{"id":1273,"date":"2022-06-09T10:25:25","date_gmt":"2022-06-09T10:25:25","guid":{"rendered":"https:\/\/www.checkmateq.com\/blog\/?p=1273"},"modified":"2023-08-07T08:40:30","modified_gmt":"2023-08-07T08:40:30","slug":"amazon-guardduty","status":"publish","type":"post","link":"https:\/\/www.checkmateq.com\/blog\/amazon-guardduty","title":{"rendered":"How to configure Amazon GuardDuty"},"content":{"rendered":"<p><strong>AWS Amazon GuardDuty<\/strong> is a <strong>threat detection\u00a0service<\/strong> provided by <a href=\"https:\/\/www.checkmateq.com\/aws-cloud\">AWS cloud<\/a> that analyzes various logs and events and identifies <strong>unauthorized<\/strong> and <strong>malicious<\/strong> activities in our AWS environment. The data sources from which GuardDuty extracts information are:<\/p>\n<ul>\n<li>AWS CloudTrail event logs<\/li>\n<li>AWS CloudTrail management events<\/li>\n<li>AWS CloudTrail data events for S3<\/li>\n<li>Kubernetes audit logs<\/li>\n<li>VPC flow logs<\/li>\n<li>DNS logs<\/li>\n<\/ul>\n<h3>Steps to enable AWS Amazon GuardDuty:<\/h3>\n<ul>\n<li>Log in to your AWS cloud account and then go to the GuardDuty console.<\/li>\n<li>After that, click on <strong>Get Started<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1297\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-300x92.png\" alt=\"Amazon GuardDuty\" width=\"737\" height=\"226\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-300x92.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-1024x316.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-768x237.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-1536x473.png 1536w, 
https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637-1200x370.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140637.png 1687w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Click on <strong>Enable GuardDuty<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1296\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658-300x138.png\" alt=\"Amazon GuardDuty\" width=\"743\" height=\"342\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658-300x138.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658-1024x470.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658-768x353.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658-1200x551.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-140658.png 1426w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>GuardDuty is now enabled.<\/li>\n<\/ul>\n<p><strong>Findings:<\/strong> These are the potential security threats identified by GuardDuty. 
These can be seen in the console with detailed information about the threat.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1301\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-300x42.png\" alt=\"Amazon GuardDuty\" width=\"736\" height=\"103\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-300x42.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-1024x142.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-768x107.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-1536x213.png 1536w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436-1200x167.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-152436.png 1885w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<p>Finding types by resource:<\/p>\n<ul>\n<li>EC2 finding types<\/li>\n<li>IAM finding types<\/li>\n<li>S3 finding types<\/li>\n<li>Kubernetes finding types<\/li>\n<\/ul>\n<p><strong>Suppression Rule<\/strong>: A suppression rule is a set of criteria, consisting of a filter attribute and a value, that is used to filter findings by automatically archiving new findings that match the criteria. 
Suppression rules can be used to filter out findings that you don&#8217;t intend to act on, making it easier to identify the security threats that have the most impact on your environment.<\/p>\n<p>To add a suppression rule, follow these steps:<\/p>\n<ul>\n<li>Go to the <strong>Findings<\/strong> page and then click on <strong>Suppress findings<\/strong>.<\/li>\n<li>After that, select the filter criteria.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1306\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024-300x138.png\" alt=\"\" width=\"743\" height=\"342\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024-300x138.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024-1024x472.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024-768x354.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024-1200x553.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161024.png 1212w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Give a value for the criteria. 
For example, if the selected criterion is Instance ID, enter the instance ID and click <strong>Apply<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1307\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161311-300x74.png\" alt=\"Amazon GuardDuty\" width=\"722\" height=\"178\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161311-300x74.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161311-768x190.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-161311.png 877w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Give a name and description and then click on <strong>Save<\/strong>.<\/li>\n<\/ul>\n<p><strong>Export Findings: <\/strong>GuardDuty automatically exports findings to CloudWatch Events within 5 minutes after the finding is generated. 
We can also configure it to export active findings to an S3 bucket.<\/p>\n<h3><strong>Steps to export findings to an S3 bucket:<\/strong><\/h3>\n<ul>\n<li>Go to <strong>Settings-&gt;Findings export options<\/strong>.<\/li>\n<li>Next, click on <strong>Configure now<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1311\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553-300x147.png\" alt=\"\" width=\"731\" height=\"358\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553-300x147.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553-1024x501.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553-768x375.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553-1200x587.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-170553.png 1254w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Either select an existing bucket or create a new one.<\/li>\n<li>AWS encrypts finding data with a KMS key. 
We will create a KMS key, so click on the link to the KMS console.<\/li>\n<li>Click on <strong>Create a key<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1316\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734-300x154.png\" alt=\"\" width=\"748\" height=\"384\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734-300x154.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734-1024x524.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734-768x393.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734-1200x614.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190734.png 1315w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Create an alias and click on <strong>Next<\/strong>.<\/li>\n<li>Select the GuardDuty service and your user account as key administrators, and grant key usage permission to both the service and the user.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1317\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190956-300x108.png\" alt=\"\" width=\"739\" height=\"266\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190956-300x108.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190956-1024x370.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190956-1200x434.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-190956.png 1471w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 
61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Review the key policy and click on <strong>Finish<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1318\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341-300x155.png\" alt=\"\" width=\"691\" height=\"357\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341-300x155.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341-1024x528.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341-768x396.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341-1200x619.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-09-191341.png 1323w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Now, back in the GuardDuty console, select the KMS key and click on <strong>Save<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1320\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745-300x87.png\" alt=\"\" width=\"734\" height=\"213\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745-300x87.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745-1024x298.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745-768x223.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745-1200x349.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-015745.png 1272w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, 
(max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<p><strong>How to configure the AWS CloudWatch Events rule to notify you of Amazon GuardDuty findings:<\/strong><\/p>\n<ul>\n<li>First, we need to create an SNS topic. For that, go to the SNS console and click on <strong>Create topic<\/strong>.<\/li>\n<li>Select the Standard type, give a name and description, and then click on <strong>Create topic<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1322\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-300x119.png\" alt=\"\" width=\"739\" height=\"293\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-300x119.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-1024x407.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-768x305.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-1536x611.png 1536w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345-1200x477.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-150345.png 1564w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Go to <strong>Subscriptions-&gt;Create subscription<\/strong>.<\/li>\n<li>Select your <strong>Topic ARN and protocol<\/strong>. 
We will be using email.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1323\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-300x69.png\" alt=\"\" width=\"743\" height=\"171\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-300x69.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-1024x234.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-768x176.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-1536x351.png 1536w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1-1200x274.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-08-025206-1.png 1749w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Click on <strong>Create subscription<\/strong>.<\/li>\n<li>Go to your email and confirm the subscription.<\/li>\n<li>Now go to the <strong>Amazon EventBridge<\/strong> console and click on <strong>Create Rule<\/strong>.<\/li>\n<li>Enter a name for your rule and click <strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1325\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555-300x183.png\" alt=\"\" width=\"746\" height=\"455\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555-300x183.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555-1024x625.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555-768x468.png 768w, 
https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555-1200x732.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-154555.png 1215w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Select AWS events as the event source.<\/li>\n<li>In <strong>Event Pattern<\/strong>, select <strong>GuardDuty<\/strong> as the AWS service and <strong>GuardDuty Finding<\/strong> as the event type.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1326\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-161117-300x186.png\" alt=\"\" width=\"740\" height=\"459\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-161117-300x186.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-161117-1024x635.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-161117-768x476.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-161117.png 1195w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Click on Edit pattern and paste the following code there. The pattern matches findings whose severity is between 4 and 8.9, which are the Medium and High severity ranges, so Low severity findings do not trigger a notification.<\/li>\n<\/ul>\n<pre>{\r\n\"source\": [\r\n      \"aws.guardduty\"\r\n         ],\r\n\"detail-type\": [\r\n      \"GuardDuty Finding\"\r\n        ],\r\n\"detail\": {\r\n      \"severity\": [\r\n           4,\r\n           4.0,\r\n           4.1,\r\n           4.2,\r\n           4.3,\r\n           4.4,\r\n           4.5,\r\n           4.6,\r\n           4.7,\r\n           4.8,\r\n           4.9,\r\n           5,\r\n           5.0,\r\n           5.1,\r\n           5.2,\r\n           5.3,\r\n           5.4,\r\n           5.5,\r\n           5.6,\r\n           
5.7,\r\n           5.8,\r\n           5.9,\r\n           6,\r\n           6.0,\r\n           6.1,\r\n           6.2,\r\n           6.3,\r\n           6.4,\r\n           6.5,\r\n           6.6,\r\n           6.7,\r\n           6.8,\r\n           6.9,\r\n           7,\r\n           7.0,\r\n           7.1,\r\n           7.2,\r\n           7.3,\r\n           7.4,\r\n           7.5,\r\n           7.6,\r\n           7.7,\r\n           7.8,\r\n           7.9,\r\n           8,\r\n           8.0,\r\n           8.1,\r\n           8.2,\r\n           8.3,\r\n           8.4,\r\n           8.5,\r\n           8.6,\r\n           8.7,\r\n           8.8,\r\n           8.9\r\n         ]\r\n     }\r\n}\r\n<\/pre>\n<ul>\n<li>Select SNS topic as the target type, then choose the topic that we created.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1327\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-163219-300x122.png\" alt=\"Amazon GuardDuty\" width=\"718\" height=\"292\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-163219-300x122.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-163219-1024x417.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-163219-768x313.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-163219.png 1180w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Now go to <strong>Additional settings<\/strong> and select <strong>Input transformer<\/strong> under <strong>Configure target input<\/strong>.<\/li>\n<li>Copy the following code into the <strong>Input<\/strong> field.<\/li>\n<\/ul>\n<pre>{\r\n   \"severity\": \"$.detail.severity\",\r\n   \"Account_ID\": \"$.detail.accountId\",\r\n   \"Finding_ID\": \"$.detail.id\",\r\n   
\"Finding_Type\": \"$.detail.type\",\r\n   \"region\": \"$.region\",\r\n   \"Finding_description\": \"$.detail.description\"\r\n}\r\n<\/pre>\n<ul>\n<li>Copy the following code into the <strong>Input template<\/strong> field.<\/li>\n<\/ul>\n<pre>\"AWS &lt;Account_ID&gt; has a severity &lt;severity&gt; GuardDuty finding type &lt;Finding_Type&gt; in the &lt;region&gt; region.\"\r\n\"Finding Description:\"\r\n\"&lt;Finding_description&gt;. \"\r\n\"For more details open the GuardDuty console at https:\/\/console.aws.amazon.com\/guardduty\/home?region=&lt;region&gt;#\/findings?search=id=&lt;Finding_ID&gt;\"\r\n<\/pre>\n<ul>\n<li>Click <strong>Confirm<\/strong> and then <strong>Next<\/strong>.<\/li>\n<li>Create tags.<\/li>\n<li>Review and click on <strong>Create rule<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-1328\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425-300x123.png\" alt=\"Amazon GuardDuty\" width=\"739\" height=\"303\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425-300x123.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425-1024x421.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425-768x316.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425-1200x493.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-10-164425.png 1243w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<p><a href=\"https:\/\/www.checkmateq.com\/contact-us\">Please contact<\/a> Checkmate Global Technologies cloud consultants to learn more about infrastructure monitoring and observability. 
You can also hire a <a href=\"https:\/\/www.checkmateq.com\/devops-engineering\">DevOps engineer<\/a> to transform your entire infrastructure monitoring stack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>AWS Amazon GuardDuty is a threat detection\u00a0service provided by AWS cloud that analyzes various logs and events and identifies unauthorized and malicious activities in our AWS environment. The data sources from which GuardDuty extracts information are: AWS CloudTrail event logs AWS CloudTrail management events AWS CloudTrail data events for s3 Kubernetes audit logs VPC flow &hellip; <a href=\"https:\/\/www.checkmateq.com\/blog\/amazon-guardduty\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to configure Amazon GuardDuty&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":1191,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[15,3,2,7,8,14,6],"_links":{"self":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/1273"}],"collection":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/comments?post=1273"}],"version-history":[{"count":16,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/1273\/revisions"}],"predecessor-version":[{"id":4316,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/1273\/revisions\/4316"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/media\/1191"}],"wp:attachment":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/media?parent=1273"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/categories?post=1273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/tags?post=1273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}