feat(eb): add guardduty finding to event bridge rule (SSPROD-41990) (#123)

* add guardduty finding to event bridge rule

* add variable for event pattern rule

* remove new line

* new line

Author: matteopasa

templates_cspm_eventbridge/FullInstall.yaml

@@ -13,6 +13,7 @@ Metadata:
           - EventBusARN
           - EventBridgeRoleName
           - EventBridgeState
+          - EventBridgeEventPattern
 
     ParameterLabels:
       RoleName:
@@ -27,8 +28,9 @@ Metadata:
         default: "Integration Name (Sysdig use only)"
       EventBridgeState:
         default: "State of the EventBridge Rule (Sysdig use only)"
-          
-       
+      EventBridgeEventPattern:
+        default: "Event Pattern (Sysdig use only)"
+
 Parameters:
   RoleName:
     Type: String
@@ -53,6 +55,28 @@ Parameters:
       - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
       - ENABLED
       - DISABLED
+  EventBridgeEventPattern:
+    Type: String
+    Description: JSON pattern for the EventBridge rule's event pattern
+    Default: |
+      {
+        "detail-type": [
+          "AWS API Call via CloudTrail",
+          "AWS Console Sign In via CloudTrail",
+          "AWS Service Event via CloudTrail",
+          "Object Access Tier Changed",
+          "Object ACL Updated",
+          "Object Created",
+          "Object Deleted",
+          "Object Restore Completed",
+          "Object Restore Expired",
+          "Object Restore Initiated",
+          "Object Storage Class Changed",
+          "Object Tags Added",
+          "Object Tags Deleted",
+          "GuardDuty Finding"
+        ]
+      }
 
 Resources:
   CloudAgentlessRole:
@@ -133,27 +157,12 @@ Resources:
     Type: AWS::Events::Rule
     Properties:
       Name: !Ref EventBridgeRoleName
-      Description: Capture all CloudTrail events
-      EventPattern:
-        detail-type:
-          - 'AWS API Call via CloudTrail'
-          - 'AWS Console Sign In via CloudTrail'
-          - 'AWS Service Event via CloudTrail'
-          - 'Object Access Tier Changed'
-          - 'Object ACL Updated'
-          - 'Object Created'
-          - 'Object Deleted'
-          - 'Object Restore Completed'
-          - 'Object Restore Expired'
-          - 'Object Restore Initiated'
-          - 'Object Storage Class Changed'
-          - 'Object Tags Added'
-          - 'Object Tags Deleted'
+      Description: Capture events based on the provided event pattern
+      EventPattern: !Ref EventBridgeEventPattern
       State: !Ref EventBridgeState
       Targets:
         - Id: !Ref EventBridgeRoleName
           Arn: !Ref EventBusARN
           RoleArn: !GetAtt
             - EventBridgeRole
             - Arn
-            

templates_cspm_eventbridge/OrgFullInstall.yaml

@@ -1,5 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: IAM Role and EventBridge resources used by Sysdig Secure
+
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -14,6 +15,7 @@ Metadata:
           - Regions
           - OrganizationUnitIDs
           - EventBridgeState
+          - EventBridgeEventPattern
     ParameterLabels:
       CSPMRoleName:
         default: "CSPM Role Name (Sysdig use only)"
@@ -30,7 +32,10 @@ Metadata:
       OrganizationUnitIDs:
         default: "Organization Unit IDs (Sysdig use only)"
       EventBridgeState:
-        default: "State of the EventBridge Rule (Sysdig use only)"  
+        default: "State of the EventBridge Rule (Sysdig use only)"
+      EventBridgeEventPattern:
+        default: "Event Pattern (Sysdig use only)"  
+
 Parameters:
   CSPMRoleName:
     Type: String
@@ -61,7 +66,29 @@ Parameters:
       - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
       - ENABLED
       - DISABLED
-       
+  EventBridgeEventPattern:
+    Type: String
+    Description: JSON pattern for the EventBridge rule's event pattern
+    Default: |
+      {
+        "detail-type": [
+          "AWS API Call via CloudTrail",
+          "AWS Console Sign In via CloudTrail",
+          "AWS Service Event via CloudTrail",
+          "Object Access Tier Changed",
+          "Object ACL Updated",
+          "Object Created",
+          "Object Deleted",
+          "Object Restore Completed",
+          "Object Restore Expired",
+          "Object Restore Initiated",
+          "Object Storage Class Changed",
+          "Object Tags Added",
+          "Object Tags Deleted",
+          "GuardDuty Finding"
+        ]
+      }
+
 Resources:
   AdministrationRole:
     Type: AWS::IAM::Role
@@ -357,6 +384,7 @@ Resources:
                   - 'Object Storage Class Changed'
                   - 'Object Tags Added'
                   - 'Object Tags Deleted'
+                  - 'GuardDuty Finding'
               State: !Sub ${EventBridgeState}
               Targets:
                 - Id: !Sub ${EventBridgeRoleName}
@@ -388,6 +416,8 @@ Resources:
           ParameterValue: !Ref EventBusARN
         - ParameterKey: EventBridgeState
           ParameterValue: !Ref EventBridgeState
+        - ParameterKey: EventBridgeEventPattern
+          ParameterValue: !Ref EventBridgeEventPattern
       StackInstancesGroup:
         - DeploymentTargets:
             Accounts:
@@ -410,28 +440,36 @@ Resources:
             AllowedValues:
               - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
               - ENABLED
-              - DISABLED                     
+              - DISABLED
+          EventBridgeEventPattern:
+            Type: String
+            Description: JSON pattern for the EventBridge rule's event pattern
+            Default: |
+              {
+                "detail-type": [
+                  "AWS API Call via CloudTrail",
+                  "AWS Console Sign In via CloudTrail",
+                  "AWS Service Event via CloudTrail",
+                  "Object Access Tier Changed",
+                  "Object ACL Updated",
+                  "Object Created",
+                  "Object Deleted",
+                  "Object Restore Completed",
+                  "Object Restore Expired",
+                  "Object Restore Initiated",
+                  "Object Storage Class Changed",
+                  "Object Tags Added",
+                  "Object Tags Deleted",
+                  "GuardDuty Finding"
+                ]
+              }
         Resources:           
           EventBridgeRule:
             Type: "AWS::Events::Rule"
             Properties:
               Name: !Sub ${EventBridgeRoleName}
               Description: Capture all CloudTrail events
-              EventPattern:
-                detail-type:
-                  - 'AWS API Call via CloudTrail'
-                  - 'AWS Console Sign In via CloudTrail'
-                  - 'AWS Service Event via CloudTrail'
-                  - 'Object Access Tier Changed'
-                  - 'Object ACL Updated'
-                  - 'Object Created'
-                  - 'Object Deleted'
-                  - 'Object Restore Completed'
-                  - 'Object Restore Expired'
-                  - 'Object Restore Initiated'
-                  - 'Object Storage Class Changed'
-                  - 'Object Tags Added'
-                  - 'Object Tags Deleted'
+              EventPattern: !Ref EventBridgeEventPattern
               State: !Sub ${EventBridgeState}
               Targets:
                 - Id: !Sub ${EventBridgeRoleName}

templates_eventbridge/EventBridge.yaml

@@ -11,6 +11,8 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - EventBusARN
+          - EventBridgeState
+          - EventBridgeEventPattern
 
     ParameterLabels:
       ExternalID:
@@ -23,6 +25,8 @@ Metadata:
         default: "Integration Name (Sysdig use only)"
       EventBridgeState:
         default: "State of the EventBridge Rule (Sysdig use only)"
+      EventBridgeEventPattern:
+        default: "Event Pattern (Sysdig use only)"
 
 Parameters:
   EventBridgeRoleName:
@@ -45,6 +49,28 @@ Parameters:
       - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
       - ENABLED
       - DISABLED
+  EventBridgeEventPattern:
+    Type: String
+    Description: JSON pattern for the EventBridge rule's event pattern
+    Default: |
+      {
+        "detail-type": [
+          "AWS API Call via CloudTrail",
+          "AWS Console Sign In via CloudTrail",
+          "AWS Service Event via CloudTrail",
+          "Object Access Tier Changed",
+          "Object ACL Updated",
+          "Object Created",
+          "Object Deleted",
+          "Object Restore Completed",
+          "Object Restore Expired",
+          "Object Restore Initiated",
+          "Object Storage Class Changed",
+          "Object Tags Added",
+          "Object Tags Deleted",
+          "GuardDuty Finding"
+        ]
+      }
 
 Resources:
   EventBridgeRole:
@@ -83,25 +109,11 @@ Resources:
     Properties:
       Name: !Ref EventBridgeRoleName
       Description: Capture all CloudTrail events
-      EventPattern:
-        detail-type:
-          - 'AWS API Call via CloudTrail'
-          - 'AWS Console Sign In via CloudTrail'
-          - 'AWS Service Event via CloudTrail'
-          - 'Object Access Tier Changed'
-          - 'Object ACL Updated'
-          - 'Object Created'
-          - 'Object Deleted'
-          - 'Object Restore Completed'
-          - 'Object Restore Expired'
-          - 'Object Restore Initiated'
-          - 'Object Storage Class Changed'
-          - 'Object Tags Added'
-          - 'Object Tags Deleted'
+      EventPattern: !Ref EventBridgeEventPattern
       State: !Ref EventBridgeState
       Targets:
         - Id: !Ref EventBridgeRoleName
           Arn: !Ref EventBusARN
           RoleArn: !GetAtt
             - EventBridgeRole
-            - Arn    
+            - Arn