堆栈内存溢出
  简体   繁体   English

AWS guardduty 生成示例事件并生成 cloudwatch 事件

[英]AWS guardduty generate sample event and generate cloudwatch event

 原文  2018-03-28 20:22:53       amazon-web-services/ aws-lambda/ aws-cli/ amazon-cloudwatch

问题描述

I'm working on a Lambda function to process AWS GuardDuty findings.我正在使用 Lambda 函数来处理AWS GuardDuty调查结果。

I'd like to generate sample events, which is easily done using the CreateSampleFindings API call or create-sample-findings cli command.我想生成示例事件,这可以使用CreateSampleFindings API 调用或create-sample-findings cli 命令轻松完成。

I have a custom cloudwatch rule that responds to the following event Pattern which triggers my Lambda function:我有一个自定义 cloudwatch 规则,它响应以下触发我的 Lambda 函数的事件模式:

{
  "detail-type": [
    "GuardDuty Finding"
  ],
  "source": [
    "aws.guardduty"
  ]
}

Generating the first sample finding easily triggers a cloudwatch event生成第一个样本发现很容易触发 cloudwatch 事件

$ aws guardduty create-sample-findings \
    --detector-id abcd12345efgh6789 \
    --finding-types Recon:EC2/PortProbeUnprotectedPort

However when I call this same command again, the count of the finding in guard duty increments, but no more cloudwatch events are generated.然而,当我再次调用这个相同的命令时,警卫职责中的发现计数会增加,但不会生成更多的 cloudwatch 事件。

$ aws guardduty get-findings \
    --detector-id abcd12345efgh6789 \
    --finding-ids zyxwv987654acbde1234 \
    --query "Findings[].Service.Count" --output text
$ 2

I understand why this behavior is in place, as the findings are grouped by unique signature and triggering cloudwatch events for each instance of a unique finding would be too much noise我理解为什么会出现这种行为,因为结果按独特的签名分组,并且为每个独特的发现实例触发 cloudwatch 事件会造成太多干扰

However for developing/debugging purposes, is there a way I can generate multiple sample events that will trigger a cloudwatch event?但是,出于开发/调试目的,有没有一种方法可以生成多个触发 cloudwatch 事件的示例事件?

2 个解决方案

解决方案1
 4 已采纳  2018-07-07 14:23:24

For anyone that comes across this for testing purposes disabling GuardDuty and then reenabling allows you to regenerate sample findings that trigger the CloudWatch event.对于出于测试目的而遇到此问题的任何人,禁用 GuardDuty 然后重新启用允许您重新生成触发 CloudWatch 事件的示例结果。 This method has worked for me while creating a log forwarder for GuardDuty.在为 GuardDuty 创建日志转发器时,此方法对我有用。

解决方案2
 1  2021-05-21 13:26:58

As @jl-dos has pointed out you can just disable/enable GD.正如@jl-dos 指出的那样,您可以禁用/启用 GD。 But what that effectively does is to delete all findings for this GD instance, so when you go to create sample findings they are brand new an trigger the CloudWatch events.但这样做有效的是删除此 GD 实例的所有结果,因此当您创建示例结果时,它们是全新的,会触发 CloudWatch 事件。

The other option I've found is to archive the current findings.我发现的另一个选项是存档当前的发现。 Then when you create new sample findings they will come out as brand new ones and not just increment the counters.然后,当您创建新的样本结果时,它们将作为全新的结果出现,而不仅仅是增加计数器。 This should also trigger a CloudWatch event.这也应该触发 CloudWatch 事件。

To do that use a combination of aws guardduty get-findings and aws guardduty archive-findings commands.为此,请结合使用aws guardduty get-findingsaws guardduty archive-findings命令。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS Cloudwatch Guardduty链接 - AWS Cloudwatch Guardduty link AWS cloudwatch cron 事件 - AWS cloudwatch cron event AWS Lambda - CloudWatch事件类型 - AWS Lambda - CloudWatch Event type AWS Cloudwatch 查询完整事件 - AWS Cloudwatch queries Full event 手动触发 AWS CloudWatch 事件 - Trigger AWS CloudWatch Event Manually AWS ECR事件触发的Cloudwatch事件规则 - Cloudwatch event rule triggered by AWS ECR event AWS Cloudwatch 事件规则:开始和停止时间 - AWS Cloudwatch event rule: Start and stop time AWS CloudWatch Event仅有时会调用Lambda - AWS CloudWatch Event invoking Lambda only sometimes AWS Health 的 CloudWatch 事件规则的 Scope - Scope of CloudWatch event rule for AWS Health AWS Cloudwatch 事件规则 - 调用 Lambda - 带参数 - AWS Cloudwatch Event Rule - Invoke Lambda - with Parameter
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM