Create EventBridge Rule

In this step we will create an EventBridge rule that triggers the creation of a snapshot of the BasicLinuxTarget instance.

Create EventBridge Rule

  • Search for EventBridge in the AWS console. This takes you to the EventBridge home page; click Create rule.


  • Name the rule gd-compromised-instance-remediation (if you still have the old rule from an earlier step, add the suffix -sf to this rule's name). The description is optional; then continue to the next screen.


  • Under Event pattern, for Creation method select Custom pattern (JSON editor) and paste the JSON below into the editor. Only findings whose source is GuardDuty and whose type is one of the listed EC2 finding types will match; everything else is ignored by the rule.

{
    "source": ["aws.guardduty"],
    "detail": {
        "type": ["UnauthorizedAccess:EC2/TorClient", "Backdoor:EC2/C&CActivity.B!DNS", "Trojan:EC2/DNSDataExfiltration", "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS"]
    }
}

  • The result should look like this; then click Next.


  1. Select Step Functions state machine as the target.
  2. Select the state machine tested earlier, PREFIX_StateMachine, as the target. (The result should look like this.)


  3. Leave everything else unchanged and create the rule.
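As an added check that is not part of the workshop, the following Python mirrors the EventBridge matching semantics this pattern relies on and runs the rule's pattern against constructed GuardDuty finding events, so you can see which finding types would hand the instance to the state machine and which (for example a Recon finding) would not. The finding event shape is trimmed and the instance id is a constructed sample.

```python
import json

# The event pattern from the rule above (copied from the workshop step).
EVENT_PATTERN = json.loads("""
{
    "source": ["aws.guardduty"],
    "detail": {
        "type": ["UnauthorizedAccess:EC2/TorClient", "Backdoor:EC2/C&CActivity.B!DNS",
                 "Trojan:EC2/DNSDataExfiltration", "CryptoCurrency:EC2/BitcoinTool.B",
                 "CryptoCurrency:EC2/BitcoinTool.B!DNS"]
    }
}
""")

def matches(pattern, event):
    """Return True if `event` satisfies `pattern`.

    Subset of EventBridge semantics this pattern relies on: every key in the
    pattern must be present in the event, a list means "the event value must
    equal one of these literals", and a nested dict recurses. Keys the pattern
    does not mention are ignored; a missing or wrongly shaped field never matches.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def make_finding(finding_type, instance_id="i-0123456789abcdef0"):
    """Constructed, trimmed GuardDuty finding event: only the fields the
    pattern inspects plus the instance id the state machine will act on."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": finding_type,
            "resource": {"instanceDetails": {"instanceId": instance_id}},
        },
    }

if __name__ == "__main__":
    for t in ("UnauthorizedAccess:EC2/TorClient", "Recon:EC2/PortProbeUnprotectedPort"):
        print(f"{t}: {matches(EVENT_PATTERN, make_finding(t))}")
```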

Make sure the instance is already isolated before taking snapshots; otherwise you may end up with many snapshots, one every 15 minutes (or every 6 hours, depending on your GuardDuty finding update frequency). The author recommends disabling this rule once you have completed the testing.

When you are done with all the steps, head to the next part of the workshop: Configure Automated Response.