
AWS Intrusion Detection System

This how-to guide takes you from zero security coverage to a full-blown IDS: CloudTrail logs flowing into RunReveal, detection triggers running over them, and alerts delivered to a channel your team watches, so anomalous activity in your AWS account is noticed.

Connect your AWS account to RunReveal

Follow the Query your Cloudtrail logs guide to make your CloudTrail logs accessible to RunReveal.
Once the source is set up, it is automatically connected to the triggers in the CloudTrail trigger pack, so detections start running without further configuration. Until the next two steps are done, however, those detections fire silently: nothing is delivered anywhere.

Add a Slack notification

We need somewhere to send alerts. If you don't want to send them to Slack, you can also send them via email or to a webhook.

Connect notifications to triggers

You can quickly connect your Slack notification to each of your triggers with the loop below. It relies on jq being installed and on runreveal triggers list printing JSON, from which it extracts every trigger id.
Note: this adds the Slack notification to ALL of your triggers. That is probably what you want if you're just getting started, but if you've written custom triggers you may connect them to Slack without meaning to; review the trigger list first if that matters.
# Extract every trigger id from the JSON list, then attach the "slack" notification to each one.
for i in $(runreveal triggers list | jq -r '.[].id'); do
runreveal triggers update --notif-name slack "$i"
done
You should now be receiving alerts in your Slack channel!
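The note above warns that the loop attaches the notification to every trigger, custom ones included. The script below is an added example, not part of the RunReveal docs or CLI, that does the same job with two safeguards: an exclude list for triggers you want to leave alone, and a dry-run mode that prints the exact commands before anything is changed. It assumes only what the page's own loop assumes, that runreveal triggers list prints a JSON array of objects with an id field and that runreveal triggers update --notif-name NAME ID attaches a notification; the trigger ids in SAMPLE_IDS are constructed for a local check and are not real RunReveal identifiers.

```shell
#!/usr/bin/env bash
# Added example (not RunReveal's own code): connect a notification to the
# triggers you choose instead of to every trigger in the account.
# Assumptions, as in the page's loop: `runreveal triggers list` prints a JSON
# array whose objects carry an `id` field, and
# `runreveal triggers update --notif-name NAME ID` attaches a notification.
set -euo pipefail

# filter_ids: reads one trigger id per line on stdin and echoes each id that
# is NOT in the space-separated exclude list ($1). Put the ids of custom
# triggers here so their notification wiring is left untouched.
filter_ids() {
  local exclude=" $1 " id
  while IFS= read -r id; do
    [ -z "$id" ] && continue
    case "$exclude" in
      *" $id "*) ;;                     # excluded: leave this trigger alone
      *) printf '%s\n' "$id" ;;
    esac
  done
}

# plan_updates: turns ids on stdin into the exact commands that would run,
# one per line, so the change can be reviewed before it is applied.
plan_updates() {
  local notif="$1" id
  while IFS= read -r id; do
    printf 'runreveal triggers update --notif-name %s %s\n' "$notif" "$id"
  done
}

# connect_notification NOTIF EXCLUDE [apply]
# Without a third argument it only prints the plan (dry run); pass "apply"
# to execute the updates. Requires the runreveal CLI and jq.
connect_notification() {
  local notif="$1" exclude="${2:-}" mode="${3:-dry-run}" id
  runreveal triggers list | jq -r '.[].id' | filter_ids "$exclude" |
  if [ "$mode" = apply ]; then
    while IFS= read -r id; do
      runreveal triggers update --notif-name "$notif" "$id"
    done
  else
    plan_updates "$notif"
  fi
}

# Constructed sample ids (not real RunReveal identifiers) for a local check
# of the filtering logic without touching an account:
SAMPLE_IDS='trg-cloudtrail-root-login
trg-cloudtrail-iam-policy-change
trg-custom-billing'

# Typical use, reviewing first and then applying:
#   connect_notification slack "trg-custom-billing"
#   connect_notification slack "trg-custom-billing" apply
```

Run the dry run, read the printed commands, and only then re-run with apply; the exclude list is a plain space-separated string so it can be pasted straight from a trigger listing.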