Configure Webhook for Amazon GuardDuty
Configure the webhook as a subscription on your preferred Amazon SNS topic and associate the topic with an EventBridge rule. This enables you to receive Amazon GuardDuty findings directly in Collaborate.
Before you Start
Ensure that you have generated the webhook for Amazon GuardDuty in Integrations. For more information about generating the webhook URL, see Configure Detect Integrations.
In the AWS console, go to Amazon Simple Notification Service (SNS).
In Amazon SNS, select Topics and select the ACD-related topic.
Alternatively, you can create a topic for ACD. Ensure that the topic type is Standard.
In Subscriptions, click Create Subscription.
Protocol: Select the protocol as HTTPS.
Endpoint: Enter the webhook you generated in Collaborate.
Select Enable raw message delivery.
After entering all the required details, click Create subscription.
After adding the webhook to the ACD-related topic, you must confirm the subscription to ensure that GuardDuty findings are available in Collaborate.
Sign in to the Collaborate Member Portal.
Go to Intel Repository > My Collection > All Detected.
Select the ingested confirmation URL from Amazon SNS.
Copy the confirmation URL. This URL contains the SubscribeURL, which is used to confirm the subscription.
The following example is a confirmation URL:
https://sns.us-east-1.amazonaws.com/SimpleNotificationService-60eadc530605d63b8e62a523676ef735.pem","SubscribeURL":"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:161196368830:sample-topic&Token=2x0x****************************************9x","Timestamp":"2024-02-12T10:50:17.686Z","Token":"*****************","TopicArn":"arn:aws:sns:us-east-1:161196368830:acd-topic","Type":"SubscriptionConfirmation"
In this example, the SubscribeURL is https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:161196368830:sample-topic&Token=2x0x****************************************9x.
Copy and enter the SubscribeURL in any browser to confirm your subscription. Alternatively, you can enter the URL in the subscription confirmation in AWS.
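A check that can be run on the ingested confirmation message before opening the SubscribeURL, added here as an example and not part of Collaborate or AWS tooling: it confirms that the URL is an HTTPS SNS endpoint for the expected topic and region. The function name, sample message, account ID and token are constructed for illustration, and the host pattern assumes the standard AWS partition.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: standard AWS partition, where SNS endpoints are sns.<region>.amazonaws.com.
SNS_HOST = re.compile(r"sns\.([a-z0-9-]+)\.amazonaws\.com")


def extract_subscribe_url(raw_message: str, expected_topic_arn: str) -> str:
    """Return the SubscribeURL if it is safe to open, otherwise raise ValueError."""
    msg = json.loads(raw_message)
    if msg.get("Type") != "SubscriptionConfirmation":
        raise ValueError("not a subscription confirmation message")
    if msg.get("TopicArn") != expected_topic_arn:
        raise ValueError("message is for a different topic")

    url = urlsplit(msg.get("SubscribeURL", ""))
    # hostname drops any userinfo/port, so "sns...com@other.host" is rejected.
    host = SNS_HOST.fullmatch(url.hostname or "")
    if url.scheme != "https" or host is None:
        raise ValueError("SubscribeURL is not an HTTPS SNS endpoint")

    query = parse_qs(url.query)
    if query.get("Action") != ["ConfirmSubscription"]:
        raise ValueError("SubscribeURL does not confirm a subscription")
    if query.get("TopicArn") != [expected_topic_arn]:
        raise ValueError("SubscribeURL confirms a different topic")
    # ARN layout: arn:aws:sns:<region>:<account-id>:<topic-name>
    if expected_topic_arn.split(":")[3] != host.group(1):
        raise ValueError("endpoint region does not match the topic region")
    if not query.get("Token"):
        raise ValueError("SubscribeURL has no token")
    return msg["SubscribeURL"]


# Constructed sample values (placeholder account ID and token, not from a real account).
TOPIC = "arn:aws:sns:us-east-1:111122223333:acd-topic"
SAMPLE = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": TOPIC,
    "Token": "EXAMPLETOKEN",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                    f"&TopicArn={TOPIC}&Token=EXAMPLETOKEN",
    "Timestamp": "2024-02-12T10:50:17.686Z",
})

if __name__ == "__main__":
    print(extract_subscribe_url(SAMPLE, TOPIC))
```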
After confirming your subscription, you can associate the topic with an Amazon EventBridge rule.
Use the search bar to search and select Amazon EventBridge.
In Get Started, select EventBridge Rule, and click Create Rule. Use the following information while creating the rule:
Name: Enter the name of the rule. For example, GuardDuty-ACD Rule.
Rule type: Select Rule with an event pattern. This ensures that the rule runs when there is an event that matches the event pattern.
Click Next.
Event source: Select AWS events or EventBridge partner events. This ensures that the rule will process events generated by AWS services, which includes GuardDuty events.
Sample event type: Select AWS events.
Creation method: Select Use pattern form.
In Event pattern:
Event source: Select AWS services as the event source.
AWS Service: Select GuardDuty as the AWS service provider.
Event type: Select GuardDuty Finding as the event type.
Retry policy: It is recommended to configure the retry policy in EventBridge based on your organization's policies.
After making the required changes, click Next.
In Targets:
Target type: Select the target type as AWS service.
Target: Select the target as an SNS topic.
Topic: Select the ACD-related topic for which you previously configured the webhook.
Click Next.
After reviewing the details, click Create rule.
Results
The rule is now associated with the topic that has the webhook subscription. Whenever GuardDuty generates findings, they are automatically available in Automated Collective Defense > Intel Repository > My Collection.