AWS GuardDuty Integration

AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

In ilert: Create an AWS GuardDuty alert source

  1. Go to Alert sources --> Alert sources and click on Create new alert source

  2. Search for AWS GuardDuty in the search field, click on the AWS GuardDuty tile and click on Next.

  3. Give your alert source a name, optionally assign teams and click Next.

  4. Select an escalation policy by creating a new one or assigning an existing one.

  5. Select you Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.

  6. The next page show additional settings such as customer alert templates or notification prioritiy. Click on Finish setup for now.

  7. On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.​

In AWS Dashboard

  1. Use the search bar and select Simple Notification Service (SNS). Select Topics and click Create Topic in the SNS Dashboard.

  2. Input a Topic name and Display name and Create topic. After the topic has been created, Select Subscriptions in the left hand menu and click Create Subscription.

  1. Select HTTPS Protocol and put the URL that was received from ilert side into the Endpoint field, keep the Enable raw message delivery checkbox unchecked and Create Subscription.

  2. The subscription would be confirmed automatically on ilert side, but make sure the Subscription ID is not in PendingConfirmation state.

  3. Search and select the Amazon GuardDuty console in the Service Search. Search for GuardDuty click Enable GuardDuty if this is the first time enabling Amazon GuardDuty.

  4. If the GuardDuty is enabled, CloudWatch Event Rules can be configured to send alerts to ilert and please navigate to the CloudWatch console.

  5. To create a rule, select Rules under Events and then click Create Rules. Select GuardDuty as the Service Name and then choose GuardDuty Finding as the Event Type.

  1. Click Add a target and select SNS topic, select Your Topic Name that has been created earlier and then click Configure Details.

  2. Assign a Name like ilert-incidents and click Create Rule.

  1. In order to test this, go back to the Amazon GuardDuty console and generate sample findings, to create event in ilert.

  1. Select Settings, then select Generate Sample Findings and then click Findings in the left navigation bar.

  2. The sample findings should have been generated, and it will create the event in the ilert automatically.

Last updated