Add rule and test for GuardDuty

rules/community/guardduty/guardduty.py

@@ -0,0 +1,25 @@
+"""Alert on GuardDuty"""
+from helpers.base import in_set
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+disable = StreamRules.disable()
+
+
+@rule(logs=['cloudwatch:events'],
+      matchers=[],
+      outputs=['slack:sample-channel'])
+def guardduty(rec):
+    """
+    author:         spiper
+    description:    Alert on GuardDuty events
+    playbook:       (a) identify the AWS account in the log
+                    (b) identify what resource(s) are impacted
+                    (c) contact the point-of-contact for the account
+    testing:        From the GuardDuty AWS page (https://console.aws.amazon.com/guardduty/home)
+                    click the button to "Generate Sample Findings"
+    """
+
+    if rec['detail-type'] == 'GuardDuty Finding':
+        return True
+    return False

tests/integration/rules/guardduty/guardduty.json

@@ -0,0 +1,24 @@
+{
+  "records": [
+    {
+      "data": {
+          "version": "0",
+          "id": "00000000-0000-0000-0000-000000000000",
+          "detail-type": "GuardDuty Finding",
+          "source": "aws.guardduty",
+          "account": "111111111111",
+          "time": "2018-02-13T18:25:01Z",
+          "region": "us-east-1",
+          "resources": [],
+          "detail": {}
+      },
+      "description": "GuardDuty",
+      "log": "cloudwatch:events",
+      "service": "kinesis",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "trigger_rules": [
+        "guardduty"
+      ]
+    }
+  ]
+}