Hello.
I believe you need to use the Amazon EventBridge input transformer to change existing EventBridge events to an AWS Chatbot compatible format.
Required parameters are "version", "source", and "description".
Set up custom notifications to send custom messages using AWS Chatbot.
https://docs.aws.amazon.com/chatbot/latest/adminguide/custom-notifs.html
You can generate custom notifications from Lambda functions, your applications, or by using Amazon EventBridge input transformers to modify existing EventBridge events into an AWS Chatbot compatible format. If using EventBridge, you map the Amazon SNS topic to the EventBridge rule target and map the topic to a channel used in your AWS Chatbot configuration. Custom notifications use the same Amazon Simple Notificatio
Below is an example of a detection event.
https://docs.aws.amazon.com/inspector/latest/user/eventbridge-integration.html#event-finding
{
  "version": "0",
  "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T22:46:15Z",
  "region": "us-east-1",
  "resources": ["i-0c2a343f1948d5205"],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).",
    "exploitAvailable": "YES",
    "exploitabilityDetails": {
      "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM"
    },
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "fixAvailable": "YES",
    "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "packageVulnerabilityDetails": {
      "cvss": [{
        "baseScore": 4.7,
        "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "source": "NVD",
        "version": "3.1"
      }],
      "referenceUrls": ["https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/", "https://ubuntu.com/security/notices/USN-5792-1", "https://ubuntu.com/security/notices/USN-5791-2", "https://ubuntu.com/security/notices/USN-5791-1", "https://ubuntu.com/security/notices/USN-5793-2", "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "https://ubuntu.com/security/notices/USN-5793-1", "https://ubuntu.com/security/notices/USN-5792-2", "https://ubuntu.com/security/notices/USN-5791-3", "https://ubuntu.com/security/notices/USN-5793-4", "https://ubuntu.com/security/notices/USN-5793-3", "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"],
      "relatedVulnerabilities": [],
      "source": "UBUNTU_CVE",
      "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
      "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
      "vendorSeverity": "medium",
      "vulnerabilityId": "CVE-2022-3303",
      "vulnerablePackages": [{
        "arch": "X86_64",
        "epoch": 0,
        "fixedInVersion": "0:5.15.0.1027.31~20.04.16",
        "name": "linux-image-aws",
        "packageManager": "OS",
        "remediation": "apt update && apt install --only-upgrade linux-image-aws",
        "version": "5.15.0.1026.30~20.04.16"
      }]
    },
    "remediation": {
      "recommendation": {
        "text": "None Provided"
      }
    },
    "resources": [{
      "details": {
        "awsEc2Instance": {
          "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
          "imageId": "ami-0b7ff1a8d69f1bb35",
          "ipV4Addresses": ["172.31.85.212", "44.203.45.27"],
          "ipV6Addresses": [],
          "launchedAt": "Jan 19, 2023, 7:53:14 PM",
          "platform": "UBUNTU_20_04",
          "subnetId": "subnet-8213f2a3",
          "type": "t2.micro",
          "vpcId": "vpc-ab6650d1"
        }
      },
      "id": "i-0c2a343f1948d5205",
      "partition": "aws",
      "region": "us-east-1",
      "type": "AWS_EC2_INSTANCE"
    }],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "CVE-2022-3303 - linux-image-aws",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 10:46:15 PM"
  }
}
Assuming the input path you are using is:
{
  "description": "$.detail.description",
  "findingArn": "$.detail.findingArn",
  "remediation": "$.detail.remediation.recommendation.text",
  "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
  "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl"
}
In this case, I think the input template should be like this:
{
  "version": "1.0",
  "source": "custom",
  "content": {
    "description": "description: <description> \nfindingArn: <findingArn>\nremediation: <remediation>\nseverity: <severity>\nsourceUrl: <sourceUrl>"
  }
}
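The following is an added example, not part of the original answer and not AWS code: a local Python check that resolves the answer's input paths against a trimmed copy of the sample event and builds the same custom notification, the way a Lambda function generating the message could. The helper names, the `"n/a"` fallback for fields a finding lacks, and the trimmed sample event are assumptions.

```python
import json

# Input paths from the answer above (plain dotted paths only).
INPUT_PATHS = {
    "description": "$.detail.description",
    "findingArn": "$.detail.findingArn",
    "remediation": "$.detail.remediation.recommendation.text",
    "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
    "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl",
}
# Constructed sample: the documented event trimmed to the fields used here.
SAMPLE_EVENT = {"source": "aws.inspector2", "detail": {
    "description": "\n It was discovered that the sound subsystem in the Linux "
                   "kernel contained a\n race condition in some situations.",
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "remediation": {"recommendation": {"text": "None Provided"}},
    "packageVulnerabilityDetails": {
        "vendorSeverity": "medium",
        "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
    },
}}

def resolve(event, path, default="n/a"):
    """Follow a dotted '$.a.b' path; return default when any key is absent."""
    node = event
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def build_notification(event):
    """Fill the answer's template: one 'name: value' line per input path."""
    lines = [f"{name}: {str(resolve(event, path)).strip()}"
             for name, path in INPUT_PATHS.items()]
    return {"version": "1.0", "source": "custom", "content": {"description": "\n".join(lines)}}

def missing_fields(message):
    """Required fields named in the answer that are absent or empty."""
    missing = [k for k in ("version", "source") if not message.get(k)]
    if not (message.get("content") or {}).get("description"):
        missing.append("description")
    return missing

def to_sns_message(event):
    """Serialize for SNS; json.dumps escapes newlines and quotes in the text."""
    message = build_notification(event)
    if missing_fields(message):
        raise ValueError(f"missing required fields: {missing_fields(message)}")
    return json.dumps(message)
```

Findings that have no `packageVulnerabilityDetails` still produce a valid message, with `n/a` in place of the missing severity and source URL.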
Hello,
The issue might be a mismatch between the format of the transformed event and what your target Slack notification expects.
Current Issue:
In the Template, <remediation> is used directly without any quotes or conversion.
Corrected Format:
{
  "ALERT": "An Inspector2 finding has been detected.",
  "Severity": "<severity>",
  "Description": "<description>",
  "View the finding": "https://console.aws.amazon.com/inspector/v2/home#/findings/<findingArn>",
  "Source URL": "<sourceUrl>",
  "Remediation": "<remediation>" // This needs correction
}
I thought so too, but unfortunately the quotes don't change anything.
Actually, in your code you have "Remediation": <remediation> like this,
but you need to change it to "Remediation": "<remediation>". Change it this way; the rest is all good.
I tried using the following event pattern in my AWS account, and was able to notify events of "HIGH" or higher. Please try the following event pattern just to be sure. If this does not resolve your issue, I recommend creating a new thread and asking a new question.
Yes, that did it, thank you! For some reason I now get alerts for every single finding no matter what severity even though my Event Rule Pattern looks like this:
Do you know what might cause this? I would expect EventBridge to do the filtering based on that pattern and then send the ones that pass the filter in my custom format to Chatbot.
Can you confirm that using the event pattern below, you can narrow down and notify only events of "HIGH" or higher? I recommend that you create a new thread and post your question so that you can hear others' opinions.
Unfortunately your event pattern doesn't work either. I created a follow-up thread. Thank you for your solution!
https://repost.aws/questions/QUCuDeMsccTpeKlwwkAslg1A/eventbridge-rule-pattern-does-not-seem-to-get-applied-to-custom-chatbot-alerts