How can I use InsightConnect to alert me when GuardDuty detects a finding either via Slack or email?
There are a few different ways to do this.
I will send along a basic workflow that shows you how to do it.
Essentially you need to decide how you want to trigger the workflow. You can trigger from a detection rule in IDR. This happens before an alert or an Investigation is created. You choose ‘Third Party Alerts’, then in the rules type GuardDuty and select the rules you want it to fire for.
You would then select a ChatOps Step to send that to Slack. In the Slack input you would pick the various variables that you want to send. You can see in the screenshot below how to modify what variables are sent. It is the blue + icon.
That is a basic and simple method.
If you don’t already have the alerts feeding into InsightIDR you can add them following this document:
https://docs.rapid7.com/insightidr/aws-guardduty/
I have attached a simple workflow that accomplishes what you want. You just need to modify what variables are important to you, and how you want your message formatted. You can download the attached ICON file. Within the workflows page in InsightConnect select ‘Add Workflow’, ‘Import From File’, then upload the attached .icon file.
The configuration needed to get it running would be:
1. Set up Connections on the “Workflow Setup” tab.
2. Configure the name of the Slack channel you would like to send to on the “Parameters” tab.
3. Activate.
Let me know if you have further questions.
GuardDuty.icon (6.3 KB)
Hi Darrick,
Is it possible to do this without the detection rule in IDR? For example, setting up GuardDuty to send data to an SQS queue and having InsightConnect very frequently but periodically check said queue for a message?
Thanks!
I am not fluent with the AWS suite so my knowledge is limited to the understanding of what I have googled.
I think you can send your GuardDuty alerts/events to AWS CloudWatch, and that has more capabilities for exporting to other systems. We do have a plugin for CloudWatch, and it has a trigger. I am not sure if that would pull the information you are looking for or not. The CloudWatch Trigger would be the first place to start. You could just set up the trigger with no other steps to see what data is pulled in.
Next we have our API trigger. You would set up the API Trigger; when you save it, it provides a URL that you would give as the target for AWS to send to. The API Trigger is an HTTP listener, so any of your systems that can send data out to a URL via a webhook would be able to send to the API trigger.
Configure your API Trigger. Once configured, you will hit save and it gives a page of instructions, as seen in the screenshot. You need to copy that trigger URL and provide that as the destination for CloudWatch, then follow the other steps to activate and begin.
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
Let me know if this helps, or if you need additional guidance.
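As an added illustration (not the attached workflow or Rapid7 code) of the shaping step both answers describe, the following parses one GuardDuty finding as CloudWatch Events/EventBridge delivers it to a webhook such as the API trigger, drops findings below a severity threshold, and picks the variables for a Slack message. The event shape follows GuardDuty's finding format; the account, instance, IP and channel name are constructed sample values.

```python
import json

# Constructed sample event in the shape CloudWatch Events / EventBridge delivers
# for GuardDuty ("detail-type": "GuardDuty Finding"); IDs and the IP are made up.
SAMPLE_EVENT = json.dumps({
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "title": "198.51.100.23 is performing SSH brute force attacks against i-0123456789abcdef0.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 12, "eventLastSeen": "2024-01-01T12:00:00Z"},
    },
})


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def finding_to_slack(event_json, channel="#security-alerts", min_severity=4.0):
    """Turn one GuardDuty finding event into a Slack message payload.

    Returns None when the event is not a GuardDuty finding or is below the
    severity threshold, so a workflow can simply skip it.
    """
    event = json.loads(event_json)
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    sev = float(d.get("severity", 0))
    if sev < min_severity:
        return None
    resource = d.get("resource", {})
    instance = resource.get("instanceDetails", {}).get("instanceId", "n/a")
    svc = d.get("service", {})
    text = (f"*GuardDuty {severity_label(sev)} ({sev})* in {event['account']}/{event['region']}\n"
            f"*Type:* {d['type']}\n*Resource:* {resource.get('resourceType')} {instance}\n"
            f"*Count:* {svc.get('count', 1)}  *Last seen:* {svc.get('eventLastSeen')}\n{d.get('title')}")
    return {"channel": channel, "text": text}
```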