How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications for specific AWS service event types?

3 minute read

I created an Amazon EventBridge rule to trigger on service event types for Amazon GuardDuty, but the responses are in JSON format. I want to receive an email response with a custom notification.

Short description

Use a custom event pattern with the EventBridge rule to match a specific finding type. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.


This example uses an Amazon GuardDuty event type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom.

Note: You can replace the service name and event type for your specific AWS service.

1.    If you haven't already created an Amazon SNS topic, follow the instructions for Getting started with Amazon SNS.

Note: The Amazon SNS topic must be in the same Region as your Amazon GuardDuty service.

2.    Open the EventBridge console.

3.    Select Create rule.

4.    Enter a Name for your rule. You can optionally enter a Description.

5.    Select the bus that the event applies to.

6.    In Rule type, select Rule with an event pattern. Then, select Next.

7.    Under Event pattern, choose AWS services for the Event source. Then, choose GuardDuty for the AWS service.

8.    For Event type, choose GuardDuty Finding.

9.    In the Event pattern preview section, select Edit pattern.

10.    Copy the following code, paste it in Event pattern preview section, and then choose Save.

  "source": [
  "detail": {
    "type": [

11.    Select Next.

12.    For Target types, select AWS service.

13.    For Select a target, choose SNS topic. Then, select your topic from the dropdown list.

14.    (Optional) To configure an input transformer, choose the Additional settings dropdown list.
In the Configure Target Input dropdown list, choose Input transformer.
Choose Configure Input Transfer.
Under Target input transformer section, for Input path, paste the following JSON:

  "severity": "$.detail.severity",
  "Finding_ID": "$",
  "instanceId": "$.detail.resource.instanceDetails.instanceId",
  "port": "$.detail.service.action.networkConnectionAction.localPortDetails.port",
  "eventFirstSeen": "$.detail.service.eventFirstSeen",
  "eventLastSeen": "$.detail.service.eventLastSeen",
  "count": "$.detail.service.count",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"

For more information on available filters, see Filter attributes.
For Template, paste the following string template:

"You have a new GuardDuty alert. View finding in console -<region>=#/findings?search=id%3D<Finding\_ID> "

Then, choose Confirm.

15.    Select Next.

        (Optional) Add tags to your rule, and then select Next.

16.    Review the rule's details, and then select Create rule.

17.    Select Create at the bottom of the page.

18.    If an event type is triggered, then you receive an SNS notification on the SNS endpoint.

Related information

Creating Amazon EventBridge rules that react to events

Tutorial: use input transformer to customize what EventBridge passes to the event target

How can I troubleshoot GuardDuty custom Amazon SNS notifications that are not being delivered?

AWS OFFICIALUpdated a year ago

There's a type-o in the input transformer template for anyone that tries this. The correct version (and it's correct in the video) is: "You have a new GuardDuty alert. View finding in console -<region>=#/findings?search=id%3D<Finding_ID> "

lose the \

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied a year ago