AWS Intrusion Detection System
This how-to guide will take you from zero security coverage to a full-blown IDS that can detect anomalous activity within your AWS account.
Follow the Query your Cloudtrail logs guide to make your Cloudtrail logs accessible to RunReveal.
Your Cloudtrail logs source will automatically be connected to the triggers from the Cloudtrail trigger pack.
We need somewhere to send alerts. If you don't want to send them to Slack, you can also send them by email or to a webhook.
You can quickly connect your Slack notification to each of your triggers using the following command.
Note: this will add the Slack notification to ALL of your triggers. That is probably what you want if you're just getting started, but if you've written custom triggers you may create connections you didn't intend.
# List every trigger id, then attach the notification named "slack" to each one
for i in $(runreveal triggers list | jq -r '.[].id'); do
  runreveal triggers update --notif-name slack "$i"
done
You should now be receiving alerts in your Slack channel!
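As an added example (not RunReveal's own tooling), here is a scoped variant of the loop above that attaches the notification only to triggers whose name matches a pattern, so custom triggers are left untouched, and prints every command before anything is run. It assumes the trigger list JSON carries a `name` field alongside the `id` the loop uses, and works on a constructed sample of that output.

```python
import json
import re
import shlex
import subprocess

# Constructed sample of `runreveal triggers list` output. The `id` field is the
# one the page's loop uses; the `name` field is an assumption made here.
SAMPLE_TRIGGERS = json.dumps([
    {"id": "trg_001", "name": "cloudtrail-root-login"},
    {"id": "trg_002", "name": "cloudtrail-iam-policy-change"},
    {"id": "trg_003", "name": "custom-payroll-export"},
])


def plan_notification_updates(triggers_json, notif_name, name_pattern=r"^cloudtrail-"):
    """Build the `runreveal triggers update` commands for triggers whose
    (assumed) name matches name_pattern, leaving other triggers alone.

    Returns a list of argv lists; nothing is executed here."""
    pattern = re.compile(name_pattern)
    commands = []
    for trigger in json.loads(triggers_json):
        if not pattern.search(trigger.get("name", "")):
            continue
        commands.append(["runreveal", "triggers", "update",
                         "--notif-name", notif_name, trigger["id"]])
    return commands


def apply(commands, dry_run=True):
    """Print each command; run it only when dry_run is False.
    Returns the number of commands actually executed (0 in dry-run mode)."""
    executed = 0
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
            executed += 1
    return executed


if __name__ == "__main__":
    # Dry run first: review the printed commands, then rerun with dry_run=False.
    apply(plan_notification_updates(SAMPLE_TRIGGERS, "slack"))
```

Replace the constructed sample with the real `runreveal triggers list` output and adjust the pattern to match how your Cloudtrail trigger pack names its triggers.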