If the Amazon Detective integration is enabled and your offenses are generated from events that come from Amazon GuardDuty log sources, add a custom event property for the GuardDuty FindingID so that the integration can show the GuardDuty findings that are associated with each offense.
About this task
If you don't add a custom event property for the GuardDuty FindingID, the GuardDuty Findings section of the AWS resources in offense window displays errors.
Procedure
- On the Admin tab, click Custom Event Properties, and then click Add in the Custom Event Properties window.
- Configure the property with the values in the following table:

Field | Values
--- | ---
New Property | FindingID. Important: The name must be spelled exactly as shown.
Enable for use in Rules, Forwarding Profiles and Search Indexing | Select the checkbox.
Field Type | AlphaNumeric
Description | Complete as you need.
Enabled | Select the checkbox.
Log Source Type | Amazon GuardDuty
Log Source | All
Category | Select this option.
High Level Category | Any
Low Level Category | Any
Regex | "detail"\s*:\s*\{(.*)"id"\:"(.*?)"
Capture Group | 2

- Click Save and close the Custom Event Properties window.
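Before you save the property, check the regex against a payload in the shape that the GuardDuty log source delivers. The following Python script is an added example, not part of the original page and not QRadar code; it applies the regex and capture group from the table to a constructed compact-JSON finding, to the same finding re-serialized with a space after each colon, and to a constructed payload that carries a second bare "id" key nested later in the detail object. The event payloads, account numbers and finding ids are constructed placeholders, not real findings.

```python
import re
from typing import Dict, Optional

# Regex and capture group exactly as entered for the FindingID custom event property.
# QRadar compiles custom property regexes with Java semantics; this pattern uses only
# constructs (\s, \{, greedy .* and lazy .*?) that behave the same in Python's re module.
FINDING_ID_REGEX = r'"detail"\s*:\s*\{(.*)"id"\:"(.*?)"'
CAPTURE_GROUP = 2

_PATTERN = re.compile(FINDING_ID_REGEX)


def extract_finding_id(event_payload: str) -> Optional[str]:
    """Apply the custom property regex to one raw event payload.

    Returns the text of capture group 2 (the GuardDuty FindingID), or None when the
    pattern does not match, in which case the property would be left empty.
    """
    match = _PATTERN.search(event_payload)
    return None if match is None else match.group(CAPTURE_GROUP)


# Constructed sample, not a real finding: a GuardDuty finding inside an EventBridge-style
# event envelope, serialized as compact JSON. The envelope has its own "id" (the event id);
# the regex anchors on "detail", so only "id" keys after the detail object opens are seen.
COMPACT_EVENT = (
    '{"version":"0","id":"11111111-2222-3333-4444-555555555555",'
    '"detail-type":"GuardDuty Finding","source":"aws.guardduty",'
    '"account":"123456789012","time":"2024-01-01T00:00:00Z","region":"us-east-1",'
    '"detail":{"schemaVersion":"2.0","accountId":"123456789012","region":"us-east-1",'
    '"partition":"aws","id":"0123456789abcdef0123456789abcdef",'
    '"arn":"arn:aws:guardduty:us-east-1:123456789012:detector/abc/finding/0123456789abcdef0123456789abcdef",'
    '"type":"Recon:EC2/PortProbeUnprotectedPort","severity":2}}'
)

# The same payload with a space after every colon, as a pretty-printer would emit it.
# "id"\:" requires the colon and the opening quote to be adjacent, so this does not match
# and the property stays empty. Use it to confirm that the source delivers compact JSON.
SPACED_EVENT = COMPACT_EVENT.replace('":', '": ')

# Constructed edge case: a nested object later in detail that also has a bare "id" key.
# Group 1 is greedy, so the pattern returns the LAST "id":"..." in the message, not the
# finding's own id. Inspect real payloads of each finding type you rely on for this shape.
NESTED_ID_EVENT = COMPACT_EVENT.replace(
    '"severity":2}}',
    '"severity":2,"resource":{"owner":{"id":"ffffffffffffffffffffffffffffffff"}}}}',
)


def check_samples() -> Dict[str, Optional[str]]:
    """Run the property regex over each constructed payload and report what it captures."""
    return {
        "compact": extract_finding_id(COMPACT_EVENT),
        "spaced": extract_finding_id(SPACED_EVENT),
        "nested_id": extract_finding_id(NESTED_ID_EVENT),
    }


if __name__ == "__main__":
    for name, finding_id in check_samples().items():
        print(f"{name:>10}: {finding_id}")
```

Running the script prints the captured value for each sample: the compact payload yields the FindingID, the spaced payload yields nothing because the colon and quote after "id" must be adjacent, and the nested payload shows that the greedy first group returns the last "id":"..." in the message. If the findings in your environment carry a nested bare id key, compare the value that the property captures against the finding ID shown in the GuardDuty console before you rely on it.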
Results
When you investigate an offense from the AWS Offense Overview dashboard, GuardDuty findings appear in the AWS resources in offense window. To see the most up-to-date findings that are associated with the offense, click the Refresh icon.