
EventBridge rule pattern does not seem to get applied to custom Chatbot alerts


Hello,

we set up the following Event pattern for EventBridge:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "status": ["ACTIVE"],
    "severity": ["HIGH", "CRITICAL"]
  }
}

This rule also has the following Input transformer

Input path:

{
  "description": "$.detail.description",
  "findingArn": "$.detail.findingArn",
  "remediation": "$.detail.remediation.recommendation.text",
  "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity",
  "sourceUrl": "$.detail.packageVulnerabilityDetails.sourceUrl"
}

Template:

{
  "version": "1.0",
  "source": "custom",
  "content": {
    "description": "<description> \nfindingArn: <findingArn>\nremediation: <remediation>\nseverity: <severity>\nsourceUrl: <sourceUrl>"
  }
}

I would expect EventBridge to filter the events based on our event pattern configuration before applying the transformer and sending messages to Chatbot. But that doesn't seem to be the case. After testing it with a vulnerable image, Slack gets spammed with messages no matter the severity:

Slack Screenshot

Any idea what we are missing here? Thank you!

1 Answer
Accepted Answer

It seems the severity attribute in the chatbot output comes from $.detail.packageVulnerabilityDetails.vendorSeverity in the original event, while the matching criterion for the EventBridge rule uses the $.detail.severity field of the original event from Inspector. That original value isn't shown in the output.

You might want to try including the original $.detail.severity value in the chatbot output temporarily to see what it contained. Based on your configuration, it would seem to contain either the value HIGH or CRITICAL. If you want your filter to match based on the same value that is currently shown in the chatbot output, you should define your EventBridge rule pattern to match the field $.detail.packageVulnerabilityDetails.vendorSeverity, like this:

{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "status": ["ACTIVE"],
    "packageVulnerabilityDetails": {
      "vendorSeverity": ["HIGH", "CRITICAL"]
    }
  }
}
EXPERT
answered 2 years ago
  • Of course, that's it! No idea how I did not see that. Thank you!
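To see the mismatch the answer describes without touching an AWS account, here is an added example (not part of the question or answer, and not AWS code): a constructed Inspector2 finding whose detail.severity is HIGH but whose vendorSeverity is MEDIUM is run through a minimal exact-value subset of EventBridge pattern matching and through the question's input transformer. The original rule matches it (so the message is sent), the transformer prints the MEDIUM vendor severity, and the corrected rule from the answer does not match it.

```python
# Constructed Inspector2 finding (not a real one): the field the rule matches on
# (detail.severity) is HIGH, while the vendor severity shown in Slack is MEDIUM.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "status": "ACTIVE",
        "severity": "HIGH",
        "findingArn": "arn:aws:inspector2:REGION:ACCOUNT:finding/PLACEHOLDER",
        "packageVulnerabilityDetails": {"vendorSeverity": "MEDIUM"},
    },
}
# The rule from the question and the corrected rule from the answer.
ORIGINAL_PATTERN = {
    "source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"],
    "detail": {"status": ["ACTIVE"], "severity": ["HIGH", "CRITICAL"]},
}
CORRECTED_PATTERN = {
    "source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"],
    "detail": {"status": ["ACTIVE"],
               "packageVulnerabilityDetails": {"vendorSeverity": ["HIGH", "CRITICAL"]}},
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must exist
    in the event; a list means 'value is one of these', a dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

# The relevant part of the question's input transformer (simple dotted paths).
INPUT_PATH = {"findingArn": "$.detail.findingArn",
              "severity": "$.detail.packageVulnerabilityDetails.vendorSeverity"}
TEMPLATE = "findingArn: <findingArn>\nseverity: <severity>"

def transform(event):
    """Resolve each $.a.b path and substitute the <name> placeholders."""
    text = TEMPLATE
    for name, path in INPUT_PATH.items():
        node = event
        for part in path[2:].split("."):  # drop the leading "$."
            node = node[part]
        text = text.replace(f"<{name}>", str(node))
    return text
```

Against the real service, the equivalent check is `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which uses EventBridge's own matcher rather than this simplified one.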
