By using AWS re:Post, you agree to the Terms of Use

SecurityHub to EventBridge


I have integrated GuardDuty with SecurityHub I am looking to filter and process Only the GD findings that come via Securityhub in eventbridge when I go to create a rule to process the messages in eventbridge do I need to select the event source as GuardDuty or security hub?

1 Answer

You should select just Security Hub as the source. If you run an EventBridge for Security Hub and GuardDuty, you'll get duplicate findings for GuardDuty, because SecurityHub will be forwarding them, as well.

answered a month ago
  • Thanks. however when I look at event in Security hub that came via GuardDuty it does not seem to carry a reference to security hub see the snippet below for a port scan alert in Security hub also when I select the source at SecurityHub in eventbridge the filter has options like Compliance status etc which is also not part of the message

    { "SchemaVersion": "2018-10-08", "Id": "arn:aws:guardduty:ap-southeast-2:1xxxxx303257:detector/a0c1245b45b6c971a0b4eece2539e70b/finding/c0c1580e6e98d8644b571751b6b96330", "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty", "ProductName": "GuardDuty", "CompanyName": "Amazon", "Region": "ap-southeast-s", "GeneratorId": "arn:aws:guardduty:ap-southeast-2:1xxxxxxxxx:detector/a0c1245b45b6c971a0b4eece2539e70b", "AwsAccountId": "1xxxxxx", "Types": [ "TTPs/Discovery/Recon:EC2-Portscan" ],

    EDIT: I have updated the Event Pattern to following in EventBridge and it works to filter out only notices from GuardDuty

    { "source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"], "detail": { "findings": { "ProductName": ["GuardDuty"] } } }

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions