Getting Amazon GuardDuty alerts via SNS Endpoint

December 27, 2022
Share this post:
Getting Amazon GuardDuty alerts via SNS Endpoint
Table of Contents:

    Monitoring your infrastructure and safeguarding it against threats is not easy. Setting up the infrastructure, monitoring, collecting and analyzing information for threat detection, is indeed a cumbersome process. This is where a security monitoring service like Amazon GuardDuty can help. In this blog, we will explore Amazon GuardDuty service and discuss how integrating it with Squadcast, a Reliability Workflow Platform, can help you route alerts to the right users for quick and efficient incident response.

    What is Amazon GuardDuty and why is it important?

    Amazon GuardDuty is a threat detection service used to monitor AWS accounts and workloads for malicious activity (threat detection) and to deliver detailed security findings, for quick remediation or response. It helps you in

    • Continuously monitoring AWS accounts, and associated resources like instances, storage, databases, container workloads, and users for potential threats.
    • Quickly exposing threats with anomaly detection, Machine Learning, Threat Intelligence, and Behavioral Modeling.
    • Mitigating, remediating and responding with automated responses.

    What is Amazon Simple Notification Service (SNS)?

    It is a managed service offering message delivery from publishers to subscribers. Publishers use this service to communicate asynchronously with subscribers by sending messages to a 'topic'. A topic is a logical access point and communication channel. To receive published messages, users/consumers can subscribe to an SNS topic, using a supported endpoint type.

    This service can fan out alerts to millions of subscribers, and it offers capabilities like,

    • App-to-app messages
    • App-to-person messages
    • Use of FIFO topics
    • Message archiving, filtering, and analytics

    Let us now go ahead and see how we can integrate Amazon GuardDuty with Squadcast to route alerts via an SNS endpoint.

    How to integrate Amazon GuardDuty with Squadcast

    Step1: Navigate to Services, then to Service Overview. Select or search for your Service. Expand the accordion and in the Alert Sources section, click Add.

    Step2: Select Amazon GuardDuty. Copy the displayed Webhook URL to configure it within Amazon GuardDuty. Finish by clicking Add Alert Source and then Done.

    Important: When an alert source turns Active, it’ll show up under Configured Alert Sources, you can either generate a test alert from the integration or wait for a real-time alert to be generated by the Alert Source. An Alert Source is active if there is a recorded incident via that Alert Source for the Service.

    In AWS: Configure SNS Endpoint

    Step1: Login to your AWS account and proceed to SNS.

    Step2: Click on Create topic.

    Step3: Within the dialog box, fill in the details as per your requirements and then click on Create topic.

    Step4: Inside the topic, click on Create Subscription.

    Step5: Select the protocol as HTTPS and in the endpoint enter the URL you obtained from the previous step.

    Step6: Finally, click on Create subscription to create the subscription.

    Please Note:

    The Subscription ID for the subscription should immediately change to Confirmed from PendingConfirmation. Click on the refresh button to verify the same.

    In AWS: Configure GuardDuty

    Step1: If you have not enabled GuardDuty, please follow Amazon’s documentation (If you have already enabled GuardDuty, skip to Step2).

    Step2: Once you have enabled GuardDuty, you can begin building EventBridge Rules to send alerts to Squadcast. Search and select EventBridge from the Services search bar.

    Step3: Select Rules from the left menu, then click Create Rule. One or more rules can be created to send specific events to Squadcast when a GuardDuty finding is opened.

    Step4: On the next page, perform the following:

    • Name: Enter a name that can be easily identified.
    • Description (optional): Enter a description of the rule, pattern and target(s).
    • Event Bus: Select default.
    • Enable the rule on the selected event bus: Toggle to the on position.
    • Rule with an event pattern: This will automatically be preselected.

    Click Next to continue

    Step5: On the next page, perform the following:

    • Event source: Select AWS events or EventBridge partner events.
    • Sample event (optional): If you would like to view sample events, you may do so in this section.
    • Event Source: Select AWS services.
    • AWS Service: Select GuardDuty.
    • Event type: Select GuardDuty Finding.
    • Click Next to continue.

    Step6: On the next page, perform the following:

    • Target types: Select AWS service
    • Select a target: Search and select SNS topic
    • Topic: Search and select the topic created in previous steps
    • Configure other additional settings to your preference

    Click Next to continue

    Step7: On the next page, optionally add tags to your preference. Click Next to continue.

    Step8: On the final page, review your settings and click Create Rule. If you would like to create more rules, repeat steps 3-7.


    That's it, you are good to go! Your Amazon GuardDuty integration is complete. Now, whenever an event is triggered that matches your Event Rules, an incident will be created in Squadcast for it.

    Amazon GuardDuty is a highly popular threat detection & continuous monitoring service, and integrating it with Squadcast can help you leverage various incident response and SRE features of Squadcast to keep your systems reliable. Do read this blog in case you wish to set up CloudTrail alerts via an SNS endpoint. Do check out other integrations that Squadcast supports.

    Squadcast is an incident management tool that’s purpose-built for SRE. Get rid of unwanted alerts, receive relevant notifications and integrate with popular ChatOps tools. Work in collaboration using virtual incident war rooms and use automation to eliminate toil.

    squadcast
    Written By:
    December 27, 2022
    December 27, 2022
    Share this post:
    Subscribe to our LinkedIn Newsletter to receive more educational content
    Subscribe now

    Subscribe to our latest updates

    Enter your Email Id
    Thank you! Your submission has been received!
    Oops! Something went wrong while submitting the form.
    FAQ
    More from
    Vishal Padghan
    Unlocking Visibility and Control: Introducing Squadcast’s Service Graph Feature
    Unlocking Visibility and Control: Introducing Squadcast’s Service Graph Feature
    November 28, 2023
    RapidSpike + Squadcast: Routing Alerts Made Easy
    RapidSpike + Squadcast: Routing Alerts Made Easy
    October 25, 2023
    Blue Matador + Squadcast: Alert Routing Simplified
    Blue Matador + Squadcast: Alert Routing Simplified
    October 19, 2023
    Learn how organizations are using Squadcast
    to maintain and improve upon their Reliability metrics
    Learn how organizations are using Squadcast to maintain and improve upon their Reliability metrics
    mapgears
    "Mapgears simplified their complex On-call Alerting process with Squadcast.
    Squadcast has helped us aggregate alerts coming in from hundreds...
    bibam
    "Bibam found their best PagerDuty alternative in Squadcast.
    By moving to Squadcast from Pagerduty, we have seen a serious reduction in alert fatigue, allowing us to focus...
    tanner
    "Squadcast helped Tanner gain system insights and boost team productivity.
    Squadcast has integrated seamlessly into our DevOps and on-call team's workflows. Thanks to their reliability...
    Alexandre Lessard
    System Analyst
    Martin do Santos
    Platform and Architecture Tech Lead
    Sandro Franchi
    CTO
    Squadcast is a leader in Incident Management on G2 Squadcast is a leader in Mid-Market IT Service Management (ITSM) Tools on G2 Squadcast is a leader in Americas IT Alerting on G2 Best IT Management Products 2022 Squadcast is a leader in Europe IT Alerting on G2 Squadcast is a leader in Mid-Market Asia Pacific Incident Management on G2 Users love Squadcast on G2
    Squadcast awarded as "Best Software" in the IT Management category by G2 🎉 Read full report here.
    What our
    customers
    have to say
    mapgears
    "Mapgears simplified their complex On-call Alerting process with Squadcast.
    Squadcast has helped us aggregate alerts coming in from hundreds of services into one single platform. We no longer have hundreds of...
    Alexandre Lessard
    System Analyst
    bibam
    "Bibam found their best PagerDuty alternative in Squadcast.
    By moving to Squadcast from Pagerduty, we have seen a serious reduction in alert fatigue, allowing us to focus...
    Martin do Santos
    Platform and Architecture Tech Lead
    tanner
    "Squadcast helped Tanner gain system insights and boost team productivity.
    Squadcast has integrated seamlessly into our DevOps and on-call team's workflows. Thanks to their reliability metrics we have...
    Sandro Franchi
    CTO
    Revamp your Incident Response.
    Peak Reliability
    Easier, Faster, More Automated with SRE.
    Incident Response Mobility
    Manage incidents on the go with Squadcast mobile app for Android and iOS devices
    google playapple store
    Copyright © Squadcast Inc. 2017-2023