By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Issue with Event Bridge rule for Guard Duty findings

0

Hello,

I created an Event Bridge rule that picks Guard Duty findings and send them to a SNS topic. The topic itself is subscribed to a Slack channel. I followed this article for setting up the rule: https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/ It is working now and the notifications about findings are received. The issue is that when a finding is generated it's not being send on time sometimes, for example it sometimes take up to 30 mins to receive it in the Slack channel. In addition it sometime receives several findings at once - the findings have different timestamps and supposed to be received when they are published in the Guard Duty findings dashboard. The question is if there are any settings of the Event Bridge rule that can be edited in order to cope with this? The issue is not on the SNS side as I tested to publish messages and they are received immediately.

Thanks.

  • Brian_D
    5 months ago

    Are there any FailedInvocations in CloudWatch? For a delay that long I'd expect some failures and retries.

  • gtges
    5 months ago

    I am checking it regularly for failed invocations, but there is none. It's also subscribed to a dead letter SQS queue, no messages there too.

Topics
Security, Identity, & ComplianceServerlessApplication Integration
Tags
Security, Identity, & ComplianceAmazon GuardDutyAmazon EventBridgeAmazon Simple Notification Service (SNS)
Language
English
gtges
asked 5 months ago207 views
1 Answer
1
Accepted Answer

Reviewing the documentation here - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html - it seems that findings should be getting published to your SNS topic and on to Slack at or near the 5 minute mark, but subsequent occurrences of particular findings are aggregated and sent by default at 6 hours so this still doesn't match what you are seeing. If you've not changed the default for this behaviour or these are not subsequent alarms that are aggregating I suggest you get in touch with support to investigate your specific configuration.

AWS
Brian_D
answered 5 months ago
  • gtges
    5 months ago

    Thank you. This document explains everything.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content