Create EventBridge Rule

In this step we will create an EventBridge rule that invokes the snapshot/containment Lambda for the BasicLinuxTarget whenever GuardDuty reports one of the selected EC2 finding types.

Create EventBridge Rule

  • Search for EventBridge in the AWS console. This takes you to the EventBridge homepage; click Create Rule.

[EventBridge console screenshot]

  • Name the rule gd-compromised-instance-remediation (the description is optional), then continue to the next step of the wizard.

[EventBridge console screenshot]

  • Under Event pattern, for Creation method choose Custom pattern (JSON editor) and paste the JSON below into the editor.
{
    "source": ["aws.guardduty"],
    "detail": {
        "type": ["UnauthorizedAccess:EC2/TorClient", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/DNSDataExfiltration", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS"]
    }
}
  • The result should look like this; then click Next.

[EventBridge console screenshot]

  1. Select Lambda function as the target.
  2. Select ec2instance-containment-with-forensics as the function. (The result should look like this.)

[EventBridge console screenshot]

  1. Leave everything else unchanged and create the rule.
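To check which findings the pattern above will actually route to the Lambda before the rule goes live, the following added example (not part of the workshop's own code) implements the subset of EventBridge pattern-matching semantics this pattern relies on (every pattern key must be present in the event, a list is an OR of exact literal values, nested objects match recursively) and runs it over constructed GuardDuty-shaped events. The event shape, account and instance ids are constructed placeholders; the finding types are the ones from the pattern on this page. It also shows that matching is exact, so a finding type that is not listed verbatim (for example a variant suffix) will not trigger the remediation.

```python
import json

# The event pattern from this workshop step, verbatim.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail": {
        "type": [
            "UnauthorizedAccess:EC2/TorClient",
            "Backdoor:EC2/C&CActivity.B!DNS",
            "Trojan:EC2/DNSDataExfiltration",
            "CryptoCurrency:EC2/BitcoinTool.B",
            "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        ]
    },
}


def matches_pattern(pattern: dict, event: dict) -> bool:
    """Return True if `event` satisfies `pattern`.

    Implements only the EventBridge matching rules this pattern uses:
    every key in the pattern must exist in the event, a list in the
    pattern is an OR of exact (case-sensitive, whole-string) literals,
    and a nested dict is matched recursively. Event keys the pattern
    does not mention are ignored.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}: {expected!r}")
    return True


def make_finding_event(finding_type: str, source: str = "aws.guardduty") -> dict:
    """Constructed sample event shaped like a GuardDuty finding delivered
    through EventBridge. Only the fields the pattern inspects matter; the
    ids below are placeholders, not real resources."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "GuardDuty Finding",
        "source": source,
        "account": "111122223333",  # placeholder account id
        "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0",
            "type": finding_type,
            "severity": 8,
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # placeholder
            },
        },
    }


def triggered_types(pattern: dict, events: list) -> list:
    """Finding types, in order, of the events that would invoke the Lambda target."""
    return [e["detail"]["type"] for e in events if matches_pattern(pattern, e)]


if __name__ == "__main__":
    samples = [
        make_finding_event("CryptoCurrency:EC2/BitcoinTool.B!DNS"),
        make_finding_event("UnauthorizedAccess:EC2/TorClient"),
        make_finding_event("Recon:EC2/PortProbeUnprotectedPort"),  # not in the list: no invocation
        make_finding_event("CryptoCurrency:EC2/BitcoinTool.B", source="aws.securityhub"),  # wrong source
    ]
    for finding_type in triggered_types(GUARDDUTY_EVENT_PATTERN, samples):
        print("would invoke ec2instance-containment-with-forensics for", finding_type)
    # The same pattern serialised as EventBridge expects it in a rule definition.
    print(json.dumps(GUARDDUTY_EVENT_PATTERN, indent=2))
```

Run it directly to see which of the four constructed findings would invoke the function; only the first two do. If you later add finding types to the remediation, extend the `type` list and re-run the check rather than relying on prefix or wildcard behaviour, which this pattern does not use.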

Make sure the instance is already isolated before taking snapshots; otherwise you may end up with many snapshots, one every 15 minutes (or every 6 hours, depending on your GuardDuty finding-frequency setting). The author recommends disabling this rule once you've completed the testing.

When you are done with all the steps, head to the next part of the workshop, Configure Automated Response, or try the Step Functions response instead.