By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

GuardDuty Findings not published to eventbridge rule

0

I have enabled Guard duty and changed the Finding publish frequency to 15 minutes. I have created a eventbridge rule to send me an email if there are any new findings.

There is one new finding listed in guard duty but the event is not received in Eventbridge. I also checked Cloudtrail but there are no events from Guardduty about new findings.

Can someone please help to understand what may be the issue ?

This is the link i am following : https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

Topics
Security, Identity, & ComplianceServerlessApplication Integration
Tags
Amazon GuardDutyAmazon EventBridgeAmazon Simple Notification Service (SNS)
Language
English
DM
asked a year ago1.4K views
2 Answers
2

Here are my thoughts about the possible reasons that you didn't get the email notification (I followed the same document and it worked for me):

  1. the CloudWatch event pattern created at step 6 in the "Setup a CloudWatch event for GuardDuty findings" section in the document only alert for findings at Medium to High severity level. you can check the new finding's severity to see if it is at Low level.
  2. Because you could not find any GuardDuty events in CloudTrail and CloudTrail should capture all API calls to GuardDuty, I also suggest you use either of the two ways below to actively generate some new findings:
  1. After new findings are generated, wait for more than 15 minutes, then check your email to see a corresponding number of Medium and High severity findings are received; if not, check CloudTrail events and also refer to this document - How can I troubleshoot issues with Amazon EventBridge rules? to narrow down the cause of the issue.

Hope these steps can help you make the GuardDuty notification work in your environment.

Jasenc
answered a year ago
0

Probably permission issue, you can use the following link - https://medium.com/@cloud_tips/how-to-connect-eventbridge-to-aws-860e6f303793

profile pictureAWS
SUPPORT ENGINEER
Ravid_G
answered a year ago
  • DM
    a year ago

    In Guardduty-> Settings console, it says as below : Findings export options Findings are automatically sent to EventBridge. You can also export findings to an S3 bucket. New findings are exported within 5 minutes. You can modify the frequency for updated findings below.

    Does this mean that we don’t need to do anything special apart from setting up an eventbridge rule to get the findings to eventbridge ?

    The blogpost you mentioned it talks about setting up the event destination from settings page. I don’t see that option at all in settings and my understanding is that we don’t need to do anything special to send events to eventbridge. Please correct.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content