How does AWS guardduty generate sample event and generate cloudwatch event

0 votes

I'm working on a Lambda function to process AWS GuardDuty findings.

I'd like to generate sample events, which is easily done using the CreateSampleFindings API call or create-sample-findings cli command.

I have a custom cloudwatch rule that responds to the following event Pattern which triggers my Lambda function:

{
    "detail-type": [
    "GuardDuty Finding"
    ],
    "source": [
    "aws.guardduty"
    ]
}

Generating the first sample finding easily triggers a cloudwatch event

$ aws guardduty create-sample-findings \
--detector-id abcd12345efgh6789 \
--finding-types Recon:EC2/PortProbeUnprotectedPort

However when I call this same command again, the count of the finding in guard duty increments, but no more cloudwatch events are generated.

$ aws guardduty get-findings \
--detector-id abcd12345efgh6789 \
--finding-ids zyxwv987654acbde1234 \
--query "Findings[].Service.Count"
--output text $ 2

I understand why this behavior is in place, as the findings are grouped by unique signature and triggering cloudwatch events for each instance of a unique finding would be too much noise

However for developing/debugging purposes, is there a way I can generate multiple sample events that will trigger a cloudwatch event?

Aug 22, 2018 in AWS by bug_seeker
• 15,550 points
1,536 views

1 answer to this question.

0 votes

For anyone that comes across this for testing purposes disabling GuardDuty and then reenabling allows you to regenerate sample findings that trigger the CloudWatch event. This method has worked for me while creating a log forwarder for GuardDuty.
 

answered Aug 22, 2018 by Priyaj
• 58,140 points

Related Questions In AWS

0 votes
1 answer

How to generate .pem and .ppk from AWS?

Hi@akhtar, .pem and .ppk files are used to ...READ MORE

answered Jun 16, 2020 in AWS by MD
• 95,320 points
310 views
+1 vote
2 answers

Want my AWS s3 Bucket to read Name from CloudWatch Event

CloudTrail events for S3 bucket level operations ...READ MORE

answered May 28, 2018 in AWS by Cloud gunner
• 4,650 points
1,039 views
+15 votes
2 answers

Git management technique when there are multiple customers and need multiple customization?

Consider this - In 'extended' Git-Flow, (Git-Multi-Flow, ...READ MORE

answered Mar 27, 2018 in DevOps & Agile by DragonLord999
• 8,450 points
1,326 views
+2 votes
1 answer
0 votes
1 answer

How to get AWS account/service cost using CloudWatch API?

You can check this link for a ...READ MORE

answered Jul 13, 2018 in AWS by Priyaj
• 58,140 points
333 views
0 votes
2 answers

How and Why AWS bill comes after i suspended the account

While your account is suspended, you will ...READ MORE

answered Oct 18, 2020 in AWS by anonymous
2,210 views