Amazon GuardDuty is a threat-detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Use Amazon GuardDuty to Trigger Workflows in Torq
Step One: Create an Amazon GuardDuty Trigger Integration in Torq
Add the Integration: Navigate to Build > Integrations > Triggers > Amazon GuardDuty and click Add Instance.
Configure the Integration: Enter a unique and meaningful name.
Finalize: Click Add and Copy the generated endpoint. You will need the URL to create the subscription in AWS.
Step Two: Create an SNS Topic
Open AWS SNS: Sign in to the AWS Management Console and go to Simple Notification Service.
Create a Topic: Select Topics > Create topic.
Select the Standard type.
Enter a unique and meaningful name.
Finalize: Click Create topic.
Step Three: Subscribe Torq to an SNS Topic
Open AWS SNS: Go to Simple Notification Service in the AWS Management Console.
Create a Subscription: Select Subscriptions > Create subscription.
Select a Topic ARN: This ARN should either be for the topic you created earlier or for a previously created topic containing relevant messages.
Select a Protocol: Select the HTTPS endpoint.
Enter the Endpoint: Paste the URL that you generated earlier in Torq.
Enable raw message delivery: Click enable raw message delivery.
Finalize: Click Create subscription.
Step Four: Create an EventBridge Rule
Open Amazon EventBridge: Go to Amazon EventBridge in the AWS Management Console.
Create a Rule: Select Buses > Rules and click Create rule.
Define the Rule:
Enter a unique and meaningful name.
(Optional) Enter a description of the rule.
Click Next.
Build the Event Pattern:
AWS service: Select GuardDuty.
Event type: Select All Events.
Click Next.
Select a Target:
Select a target: Choose SNS topic.
Topic: Select the topic you created earlier.
Click Next.
(Optional) Configure Tags: Click Add new tag to specify a key and then click Next.
Finalize: Review the rule and click Create rule.
Step Five: Confirm the Subscription
Open the Activity Log in Torq: Navigate to Monitor > Activity Log.
Filter for the Integration: Click Source and select the GuardDuty integration you created earlier in Torq.
Locate the Subscription Confirmation Event: If there is more than one event, locate the one with "Type": "SubscriptionConfirmation" in the Event JSON.
Retrieve the Event's Subscribe URL: Search for SubscribeURL in the Event JSON and copy it.
Send the HTTP Request: Paste the subscribe URL in your browser. An XML file will be rendered.
Check the Subscription's Status: Open the AWS Management Console and navigate to Amazon SNS > Subscriptions. Search for the subscription and verify the status is Confirmed.
(Optional) Generate Sample GuardDuty Findings: In the AWS Management Console, navigate to GuardDuty > Settings.
In the Sample Findings section, click Generate sample findings.
Return to Monitor > Activity Log in Torq and refresh the page until the new event appears.
Click the event and review the sample GuardDuty findings in the Event JSON.
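The following Python is an added example, not Torq's code: using constructed sample messages, it shows the two kinds of message an HTTPS endpoint like the one generated in Step One receives from this setup: the SubscriptionConfirmation envelope handled in Step Five and, because raw message delivery was enabled in Step Three, the bare GuardDuty finding event matched by the Step Four rule. The SubscribeURL host check and the minimal pattern matcher are assumptions about how a receiver should treat these messages, not documented Torq behaviour.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the SNS subscription-confirmation message seen in the
# Activity Log (abbreviated; a real message carries more fields).
SUBSCRIPTION_CONFIRMATION = (
    '{"Type": "SubscriptionConfirmation",'
    ' "TopicArn": "arn:aws:sns:us-east-1:123456789012:guardduty-to-torq",'
    ' "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription'
    '&TopicArn=arn:aws:sns:us-east-1:123456789012:guardduty-to-torq&Token=EXAMPLETOKEN"}'
)

# Constructed sample GuardDuty finding. With raw message delivery enabled the
# body is the EventBridge event itself rather than an SNS "Notification" envelope.
RAW_FINDING = (
    '{"source": "aws.guardduty", "detail-type": "GuardDuty Finding",'
    ' "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,'
    ' "id": "sample-finding-id", "accountId": "123456789012"}}'
)

# Event pattern equivalent to "AWS service: GuardDuty, Event type: All Events".
EVENT_PATTERN = {"source": ["aws.guardduty"]}


def is_sns_subscribe_url(url):
    """Follow a SubscribeURL only if it is HTTPS on an SNS regional endpoint.
    Assumption: standard partition hosts (sns.<region>.amazonaws.com) only."""
    parts = urlparse(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and host.startswith("sns.") and host.endswith(".amazonaws.com")


def classify_message(body):
    """Return ("confirm", url), ("finding", summary) or ("ignore", reason)."""
    msg = json.loads(body)
    if msg.get("Type") == "SubscriptionConfirmation":
        url = msg.get("SubscribeURL", "")
        if not is_sns_subscribe_url(url):
            return ("ignore", "SubscribeURL is not an SNS endpoint")
        return ("confirm", url)
    if msg.get("source") == "aws.guardduty" and isinstance(msg.get("detail"), dict):
        detail = msg["detail"]
        return ("finding", {"type": detail.get("type"), "severity": detail.get("severity"),
                            "id": detail.get("id")})
    return ("ignore", "unrecognised message shape")


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge-style check: each pattern key must equal one listed value."""
    return all(event.get(key) in values for key, values in pattern.items())
```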
Now that you've successfully created an Amazon GuardDuty trigger, you can build your first GuardDuty-initiated workflow!
In Torq, go to Build > Workflows > Create a Workflow > New Blank Workflow, and select the trigger type: Integrations > Amazon GuardDuty. Find your new trigger, and automate away!