Enhancing AWS GuardDuty Alerts with GuardDutyInsightfulAlerts

Adan, published in AWS Tip, Dec 6, 2023

In my previous articles, I’ve explored various AWS services from an attacker’s viewpoint, discussing potential post-exploitation attacks and diving into services like CloudFront, AppSync, ALBs, and Lambda. In this article, I’ll focus on a crucial AWS security service: Amazon GuardDuty.

“Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.”

Figure 1. GuardDuty’s features and integration with different AWS workloads and resource types

GuardDuty analyzes services such as S3, EC2, Lambda, and containers using machine learning, anomaly detection, and integrated threat intelligence, and generates findings for us to act on. This last part is the critical one: enabling GuardDuty is straightforward, but the notifications need to carry enough information for us to actually take action.

AWS recommends using CloudWatch event notifications to manage GuardDuty findings, typically sending these alerts to an SNS topic (AWS Documentation). Subscribers can then receive email alerts. However, these default alerts often carry little information and are hard to read.

Here’s an example of a standard GuardDuty alert:

Figure 2. Simple GuardDuty notification via SNS following AWS Documentation

Recognizing the need for more actionable alerts, I developed GuardDutyInsightfulAlerts. This small tool enhances the way GuardDuty findings are delivered. Instead of simple text emails from SNS, it processes the events through a Lambda function, enriches them with additional information, and sends them as formatted HTML emails via Amazon SES.

Here’s how GuardDutyInsightfulAlerts changes the game:

Figure 3. GuardDuty notification using GuardDutyInsightfulAlerts

Key features of GuardDutyInsightfulAlerts include:

  • GuardDuty Event Processing: Extracting the essentials from GuardDuty findings.
  • IP Information Enrichment: An optional module enriching alerts with IP details (requires a free API key from vpnapi.io).
  • CloudTrail Data Lake Querying: An optional module that enriches alerts with user and IP history from AWS CloudTrail Lake (requires CloudTrail Lake setup in your AWS account).
  • Formatted Email Notifications: Enriched findings are sent as easy-to-read HTML emails, enhancing readability and facilitating response.
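The first and last of these steps, processing the finding and rendering it as HTML, look roughly like this. This is an added example, not GuardDutyInsightfulAlerts' own code; the event is a constructed sample, the `send(subject, html_body)` callback is a hypothetical injected SES sender, and the IP enrichment and CloudTrail Lake modules are left out.

```python
import html

# Constructed sample EventBridge event carrying a GuardDuty finding; IDs, account and IP are made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id", "severity": 8, "accountId": "123456789012", "region": "us-east-1",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "title": "Credentials created for an EC2 instance were used from an external IP address.",
        "eventLastSeen": "2023-12-01T10:15:00Z",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userName": "i-0example", "userType": "AssumedRole"}},
        "service": {"count": 3, "action": {"awsApiCallAction": {"api": "ListBuckets",
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23",
                                "country": {"countryName": "Example Country"}}}}},
    },
}

def severity_label(score):
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def extract_essentials(event):
    """Pull the fields a responder needs first out of a GuardDuty finding event."""
    d = event["detail"]
    action = d.get("service", {}).get("action", {}).get("awsApiCallAction", {})
    ip = action.get("remoteIpDetails", {})
    key = d.get("resource", {}).get("accessKeyDetails", {})
    return {
        "id": d["id"], "type": d["type"], "severity": severity_label(d["severity"]),
        "account": d["accountId"], "region": d["region"], "title": d.get("title", ""),
        "last_seen": d.get("eventLastSeen", ""), "principal": key.get("userName", "n/a"),
        "api": action.get("api", "n/a"), "remote_ip": ip.get("ipAddressV4", "n/a"),
        "country": ip.get("country", {}).get("countryName", "n/a"),
        "count": d.get("service", {}).get("count", 1),
    }

def render_html(f):
    """Build the email body; values are escaped because fields like user names and titles echo attacker-influenced data."""
    rows = "".join(f"<tr><th>{html.escape(k)}</th><td>{html.escape(str(v))}</td></tr>" for k, v in f.items())
    return f"<html><body><h2>GuardDuty {f['severity']} finding</h2><table>{rows}</table></body></html>"

def handler(event, context=None, send=None):
    """Lambda entry point; `send(subject, html_body)` is a hypothetical injected SES sender so this runs offline."""
    essentials = extract_essentials(event)
    if send is not None:
        send(f"[GuardDuty {essentials['severity']}] {essentials['type']}", render_html(essentials))
    return essentials
```

In a real deployment `send` would wrap `boto3.client("ses").send_email`; keeping it injectable is what lets the parsing and escaping be unit-tested without AWS access.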

Moreover, GuardDutyInsightfulAlerts is designed for adaptability. It can be customized to include additional details from GuardDuty events, perform more in-depth queries from AWS CloudTrail Data Lake, or integrate other data sources for a more comprehensive analysis.

While AWS’s default SNS notifications for GuardDuty are straightforward to set up, they lack detailed context. GuardDutyInsightfulAlerts addresses this gap, offering a solution that not only provides enhanced information but does so in a format that helps decision-making.

GuardDutyInsightfulAlerts is available on GitHub, and I welcome contributions and feedback to further improve its capabilities.

Cyber Security Engineer interested in Pentesting | Cloud Security | Adversary Emulation | Threat Hunting | Purple Teaming | SecDevOps - https://adan.cloud/