

# Processing Macie findings with Amazon EventBridge
<a name="findings-monitor-events-eventbridge"></a>

Amazon EventBridge, formerly Amazon CloudWatch Events, is a serverless event bus service. EventBridge delivers a stream of real-time data from applications and services, and routes that data to targets such as AWS Lambda functions, Amazon Simple Notification Service (Amazon SNS) topics, and Amazon Kinesis streams. To learn more about EventBridge, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html). 

With EventBridge, you can automate monitoring and processing of certain types of events. This includes events that Amazon Macie publishes automatically for new policy findings and sensitive data findings. This also includes events that Macie publishes automatically for subsequent occurrences of existing policy findings. For details about how and when Macie publishes these events, see [Configuring publication settings for findings](findings-publish-frequency.md).

By using EventBridge and the events that Macie publishes for findings, you can monitor and process findings in near real time. You can then act upon findings by using other applications and services. For example, you might use EventBridge to send specific types of new findings to an AWS Lambda function. The Lambda function might then process and send the data to your security incident and event management (SIEM) system. If you [integrate AWS User Notifications with Macie](findings-monitor-events-uno.md), you can also use the events to be notified of findings automatically through delivery channels that you specify.

In addition to automated monitoring and processing, use of EventBridge enables longer-term retention of your findings data. Macie stores findings for 90 days. With EventBridge, you can send findings data to your preferred storage platform and store the data for as long as you like.

**Note**  
For long-term retention, also configure Macie to store your sensitive data discovery results in an S3 bucket. A *sensitive data discovery result* is a record that logs details about the analysis that Macie performed on an S3 object to determine whether the object contains sensitive data. To learn more, see [Storing and retaining sensitive data discovery results](discovery-results-repository-s3.md).

**Topics**
+ [Working with EventBridge](#findings-monitor-events-eventbridge-overview)
+ [Creating EventBridge rules for findings](#findings-monitor-events-eventbridge-rule-cli)

## Working with Amazon EventBridge
<a name="findings-monitor-events-eventbridge-overview"></a>

With Amazon EventBridge, you create rules to specify which events you want to monitor and which targets you want to perform automated actions for those events. A *target* is a destination that EventBridge sends events to.

To automate monitoring and processing tasks for findings, you can create an EventBridge rule that automatically detects Amazon Macie finding events and sends those events to another application or service for processing or other action. You can tailor the rule to send only those events that meet certain criteria. To do this, specify criteria that derive from the [Amazon EventBridge event schema for Macie findings](findings-publish-event-schemas.md).

For example, you can create a rule that sends specific types of new findings to an AWS Lambda function. The Lambda function can then perform tasks such as: process and send the data to your SIEM system; automatically apply a certain type of server-side encryption to an S3 object; or, restrict access to an S3 object by changing the object's access control list (ACL). Or you can create a rule that automatically sends new high-severity findings to an Amazon SNS topic, which then notifies your incident response team of the finding.

In addition to invoking Lambda functions and notifying Amazon SNS topics, EventBridge supports other types of targets and actions, such as relaying events to Amazon Kinesis streams, activating AWS Step Functions state machines, and invoking the AWS Systems Manager run command. For information about supported targets, see [Event bus targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html) in the *Amazon EventBridge User Guide*.
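The rule's event pattern is where "only those events that meet certain criteria" is expressed, and the custom-pattern tips in the procedures below rely on the same idea. The following Python is an added example (it is not from the Macie documentation or AWS) of a minimal EventBridge-style pattern matcher: it implements exact matching plus the `prefix` and `numeric` content filters, and runs three candidate rule patterns against constructed finding events so you can see which rule would fire. The envelope and `detail` field names follow the Macie finding event schema linked above, but the severity scores (1/2/3), the `prod-` bucket naming convention and the rule names are assumptions for the example. For the authoritative answer on a real pattern, use `aws events test-event-pattern`.

```python
"""Added example: a minimal EventBridge-style event pattern matcher for Macie finding events.
Supports exact matching, the `prefix` filter and the `numeric` filter; nothing else."""


def _match_leaf(conditions: list, value) -> bool:
    """A leaf in a pattern is a list of alternatives; the event value matches if ANY entry does."""
    for cond in conditions:
        if isinstance(cond, dict):
            if "prefix" in cond and isinstance(value, str) and value.startswith(cond["prefix"]):
                return True
            if "numeric" in cond and isinstance(value, (int, float)) and not isinstance(value, bool):
                ops = cond["numeric"]  # e.g. [">=", 2] or [">", 1, "<=", 3]
                checks = {
                    "<": lambda n: value < n, "<=": lambda n: value <= n, "=": lambda n: value == n,
                    ">=": lambda n: value >= n, ">": lambda n: value > n,
                }
                if all(checks[op](n) for op, n in zip(ops[0::2], ops[1::2])):
                    return True
        elif cond == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must be present in the event and match (AND); nested objects recurse.
    Keys in the event that the pattern does not mention are ignored, as EventBridge does."""
    for key, cond in pattern.items():
        if key not in event:
            return False
        if isinstance(cond, dict):
            if not isinstance(event[key], dict) or not matches(cond, event[key]):
                return False
        elif not _match_leaf(cond, event[key]):
            return False
    return True


# The pattern the CLI procedure on this page uses: every event Macie publishes.
ALL_MACIE = {"source": ["aws.macie"]}

# Only high-severity sensitive data findings (the "specific types of new findings" case).
HIGH_SENSITIVE_DATA = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"category": ["CLASSIFICATION"], "severity": {"description": ["High"]}},
}

# Policy findings of medium severity or higher, but only on buckets named "prod-*" (assumed convention).
PROD_POLICY = {
    "source": ["aws.macie"],
    "detail": {
        "category": ["POLICY"],
        "severity": {"score": [{"numeric": [">=", 2]}]},
        "resourcesAffected": {"s3Bucket": {"name": [{"prefix": "prod-"}]}},
    },
}

RULES = {"MacieFindings": ALL_MACIE, "MacieHighSensitiveData": HIGH_SENSITIVE_DATA, "MacieProdPolicy": PROD_POLICY}


def sample_finding(category: str, severity: str, score: int, bucket: str) -> dict:
    """Constructed finding event (not a real finding). Field names follow the Macie finding event schema;
    the severity scores used by callers (Low=1, Medium=2, High=3) are an assumption of this example."""
    return {
        "version": "0",
        "detail-type": "Macie Finding",
        "source": "aws.macie",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "category": category,
            "severity": {"description": severity, "score": score},
            "resourcesAffected": {"s3Bucket": {"name": bucket}},
        },
    }


def matching_rules(event: dict) -> list:
    """Names of the rules whose pattern selects this event, in RULES order."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


if __name__ == "__main__":
    for ev in (
        sample_finding("CLASSIFICATION", "High", 3, "prod-customer-exports"),
        sample_finding("POLICY", "Medium", 2, "prod-logs"),
        sample_finding("POLICY", "Low", 1, "prod-logs"),
        sample_finding("POLICY", "High", 3, "dev-scratch"),
    ):
        d = ev["detail"]
        print(d["category"], d["severity"]["description"], d["resourcesAffected"]["s3Bucket"]["name"], "->", matching_rules(ev))
```

Note that the broad `{"source": ["aws.macie"]}` pattern matches every event above, so a Lambda target behind it must do its own filtering; the narrower patterns push that filtering into EventBridge, which is cheaper and keeps the function's permissions and blast radius small.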

## Creating Amazon EventBridge rules for Macie findings
<a name="findings-monitor-events-eventbridge-rule-cli"></a>

The following procedures explain how to use the Amazon EventBridge console and the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) to create an EventBridge rule for Amazon Macie findings. The rule detects EventBridge events that use the event schema and pattern for Macie findings, and it sends those events to an AWS Lambda function for processing.

AWS Lambda is a compute service that you can use to run code without provisioning or managing servers. You package your code and upload it to AWS Lambda as a *Lambda function*. AWS Lambda then runs the function when the function is invoked. A function can be invoked manually by you, automatically in response to events, or in response to requests from applications or services. For information about creating and invoking Lambda functions, see the [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html).

------
#### [ Console ]

Follow these steps to use the Amazon EventBridge console to create a rule that automatically sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. For details about rule settings or to learn how to create a rule that uses custom settings, see [Creating rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

**Tip**  
You can also create a rule that uses a custom pattern to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see [Amazon EventBridge event schema for Macie findings](findings-publish-event-schemas.md). To learn about using custom patterns in rules, see [Creating event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-pattern.html) in the *Amazon EventBridge User Guide*.

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the rule, you'll need to specify this function as the target for the rule.

**To create an event rule by using the console**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, under **Buses**, choose **Rules**.

1. In the **Rules** section, choose **Create rule**.

1. On the **Define rule detail** page, do the following:
   + For **Name**, enter a name for the rule.
   + (Optional) For **Description**, enter a brief description of the rule.
   + For **Event bus**, ensure that **default** is selected and **Enable the rule on the selected event bus** is turned on.
   + For **Rule type**, choose **Rule with an event pattern**.

1. When you finish, choose **Next**.

1. On the **Build event pattern** page, do the following:
   + For **Event source**, choose **AWS events or EventBridge partner events**.
   + (Optional) For **Sample event**, review a sample finding event for Macie to learn what an event might contain. To do this, choose **AWS events**. Then, for **Sample events**, choose **Macie Finding**.
   + For **Creation method**, choose **Use pattern form**.
   + For **Event pattern**, enter the following settings:
     + For **Event source**, choose **AWS services**.
     + For **AWS service**, choose **Macie**.
     + For **Event type**, choose **Macie Finding**.

1. When you finish, choose **Next**.

1. On the **Select targets** page, do the following:
   + For **Target types**, choose **AWS service**.
   + For **Select a target**, choose **Lambda function**. Then, for **Function**, choose the Lambda function that you want to send finding events to.
   + For **Configure version/alias**, enter version and alias settings for the target Lambda function.
   + (Optional) For **Additional settings**, enter custom settings to specify which event data you want to send to the Lambda function. You can also specify how to handle events that aren't delivered to the function successfully.

1. When you finish, choose **Next**.

1. On the **Configure tags** page, optionally enter one or more tags to assign to the rule. Then choose **Next**.

1. On the **Review and create** page, review the rule’s settings and verify that they're correct.

   To change a setting, choose **Edit** in the section that contains the setting, and then enter the correct setting. You can also use the navigation tabs to go to the page that contains a setting.

1. When you finish verifying the settings, choose **Create rule**.

------
#### [ AWS CLI ]

Follow these steps to use the AWS CLI to create an EventBridge rule that sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. In this procedure, the commands are formatted for Microsoft Windows. For Linux, macOS, or Unix, replace the caret (^) line-continuation character with a backslash (\).

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the function, note the Amazon Resource Name (ARN) of the function. You'll need to enter this ARN when you specify the target for the rule.

**To create an event rule by using the AWS CLI**

1. Create a rule that detects events for all the findings that Macie publishes to EventBridge. To do this, run the EventBridge [put-rule](https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html) command. For example:

   ```
   C:\> aws events put-rule ^
   --name MacieFindings ^
   --event-pattern "{\"source\":[\"aws.macie\"]}"
   ```

   Where *MacieFindings* is the name that you want for the rule.
   **Tip**  
   You can also create a rule that uses a custom pattern (`event-pattern`) to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see [Amazon EventBridge event schema for Macie findings](findings-publish-event-schemas.md). To learn about using custom patterns in rules, see [Creating event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-pattern.html) in the *Amazon EventBridge User Guide*. To check a custom pattern against a sample finding event before you create the rule, run the EventBridge `test-event-pattern` command with the `--event-pattern` and `--event` parameters.

   If the command runs successfully, EventBridge responds with the ARN of the rule. Note this ARN. You'll need to enter it in step 3.

1. Specify the Lambda function to use as a target for the rule. To do this, run the EventBridge [put-targets](https://docs.aws.amazon.com/cli/latest/reference/events/put-targets.html) command. For example:

   ```
   C:\> aws events put-targets ^
   --rule MacieFindings ^
   --targets Id=1,Arn=arn:aws:lambda:regionalEndpoint:accountID:function:my-findings-function
   ```

   Where *MacieFindings* is the name that you specified for the rule in step 1, and the value for the `Arn` parameter is the ARN of the function that you want the rule to use as a target.

1. Add permissions that allow the rule to invoke the target Lambda function. To do this, run the Lambda [add-permission](https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html) command. For example:

   ```
   C:\> aws lambda add-permission ^
   --function-name my-findings-function ^
   --statement-id Sid ^
   --action lambda:InvokeFunction ^
   --principal events.amazonaws.com ^
   --source-arn arn:aws:events:regionalEndpoint:accountID:rule/MacieFindings
   ```

   Where:
   + *my-findings-function* is the name of the Lambda function that you want the rule to use as a target.
   + *Sid* is a statement identifier that you define to describe the statement in the Lambda function policy.
   + `source-arn` is the ARN of the EventBridge rule, which uses the form `arn:aws:events:region:account-id:rule/rule-name`. Keep this condition: it scopes the permission to this one rule. Without it, the statement allows EventBridge to invoke the function on behalf of any rule, including rules in other AWS accounts.

   If the command runs successfully, you receive output similar to the following:

   ```
   {
     "Statement": "{\"Sid\":\"Sid\",
       \"Effect\":\"Allow\",
       \"Principal\":{\"Service\":\"events.amazonaws.com\"},
       \"Action\":\"lambda:InvokeFunction\",
       \"Resource\":\"arn:aws:lambda:us-east-1:111122223333:function:my-findings-function\",
       \"Condition\":
         {\"ArnLike\":
           {\"AWS:SourceArn\":
            \"arn:aws:events:us-east-1:111122223333:rule/MacieFindings\"}}}"
   }
   ```

   The `Statement` value is a JSON string version of the statement that was added to the Lambda function policy. To confirm the configuration, run `aws events list-targets-by-rule --rule MacieFindings` and `aws lambda get-policy --function-name my-findings-function`, and verify that the target ARN and the policy's `SourceArn` condition refer to the function and rule that you intended.
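   What the target receives is the EventBridge envelope (`source`, `detail-type`, `account`, `region`, and so on) with the Macie finding in `detail`. The Python function below is an added example of a handler for the Lambda target (it is not from the Macie documentation or AWS): it rejects anything that is not a Macie finding event, flattens the fields a SIEM typically needs, and picks a triage action. The sample event is constructed; its `detail` field names follow the Macie finding event schema linked earlier, but check them against that page before relying on them. The triage thresholds, the `prod-customer-exports` bucket, and the `quarantine`/`notify`/`log` action names are assumptions of the example, and the actual SIEM forwarding or S3 remediation calls are where you would plug in your own code.

```python
"""Added example: Lambda handler for the EventBridge rule that forwards Macie finding events.
Validates the envelope, normalizes the finding for a SIEM, and chooses a triage action."""
import json

EXPECTED_SOURCE = "aws.macie"
EXPECTED_DETAIL_TYPE = "Macie Finding"


def normalize_finding(event: dict) -> dict:
    """Reject anything that is not a Macie finding event, then flatten the fields a SIEM needs.
    Field names in `detail` follow the Macie finding event schema."""
    if event.get("source") != EXPECTED_SOURCE or event.get("detail-type") != EXPECTED_DETAIL_TYPE:
        raise ValueError(
            f"unexpected event: source={event.get('source')!r} detail-type={event.get('detail-type')!r}"
        )
    detail = event["detail"]
    affected = detail.get("resourcesAffected", {})
    bucket = affected.get("s3Bucket") or {}
    obj = affected.get("s3Object") or {}  # absent for bucket-level policy findings
    return {
        "finding_id": detail["id"],
        "account": event["account"],
        "region": event["region"],
        "category": detail["category"],        # CLASSIFICATION (sensitive data) or POLICY
        "type": detail["type"],
        "severity": detail["severity"]["description"],
        "severity_score": detail["severity"]["score"],
        "occurrences": detail.get("count", 1),  # > 1: a republished, recurring policy finding
        "bucket": bucket.get("name"),
        "object_key": obj.get("key"),
        "first_seen": detail["createdAt"],
        "last_seen": detail["updatedAt"],
    }


def decide_action(record: dict) -> str:
    """Triage policy assumed for this example: high-severity sensitive data in a specific object is a
    quarantine candidate, other medium/high findings page the IR team, everything else is logged."""
    if record["category"] == "CLASSIFICATION" and record["severity"] == "High" and record["object_key"]:
        return "quarantine"
    if record["severity"] in ("High", "Medium"):
        return "notify"
    return "log"


def lambda_handler(event: dict, context) -> dict:
    """Entry point that EventBridge invokes. Raising on a malformed event makes the failure visible in
    CloudWatch Logs and, if you configured one, routes the event to the rule's dead-letter queue."""
    record = normalize_finding(event)
    record["action"] = decide_action(record)
    print(json.dumps(record))  # structured log line; forward to the SIEM from here
    return record


def make_sample_event(category: str = "CLASSIFICATION", severity: str = "High", score: int = 3,
                      with_object: bool = True, count: int = 1) -> dict:
    """Constructed sample event (not a real finding); identifiers and timestamps are made up."""
    affected = {"s3Bucket": {"name": "prod-customer-exports"}}
    if with_object:
        affected["s3Object"] = {"key": "exports/2024-04/customers.csv"}
    finding_type = "SensitiveData:S3Object/Personal" if category == "CLASSIFICATION" else "Policy:IAMUser/S3BucketPublic"
    return {
        "version": "0",
        "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
        "detail-type": EXPECTED_DETAIL_TYPE,
        "source": EXPECTED_SOURCE,
        "account": "111122223333",
        "time": "2024-05-01T12:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "schemaVersion": "1.0",
            "id": "12ab34cd56ef78ab90cd12ef34ab56cd",
            "accountId": "111122223333",
            "region": "us-east-1",
            "category": category,
            "type": finding_type,
            "severity": {"description": severity, "score": score},
            "count": count,
            "createdAt": "2024-05-01T11:58:00.000Z",
            "updatedAt": "2024-05-01T11:58:00.000Z",
            "resourcesAffected": affected,
        },
    }


if __name__ == "__main__":
    lambda_handler(make_sample_event(), None)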

------