Input Transformer usage results in `Event received is not supported` errors.

0

Hello, we are trying to use the Input Transformer to transform Amazon Inspector2 events that are then sent to our Slack. Without the Input Transformer everything works as expected and we receive notifications in Slack. As soon as I enable it, our CloudWatch logs throw `Event received is not supported` errors.

Our Input path looks like this:

{
  "description": "$.detail.description",
  "findingArn": "$.detail.findingArn",
  "remediation": "$.detail.remediation.recommendation.text",
  "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
  "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl"
}

And here is our Template:

{
  "ALERT": "An Inspector2 finding has been detected.",
  "Severity": "<severity>",
  "Desription": "<description>",
  "View the finding": "https://console.aws.amazon.com/inspector/v2/home#/findings/<findingArn>",
  "Source URL": "<sourceUrl>",
  "Remediation": <remediation>
}

Is there anything we are doing wrong here? Thanks!

2 Answers
3
Accepted Answer

Hello.

I believe you need to use the Amazon EventBridge input transformer to change existing EventBridge events to an AWS Chatbot compatible format.
Required parameters are "version", "source", and "description".
Set up custom notifications to send custom messages using AWS Chatbot.
https://docs.aws.amazon.com/chatbot/latest/adminguide/custom-notifs.html

You can generate custom notifications from Lambda functions, your applications, or by using Amazon EventBridge input transformers to modify existing EventBridge events into an AWS Chatbot compatible format. If using EventBridge, you map the Amazon SNS topic to the EventBridge rule target and map the topic to a channel used in your AWS Chatbot configuration. Custom notifications use the same Amazon Simple Notificatio

Below is an example of a detection event.
https://docs.aws.amazon.com/inspector/latest/user/eventbridge-integration.html#event-finding


{
    "version": "0",
    "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "111122223333",
    "time": "2023-01-19T22:46:15Z",
    "region": "us-east-1",
    "resources": ["i-0c2a343f1948d5205"],
    "detail": {
        "awsAccountId": "111122223333",
        "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).",
        "exploitAvailable": "YES",
        "exploitabilityDetails": {
            "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM"
        },
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
        "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
        "fixAvailable": "YES",
        "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
        "packageVulnerabilityDetails": {
            "cvss": [{
                "baseScore": 4.7,
                "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "source": "NVD",
                "version": "3.1"
            }],
            "referenceUrls": ["https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/", "https://ubuntu.com/security/notices/USN-5792-1", "https://ubuntu.com/security/notices/USN-5791-2", "https://ubuntu.com/security/notices/USN-5791-1", "https://ubuntu.com/security/notices/USN-5793-2", "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "https://ubuntu.com/security/notices/USN-5793-1", "https://ubuntu.com/security/notices/USN-5792-2", "https://ubuntu.com/security/notices/USN-5791-3", "https://ubuntu.com/security/notices/USN-5793-4", "https://ubuntu.com/security/notices/USN-5793-3", "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"],
            "relatedVulnerabilities": [],
            "source": "UBUNTU_CVE",
            "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
            "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
            "vendorSeverity": "medium",
            "vulnerabilityId": "CVE-2022-3303",
            "vulnerablePackages": [{
                "arch": "X86_64",
                "epoch": 0,
                "fixedInVersion": "0:5.15.0.1027.31~20.04.16",
                "name": "linux-image-aws",
                "packageManager": "OS",
                "remediation": "apt update && apt install --only-upgrade linux-image-aws",
                "version": "5.15.0.1026.30~20.04.16"
            }]
        },
        "remediation": {
            "recommendation": {
                "text": "None Provided"
            }
        },
        "resources": [{
            "details": {
                "awsEc2Instance": {
                    "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
                    "imageId": "ami-0b7ff1a8d69f1bb35",
                    "ipV4Addresses": ["172.31.85.212", "44.203.45.27"],
                    "ipV6Addresses": [],
                    "launchedAt": "Jan 19, 2023, 7:53:14 PM",
                    "platform": "UBUNTU_20_04",
                    "subnetId": "subnet-8213f2a3",
                    "type": "t2.micro",
                    "vpcId": "vpc-ab6650d1"
                }
            },
            "id": "i-0c2a343f1948d5205",
            "partition": "aws",
            "region": "us-east-1",
            "type": "AWS_EC2_INSTANCE"
        }],
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "title": "CVE-2022-3303 - linux-image-aws",
        "type": "PACKAGE_VULNERABILITY",
        "updatedAt": "Jan 19, 2023, 10:46:15 PM"
    }
}
          

Assuming the input path you are using is:

{
  "description": "$.detail.description",
  "findingArn": "$.detail.findingArn",
  "remediation": "$.detail.remediation.recommendation.text",
  "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
  "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl"
}

In this case, I think the input template should be like this:

{
  "version": "1.0",
  "source": "custom",
  "content": {
    "description": "description: <description> \nfindingArn: <findingArn>\nremediation: <remediation>\nseverity: <severity>\nsourceUrl: <sourceUrl>"
  }
}
EXPERT
answered a month ago
EXPERT
reviewed a month ago
AWS
EXPERT
reviewed a month ago
  • I tried using the following event pattern in my AWS account, and was able to notify events of "HIGH" or higher. Please try the following event pattern just to be sure. If this does not resolve your issue, I recommend creating a new thread and asking a new question.

    {
      "source": ["aws.inspector2"],
      "detail-type": ["Inspector2 Finding"],
      "detail": {
        "status": ["ACTIVE"],
        "severity": ["HIGH", "CRITICAL"]
      }
    }
    
  • Yes, that did it, thank you! For some reason I now get alerts for every single finding no matter what severity, even though my Event Rule Pattern looks like this:

    {
      "detail-type": ["Inspector2 Finding"],
      "source": ["aws.inspector2"],
      "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "status": ["ACTIVE"],
        "type": ["PACKAGE_VULNERABILITY"]
      }
    }
    

    Do you know what might cause this? I would expect EventBridge to do the filtering based on that pattern and then send the ones that pass the filter in my custom format to Chatbot.

  • Can you confirm that using the event pattern below, you can narrow down and notify only events of "HIGH" or higher? I recommend that you create a new thread and post your question so that others can hear their opinions.

    {
      "source": ["aws.inspector2"],
      "detail-type": ["Inspector2 Finding"],
      "detail": {
        "status": ["ACTIVE"],
        "severity": ["HIGH", "CRITICAL"]
      }
    }
    
  • Unfortunately your event pattern doesn't work either. I created a follow-up thread. Thank you for your solution!

    https://repost.aws/questions/QUCuDeMsccTpeKlwwkAslg1A/eventbridge-rule-pattern-does-not-seem-to-get-applied-to-custom-chatbot-alerts

1

Hello,

The issue might be a mismatch between the format of the transformed event and what your target Slack notification expects.

Current Issue:

In the Template, <remediation> is used directly without any quotes or conversion.

Corrected Format:

{
  "ALERT": "An Inspector2 finding has been detected.",
  "Severity": "<severity>",
  "Description": "<description>",
  "View the finding": "https://console.aws.amazon.com/inspector/v2/home#/findings/<findingArn>",
  "Source URL": "<sourceUrl>",
  "Remediation": "<remediation>" // This needs correction
}
EXPERT
answered a month ago
  • I thought so too, but unfortunately the quotes don't change anything.

  • Actually, your code has "Remediation": <remediation> like this,

    but you need to change it to "Remediation": "<remediation>". Change it this way; the rest is all good.
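
The two answers above can be compared offline. This is an added example, not code from the thread or from AWS: it renders the question's template and the accepted answer's template against a constructed event and reports which of the fields set by the accepted answer's template are missing. `resolve`, `render` and `chatbot_problems` are hypothetical helper names, and the substitution rules in `render` are an assumption about the transformer, not its documented behaviour.

```python
import json
import re

# Constructed event: the page's sample finding trimmed to the fields the input paths read.
EVENT = {"detail": {
    "description": "\n Race condition in the sound subsystem.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "remediation": {"recommendation": {"text": "None Provided"}},
    "packageVulnerabilityDetails": {"vendorSeverity": "medium", "sourceUrl":
        "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html"}}}
PATHS = {"description": "$.detail.description", "findingArn": "$.detail.findingArn",
         "remediation": "$.detail.remediation.recommendation.text",
         "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
         "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl"}
# Templates copied from the thread: the question's, then the accepted answer's.
ASKER = ('{"ALERT": "An Inspector2 finding has been detected.", "Severity": "<severity>", '
         '"Desription": "<description>", "View the finding": '
         '"https://console.aws.amazon.com/inspector/v2/home#/findings/<findingArn>", '
         '"Source URL": "<sourceUrl>", "Remediation": <remediation>}')
ACCEPTED = (r'{"version": "1.0", "source": "custom", "content": {"description": '
            r'"description: <description> \nfindingArn: <findingArn>\nremediation: '
            r'<remediation>\nseverity: <severity>\nsourceUrl: <sourceUrl>"}}')

def resolve(path, node):
    for key in path[2:].split("."):  # drop the leading "$."
        node = node.get(key) if isinstance(node, dict) else None
    return node

def render(template, paths, event):
    """Local stand-in (assumed): bare <name> -> JSON value, <name> in a string -> escaped text."""
    values = {name: resolve(path, event) for name, path in paths.items()}
    def fill(m):
        # An odd number of unescaped quotes before the placeholder means it sits in a string.
        in_string = len(re.findall(r'(?<!\\)"', template[:m.start()])) % 2 == 1
        value = values[m.group(1)]
        return json.dumps(str(value))[1:-1] if in_string else json.dumps(value)
    return re.sub("<(%s)>" % "|".join(map(re.escape, values)), fill, template)

def chatbot_problems(text):
    """Compare a rendered payload with the fields the accepted answer's template sets."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    content = doc.get("content") if isinstance(doc.get("content"), dict) else {}
    checks = {'"version": "1.0"': doc.get("version") == "1.0",
              '"source": "custom"': doc.get("source") == "custom",
              '"content.description"': isinstance(content.get("description"), str)}
    return [f"missing {name}" for name, ok in checks.items() if not ok]
```

Calling `chatbot_problems(render(ASKER, PATHS, EVENT))` lists the same three missing fields whether or not `<remediation>` is quoted, while the accepted answer's template returns an empty list.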
