AWS Guardduty to Slack

AWS Account Data flow

I. First off

II. Modules

III. Lambda function

$ virtualenv -p python3 venv
Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7'
New python executable in /Users/oli/Documents/venv/bin/python3.7
Also creating executable in /Users/oli/Documents/venv/bin/python
Installing setuptools, pip, wheel...
done.
$ source venv/bin/activate

IV. Slack configuration

Create a new App
Enable Incoming Webhooks
Once you select your channel, you’ll receive this message

V. SSM parameters

AWS Systems Manager

VI. Deploy!

21:50 $ ./python_packages.sh
Collecting pylint
Downloading pylint-2.4.4-py3-none-any.whl (302 kB)
|████████████████████████████████| 302 kB 1.4 MB/s
Collecting mccabe<0.7,>=0.6
Using cached mccabe-0.6.1-py2.py3-none-any.whl (8.6 kB)
Collecting astroid<2.4,>=2.3.0
Downloading astroid-2.3.3-py3-none-any.whl (205 kB)
|████████████████████████████████| 205 kB 1.9 MB/s
Collecting isort<5,>=4.2.5
Using cached isort-4.3.21-py2.py3-none-any.whl (42 kB)
Processing /Users/oli/Library/Caches/pip/wheels/d7/de/2e/efa132238792efb6459a96e85916ef8597fcb3d2ae51590dfd/wrapt-1.11.2-cp37-cp37m-macosx_10_14_x86_64.whl
Collecting six~=1.12
Downloading six-1.14.0-py2.py3-none-any.whl (10 kB)
Collecting typed-ast<1.5,>=1.4.0; implementation_name == "cpython" and python_version < "3.8"
Downloading typed_ast-1.4.1-cp37-cp37m-macosx_10_9_x86_64.whl (223 kB)
|████████████████████████████████| 223 kB 9.4 MB/s
Collecting lazy-object-proxy==1.4.*
Using cached lazy_object_proxy-1.4.3-cp37-cp37m-macosx_10_13_x86_64.whl (19 kB)
Installing collected packages: mccabe, wrapt, six, typed-ast, lazy-object-proxy, astroid, isort, pylint
Successfully installed astroid-2.3.3 isort-4.3.21 lazy-object-proxy-1.4.3 mccabe-0.6.1 pylint-2.4.4 six-1.14.0 typed-ast-1.4.1 wrapt-1.11.2
~/Documents/AWS_Guardduty_Slack_integration/modules/sns-guardduty-slack ~/Documents/AWS_Guardduty_Slack_integration/modules
------------------------------------
Your code has been rated at 10.00/10
~/Documents/AWS_Guardduty_Slack_integration/modules
~/Documents/AWS_Guardduty_Slack_integration/modules/sns-guardduty-slack ~/Documents/AWS_Guardduty_Slack_integration/modules
adding: sns_guardduty_slack.py (deflated 68%)
~/Documents/AWS_Guardduty_Slack_integration/modules
17:17 $ terraform init
Initializing modules...
- aws_guardduty_invite_member in modules/guardduty-invitation
- aws_guardduty_master in modules/guardduty-master
- aws_guardduty_member in modules/guardduty-member
- aws_guardduty_sns_notifications in modules/sns-guardduty-slack
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.55.0...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
17:39 $ terraform apply
module.aws_guardduty_sns_notifications.data.aws_ssm_parameter.slack_incoming_webhook: Refreshing state...
module.aws_guardduty_invite_member.data.aws_ssm_parameter.email: Refreshing state...
module.aws_guardduty_sns_notifications.data.aws_ssm_parameter.slack_channel: Refreshing state...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.aws_guardduty_invite_member.aws_guardduty_member.members will be created
+ resource "aws_guardduty_member" "members" {
+ account_id = "123456789012"
+ detector_id = (known after apply)
+ email = "whatever@example.com"
+ id = (known after apply)
+ invitation_message = "please accept guardduty invitation"
+ invite = true
+ relationship_status = (known after apply)
}
# module.aws_guardduty_master.aws_cloudwatch_event_rule.main will be created
+ resource "aws_cloudwatch_event_rule" "main" {
+ arn = (known after apply)
+ description = "AWS GuardDuty event findings"
+ event_pattern = jsonencode(
{
+ detail = {
+ severity = [
+ 3,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
[..]
Apply complete! Resources: 0 added, 16 changed, 0 destroyed.
Terraform state file appears after applying the plan

VII. Testing your deployment

Generate finding for testing your deployment
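The Lambda function zipped in section VI (sns_guardduty_slack.py) is not reproduced on this page, so the following is an added example, not the article's own code, of how such a function can be structured: it reads the webhook URL and channel from the two SSM parameters the Terraform plan references (the parameter names used here are assumptions), unpacks the GuardDuty finding from the SNS-wrapped CloudWatch event, and posts a Slack attachment whose colour follows GuardDuty's documented severity bands (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9). It also embeds a constructed sample SNS event of the kind a generated test finding from section VII produces, so the formatting path can be exercised locally without AWS credentials. The SSM and Slack calls are isolated in small functions so the pure formatting logic can be unit-tested.

```python
"""Lambda handler: GuardDuty finding (CloudWatch Events -> SNS) -> Slack incoming webhook.
Added example; not the article's sns_guardduty_slack.py."""
import json
import os
import urllib.request

# Assumed SSM parameter names; the article's module uses its own, set via Terraform.
SSM_WEBHOOK_PARAM = os.environ.get("SLACK_WEBHOOK_PARAM", "/guardduty/slack_incoming_webhook")
SSM_CHANNEL_PARAM = os.environ.get("SLACK_CHANNEL_PARAM", "/guardduty/slack_channel")


def severity_label(severity):
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def build_slack_payload(finding, channel):
    """Turn one GuardDuty finding (the event's `detail` object) into a Slack webhook payload."""
    severity = float(finding.get("severity", 0))
    label = severity_label(severity)
    colours = {"High": "danger", "Medium": "warning", "Low": "good"}
    text = "*%s*\n%s" % (finding.get("title", "GuardDuty finding"), finding.get("description", ""))
    return {
        "channel": channel,
        "username": "AWS GuardDuty",
        "attachments": [{
            "color": colours[label],
            "text": text,
            "fields": [
                {"title": "Severity", "value": "%s (%s)" % (label, severity), "short": True},
                {"title": "Type", "value": finding.get("type", "unknown"), "short": True},
                {"title": "Account", "value": finding.get("accountId", "unknown"), "short": True},
                {"title": "Region", "value": finding.get("region", "unknown"), "short": True},
            ],
        }],
    }


def findings_from_sns_event(event):
    """SNS delivers the CloudWatch event as a JSON string in Records[].Sns.Message;
    the GuardDuty finding itself is that event's `detail`."""
    findings = []
    for record in event.get("Records", []):
        message = json.loads(record["Sns"]["Message"])
        detail = message.get("detail")
        if detail:
            findings.append(detail)
    return findings


def read_ssm_parameter(name):
    """Read a SecureString parameter. boto3 is imported lazily so the module
    imports (and the formatting functions run) without it installed."""
    import boto3
    ssm = boto3.client("ssm")
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


def post_to_slack(webhook_url, payload):
    """POST the payload to the incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context):
    """Entry point wired to the SNS topic; forwards every finding in the event."""
    webhook = read_ssm_parameter(SSM_WEBHOOK_PARAM)
    channel = read_ssm_parameter(SSM_CHANNEL_PARAM)
    forwarded = 0
    for finding in findings_from_sns_event(event):
        post_to_slack(webhook, build_slack_payload(finding, channel))
        forwarded += 1
    return {"forwarded": forwarded}


# Constructed sample event, shaped like an SNS delivery of a GuardDuty finding;
# the account id is the placeholder from the Terraform plan above, the rest is made up.
SAMPLE_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({
        "detail-type": "GuardDuty Finding",
        "detail": {
            "id": "example-finding-id",
            "accountId": "123456789012",
            "region": "us-east-1",
            "severity": 5,
            "type": "Recon:EC2/PortProbeUnprotectedPort",
            "title": "[SAMPLE] Unprotected port on EC2 instance i-0example is being probed.",
            "description": "Sample finding for testing the Slack integration.",
        },
    })}}]
}

if __name__ == "__main__":
    for f in findings_from_sns_event(SAMPLE_EVENT):
        print(json.dumps(build_slack_payload(f, "#security-alerts"), indent=2))
```

Run it directly to see the Slack payload the sample finding produces; in Lambda only `lambda_handler` is invoked, and the function's execution role needs `ssm:GetParameter` (plus `kms:Decrypt` if the webhook is a SecureString) for the two parameters and nothing else.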
