Adding a custom event property for the GuardDuty FindingID

If the Amazon Detective integration is enabled, and you have offenses that are generated from events that come from GuardDuty log sources, add a custom event property for the GuardDuty FindingID so that you can take full advantage of the integration.

Before you begin

Configure the Amazon Detective integration first. For more information, see Integrating with Amazon Detective.

About this task

If you don't add a custom event property for the GuardDuty FindingID, you get errors in the GuardDuty Findings section of the AWS resources in offense window.

Procedure

  1. On the Admin tab, click Custom Event Properties, and then click Add in the Custom Event Properties window.
  2. Configure the properties in the following table:
    New Property: FindingID
      Important: The name must be spelled exactly as shown.
    Enable for use in Rules, Forwarding Profiles and Search Indexing: Select the checkbox.
    Field Type: AlphaNumeric
    Description: Complete as you need.
    Enabled: Select the checkbox.
    Log Source Type: Amazon GuardDuty
    Log Source: All
    Category: Select this option.
    High Level Category: Any
    Low Level Category: Any
    Regex: "detail"\s*:\s*\{(.*)"id"\:"(.*?)"
    Capture Group: 2
  3. Click Save and close the Custom Event Properties window.
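The regex in the table is what QRadar runs over each GuardDuty event payload, and capture group 2 becomes the FindingID property. The following Python script is an added example, not part of the IBM documentation: it applies the same pattern to constructed GuardDuty-style event payloads (all identifiers are placeholders) and shows what the pattern does and does not match, so you can check a sample payload from your own log source before saving the property. QRadar evaluates the expression with a Java regex engine; for this pattern Python's `re` behaves identically.

```python
import json
import re

# The regex exactly as entered in the custom event property; group 2 is the FindingID.
FINDING_ID_REGEX = re.compile(r'"detail"\s*:\s*\{(.*)"id"\:"(.*?)"')


def extract_finding_id(payload: str):
    """Return capture group 2 of the first match, or None when the pattern does not match."""
    match = FINDING_ID_REGEX.search(payload)
    return match.group(2) if match else None


# Constructed EventBridge-style GuardDuty finding (placeholder values, not a real finding).
_FINDING = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "EXAMPLEfindingid0123456789abcdef0",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
    },
}

# Case 1: compact single-line JSON, as typically forwarded to a log source. Matches.
SAMPLE_COMPACT = json.dumps(_FINDING, separators=(",", ":"))

# Case 2: single line, but with a space after each colon ("id": "..."). The pattern
# requires the quote immediately after the colon ("id":"), so this does NOT match.
SAMPLE_SPACED = json.dumps(_FINDING, separators=(",", ": "))

# Case 3: pretty-printed multi-line JSON. (.*) does not cross newlines, so the "id"
# on a later line is never reached and the property would be empty.
SAMPLE_PRETTY = json.dumps(_FINDING, indent=2)

# Case 4: constructed only to show the greedy (.*): a second "id":"..." later on the
# same line wins, because (.*) backtracks from the end of the line. This is a property
# of the regex, not a statement about the GuardDuty schema.
_NESTED = {"detail": {"id": "finding-id-FIRST", "service": {"id": "svc-id-LAST"}}}
SAMPLE_NESTED = json.dumps(_NESTED, separators=(",", ":"))


def check_samples():
    """Map each sample name to the FindingID the regex extracts (None when no match)."""
    return {
        "compact": extract_finding_id(SAMPLE_COMPACT),
        "spaced": extract_finding_id(SAMPLE_SPACED),
        "pretty": extract_finding_id(SAMPLE_PRETTY),
        "nested": extract_finding_id(SAMPLE_NESTED),
    }


if __name__ == "__main__":
    for name, finding_id in check_samples().items():
        print(f"{name:8s} -> {finding_id!r}")
```

If your GuardDuty payloads arrive pretty-printed or with spaces after the colons, the property stays empty and the AWS resources in offense window reports errors; paste a real payload from the Log Activity tab into `extract_finding_id` to confirm the FindingID is captured before relying on the integration.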

Results

When you investigate an offense from the AWS Offense Overview dashboard, GuardDuty findings appear in the AWS resources in offense window. To see the most up-to-date findings that are associated with the offense, click the Refresh icon.
Figure: GuardDuty FindingIDs shown in the AWS resources in offense window.

What to do next

Investigating offense-related AWS resources in Amazon Detective