
How do I configure EventBridge rules for GuardDuty to send custom SNS notifications for specific service finding types?


I created an Amazon EventBridge rule to respond to service finding types for Amazon GuardDuty, but the responses are in JSON format. I want to receive an email response with a custom Amazon Simple Notification Service (Amazon SNS) notification.

Resolution

Prerequisite: Create an Amazon SNS topic. The Amazon SNS topic must be in the same AWS Region as your GuardDuty service.

To configure EventBridge rules for GuardDuty to send custom SNS notifications, complete the following steps:

  1. Open the EventBridge console.

  2. Under the Buses section, choose Rules.

  3. Choose Create rule, and then complete the following steps to configure the rule:
    Enter a name and description.
    For Event bus, choose default.
    For Rule type, choose Rule with an event pattern.

  4. Choose Next.

  5. Under Event pattern, complete the following steps:
    For Event source, choose AWS services.
    For AWS service, choose GuardDuty.
    For Event type, choose GuardDuty Finding.

  6. In the Event pattern preview section, choose Edit pattern.

  7. In the JSON text box, enter the following code:

    {
      "source": ["aws.guardduty"],
      "detail": {
        "type": ["Backdoor:EC2/C&CActivity.B!DNS"]
      }
    }

    Note: Replace Backdoor:EC2/C&CActivity.B!DNS with your finding type. To test the Backdoor:EC2/C&CActivity.B!DNS finding type, make a DNS request from an Amazon Elastic Compute Cloud (Amazon EC2) instance to the guarddutyc2activityb.com test domain. You can run the dig command for Linux or nslookup command for Windows. The finding generates within a few minutes.

  8. Choose Next.

  9. For Target types, choose AWS service.

  10. For Select a target, choose SNS topic.

  11. For Topic, select your topic.

  12. (Optional) Configure an input transformer.
    In the Target input transformer section, for Input path, enter the following JSON path in the text box:

    {
      "severity": "$.detail.severity",
      "Finding_ID": "$.detail.id",
      "instanceId": "$.detail.resource.instanceDetails.instanceId",
      "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
      "eventFirstSeen": "$.detail.service.eventFirstSeen",
      "eventLastSeen": "$.detail.service.eventLastSeen",
      "count": "$.detail.service.count",
      "Finding_Type": "$.detail.type",
      "region": "$.region",
      "Finding_description": "$.detail.description"
    }
    

    For Template, enter the following string template in the text box:

    "You have a new GuardDuty alert. View finding in console - https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID> "

    Note: The <region> and <Finding_ID> placeholders must match the keys that you defined in the Input path; EventBridge replaces each placeholder with the value that its JSON path resolves to. Keep the trailing space after <Finding_ID> so that the closing quotation mark doesn't break the URL in the SNS notification. The Input path uses specific attributes from the GuardDuty finding. For more information about available filters, see Property filters in GuardDuty.

  13. Choose Next.

  14. (Optional) Add tags to your rule, and then choose Next.

  15. Review the rule details, and then choose Create rule.

When GuardDuty generates the finding type, EventBridge sends the SNS notification to your specified endpoint within 5 minutes. To set up SNS notifications for all GuardDuty finding types, see Processing GuardDuty findings with Amazon EventBridge.
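As an added illustration that is not part of the original article, the following Python script simulates locally what the rule and input transformer above do: it checks a constructed sample finding event against the event pattern, resolves the Input path entries against that event, and substitutes them into the template. The matcher and JSON path resolver are simplified stand-ins for EventBridge's own logic (exact-match lists and dotted paths only), and every value in the sample event is constructed.

```python
import re

# Event pattern and input transformer taken from the steps above.
EVENT_PATTERN = {"source": ["aws.guardduty"],
                 "detail": {"type": ["Backdoor:EC2/C&CActivity.B!DNS"]}}
INPUT_PATH = {"severity": "$.detail.severity", "Finding_ID": "$.detail.id",
              "instanceId": "$.detail.resource.instanceDetails.instanceId",
              "count": "$.detail.service.count", "region": "$.region"}
# Template body as typed in the console (the console text box wraps it in quotes).
TEMPLATE = ("You have a new GuardDuty alert. View finding in console - "
            "https://console.aws.amazon.com/guardduty/home?region=<region>"
            "#/findings?search=id%3D<Finding_ID> ")

# Constructed sample event, shaped like a GuardDuty finding delivered by EventBridge.
SAMPLE_EVENT = {"source": "aws.guardduty", "region": "us-east-1",
                "detail": {"id": "EXAMPLEfindingid0123456789", "severity": 8,
                           "type": "Backdoor:EC2/C&CActivity.B!DNS",
                           "resource": {"instanceDetails":
                                        {"instanceId": "i-0123456789abcdef0"}}}}

def matches(pattern, event):
    """Simplified EventBridge matching: a list means 'one of these', a dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not (isinstance(event[key], dict) and matches(want, event[key])):
                return False
        elif event[key] not in want:
            return False
    return True

def resolve(path, event):
    """Resolve a simple '$.a.b.c' JSON path; a missing key yields None."""
    node = event
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def render(event):
    """Return the SNS message the rule would send, or None if the rule does not fire."""
    if not matches(EVENT_PATTERN, event):
        return None
    values = {name: resolve(path, event) for name, path in INPUT_PATH.items()}
    def fill(m):  # a path that resolved to nothing becomes an empty string
        value = values.get(m.group(1))
        return "" if value is None else str(value)
    return re.sub(r"<(\w+)>", fill, TEMPLATE)
```

Feeding `render()` a finding of a different type returns `None`, which is the local equivalent of the rule not firing; a path such as `$.detail.service.count` that the sample event lacks simply resolves to nothing, as it would for finding types that carry no network details.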

Related information

Creating rules that react to events in Amazon EventBridge

Tutorial: Use input transformers to transform events in EventBridge

How can I troubleshoot GuardDuty custom Amazon SNS notifications that didn't get delivered?

2 Comments

There's a typo in the input transformer template for anyone that tries this. The correct version (and it's correct in the video) is: "You have a new GuardDuty alert. View finding in console - https://console.aws.amazon.com/guardduty/home?<region>=#/findings?search=id%3D<Finding_ID> "

lose the \

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 3 years ago