
AWS guardduty generate sample event and generate cloudwatch event

I'm working on a Lambda function to process AWS GuardDuty findings.

I'd like to generate sample events, which is easily done using the CreateSampleFindings API call or create-sample-findings cli command.

I have a custom cloudwatch rule that responds to the following event Pattern which triggers my Lambda function:

{
  "detail-type": [
    "GuardDuty Finding"
  ],
  "source": [
    "aws.guardduty"
  ]
}

Generating the first sample finding easily triggers a cloudwatch event

$ aws guardduty create-sample-findings \
    --detector-id abcd12345efgh6789 \
    --finding-types Recon:EC2/PortProbeUnprotectedPort

However, when I call this same command again, the count of the finding in GuardDuty increments, but no more CloudWatch events are generated.

$ aws guardduty get-findings \
    --detector-id abcd12345efgh6789 \
    --finding-ids zyxwv987654acbde1234 \
    --query "Findings[].Service.Count" --output text
$ 2

I understand why this behavior is in place, as the findings are grouped by unique signature, and triggering CloudWatch events for each instance of a unique finding would be too much noise.

However for developing/debugging purposes, is there a way I can generate multiple sample events that will trigger a cloudwatch event?

For anyone that comes across this for testing purposes disabling GuardDuty and then reenabling allows you to regenerate sample findings that trigger the CloudWatch event. This method has worked for me while creating a log forwarder for GuardDuty.

As @jl-dos has pointed out, you can just disable/enable GD. But what that effectively does is delete all findings for this GD instance, so when you go to create sample findings they are brand new and trigger the CloudWatch events.

The other option I've found is to archive the current findings. Then when you create new sample findings they will come out as brand new ones and not just increment the counters. This should also trigger a CloudWatch event.

To do that use a combination of aws guardduty get-findings and aws guardduty archive-findings commands.
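The archive-then-regenerate procedure from this answer as one script. This is an added example, not code from the answer or from AWS: it enumerates the non-archived finding IDs with `aws guardduty list-findings` (the answer names `get-findings`, but `list-findings` is what returns IDs without already knowing them), archives them in batches of 50, which is the maximum the ArchiveFindings API accepts per call, and then creates a fresh sample finding so the CloudWatch rule fires again. The detector id and finding type are the placeholders from the question; the script only touches AWS when `DETECTOR_ID` is set in the environment, so the batching helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): archive every active GuardDuty
# finding so the next create-sample-findings call yields brand-new findings
# (and therefore new CloudWatch events) instead of incrementing counters.
# Needs the AWS CLI with guardduty:ListFindings, ArchiveFindings and
# CreateSampleFindings permissions.
set -eu

# Split newline-separated finding IDs into lines of at most $2 IDs each.
# ArchiveFindings accepts at most 50 finding IDs per call.
batch_ids() {
    # $1: newline-separated ids, $2: batch size
    printf '%s\n' "$1" | awk -v n="$2" '
        NF == 0 { next }
        { line = (count == 0) ? $0 : line " " $0; count++ }
        count == n { print line; count = 0 }
        END { if (count > 0) print line }'
}

# Number of archive-findings calls the batching would produce (dry-run summary).
count_batches() {
    batch_ids "$1" "$2" | wc -l | tr -d ' '
}

# IDs of all findings that are not yet archived, one per line.
# service.archived is a documented GuardDuty finding-criteria attribute.
list_active_finding_ids() {
    aws guardduty list-findings \
        --detector-id "$1" \
        --finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}' \
        --query 'FindingIds[]' --output text | tr '\t' '\n'
}

# Archive every active finding for the detector, 50 IDs per API call.
archive_active_findings() {
    detector="$1"
    ids=$(list_active_finding_ids "$detector")
    if [ -z "$ids" ]; then
        echo "no active findings to archive"
        return 0
    fi
    echo "archiving findings in $(count_batches "$ids" 50) batch(es)"
    batch_ids "$ids" 50 | while read -r batch; do
        # word splitting of $batch is intended: one ID per argument
        aws guardduty archive-findings --detector-id "$detector" --finding-ids $batch
    done
}

# Archive first, then generate a sample finding that will be brand new.
regenerate_sample_findings() {
    archive_active_findings "$1"
    aws guardduty create-sample-findings --detector-id "$1" --finding-types "$2"
}

# Only talk to AWS when a detector id is supplied, e.g.
#   DETECTOR_ID=abcd12345efgh6789 sh regenerate.sh
# (detector id and finding type are the question's placeholder values)
if [ -n "${DETECTOR_ID:-}" ]; then
    regenerate_sample_findings "$DETECTOR_ID" \
        "${FINDING_TYPE:-Recon:EC2/PortProbeUnprotectedPort}"
fi
```

Archiving is preferable to disabling the detector when other people share the account: disabling deletes every finding and any suppression or trusted-IP configuration work in progress, while archived findings stay queryable in the console and via `get-findings`.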
