Skip to content

fix: use numeric severity values in GuardDuty Sigma detections#119

Merged
abraithwaite merged 3 commits into
mainfrom
alan/fix-guardduty-severity-numeric
Jul 10, 2026
Merged

fix: use numeric severity values in GuardDuty Sigma detections#119
abraithwaite merged 3 commits into
mainfrom
alan/fix-guardduty-severity-numeric

Conversation

@abraithwaite

Copy link
Copy Markdown
Member

Summary

  • GuardDuty findings use numeric severity values (1-10), not text labels like 'CRITICAL' or 'High'
  • All four GuardDuty Sigma rules were matching on text strings that never matched any real events
  • Updated severity matching to use the correct numeric ranges per the AWS GuardDuty severity scale:
    • Critical: 9, 10
    • High: 7, 8
    • Medium: 4, 5, 6
    • Low: 1, 2, 3
  • Added explicit sourcetypes: [guardduty] to all four rules

Test plan

Validated with runreveal lint sigma and runreveal detections run against real GuardDuty ndjson events:

# Lint all four rules
runreveal lint sigma detections/aws/guardduty/sigma/

# Test against sample guardduty events (one raw finding JSON per line)
runreveal detections run -f detections/aws/guardduty/sigma/high-severity-findings.yaml -i guardduty-events.ndjson
runreveal detections run -f detections/aws/guardduty/sigma/medium-severity-findings.yaml -i guardduty-events.ndjson
runreveal detections run -f detections/aws/guardduty/sigma/low-severity-findings.yaml -i guardduty-events.ndjson
runreveal detections run -f detections/aws/guardduty/sigma/critical-findings.yaml -i guardduty-events.ndjson --fail-no-match=false

Results confirmed each severity value matched only its correct bucket with no false positives across rules.

Closes RUN-2920

GuardDuty findings use numeric severity (1-10), not text labels.
The previous rules matched on strings like 'CRITICAL', 'High', etc.
which never matched any real events.

Updated to match the AWS GuardDuty severity scale:
- Critical: 9, 10
- High: 7, 8
- Medium: 4, 5, 6
- Low: 1, 2, 3

Also added explicit sourcetypes: [guardduty] to all four rules.

Closes RUN-2920
GuardDuty severity is a float (1.0-10.0), not an integer. Use |re
modifier to match severity ranges including decimal values like 7.5.
Five events covering all severity bands (low=2, medium=5, high=7/8,
critical=9) with correct GuardDuty finding schemas. Run with:
  runreveal detections run -f <rule.yaml> -i testdata/guardduty-events.ndjson
@abraithwaite abraithwaite force-pushed the alan/fix-guardduty-severity-numeric branch from 06dbcda to 26a7a64 Compare July 10, 2026 01:49
@abraithwaite abraithwaite merged commit a7f5653 into main Jul 10, 2026
1 check passed
@abraithwaite abraithwaite deleted the alan/fix-guardduty-severity-numeric branch July 10, 2026 21:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant