Microsoft Sentinel Analytic Rules

AWS Guard Duty Alert

Id: bf0cde21-0c41-48f6-a40c-6b5bd71fa106
Rulename: AWS Guard Duty Alert
Description: Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This template creates an alert for each Amazon GuardDuty finding.
Severity: Medium
Required data connectors: AWSS3
Kind: Scheduled
Query frequency: 5h
Query period: 5h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml
Version: 1.0.2
Arm template: bf0cde21-0c41-48f6-a40c-6b5bd71fa106.json
// Sentinel scheduled-rule query over the AWSGuardDuty table (rendered here on one line).
// ActivityType is split on ":" and the remainder on "/" to yield ThreatPurpose,
// ResourceTypeAffected and ThreatFamilyName (the GuardDuty finding-type layout
// "ThreatPurpose:ResourceTypeAffected/ThreatFamilyName"); note that the second
// extend re-assigns the dynamic column `tokens` in the same statement that reads it.
// Id and AccountId are copied to UniqueFindingId and AWSAcoundId (sic - the entity
// mapping on this page references that exact spelling, so renaming it requires
// updating the mapping as well), then the originals and TimeGenerated, TenantId,
// SchemaVersion, Region and Partition are dropped from the alert output.
// GuardDuty's numeric Severity is mapped to High (7.0-8.9), Medium (4.0-6.9) or
// Low (1.0-3.9); any value outside those bands becomes "Unknown", which is not a
// Sentinel severity value (Informational/Low/Medium/High) - presumably the rule's
// default severity applies in that case; confirm before relying on it for triage.
AWSGuardDuty | extend tokens = split(ActivityType,":") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],"/") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),"High",iff(Severity between (4.0..6.9), "Medium", iff(Severity between (1.0..3.9),"Low","Unknown")))
# Microsoft Sentinel scheduled analytic rule: raises one alert per Amazon GuardDuty
# finding ingested through the AWSS3 connector into the AWSGuardDuty table.
# NOTE(review): queryPeriod equals queryFrequency (5h), so consecutive runs do not
# overlap; a delayed run or late-arriving S3 batch could leave findings un-alerted.
# A queryPeriod longer than the frequency is the usual mitigation - confirm for this
# workspace's ingestion latency.
queryFrequency: 5h
# Account entity built from two query columns: Arn -> Name, AWSAcoundId -> ObjectGuid.
# NOTE(review): "AWSAcoundId" (sic) is the column name the query creates; the mapping
# must keep the same spelling unless the query is changed in the same edit.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Arn
    identifier: Name
  - columnName: AWSAcoundId
    identifier: ObjectGuid
# Rule default severity; per-alert severity comes from the query's Severity column
# (see alertDetailsOverride below).
severity: Medium
# With triggerOperator gt and threshold 0, any returned row produces an alert.
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml
relevantTechniques: []
# Query: splits GuardDuty ActivityType ("ThreatPurpose:ResourceTypeAffected/ThreatFamilyName")
# into its parts, copies Id/AccountId to UniqueFindingId/AWSAcoundId, drops the originals
# plus TimeGenerated, TenantId, SchemaVersion, Region and Partition, and maps the numeric
# GuardDuty Severity to High (7.0-8.9) / Medium (4.0-6.9) / Low (1.0-3.9).
# NOTE(review): values outside those bands become "Unknown", which is not a Sentinel
# severity value (Informational/Low/Medium/High); presumably the rule default is applied
# then - confirm, since it affects triage ordering of such alerts.
query: AWSGuardDuty | extend tokens = split(ActivityType,":") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],"/") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),"High",iff(Severity between (4.0..6.9), "Medium", iff(Severity between (1.0..3.9),"Low","Unknown")))
id: bf0cde21-0c41-48f6-a40c-6b5bd71fa106
triggerOperator: gt
version: 1.0.2
# The rule depends on the AWSGuardDuty data type of the AWSS3 connector.
requiredDataConnectors:
- connectorId: AWSS3
  dataTypes:
  - AWSGuardDuty
# Query columns surfaced as custom details on each alert.
customDetails:
  ResourceTypeAffected: ResourceTypeAffected
  ThreatPurpose: ThreatPurpose
  UniqueFindingId: UniqueFindingId
# NOTE(review): wording should read "This template creates an alert ..." (kept as upstream).
description: Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.
queryPeriod: 5h
# Per-alert overrides taken from query columns: severity, description, tactics and title.
# NOTE(review): ThreatPurpose carries GuardDuty's own purpose names; only those that
# match a Sentinel/MITRE tactic name will presumably be recognised as tactics - confirm.
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDescriptionFormat: '{{Description}}'
  alertTacticsColumnName: ThreatPurpose
  alertDisplayNameFormat: '{{Title}}'
status: Available
name: AWS Guard Duty Alert
tactics: []
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf0cde21-0c41-48f6-a40c-6b5bd71fa106')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf0cde21-0c41-48f6-a40c-6b5bd71fa106')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "AWS Guard Duty Alert",
        "description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This template creates an alert for each Amazon GuardDuty finding.",
        "severity": "Medium",
        "enabled": true,
        "query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106",
        "alertDetailsOverride": {
          "alertSeverityColumnName": "Severity",
          "alertDisplayNameFormat": "{{Title}}",
          "alertTacticsColumnName": "ThreatPurpose",
          "alertDescriptionFormat": "{{Description}}"
        },
        "customDetails": {
          "ResourceTypeAffected": "ResourceTypeAffected",
          "ThreatPurpose": "ThreatPurpose",
          "UniqueFindingId": "UniqueFindingId"
        },
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Arn"
              },
              {
                "identifier": "ObjectGuid",
                "columnName": "AWSAcoundId"
              }
            ]
          }
        ],
        "templateVersion": "1.0.2",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml"
      }
    }
  ]
}