triage, remediate and resolve incidents with speed.
You can also use Alert Rules to custom route specific GuardDuty alerts to specific users, teams or escalation policies, write suppression rules, auto add notes, responders and incident tasks.
- To add a new AWS GuardDuty integration, go to “Teams” on Zenduty and click on the “Manage” button corresponding to the team you want to add the integration to.
- Next, go to “Services” and click on the “Manage” button corresponding to the relevant Service.
- Go to “Integrations” and then “Add New Integration”. Give it a name and select the application “AWS GuardDuty” from the dropdown menu.
- Go to “Configure” under your integrations and copy the webhooks URL generated.
Login to your AWS account. Go to your SNS dashboard. On the left panel, click on “Topics”. Click on “Create topic”. For topic and display names, enter “Zenduty”.
- Go back to the SNS dashboard and click on “Create Subscription”.
- In the Topic ARN, choose the topic created in Step 1. Select the protocol as HTTPS. In the endpoint field, paste the URL you copied earlier.
- Keep the “Enable raw message delivery” as unchecked.
- Click on “Create subscription” to find a list of your subscriptions. Refresh this page to confirm.
- Go to the AWS EventBridge dashboard. On the left panel, click on “Rules”. Click on “Create rule”. For name enter “Zenduty” and description you can give as per your prefrence.
- In the Build event pattern step “AWS events or EventBridge partner events” as Event source. In the Event pattern select “AWS services” as Event source and then select “GuardDuty” in AWS service. Set “All Events” in Event type.
- In Select targets, choose AWS service as Target types, choose SNS Topic target from the Target menu and select Topic that you have created earlier steps.
- Zenduty will create an incident for each finding.
Looking for a better way to get real-time alerts from AWS GuardDuty Integration, setup a solid incident escalation and incident response pipeline and minimize response and resolution times for AWS GuardDuty Integration incidents?