Filter duplicate CVE alerts with EventBridge


Hello, I'd like to know if it's possible to filter duplicate CVE findings that get sent to ChatBot, preferably without any Lambda functionality. Right now we get tons of duplicates in our Slack Channels daily with the following Event Pattern:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "status": ["ACTIVE"],
    "fixAvailable": ["YES"],
    "packageVulnerabilityDetails": {
      "vendorSeverity": ["HIGH", "CRITICAL"]
    }
  }
}

After some research I tried different patterns like these but without success:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "status": ["ACTIVE"],
    "fixAvailable": ["YES"],
    "packageVulnerabilityDetails": {
      "vendorSeverity": ["HIGH", "CRITICAL"]
    },
    "findingId": [{
      "exists": true
    }],
    "createdAt": [{
      "exists": true
    }],
    "updatedAt": [{
      "exists": true,
      "anything-but": [{
        "equals": "${$.detail.createdAt}"
      }]
    }]
  }
}

Is it possible to achieve what we are trying to do without writing functions manually or are we out of luck?

1 Answer
Accepted Answer

Hello.

As far as I know, I don't think it can be done with EventBridge alone.
Therefore, I think you will need a configuration that combines Lambda and DynamoDB (anything other than DynamoDB is fine as long as it can record that the notification was sent once), etc., so that vulnerabilities that have already been notified once are not notified again.

The AWS configuration will look like this:
[architecture diagram image from the answer; not reproduced here]

answered a month ago
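The Lambda-plus-DynamoDB design the answer describes, written out as an added example (not code from the original post or from AWS). The handler re-applies the asker's EventBridge pattern in code, derives a deduplication key from the finding's `findingId` (the field the question refers to), does a conditional write that fails if that key was already recorded, and forwards only first-seen findings. To keep it runnable offline, the DynamoDB table is replaced by an in-memory stand-in with the same semantics as `put_item` with `ConditionExpression="attribute_not_exists(pk)"` plus a TTL attribute; the sample events, the `finding-0001`/`finding-0002` ids, the one-week TTL and the `notify` callback (which would be an SNS publish to the Chatbot topic in a real deployment) are all constructed assumptions.

```python
import time


class ConditionalCheckFailed(Exception):
    """Stand-in for botocore's ConditionalCheckFailedException."""


class InMemoryTable:
    """Offline stand-in for a DynamoDB table (assumption: the real handler
    would call boto3 put_item with ConditionExpression="attribute_not_exists(pk)"
    and enable TTL on the 'ttl' attribute)."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, item, now):
        existing = self.items.get(item["pk"])
        # A row whose TTL has passed counts as absent, as it would after
        # DynamoDB's TTL sweep removes it.
        if existing is not None and existing["ttl"] > now:
            raise ConditionalCheckFailed(item["pk"])
        self.items[item["pk"]] = item


SEVERITIES = {"HIGH", "CRITICAL"}
TTL_SECONDS = 7 * 24 * 3600  # assumption: re-notify a still-open finding after a week


def passes_filter(event):
    """Same conditions as the asker's EventBridge pattern, re-checked in code."""
    d = event.get("detail", {})
    pvd = d.get("packageVulnerabilityDetails", {})
    return (
        event.get("source") == "aws.inspector2"
        and event.get("detail-type") == "Inspector2 Finding"
        and d.get("status") == "ACTIVE"
        and d.get("fixAvailable") == "YES"
        and pvd.get("vendorSeverity") in SEVERITIES
    )


def dedup_key(event):
    # findingId is the field the question refers to; keying on it means later
    # updates to the same finding (changed updatedAt) are treated as duplicates.
    return "finding#" + event["detail"]["findingId"]


def format_message(event):
    d = event["detail"]
    sev = d["packageVulnerabilityDetails"]["vendorSeverity"]
    return f"[{sev}] Inspector finding {d['findingId']} (fix available)"


def handle(event, table, notify, now=None):
    """Lambda-style handler. Returns 'filtered', 'duplicate' or 'notified'."""
    if not passes_filter(event):
        return "filtered"
    now = time.time() if now is None else now
    try:
        table.put_if_absent({"pk": dedup_key(event), "ttl": now + TTL_SECONDS}, now)
    except ConditionalCheckFailed:
        return "duplicate"
    notify(format_message(event))  # e.g. SNS publish to the Chatbot topic
    return "notified"


def make_event(finding_id, severity, fix_available="YES"):
    """Constructed sample event shaped like the fields in the asker's pattern."""
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "findingId": finding_id,
            "status": "ACTIVE",
            "fixAvailable": fix_available,
            "createdAt": "2024-01-01T00:00:00Z",
            "updatedAt": "2024-01-02T00:00:00Z",
            "packageVulnerabilityDetails": {"vendorSeverity": severity},
        },
    }


def demo():
    """Replays one finding three times plus one event the pattern rejects."""
    table, sent = InMemoryTable(), []
    ev = make_event("finding-0001", "CRITICAL")
    results = [
        handle(ev, table, sent.append, now=1_000),
        handle(ev, table, sent.append, now=1_001),  # re-delivered, suppressed
        handle(make_event("finding-0002", "LOW"), table, sent.append, now=1_002),
        handle(ev, table, sent.append, now=1_000 + TTL_SECONDS + 1),  # TTL expired
    ]
    return results, sent


if __name__ == "__main__":
    print(demo())
```

The conditional write is what makes this safe when EventBridge delivers the same finding concurrently to several Lambda invocations: only one `put_item` succeeds, so only one Slack message is sent. The TTL is a design choice rather than a requirement; without it a finding that stays open is never mentioned again, with it the team gets a weekly reminder.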
