How to filter GuardDuty findings by severity when notifying through EventBridge
You can filter by severity by listing the numeric severity values you want in the event pattern.
The problem
When GuardDuty produces a finding, I want an EventBridge rule to fire only for findings of high severity.
What event pattern should I write?
How do I solve it?
To match findings with severity 4.0 or higher (Medium, High and Critical; GuardDuty's bands are Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), set the event pattern below. EventBridge compares numbers in an exact-match list by their textual form, so 4 and 4.0 are different pattern values; that is why both forms appear for every whole number, and why a value such as 9.0 must not be left out of the list.
{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": {
"severity": [4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 9, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 9.9, 10, 10.0]
}
}
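Writing the list by hand is where values get dropped, and EventBridge also offers numeric matching (`{"numeric": [">=", 4]}`) that expresses the same filter in one term. The Python script below is an example added here, not code from the original post: it generates the exhaustive list so nothing is missed, builds the numeric-matching equivalent, and includes a deliberately simplified local model of EventBridge matching (nested objects, lists of alternatives, exact values compared as text, and the `numeric` operator) so both forms can be checked against constructed sample events offline. The sample events are constructed, modelled on the finding shown later on this page.

```python
import json
import operator

# Added example (not code from the original page): build and locally sanity-check the
# severity filter. GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9,
# Critical 9.0-10.0.

_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}


def severity_values(min_sev, max_sev=10.0):
    """Every exact-match value from min_sev to max_sev in 0.1 steps.

    EventBridge compares numbers in an exact-match list by their textual form,
    so 4 and 4.0 are different pattern values; both are emitted for whole numbers.
    """
    values = []
    for tenths in range(round(min_sev * 10), round(max_sev * 10) + 1):
        if tenths % 10 == 0:
            values.append(tenths // 10)   # integer form, e.g. 4
        values.append(tenths / 10)        # decimal form, e.g. 4.0 or 4.1
    return values


def severity_values_as_text(min_sev, max_sev=10.0):
    """The same list as it appears inside the JSON pattern ("4", "4.0", ...)."""
    return [json.dumps(v) for v in severity_values(min_sev, max_sev)]


def exact_pattern(min_sev):
    """Pattern in the exhaustive-list style used on this page."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": severity_values(min_sev)},
    }


def numeric_pattern(min_sev, below=None):
    """Same filter using EventBridge numeric matching; 'below' adds an exclusive upper bound."""
    spec = [">=", min_sev] + (["<", below] if below is not None else [])
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": spec}]},
    }


def _numeric_match(spec, value):
    # spec is [op, threshold, op, threshold, ...]; every pair must hold
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def matches(pattern, event):
    """Simplified local model of EventBridge matching (not the service itself):
    nested objects, lists of alternatives, exact values compared as text, 'numeric'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
            continue
        hit = False
        for alt in expected:
            if isinstance(alt, dict) and "numeric" in alt:
                hit = _numeric_match(alt["numeric"], actual)
            else:
                hit = json.dumps(alt) == json.dumps(actual)  # textual comparison
            if hit:
                break
        if not hit:
            return False
    return True


def finding_event(severity, finding_type="Object:S3/MaliciousFile"):
    """Constructed minimal GuardDuty event, modelled on the sample later on this page."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"type": finding_type, "severity": severity},
    }


if __name__ == "__main__":
    print(json.dumps(exact_pattern(4.0)))
    print(json.dumps(numeric_pattern(4.0)))
    for sev in (3.9, 4, 4.0, 8, 9.0, 10):
        print(sev, matches(exact_pattern(4.0), finding_event(sev)),
              matches(numeric_pattern(4.0), finding_event(sev)))
```

The local matcher is only a model for quick experiments; the authoritative check is `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, run against a real event such as the one received later on this page (the event passed to that command must carry the standard top-level fields such as id, account, source, time, region, resources and detail-type).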
Trying it out
EventBridge setup
Create an EventBridge rule with the event pattern below (severity 8.0 and above) and set an Amazon SNS topic as its target.
{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": {
"severity": [8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 9, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 9.9, 10, 10.0]
}
}
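When the rule and its SNS target are created from code rather than the console, the step that is easy to forget is the SNS topic access policy: the console adds a statement allowing events.amazonaws.com to publish, but PutTargets on its own does not. The following Python is an example added here (not code from the original post) showing the three pieces: the PutRule input with the severity filter in numeric-matching form, a topic-policy statement scoped to this one rule through aws:SourceArn, and a merge that appends that statement to the topic's existing policy instead of overwriting it. The rule name, topic ARN and account ID are constructed placeholders, and `deploy()` assumes boto3 and AWS credentials are available.

```python
import json

# Added example (not the page's own code): create the rule above from code and let
# EventBridge publish to the SNS topic. Names and ARNs below are constructed placeholders.

RULE_NAME = "guardduty-high-severity"                                   # assumed name
TOPIC_ARN = "arn:aws:sns:ap-northeast-1:123456789012:guardduty-alerts"  # constructed
RULE_ARN = "arn:aws:events:ap-northeast-1:123456789012:rule/" + RULE_NAME
STATEMENT_ID = "AllowGuardDutyRuleToPublish"


def event_pattern(min_sev):
    """Numeric-matching form of the page's severity filter."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_sev]}]},
    }


def rule_definition(name, min_sev):
    """Keyword arguments for EventBridge PutRule (EventPattern must be a JSON string)."""
    return {
        "Name": name,
        "EventPattern": json.dumps(event_pattern(min_sev)),
        "State": "ENABLED",
        "Description": f"GuardDuty findings with severity >= {min_sev}",
    }


def publish_statement(topic_arn, rule_arn):
    """Allow only this rule to publish, not every EventBridge rule in every account."""
    return {
        "Sid": STATEMENT_ID,
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    }


def merged_topic_policy(existing, topic_arn, rule_arn):
    """Append (or refresh) the publish statement; keeps the topic's other statements.

    'existing' is the current policy as a JSON string, a dict, or None when the
    topic has no policy yet. Re-running is idempotent because the statement is
    replaced by Sid rather than duplicated.
    """
    if existing is None or existing == "":
        policy = {"Version": "2012-10-17", "Statement": []}
    elif isinstance(existing, dict):
        policy = existing
    else:
        policy = json.loads(existing)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != STATEMENT_ID]
    statements.append(publish_statement(topic_arn, rule_arn))
    policy["Statement"] = statements
    return policy


def deploy(min_sev=8, rule_name=RULE_NAME, topic_arn=TOPIC_ARN):
    """Create the rule, grant the topic permission, then attach the SNS target."""
    import boto3  # assumed available; only needed when actually deploying

    events = boto3.client("events")
    sns = boto3.client("sns")
    rule_arn = events.put_rule(**rule_definition(rule_name, min_sev))["RuleArn"]
    current = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"].get("Policy")
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(merged_topic_policy(current, topic_arn, rule_arn)))
    result = events.put_targets(Rule=rule_name,
                                Targets=[{"Id": "sns-alerts", "Arn": topic_arn}])
    if result["FailedEntryCount"]:
        raise RuntimeError(result["FailedEntries"])
    return rule_arn


if __name__ == "__main__":
    print(json.dumps(rule_definition(RULE_NAME, 8), indent=2))
    print(json.dumps(merged_topic_policy(None, TOPIC_ARN, RULE_ARN), indent=2))
```

Scoping the statement with aws:SourceArn matters because events.amazonaws.com is a service principal shared by every AWS account; without the condition, any EventBridge rule anywhere that names your topic ARN as a target could publish to it.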
Generate sample findings in GuardDuty
In the GuardDuty console, open Settings in the left pane and press the "Generate sample findings" button. Sample findings are generated, so check whether they trigger the EventBridge rule.
Email received
A notification like the following was delivered.
{
"version": "0",
"id": "83244f70-f9e4-a3eb-91c8-47c99cSAMPLE",
"detail-type": "GuardDuty Finding",
"source": "aws.guardduty",
"account": "<AccountID>",
"time": "2025-03-17T06:45:00Z",
"region": "ap-northeast-1",
"resources": [],
"detail": {
"schemaVersion": "2.0",
"accountId": "<AccountID>",
"region": "ap-northeast-1",
"partition": "aws",
"id": "27c0b148bda04cdc96a33aaf69SAMPLE",
"arn": "arn:aws:guardduty:ap-northeast-1:<AccountID>:detector/bcc3fd0c52b545c8130590c42dSAMPLE/finding/27c0b148bda04cdc96a33aaf69SAMPLE",
"type": "Object:S3/MaliciousFile",
"resource": {
"resourceType": "S3Object",
"s3BucketDetails": [
{
"arn": "arn:aws:s3:::example-bucket1",
"name": "example-bucket1",
"type": "Destination",
"createdAt": 1639005830,
"owner": {
"id": "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456781"
},
"tags": [
{
"key": "GeneratedFindingTag1",
"value": "GeneratedFindingTagValue1"
},
{
"key": "GeneratedFindingTag2",
"value": "GeneratedFindingTagValue2"
},
{
"key": "GeneratedFindingTag3",
"value": "GeneratedFindingTagValue3"
},
{
"key": "GeneratedFindingTag4",
"value": "bGeneratedFindingTagValue4"
}
],
"defaultServerSideEncryption": {
"encryptionType": "AES256",
"kmsMasterKeyArn": "arn:aws:kms:us-west-2:123456789012:key/abcd1234-5678-90ab-cdef-1234567890a1"
},
"publicAccess": {
"permissionConfiguration": {
"bucketLevelPermissions": {
"accessControlList": {
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"bucketPolicy": {
"allowsPublicReadAccess": false,
"allowsPublicWriteAccess": false
},
"blockPublicAccess": {
"ignorePublicAcls": false,
"restrictPublicBuckets": false,
"blockPublicAcls": false,
"blockPublicPolicy": false
}
},
"accountLevelPermissions": {
"blockPublicAccess": {
"ignorePublicAcls": false,
"restrictPublicBuckets": false,
"blockPublicAcls": false,
"blockPublicPolicy": false
}
}
},
"effectivePermission": "NOT_PUBLIC"
},
"s3ObjectDetails": [
{
"key": "EXAMPLE-OBJECT",
"objectArn": "arn:aws:s3:::EXAMPLE-BUCKET/EXAMPLE-OBJECT",
"versionId": "3HL4kqCxf3vjVBH40SAMPLE",
"eTag": "d41d8cd98f00b204e9800998ecSAMPLE",
"hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b78SAMPLE"
}
]
}
]
},
"service": {
"serviceName": "guardduty",
"detectorId": "bcc3fd0c52b545c8130590c42dSAMPLE",
"featureName": "S3MalwareProtection",
"malwareScanDetails": {
"threats": [
{
"name": "EICAR-Test-File",
"source": "Bitdefender",
"itemPaths": [
{
"nestedItemPath": "nested/item/path",
"hash": "a4d6e2a6ff04b29cf23bd8a32cd03a4fa4d6e2a6ff04b29cf23bd8a32cSAMPLE"
}
]
}
]
},
"additionalInfo": {
"sample": true,
"value": "{\"sample\":true}",
"type": "default"
},
"eventFirstSeen": "2025-03-07T01:30:41.000Z",
"eventLastSeen": "2025-03-17T06:40:10.000Z",
"archived": false,
"count": 5
},
"severity": 8,
"createdAt": "2025-03-07T01:30:41.170Z",
"updatedAt": "2025-03-17T06:40:10.489Z",
"title": "A malware scan on your S3 object EXAMPLE-OBJECT has detected a security risk EICAR-Test-File.",
"description": "A malware scan on your S3 object arn:aws:s3:::EXAMPLE-BUCKET/EXAMPLE-OBJECT has detected a security risk EICAR-Test-File."
}
}
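The email body above is the raw event JSON. If the notification should instead carry a one-line summary (severity, finding type, account, region, title and the affected bucket), the EventBridge target can be given an input transformer. The Python below is an example added here, not code from the original post: it defines the `InputPathsMap` and `InputTemplate` to put in the target, and a deliberately minimal local renderer (dotted keys and list indexes only, no quoting rules) to preview the resulting message against a trimmed, constructed copy of the sample finding above with a placeholder account ID.

```python
import json
import re

# Added example (not from the original page): an EventBridge input transformer for the
# SNS target, plus a local preview of the text it produces. The JSON paths point at
# fields present in the sample finding shown above.

INPUT_PATHS_MAP = {
    "severity": "$.detail.severity",
    "type": "$.detail.type",
    "account": "$.detail.accountId",
    "region": "$.detail.region",
    "title": "$.detail.title",
    "bucket": "$.detail.resource.s3BucketDetails[0].name",
}

# A plain-text template must itself be a JSON string literal, hence the outer quotes.
INPUT_TEMPLATE = '"GuardDuty <severity> <type> [<account>/<region>] <title> (bucket: <bucket>)"'


def input_transformer():
    """Value for the 'InputTransformer' field of a PutTargets target entry."""
    return {"InputPathsMap": INPUT_PATHS_MAP, "InputTemplate": INPUT_TEMPLATE}


_STEP = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def resolve_path(event, path):
    """Minimal JSONPath resolver: '$', dotted keys and numeric list indexes only.

    Raises KeyError/IndexError when the path is absent, which is the case to watch
    for: not every finding type carries s3BucketDetails.
    """
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    node = event
    for key, idx in _STEP.findall(path[1:]):
        node = node[int(idx)] if idx else node[key]
    return node


def render_message(event, template=INPUT_TEMPLATE, paths=INPUT_PATHS_MAP):
    """Local preview of the message body EventBridge would hand to SNS."""
    out = template
    for name, path in paths.items():
        value = resolve_path(event, path)
        out = out.replace(f"<{name}>", value if isinstance(value, str) else json.dumps(value))
    # Strip the template's outer quotes to show the plain text the subscriber sees.
    if len(out) >= 2 and out[0] == '"' and out[-1] == '"':
        out = out[1:-1]
    return out


SAMPLE_EVENT = {  # constructed: trimmed copy of the sample finding shown above
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "ap-northeast-1",
    "detail": {
        "accountId": "123456789012",
        "region": "ap-northeast-1",
        "type": "Object:S3/MaliciousFile",
        "resource": {
            "resourceType": "S3Object",
            "s3BucketDetails": [{"arn": "arn:aws:s3:::example-bucket1",
                                 "name": "example-bucket1"}],
        },
        "severity": 8,
        "title": "A malware scan on your S3 object EXAMPLE-OBJECT has detected "
                 "a security risk EICAR-Test-File.",
    },
}


if __name__ == "__main__":
    print(json.dumps(input_transformer(), indent=2))
    print(render_message(SAMPLE_EVENT))
```

The transformer is attached as `Targets=[{"Id": ..., "Arn": topic_arn, "InputTransformer": input_transformer()}]` in PutTargets. Because the rule above matches every GuardDuty finding type, keep the path map to fields that every finding carries, or scope the rule by `detail.type`, before adding type-specific paths such as the bucket name.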
Additional note
Even with the severity filter, more than 100 emails arrived, so keep this in mind when you try it. Generating sample findings creates one sample for every finding type GuardDuty supports, so a notification rule fires once per type that passes the filter.
References
Creating custom responses to GuardDuty findings with Amazon CloudWatch Events - Amazon GuardDuty