📣 Notifications

The notification system provides real-time visibility into GuardDuty-SOAR's operations. It is designed to support both immediate human awareness and automated downstream integration through two configurable channels: Amazon SES and Amazon SNS.

Notification Channels

You can enable one or both of the following channels in your configuration.

  • Amazon SES (Simple Email Service)

    • Purpose: Human-Readable Alerts
    • Use Case: Sending detailed, richly formatted HTML email notifications directly to security analysts or response teams. The format is optimized for quick human comprehension.
  • Amazon SNS (Simple Notification Service)

    • Purpose: Machine-Readable Alerts
    • Use Case: Publishing structured JSON messages to an SNS topic. This is ideal for programmatic integration with other systems like a SIEM, a ticketing system (Jira, ServiceNow), or a chat application (Slack, Microsoft Teams).

Notification Types

The system dispatches two types of notifications during a playbook's lifecycle:

  1. playbook_started: A brief notification sent when a playbook begins, confirming that an automated response is underway.
  2. playbook_completed: A comprehensive report sent after a playbook finishes, including the final status, a summary of all actions performed, and all enriched data gathered during the investigation.

Message Formats

Each channel uses a different format, tailored to its specific purpose.

  • SES Format (HTML): SES notifications are generated from Jinja2 templates that produce HTML. This allows for rich formatting, including headings, lists, and tables, for maximum readability in modern email clients.

  • SNS Format (JSON): SNS notifications are generated by building a Python dictionary and serializing it to a clean, pretty-printed JSON string. This provides structured data for automation and is easy for downstream services to parse.
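The SNS path described above, shown end to end as an added example (not GuardDuty-SOAR's own code): the producer builds a dictionary for each of the two notification types and serializes it to pretty-printed JSON, and a downstream consumer validates the payload before routing it. The field names, the SUCCESS status convention and the sample finding values are assumptions constructed for this example, not the project's documented schema.

```python
import json

# The two notification types the page describes.
NOTIFICATION_TYPES = ("playbook_started", "playbook_completed")


def build_sns_message(notification_type, playbook, finding_id, timestamp,
                      status=None, actions=None, enriched=None):
    """Build the machine-readable SNS payload as a dict, then serialize it
    to pretty-printed JSON. Field names are assumptions for this example,
    not the project's documented schema."""
    if notification_type not in NOTIFICATION_TYPES:
        raise ValueError(f"unknown notification type: {notification_type}")
    payload = {
        "notification_type": notification_type,
        "playbook": playbook,
        "finding_id": finding_id,
        "timestamp": timestamp,
    }
    if notification_type == "playbook_completed":
        # The completion report carries the final status, the actions
        # performed and the enriched data gathered during the run.
        payload["status"] = status
        payload["actions"] = list(actions or [])
        payload["enriched_data"] = dict(enriched or {})
    # sort_keys gives stable output; default=str keeps values such as
    # datetimes from breaking serialization.
    return json.dumps(payload, indent=2, sort_keys=True, default=str)


def parse_sns_message(raw):
    """Consumer side: parse and validate a message before acting on it,
    so a malformed or unexpected payload is rejected rather than routed."""
    msg = json.loads(raw)
    if not isinstance(msg, dict):
        raise ValueError("payload is not a JSON object")
    for key in ("notification_type", "playbook", "finding_id", "timestamp"):
        if key not in msg:
            raise ValueError(f"missing field: {key}")
    if msg["notification_type"] not in NOTIFICATION_TYPES:
        raise ValueError(f"unknown notification type: {msg['notification_type']}")
    if msg["notification_type"] == "playbook_completed":
        for key in ("status", "actions", "enriched_data"):
            if key not in msg:
                raise ValueError(f"completion report missing field: {key}")
    return msg


def needs_human_review(msg):
    # Assumed routing convention: a completed playbook that did not end in
    # SUCCESS is handed to an analyst instead of being auto-closed.
    return (msg["notification_type"] == "playbook_completed"
            and msg.get("status") != "SUCCESS")
```

Any SIEM or ticketing integration can call parse_sns_message on the raw SNS body and use the validated dictionary for its routing decision.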