
I want to edit my CloudWatch rule so that it only triggers an SNS topic for "GuardDuty findings" that fall in the High severity range, defined by AWS as the value of the severity parameter in the GetFindings response falling within the 7.0 to 8.9 range.

The sample Event Pattern in the documentation only shows how to create a trigger for severities 5 and 8 as follows:

{
  "source": [ "aws.guardduty" ],
  "detail-type": [ "GuardDuty Finding" ],
  "detail": {  "severity": [ 5, 8 ]  }
}

How do I change this { "severity": [ 5, 8 ] } to be a range between 7.0 to 8.9?

Dan Cornilescu
Danny Schoemann

2 Answers


I used this post to get our Guard Duty alerts working, thanks! But a recent change at AWS caused us to stop getting any alerts. Turns out we needed to add the integer values along with floating point numbers. We used a CLI command like the following to do that:

aws events put-rule --name Test --event-pattern "{\"source\":[\"aws.guardduty\"],\"detail-type\":[\"GuardDuty Finding\"],\"detail\":{\"severity\":[7.0,7.1,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8,8.9,7,8]}}"

Note the "7" and "8" at the end. Alerts are working again.

chicks

Here's the answer I got from AWS Support, slightly edited. (I would downvote them, if I could).

By design, CloudWatch events do not support ranges, so you need to explicitly set the values that are in that range. Additionally, the console has an issue that we are currently addressing, regarding the .0 values.

So, the way to achieve this at the moment is only via the CLI. For more information regarding the CLI command, you can read this documentation.

The workaround is this:

  1. Create the rule through the console by selecting as a service name: GuardDuty and as an Event type: GuardDuty Finding.
  2. Add the targets
  3. Configure details
  4. Use the AWS CLI to run the following command. I took the initiative and added all the values in the range you mentioned. You can change it if needed:

aws events put-rule --name Test --event-pattern "{\"source\":[\"aws.guardduty\"],\"detail-type\":[\"GuardDuty Finding\"],\"detail\":{\"severity\":[7.0,7.1,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8,8.9]}}"

In case you need further assistance regarding the above please let me know.

Best regards,

Amazon Web Services

Danny Schoemann
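Both answers above hand-type the 7.0 to 8.9 list, and the first one notes that the integer literals 7 and 8 had to be added as well. The following is an added example (not from the question, the answers, or AWS) that generates that pattern for any one-decimal severity range and includes a small literal-matching function, modelled on the behaviour the answers describe, to show why a list of floats alone silently misses a finding whose severity is emitted as 8 rather than 8.0. The sample findings are constructed; the matcher is a simplification, not the EventBridge implementation.

```python
import json
from decimal import Decimal


def severity_values(low="7.0", high="8.9", include_integers=True):
    """Enumerate every one-decimal severity in [low, high] as float literals.

    Decimal arithmetic avoids float drift, so the serialized list contains
    exactly 7.0, 7.1, ..., 8.9. Whole numbers are additionally emitted as
    integer literals (7, 8): pattern values match JSON literals exactly, and
    a finding with "severity": 8 is not matched by the value 8.0.
    """
    lo, hi, step = Decimal(low), Decimal(high), Decimal("0.1")
    floats, ints = [], []
    v = lo
    while v <= hi:
        floats.append(float(v))
        if include_integers and v == v.to_integral_value():
            ints.append(int(v))
        v += step
    return floats + ints


def build_event_pattern(low="7.0", high="8.9", include_integers=True):
    """Event pattern for GuardDuty findings in the given severity range."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": severity_values(low, high, include_integers)},
    }


def pattern_json(pattern):
    """Compact JSON, as passed to `aws events put-rule --event-pattern`."""
    return json.dumps(pattern, separators=(",", ":"))


def finding_matches(pattern, finding_json):
    """Simplified literal matcher: each leaf list is a set of allowed values,
    and a value matches only if its JSON text is identical to one of them."""
    def match(pat, ev):
        if isinstance(pat, list):
            return any(json.dumps(ev) == json.dumps(p) for p in pat)
        return isinstance(ev, dict) and all(
            k in ev and match(v, ev[k]) for k, v in pat.items())
    return match(pattern, json.loads(finding_json))


# Constructed sample findings: integer severity, one-decimal severity, out of range.
SAMPLE_FINDINGS = [
    '{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"severity":8}}',
    '{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"severity":7.5}}',
    '{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"severity":5}}',
]
```

Running `pattern_json(build_event_pattern())` reproduces the CLI pattern from the first answer, while `build_event_pattern(include_integers=False)` reproduces the support-supplied one that stopped matching integer-valued findings.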