I have recently setup aws guardduty with slack notification using this guide right https://medium.com/@damitj07/how-to-create-a-slack-alert-for-guardduty-49d542927529, there were a few issues with the code regarding how to read the json, but i fixed them, and i finally worked when i sent the samples findings through aws guardduty, the alerts came to the slack channel, but i noticed that a findings like Backdoor:EC2/DenialOfService.Udp or Backdoor:EC2/DenialOfService.tcp, does not get sent for some reason, i noticed that in cloudwatch these alerts take too much time to show (up to 5 minutes), also, i had to change from using :
{
"source": [
"aws.guardduty"
]
}
to using :
{
"source": [
"aws.guardduty"
],
"detail-type": [
"GuardDuty Finding"
]
}
Because there some errors in cloudwatch, it appears that for some reason the cloudwatch rule will also capture not only findings but also aws cloudtrail activities, and will therefore error because these cases are not treated in the code, and they are needed to be anyway.
Any idea why these types of finidings i mentioned above, do not get sent to slack and are really slow to show in cloudwatch logs ?
Thank you,
