Configure the webhook in AWS GuardDuty

Subscribe your endpoint webhook to a topic so that the endpoint receives messages published to that topic.

Before you begin

Ensure that you have an AWS account and have created an SNS topic.

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third party. More current information about the operation of that third party's system may be available from them directly.

Procedure

  1. Log in to the AWS console.
  2. Search for Simple Notification Service.
  3. Open Simple Notification Service (SNS).
  4. On the navigation pane, click Topics.
  5. Create or select a topic of type Standard for the subscription.
  6. Click the Subscriptions tab.
  7. Click Create subscription.
    Figure 1. Create subscription form
  8. From the Protocol list, select HTTPS.
  9. In the Endpoint field, enter the webhook URL copied from Incident Response.
    Enter the remaining fields depending on your requirements.
  10. Click Create subscription.
    If the subscription is successful, the subscription status changes from pending to confirmed.

    You are ready to subscribe to messages on the topic.

  11. Optional: To test the integration:
    1. From the left navigation pane, click Topics and from the existing Topics list, click to open the topic.
    2. Click Publish message.
    3. In the Message body section, enter the sample alert payload given at Sample alert for AWS GuardDuty to test the integration.
    4. Click Publish message.

      This creates a sample alert in Lightstep Incident Response.

What to do next

Create a rule in EventBridge and add the SNS topic as a target.
  1. Navigate to AWS > Amazon EventBridge.
  2. On the left navigation pane, select Events > Rules.
  3. In the Rules section, click Create rule.
    1. In the Name field, enter the name of the rule.
    2. Ensure Rule type is Rule with an event pattern.
    3. Click Next.
    4. Ensure Event Source is AWS events or EventBridge partner events.
    5. In the Event Pattern section, do the following:
      1. Select Event Source as AWS services.
      2. Select AWS Service as GuardDuty.
      3. Select Event type as GuardDuty Findings.

      If you want to make any changes to the Event pattern, click Custom patterns (JSON editor).

    6. Click Next.
  4. Under Target types, select AWS service.
  5. Under Select a target, select SNS topic.
  6. Under Topic, select the topic for which you have created the subscription.
  7. Click Next and then click Create Rule.

    GuardDuty findings are sent to EventBridge automatically. EventBridge matches each finding against the rule's event pattern and forwards the matching findings to the SNS topic, which delivers them to Incident Response to create alerts.
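To see what the event pattern from the Custom patterns (JSON editor) step actually lets through to the SNS topic, here is an added example (not code from the page or from AWS) that compares the console's default GuardDuty Findings pattern with a custom pattern that also requires severity 7 or higher. The matcher re-implements a simplified subset of EventBridge pattern semantics (exact match and numeric rules), and the finding events are constructed samples, not real findings.

```python
import operator

# Pattern the console generates for event type "GuardDuty Findings": every finding matches.
DEFAULT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Custom pattern (JSON editor): additionally require severity >= 7 (High) before SNS is notified.
HIGH_SEVERITY_PATTERN = {**DEFAULT_PATTERN, "detail": {"severity": [{"numeric": [">=", 7]}]}}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

def _leaf_matches(value, alternatives):
    # A leaf rule is a list: the value must equal one entry or satisfy a numeric rule.
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            ops = alt["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
            checks = zip(ops[::2], ops[1::2])
            if isinstance(value, (int, float)) and all(_OPS[op](value, b) for op, b in checks):
                return True
        elif value == alt:
            return True
    return False

def matches(pattern, event):
    # Every key in the pattern must exist in the event and match (simplified EventBridge semantics).
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not (isinstance(event[key], dict) and matches(rule, event[key])):
                return False
        elif not _leaf_matches(event[key], rule):
            return False
    return True

def make_finding(severity, finding_type):
    # Constructed GuardDuty finding in the EventBridge envelope; not a real finding.
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "region": "us-east-1", "detail": {"severity": severity, "type": finding_type}}

SAMPLE_EVENTS = [  # constructed: two GuardDuty findings and one unrelated EC2 event
    make_finding(2.0, "Recon:EC2/PortProbeUnprotectedPort"),
    make_finding(8.0, "Backdoor:EC2/C&CActivity.B!DNS"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "detail": {}},
]

def forwarded_to_sns(pattern, events):
    # Finding types the rule would forward to the SNS topic, and so to Incident Response.
    return [e["detail"]["type"] for e in events if matches(pattern, e)]
```

With the default pattern both findings reach Incident Response; with the severity rule only the High finding does, which is the usual way to keep low-severity reconnaissance noise out of the on-call queue.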