Filtering event rules using customized JSON event patterns in AWS User Notifications - AWS User Notifications
AWS Health events about specific services and event type categoriesAmazon EC2 instance state changed to "terminated", "stopping", "stopped", or "shutting-down"Specific Amazon CloudWatch alarm in alarm stateRoot user sign-in without multi-factor authenticationAmazon GuardDuty findings with medium and high severity

Filtering event rules using customized JSON event patterns in AWS User Notifications

Event rules are used to receive notifications about specific events. To apply additional filters to your event rules, you can customize event patterns for those rules. Advanced filtering options include:

  • Suffix filtering - match against characters at the end of a value

  • $or matching - use a single rule to check if conditions across several different fields are true

  • Equals-ignore-case - ignore case sensitivity

This topic includes JSON samples for commonly used event patterns and additional information on the EventBridge console's rule builder. For more event pattern examples, see Content filtering in Amazon EventBridge event patterns in the Amazon EventBridge User Guide.

Managed rules include event patterns that are required by the service to manage your notifications. For more information, see Amazon EventBridge managed rules in AWS User Notifications.

Tip

By default, User Notifications adds the service and event type to the event rule. You can include them in the Advance filter, but they aren't required.

For assistance while building your event patterns, you can use the EventBridge console's rule builder. Use the Event Pattern Builder and the in-place tester to try out your patterns. You aren't required to complete the Create rule workflow to use the rule builder.

AWS Health events about specific services and event type categories

The following event pattern creates a rule to monitor events for the issue, accountNotification, and scheduledChange event type categories for Amazon EC2, Amazon EC2 Auto Scaling, and Amazon Virtual Private Cloud. For more information, see Monitoring AWS Health events with Amazon EventBridge in the AWS Health User Guide.

To use the following JSON code:

  1. Create or edit a notification configuration in the User Notifications console.

  2. Create an Event Rule:

    1. For Service Type, select Health.

    2. For Event Type, select Specific Health Events.

    3. For Regions, select the AWS Regions where your service data is located.

    4. In Advanced filter, paste the following JSON code.

{
  "detail": {
    "eventTypeCategory": [
      "issue",
      "accountNotification",
      "scheduledChange"
    ],
    "service": [
      "AUTOSCALING",
      "VPC",
      "EC2"
    ]
  }
}

Amazon EC2 instance state changed to "terminated", "stopping", "stopped", or "shutting-down"

The following event pattern matches terminated, stopping, stopped, and shutting-down state changes for all Amazon EC2 instances. For more information, see State change events for Amazon EC2 instances in the Amazon EC2 User Guide.

To use the following JSON code:

  1. Create or edit a notification configuration in the User Notifications console.

  2. Create an Event Rule:

    1. For Service Type, select EC2.

    2. For Event Type, select EC2 Instance State-Change Notification.

    3. For Regions, select the AWS Regions where your service data is located.

    4. In Advanced filter, paste the following JSON code.

{
  "detail": {
    "state": ["terminated", "stopping", "stopped", "shutting-down"]
  }
}

Specific Amazon CloudWatch alarm in alarm state

The following event pattern allows you to specify CloudWatch alarms in the ALARM state by using resource ARNs. For more information, see Alarm events and EventBridge in the Amazon CloudWatch User Guide.

To use the following JSON code:

  1. Create or edit a notification configuration in the User Notifications console.

  2. Create an Event Rule:

    1. For Service Type, select CloudWatch.

    2. For Event Type, select CloudWatch alarm state change.

    3. For Regions, select the AWS Regions where your service data is located.

    4. In Advanced filter, paste the following JSON code.

{
  "resources": [
    "arn:aws:cloudwatch:us-east-1:123456789012:alarm:BillingAlarm",
    "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TestAlarm"
  ],
  "detail": {
    "state": {
      "value": [
        "ALARM"
      ]
    }
  }
}

Root user sign-in without multi-factor authentication

The following event pattern allows you to monitor root user sign-in without multi-factor authentication (MFA). For more information, see AWS Management Console sign-in events in the AWS CloudTrail User Guide.

To use the following JSON code:

  1. Create or edit a notification configuration in the User Notifications console.

  2. Create an Event Rule:

    1. For Service Type, select AWS Management Console Sign-in.

    2. For Event Type, select Sign-in events.

    3. For Regions, select the AWS Regions where your service data is located.

    4. In Advanced filter, paste the following JSON code.

{
  "detail": {
    "userIdentity": {
      "type": ["Root"]
    },
    "additionalEventData": {
      "MFAUsed": ["No"]
    }
  }
}

Amazon GuardDuty findings with medium and high severity

The following event pattern allows you to monitor GuardDuty findings with medium and high severity. For more information, see Severity levels for GuardDuty findings in the Amazon GuardDuty User Guide.

To use the following JSON code:

  1. Create or edit a notification configuration in the User Notifications console.

  2. Create an Event Rule:

    1. In Event rule, for Service Type, select GuardDuty.

    2. For Event Type, select GuardDuty Finding.

    3. For Regions, select the AWS Regions where your service data is located.

    4. In Advanced filter, paste the following JSON code.

{
  "detail-type": [
    "GuardDuty Finding"
  ],
  "source": [
    "aws.guardduty"
  ],
  "detail": {
    "severity": [{
      "numeric": [">=", 4]
    }]
  }
}