How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications when specific AWS service event types occur?

Last updated: 2022-01-10

I created an Amazon EventBridge rule to trigger on service event types for Amazon GuardDuty, but the responses are in JSON format. How can I receive an email response with a custom notification?

Short description

Use a custom event pattern with the EventBridge rule to match a specific finding type. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

This example uses the Amazon GuardDuty finding type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom.

Note: You can replace the service name and event type with those of your specific AWS service.

1.    If you haven't already created an Amazon SNS topic, follow the instructions for Getting started with Amazon SNS.

Note: The Amazon SNS topic must be in the same Region as your Amazon GuardDuty service.

2.    Open the EventBridge console.

3.    Select Create rule.

4.    Enter a Name for your rule. You can optionally enter a Description.

5.    In Define pattern, select Event pattern.

6.    Select Pre-defined pattern by service.

7.    For Service provider, choose AWS.

8.    For Service name, choose GuardDuty.

9.    For Event type, choose GuardDuty Finding.

10.    In the Event pattern preview section, select Edit.

11.    Copy the following code, paste it in the Event pattern preview section, and then choose Save.

{
  "source": [
    "aws.guardduty"
  ],
  "detail": {
    "type": [
      "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"
    ]
  }
}

12.    In Select event bus, select AWS default event bus.

13.    In Select targets, choose SNS topic, and then choose your previously created SNS topic.

14.    Expand Configure input, and then choose Input Transformer.

15.    Copy the following code. Then, paste it in Input Path.

{
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "instanceId": "$.detail.resource.instanceDetails.instanceId",
    "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
    "eventFirstSeen": "$.detail.service.eventFirstSeen",
    "eventLastSeen": "$.detail.service.eventLastSeen",
    "count": "$.detail.service.count",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description"
}

16.    Copy the following code. Then, paste it in Input Template.

"You have a severity <severity> GuardDuty finding type <Finding_Type> for the EC2 instance <instanceId> in the region <region> as the <Finding_description> on the port <port>. The first attempt was on <eventFirstSeen> and the most recent attempt on <eventLastSeen>. The total occurrence is <count>. For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"

17.    Scroll to the bottom of the page, and then select Create.

18.    When a matching finding event occurs, you receive an SNS email notification with the custom fields from step 16 populated, similar to the following:

"You have a severity 5 GuardDuty finding type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom for the EC2 instance EXAMPLEID in the region EXAMPLEREGION as the EC2 instance EXAMPLE is communicating with a disallowed IP address EXAMPLEREMOTEIP on the EXAMPLELIST on the port EXAMPLEPORT. The first attempt was on EXAMPLEDATE1 and the most recent attempt on EXAMPLEDATE2. The total occurrence is COUNTEXAMPLE. For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?EXAMPLEREGION"
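To check the event pattern and the input transformer offline before creating the rule, the following added Python example (not AWS code and not part of this article) simulates EventBridge's pattern matching and placeholder substitution against a constructed GuardDuty finding. It assumes a simplified subset of the real service: exact-value list matching, plain dotted JSONPaths with no filters or arrays, and an empty string for any input path that does not resolve.

```python
import re
# Constructed, abridged GuardDuty finding event; all values are placeholders, not a real finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "region": "us-east-1",
    "detail": {
        "id": "EXAMPLEFINDINGID", "severity": 5,
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "description": "EC2 instance i-EXAMPLE is communicating with a disallowed IP address",
        "resource": {"instanceDetails": {"instanceId": "i-EXAMPLE"}},
        "service": {"action": {"networkConnectionAction": {"localPortDetails": {"port": 22}}},
                    "eventFirstSeen": "2022-01-01T00:00:00Z", "eventLastSeen": "2022-01-02T00:00:00Z", "count": 3},
    },
}
# Event pattern (step 11), input path (step 15) and input template (step 16) from the procedure above.
EVENT_PATTERN = {"source": ["aws.guardduty"],
                 "detail": {"type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]}}
INPUT_PATH = {"severity": "$.detail.severity", "Finding_ID": "$.detail.id",
              "instanceId": "$.detail.resource.instanceDetails.instanceId",
              "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
              "eventFirstSeen": "$.detail.service.eventFirstSeen", "eventLastSeen": "$.detail.service.eventLastSeen",
              "count": "$.detail.service.count", "Finding_Type": "$.detail.type",
              "region": "$.region", "Finding_description": "$.detail.description"}
INPUT_TEMPLATE = ('"You have a severity <severity> GuardDuty finding type <Finding_Type> for the EC2 instance <instanceId> '
                  "in the region <region> as the <Finding_description> on the port <port>. The first attempt was on "
                  "<eventFirstSeen> and the most recent attempt on <eventLastSeen>. The total occurrence is <count>. For more "
                  'details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"')

def matches_pattern(event, pattern):
    # Simplified EventBridge matching: a list means "value is one of these", a dict recurses, missing keys fail.
    for key, expected in pattern.items():
        value = event.get(key) if isinstance(event, dict) else None
        if isinstance(expected, dict):
            if not matches_pattern(value, expected):
                return False
        elif value not in expected:
            return False
    return True

def resolve_path(event, path):
    node = event  # walk a plain dotted "$.a.b.c" JSONPath; None if any segment is missing
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def render_notification(event, input_path=INPUT_PATH, template=INPUT_TEMPLATE):
    # Substitute each <name> placeholder; assumption of this simulation: an unresolved path renders as "".
    values = {name: resolve_path(event, path) for name, path in input_path.items()}
    return re.sub(r"<(\w+)>", lambda m: "" if values.get(m.group(1)) is None else str(values[m.group(1)]), template)
```

Running render_notification on a finding that lacks a networkConnectionAction shows why every path in the Input Path should exist for the chosen finding type: the placeholder comes out blank rather than failing loudly.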