You can trigger an AWS Lambda function directly from a Scheduled Search or Monitor by configuring a webhook connection. You can use the Webhook Connection as the Alert Type in a Scheduled Search or the Connection Type in a Monitor.
For example, you can create a Scheduled Search that triggers a Lambda function when too many requests are received from a suspicious IP address. The Lambda function can shut down additional requests from that IP address, while simultaneously sending a notification to the security team for review.
Build an API in the API Gateway to expose a Lambda function
First, generate an Invoke URL with a POST method for your Lambda function by creating an API in Amazon API Gateway. For information about exposing an HTTP endpoint, see Amazon's API Gateway documentation.
When you have created the Invoke URL, copy and paste it into a notepad. You will need it to configure the webhook connection in the next section.
Create a Webhook connection
Configure the webhook connection to trigger the AWS Lambda function.
- Go to Manage Data > Alerts > Connections.
- On the Connections page, click Add.
- Click AWS Lambda.
- In the Create Connection dialog, enter:
  - Name. Enter a name for the Connection.
  - Description. Optional: Enter a Description for the Connection.
  - URL. Enter the Invoke URL from the previous section.
  - Access Key and Secret Key. Enter your AWS Access Key and Secret Key.
    - Secure your API Gateway method by selecting AWS_IAM for the authorization type.
    - Create an IAM user who has basic API Gateway invoke access. You can use the AWS managed policy AmazonAPIGatewayInvokeFullAccess.
  - Region. Select your region.
  - Service Name. Enter execute-api as the service name.
  - Custom Headers. Optional: Enter up to five comma-separated key-value pairs.
  - Payload. Enter a JSON object in the format required. For details on variables that can be used as parameters within your JSON object, see Webhook Payload Variables.
- Click Test Connection. If the connection is made, you will see a 200 OK response message.
- Click Save.
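
The following Python handler is an added example, not code from this documentation or from AWS. It shows how the Lambda function in the suspicious-IP scenario above can validate the address it receives in the Payload before acting on it, so that a malformed or internal address never results in a block. It assumes a Lambda proxy integration and a Payload with the hypothetical keys source_ip and search_name; the protected ranges are constructed values.

```python
import base64
import ipaddress
import json

# Ranges that must never be blocked automatically. The last entry is an
# assumed corporate egress range (constructed, RFC 5737 documentation space).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "198.51.100.0/24")]


def parse_alert(event):
    """Return (ip, search_name) from an API Gateway proxy event, or raise ValueError."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    alert = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(alert, dict) or "source_ip" not in alert:
        raise ValueError("payload must be a JSON object with source_ip")
    # ip_address() accepts only a literal address: no CIDR, hostname or list.
    ip = ipaddress.ip_address(str(alert["source_ip"]).strip())
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot dodge the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip, str(alert.get("search_name", ""))[:128]


def decide(ip):
    """Return 'block' only for addresses outside every protected range."""
    return "skip" if any(ip in net for net in NEVER_BLOCK) else "block"


def lambda_handler(event, context):
    try:
        ip, search = parse_alert(event)
    except (ValueError, TypeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    action = decide(ip)
    # Enforcement (for example a WAF or security-group update) and the
    # notification to the security team are deployment-specific and go here.
    result = {"ip": str(ip), "action": action, "search": search}
    print(json.dumps(result))  # CloudWatch record for the security team's review
    return {"statusCode": 200, "body": json.dumps(result)}
```

A 400 response for a rejected payload also makes Test Connection fail visibly when the Payload template does not match what the function expects.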