Question

I'm working on a Lambda function to process AWS GuardDuty findings.

I'd like to generate sample events, which is easily done using the CreateSampleFindings API call or create-sample-findings cli command.

I have a custom cloudwatch rule that responds to the following event Pattern which triggers my Lambda function:

{
    "detail-type": [
    "GuardDuty Finding"
    ],
    "source": [
    "aws.guardduty"
    ]
}

Generating the first sample finding easily triggers a cloudwatch event

$ aws guardduty create-sample-findings \
--detector-id abcd12345efgh6789 \
--finding-types Recon:EC2/PortProbeUnprotectedPort

However when I call this same command again, the count of the finding in guard duty increments, but no more cloudwatch events are generated.

$ aws guardduty get-findings \
--detector-id abcd12345efgh6789 \
--finding-ids zyxwv987654acbde1234 \
--query "Findings[].Service.Count"
--output text $ 2

I understand why this behavior is in place, as the findings are grouped by unique signature and triggering cloudwatch events for each instance of a unique finding would be too much noise

However for developing/debugging purposes, is there a way I can generate multiple sample events that will trigger a cloudwatch event?

Answer 1

For anyone that comes across this for testing purposes disabling GuardDuty and then reenabling allows you to regenerate sample findings that trigger the CloudWatch event. This method has worked for me while creating a log forwarder for GuardDuty.