https://github.com/ventz/guardduty-slack-notify

Lambda for AWS GuardDuty Slack Notifications
https://github.com/ventz/guardduty-slack-notify

amazon amazon-web-services aws-lambda cloudwatch guardduty javascript logs nodejs notifications security slack slack-webhook sns-topic

Last synced: 25 days ago
JSON representation

Lambda for AWS GuardDuty Slack Notifications

• Host: GitHub
• URL: https://github.com/ventz/guardduty-slack-notify
• Owner: ventz
• License: apache-2.0
• Created: 2019-09-27T03:25:49.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2022-12-16T13:47:04.000Z (about 2 years ago)
• Last Synced: 2024-12-07T08:29:39.387Z (27 days ago)
• Topics: amazon, amazon-web-services, aws-lambda, cloudwatch, guardduty, javascript, logs, nodejs, notifications, security, slack, slack-webhook, sns-topic
• Language: JavaScript
• Size: 1.06 MB
• Stars: 4
• Watchers: 2
• Forks: 4
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Amazon Lambda for GuardDuty Slack Notifications

/*

  Copyright (Apache License 2.0): Ventz Petkov

  Repository: https://github.com/ventz/guardduty-slack-notify

  Initial Release: 9-15-2019                                                       

*/

Configure in 4 easy steps, and make sure to edit Lambda function with

your own Slack Incoming Webhook URL.

## Guard Duty

1.) Enable GuardDuty and configure 5-minute subsequent findings:

Notifications for subsequent finding occurrences – By default, for

every finding with a unique finding ID, GuardDuty aggregates all

subsequent occurrences of a particular finding that take place in

6-hour intervals into a single event. GuardDuty then sends a

notification about these subsequent occurrences based on this event.

In other words, by default, for the subsequent occurrences of the

existing findings, GuardDuty sends notifications based on CloudWatch

events every 6 hours. You can configure this for: 15 minutes, 1 hour,

or the default 6 hours. It is recommended to use 15 minutes (via GuardDuty

Console -> Settings)!

## CloudWatch -> SNS -> Lambda Handler (Slack Notifications)

You can enable the next three steps in the Console via point-and-click, or via the CLI:

2.) Enable CloudWatch rule to send events for all GuardDuty findings:

```

aws events put-rule --name GuardDuty --event-pattern "{\"source\":[\"aws.guardduty\"]}"

```

3.) Attach the Lambda function as a target foro the rule:

```

aws events put-targets --rule GuardDuty --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:

```

4.) Add permissions to invoke the target:

```

aws lambda add-permission --function-name  --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com

```

# Useful Documents:

### Examples:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html

### See about format:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html#guardduty_findings_cloudwatch_format

### One example (for EC2):

https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/

### This is the Full Documentation/JSON explanation:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-ug.pdf

(For CLI Automation of Cloud Watch, SNS, and Lambda)