{
  "_comment": "EventBridge rule pattern that matches ONLY GuardDuty critical-severity attack-sequence findings, so you page a human on correlated intent rather than on every high finding. Target it at SNS (pager), a Lambda that opens a ticket (Jira/ServiceNow), or a Slack webhook. GuardDuty maps severity 9.0-10.0 to the 'critical' label used by Extended Threat Detection attack sequences. Verify the severity band and finding-type prefixes against current GuardDuty docs before relying on this in production. IMPORTANT: strip the '_comment' and '_usage' keys before passing this file to put-rule -- EventBridge treats every top-level key as a match condition and rejects leaf values that are not arrays, so the annotated file as-is fails pattern validation. GuardDuty findings are regional, so create this rule in every region where GuardDuty is enabled (or forward findings to a central event bus first). GuardDuty re-emits a finding each time it is updated with new activity, and attack sequences are updated as signals are correlated, so the ticket/pager target should de-duplicate on detail.id rather than treating every event as a new incident.",
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 9.0] }],
    "type": [{ "prefix": "AttackSequence:" }]
  },
  "_usage": {
    "create_rule": "aws events put-rule --name gd-critical-attack-sequences --event-pattern file://route-critical-findings-eventbridge.json",
    "add_pager_target": "aws events put-targets --rule gd-critical-attack-sequences --targets 'Id=pager,Arn=<SNS_TOPIC_ARN>'",
    "note": "Keep medium/high findings OUT of this rule. Route those to a low-urgency queue or let AWS Security Incident Response auto-triage and suppression rules absorb them; paging on every high finding is how teams learn to ignore the pager. put-targets succeeds even when the target cannot be invoked: the SNS topic's resource policy must allow events.amazonaws.com to Publish, and a Lambda target needs a lambda:AddPermission grant for the rule ARN. Confirm delivery by sending a test event and watching the rule's FailedInvocations metric, because a silently failing pager target is worse than no rule at all."
  }
}
